git.ipfire.org Git - thirdparty/pdns.git/blob - docs/security-advisories/powerdns-advisory-2019-06.rst
Merge pull request #8110 from zeha/urls-https
PowerDNS Security Advisory 2019-06: Denial of service via crafted zone records
==============================================================================

- CVE: CVE-2019-10203
- Date: July 30th, 2019
- Affects: PowerDNS Authoritative 4.0.0 and up, when using the gpgsql (PostgreSQL) backend
- Not affected: 4.2.0, 4.1.11, 4.0.9
- Severity: Low
- Impact: Denial of Service
- Exploit: This problem can be triggered via crafted records
- Risk of system compromise: No
- Solution: Update the database schema
- Workaround: run the process inside the guardian or inside a supervisor

An issue has been found in PowerDNS Authoritative Server allowing an
authorized user to cause the server to exit by inserting a crafted record in a
MASTER type zone under their control. The issue is due to the fact that the
Authoritative Server will exit when it tries to store the notified serial in
the PostgreSQL database, if this serial cannot be represented in 31 bits.

This issue has been assigned CVE-2019-10203.

PowerDNS Authoritative up to and including 4.1.10 is affected. Please note
that at the time of writing, PowerDNS Authoritative 3.4 and below are no
longer supported, as described in
https://doc.powerdns.com/authoritative/appendices/EOL.html.

To fix the issue, run the following command against your PostgreSQL pdns
database: ``ALTER TABLE domains ALTER notified_serial TYPE bigint USING CASE
WHEN notified_serial >= 0 THEN notified_serial::bigint END;``. No software
changes are required.
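The following SQL is an added example for operators, not part of the advisory itself. It shows how to verify the schema, why the old column type fails (a DNS SOA serial is an unsigned 32-bit value per RFC 1035, while PostgreSQL ``integer`` is a signed 32-bit type, so serials of 2^31 and above do not fit), how to spot MASTER zones whose serial already exceeds that range, and how to apply the fix. The zone check assumes the standard pdns gpgsql schema (``domains.type``, ``records.domain_id``, ``records.type``, ``records.content``).

```sql
-- Added example, not part of the advisory. Run with psql against the pdns database.

-- 1. Inspect the current type of domains.notified_serial.
--    'integer' (signed 32-bit) means the schema is still vulnerable;
--    'bigint' means the fix from the advisory has been applied.
SELECT data_type
  FROM information_schema.columns
 WHERE table_name = 'domains'
   AND column_name = 'notified_serial';

-- 2. Illustrate why the server exits: 2^31 does not fit a signed 32-bit
--    integer but does fit bigint. The first statement fails with
--    "ERROR:  integer out of range"; the second returns 2147483648.
SELECT 2147483648::integer;
SELECT 2147483648::bigint;

-- 3. Find MASTER zones whose SOA serial already exceeds the old column's
--    range (assumes the standard gpgsql schema: the serial is the third
--    whitespace-separated field of the SOA content; an empty field is
--    treated as NULL rather than failing the cast).
SELECT d.id,
       d.name,
       NULLIF(split_part(r.content, ' ', 3), '')::bigint AS soa_serial
  FROM domains d
  JOIN records r ON r.domain_id = d.id AND r.type = 'SOA'
 WHERE d.type = 'MASTER'
   AND NULLIF(split_part(r.content, ' ', 3), '')::bigint > 2147483647;

-- 4. Apply the fix from the advisory. Negative values (which a serial can
--    never legitimately hold) become NULL instead of being copied over.
ALTER TABLE domains
  ALTER notified_serial TYPE bigint
  USING CASE WHEN notified_serial >= 0 THEN notified_serial::bigint END;

-- 5. Re-run step 1: data_type must now read 'bigint'.
```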

We would like to thank Klaus Darilion for finding and subsequently reporting
this issue!