Update changelog, secpoll and advisories for auth-4.0.7 and auth-4.1.7.
Changelogs for 4.0.x
====================
+PowerDNS Authoritative Server 4.0.7
+-----------------------------------
+
+Released 18th of March 2019
+
+This release fixes PowerDNS Security Advisory
+:doc:`2019-03 <../security-advisories/powerdns-advisory-2019-03>`: Insufficient validation in the HTTP remote backend (CVE-2019-3871)
+
+Bug fixes
+~~~~~~~~~
+
+- `#7582 <https://github.com/PowerDNS/pdns/pull/7582>`__: Insufficient validation in the HTTP remote backend (CVE-2019-3871)
+
+
PowerDNS Authoritative Server 4.0.6
-----------------------------------
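Review bot: the `:doc:` target `../security-advisories/powerdns-advisory-2019-03` on the advisory line only resolves if the new advisory file added later in this change is named `powerdns-advisory-2019-03` in the security-advisories directory; the diff shows just `--- /dev/null` for that file, so verify the filename, and confirm the advisory is also listed in the advisories index page, which this diff does not touch. The two consecutive blank `+` lines before the existing 4.0.6 heading can be reduced to one unless the file separates releases with a double blank line elsewhere.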
Changelogs for 4.1.x
====================
+.. changelog::
+ :version: 4.1.7
+ :released: March 18th 2019
+
+ This release fixes the following security advisory:
+
+ - PowerDNS Security Advisory :doc:`2019-03 <../security-advisories/powerdns-advisory-2019-03>` (CVE-2019-3871)
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 7577
+
+ Insufficient validation in the HTTP remote backend (CVE-2019-3871, PowerDNS Security Advisory :doc:`2019-03 <../security-advisories/powerdns-advisory-2019-03>`)
+
.. changelog::
:version: 4.1.6
:released: January 31st 2019
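Review bot: `:pullreq: 7577` in the 4.1.7 entry differs from `#7582` cited in the 4.0.7 changelog for the same fix; since the changelog directive turns this number into a GitHub link, make sure each number is the pull request actually merged into that branch (7577 into 4.1.x, 7582 into 4.0.x) rather than the same backport referenced twice.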
-@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2019022801 10800 3600 604800 10800
+@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2019031801 10800 3600 604800 10800
@ 3600 IN NS pdns-public-ns1.powerdns.com.
@ 3600 IN NS pdns-public-ns2.powerdns.com.
; Auth
auth-4.0.4-rc1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html"
auth-4.0.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html"
auth-4.0.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html"
-auth-4.0.6.security-status 60 IN TXT "1 OK"
+auth-4.0.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html"
+auth-4.0.7.security-status 60 IN TXT "1 OK"
auth-4.1.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
auth-4.1.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
auth-4.1.0-rc3.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
auth-4.1.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html"
auth-4.1.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html"
auth-4.1.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html"
-auth-4.1.5.security-status 60 IN TXT "1 OK"
-auth-4.1.6.security-status 60 IN TXT "1 OK"
+auth-4.1.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html"
+auth-4.1.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html"
+auth-4.1.7.security-status 60 IN TXT "1 OK"
auth-4.2.0-alpha1.security-status 60 IN TXT "1 OK"
auth-4.2.0-beta1.security-status 60 IN TXT "1 OK"
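Review bot: `auth-4.2.0-alpha1` and `auth-4.2.0-beta1` keep `1 OK` although the advisory below lists only 4.1.7 and 4.0.7 as not affected; either confirm those pre-releases already contain the fix or mark them `3 Upgrade now` with the 2019-03 advisory URL, as is done here for 4.0.6, 4.1.5 and 4.1.6. The SOA serial bump to 2019031801 matches the release date, and the new 4.0.7 and 4.1.7 records correctly become `1 OK`.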
--- /dev/null
+PowerDNS Security Advisory 2019-03: Insufficient validation in the HTTP remote backend
+======================================================================================
+
+- CVE: CVE-2019-3871
+- Date: March 18th 2019
+- Affects: PowerDNS Authoritative up to and including 4.1.6
+- Not affected: 4.1.7, 4.0.7
+- Severity: High
+- Impact: Denial of Service, Information Disclosure, Content spoofing
+- Exploit: This problem can be triggered via crafted queries
+- Risk of system compromise: No
+- Solution: Upgrade to a non-affected version
+
+An issue has been found in PowerDNS Authoritative Server when the
+HTTP remote backend is used in RESTful mode (without post=1 set),
+allowing a remote user to cause the HTTP backend to connect to
+an attacker-specified host instead of the configured one, via a
+crafted DNS query.
+This can be used to cause a denial of service by preventing the remote
+backend from getting a response, content spoofing if the attacker can
+time its own query so that subsequent queries will use an attacker-controlled
+HTTP server instead of the configured one, and possibly information
+disclosure if the Authoritative Server has access to internal servers.
+
+This issue has been assigned CVE-2019-3871.
+
+PowerDNS Authoritative up to and including 4.1.6 is affected.
+Please note that at the time of writing, PowerDNS Authoritative 3.4 and
+below are no longer supported, as described in
+https://doc.powerdns.com/authoritative/appendices/EOL.html.
+
+We would like to thank Adam Dobrawy, Frederico Silva and Gregory
+Brzeski from HyperOne.com for finding and subsequently reporting
+this issue!
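Review bot: the header list jumps from `Risk of system compromise` to `Solution` with no `Workaround` line, yet the body states the problem only occurs in RESTful mode "without post=1 set"; if running with `post=1` is confirmed to avoid the issue, add a `- Workaround:` entry saying so, since operators who cannot upgrade immediately need that. The `Affects` line also reads "up to and including 4.1.6" while the secpoll change marks 4.0.6 as affected and 4.0.7 as fixed, so spell out both branches (4.0.x up to 4.0.6 and 4.1.x up to 4.1.6) to match `Not affected: 4.1.7, 4.0.7`.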