From: aerique Date: Mon, 18 Mar 2019 19:56:57 +0000 (+0100) Subject: Merge pull request #7593 from aerique/feature/update-for-changelog-and-secpoll-for... X-Git-Tag: dnsdist-1.4.0-alpha1~61 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=44737619c559e175e792bb3599e50cdb6defaf08;p=thirdparty%2Fpdns.git Merge pull request #7593 from aerique/feature/update-for-changelog-and-secpoll-for-auth-4.0.7-and-4.1.7 Update changelog, secpoll and advisories for auth-4.0.7 and auth-4.1.7. --- diff --git a/docs/changelog/4.0.rst b/docs/changelog/4.0.rst index a0c11453b9..d230886809 100644 --- a/docs/changelog/4.0.rst +++ b/docs/changelog/4.0.rst @@ -1,6 +1,20 @@ Changelogs for 4.0.x ==================== +PowerDNS Authoritative Server 4.0.7 +----------------------------------- + +Released 18th of March 2019 + +This release fixes PowerDNS Security Advisory +:doc:`2019-03 <../security-advisories/powerdns-advisory-2019-03>`: Insufficient validation in the HTTP remote backend (CVE-2019-3871) + +Bug fixes +~~~~~~~~~ + +- `#7582 `__: Insufficient validation in the HTTP remote backend (CVE-2019-3871) + + PowerDNS Authoritative Server 4.0.6 ----------------------------------- diff --git a/docs/changelog/4.1.rst b/docs/changelog/4.1.rst index 18e400a797..ac1236b636 100644 --- a/docs/changelog/4.1.rst +++ b/docs/changelog/4.1.rst @@ -1,6 +1,20 @@ Changelogs for 4.1.x ==================== +.. changelog:: + :version: 4.1.7 + :released: March 18th 2019 + + This release fixes the following security advisory: + + - PowerDNS Security Advisory :doc:`2019-03 <../security-advisories/powerdns-advisory-2019-03>` (CVE-2019-3871) + + .. change:: + :tags: Bug Fixes + :pullreq: 7577 + + Insufficient validation in the HTTP remote backend (CVE-2019-3871, PowerDNS Security Advisory :doc:`2019-03 <../security-advisories/powerdns-advisory-2019-03>`) + .. changelog:: :version: 4.1.6 :released: January 31st 2019 
diff --git a/docs/secpoll.zone b/docs/secpoll.zone index fca45e4721..400790aa8e 100644 --- a/docs/secpoll.zone +++ b/docs/secpoll.zone @@ -1,4 +1,4 @@ -@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2019022801 10800 3600 604800 10800 +@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2019031801 10800 3600 604800 10800 @ 3600 IN NS pdns-public-ns1.powerdns.com. @ 3600 IN NS pdns-public-ns2.powerdns.com. ; Auth @@ -31,7 +31,8 @@ auth-4.0.3.security-status 60 IN TXT "3 Upgrade now auth-4.0.4-rc1.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html" auth-4.0.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html" auth-4.0.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html" -auth-4.0.6.security-status 60 IN TXT "1 OK" +auth-4.0.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html" +auth-4.0.7.security-status 60 IN TXT "1 OK" auth-4.1.0-rc1.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" auth-4.1.0-rc2.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" auth-4.1.0-rc3.security-status 60 IN TXT "3 Unsupported pre-release (known vulnerabilities)" 
@@ -40,8 +41,9 @@ auth-4.1.1.security-status 60 IN TXT "3 Upgrade now auth-4.1.2.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html" auth-4.1.3.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html" auth-4.1.4.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-03.html https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-05.html" -auth-4.1.5.security-status 60 IN TXT "1 OK" -auth-4.1.6.security-status 60 IN TXT "1 OK" +auth-4.1.5.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html" +auth-4.1.6.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html" +auth-4.1.7.security-status 60 IN TXT "1 OK" auth-4.2.0-alpha1.security-status 60 IN TXT "1 OK" auth-4.2.0-beta1.security-status 60 IN TXT "1 OK" diff --git a/docs/security-advisories/powerdns-advisory-2019-03.rst b/docs/security-advisories/powerdns-advisory-2019-03.rst new file mode 100644 index 0000000000..2f84dd96f1 --- /dev/null +++ b/docs/security-advisories/powerdns-advisory-2019-03.rst 
@@ -0,0 +1,34 @@ +PowerDNS Security Advisory 2019-03: Insufficient validation in the HTTP remote backend +====================================================================================== + +- CVE: CVE-2019-3871 +- Date: March 18th 2019 +- Affects: PowerDNS Authoritative up to and including 4.1.6 +- Not affected: 4.1.7, 4.0.7 +- Severity: High +- Impact: Denial of Service, Information Disclosure, Content spoofing +- Exploit: This problem can be triggered via crafted queries +- Risk of system compromise: No +- Solution: Upgrade to a non-affected version + +An issue has been found in PowerDNS Authoritative Server when the +HTTP remote backend is used in RESTful mode (without post=1 set), +allowing a remote user to cause the HTTP backend to connect to +an attacker-specified host instead of the configured one, via a +crafted DNS query. +This can be used to cause a denial of service by preventing the remote +backend from getting a response, content spoofing if the attacker can +time its own query so that subsequent queries will use an attacker-controlled +HTTP server instead of the configured one, and possibly information +disclosure if the Authoritative Server has access to internal servers. + +This issue has been assigned CVE-2019-3871. + +PowerDNS Authoritative up to and including 4.1.6 is affected. +Please note that at the time of writing, PowerDNS Authoritative 3.4 and +below are no longer supported, as described in +https://doc.powerdns.com/authoritative/appendices/EOL.html. + +We would like to thank Adam Dobrawy, Frederico Silva and Gregory +Brzeski from HyperOne.com for finding and subsequently reporting +this issue!
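Review bot: in docs/secpoll.zone, hunk @@ -40,8 +41,9 @@, the trailing context lines auth-4.2.0-alpha1.security-status and auth-4.2.0-beta1.security-status stay at "1 OK" while auth-4.1.5 and auth-4.1.6 move to "3 Upgrade now". The advisory added in this same commit names only 4.1.7 and 4.0.7 as not affected and does not mention the 4.2.0 pre-releases. Please confirm whether alpha1 and beta1 carry the fix. If they do not, their status needs to change in this hunk as well; if they do, list them on the advisory's "Not affected" line so the secpoll answers and the advisory agree.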
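Review bot: in the new docs/security-advisories/powerdns-advisory-2019-03.rst, the summary list gives "Solution: Upgrade to a non-affected version" but has no workaround entry, although the description narrows the issue to the HTTP remote backend "in RESTful mode (without post=1 set)". Operators who cannot upgrade immediately will read that as an implied mitigation, so the advisory should say explicitly whether setting post=1 avoids the problem, or state that there is no workaround. Separately, "Affects: PowerDNS Authoritative up to and including 4.1.6" read on its own also covers 4.0.7, which the next line lists as not affected; giving the affected range per release branch would remove that ambiguity.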