[gentoo-announce] [ GLSA 202012-18 ] PowerDNS: information disclosure - gentoo-announce

From:	Thomas Deutschmann <whissi@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 202012-18 ] PowerDNS: information disclosure
Date:	Wed, 23 Dec 2020 20:31:39
Message-Id:	`363e5d95-7304-cda8-5e96-6ba00abc7de9@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 202012-18

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Low

8

     Title: PowerDNS: information disclosure

9

      Date: December 23, 2020

10

      Bugs: #744160

11

        ID: 202012-18

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

An information disclosure vulnerability in PowerDNS allow remote

19

attackers to obtain sensitive information.

20

21

Background

22

==========

23

24

The PowerDNS nameserver is an authoritative-only nameserver which uses

25

a flexible backend architecture.

26

27

Affected packages

28

=================

29

30

     -------------------------------------------------------------------

31

      Package              /     Vulnerable     /            Unaffected

32

     -------------------------------------------------------------------

33

   1  net-dns/pdns                 < 4.3.1                    >= 4.3.1

34

35

Description

36

===========

37

38

It was discovered that PowerDNS did not properly handle certain unknown

39

records.

40

41

Impact

42

======

43

44

An authorized attacker with the ability to insert crafted records into

45

a zone might be able to leak the content of uninitialized memory.

46

Crafted records cannot be inserted via AXFR.

47

48

Workaround

49

==========

50

51

Do not take zone data from untrusted users.

52

53

Resolution

54

==========

55

56

All PowerDNS users should upgrade to the latest version:

57

58

   # emerge --sync

59

   # emerge --ask --oneshot --verbose ">=net-dns/pdns-4.3.1"

60

61

References

62

==========

63

64

[ 1 ] CVE-2020-17482

65

       https://nvd.nist.gov/vuln/detail/CVE-2020-17482

66

[ 2 ] PowerDNS Security Advisory 2020-05

67

68

https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html

69

70

Availability

71

============

72

73

This GLSA and any updates to it are available for viewing at

74

the Gentoo Security Website:

75

76

  https://security.gentoo.org/glsa/202012-18

77

78

Concerns?

79

=========

80

81

Security is a primary focus of Gentoo Linux and ensuring the

82

confidentiality and security of our users' machines is of utmost

83

importance to us. Any security concerns should be addressed to

84

security@g.o or alternatively, you may file a bug at

85

https://bugs.gentoo.org.

86

87

License

88

=======

89

90

Copyright 2020 Gentoo Foundation, Inc; referenced text

91

belongs to its owner(s).

92

93

The contents of this document are licensed under the

94

Creative Commons - Attribution / Share Alike license.

95

96

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 202012-18
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Low
8	Title: PowerDNS: information disclosure
9	Date: December 23, 2020
10	Bugs: #744160
11	ID: 202012-18
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	An information disclosure vulnerability in PowerDNS allow remote
19	attackers to obtain sensitive information.
20
21	Background
22	==========
23
24	The PowerDNS nameserver is an authoritative-only nameserver which uses
25	a flexible backend architecture.
26
27	Affected packages
28	=================
29
30	-------------------------------------------------------------------
31	Package / Vulnerable / Unaffected
32	-------------------------------------------------------------------
33	1 net-dns/pdns < 4.3.1 >= 4.3.1
34
35	Description
36	===========
37
38	It was discovered that PowerDNS did not properly handle certain unknown
39	records.
40
41	Impact
42	======
43
44	An authorized attacker with the ability to insert crafted records into
45	a zone might be able to leak the content of uninitialized memory.
46	Crafted records cannot be inserted via AXFR.
47
48	Workaround
49	==========
50
51	Do not take zone data from untrusted users.
52
53	Resolution
54	==========
55
56	All PowerDNS users should upgrade to the latest version:
57
58	# emerge --sync
59	# emerge --ask --oneshot --verbose ">=net-dns/pdns-4.3.1"
60
61	References
62	==========
63
64	[ 1 ] CVE-2020-17482
65	https://nvd.nist.gov/vuln/detail/CVE-2020-17482
66	[ 2 ] PowerDNS Security Advisory 2020-05
67
68	https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2020-05.html
69
70	Availability
71	============
72
73	This GLSA and any updates to it are available for viewing at
74	the Gentoo Security Website:
75
76	https://security.gentoo.org/glsa/202012-18
77
78	Concerns?
79	=========
80
81	Security is a primary focus of Gentoo Linux and ensuring the
82	confidentiality and security of our users' machines is of utmost
83	importance to us. Any security concerns should be addressed to
84	security@g.o or alternatively, you may file a bug at
85	https://bugs.gentoo.org.
86
87	License
88	=======
89
90	Copyright 2020 Gentoo Foundation, Inc; referenced text
91	belongs to its owner(s).
92
93	The contents of this document are licensed under the
94	Creative Commons - Attribution / Share Alike license.
95
96	https://creativecommons.org/licenses/by-sa/2.5