[manjaro-security] [ASA-201901-13] powerdns-recursor: multiple issues
foxboron at archlinux.org
Sun Jan 27 11:52:32 CET 2019
Arch Linux Security Advisory ASA-201901-13
Date : 2019-01-24
CVE-ID : CVE-2019-3806 CVE-2019-3807
Package : powerdns-recursor
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-856
The package powerdns-recursor before version 4.1.9-1 is vulnerable to
multiple issues including insufficient validation and access
Upgrade to 4.1.9-1.
# pacman -Syu "powerdns-recursor>=4.1.9-1"
The problems have been fixed upstream in version 4.1.9.
- CVE-2019-3806 (access restriction bypass)
An issue has been found in PowerDNS Recursor before 4.1.9 where Lua
hooks are not properly applied to queries received over TCP in some
specific combination of settings, possibly bypassing security policies
enforced using Lua.
- CVE-2019-3807 (insufficient validation)
An issue has been found in PowerDNS Recursor before 4.1.9 where records
in the answer section of responses received from authoritative servers
with the AA flag not set were not properly validated, allowing an
attacker to bypass DNSSEC validation.
A remote attacker can bypass access restrictions by doing a TCP query
or bypass DNSSEC validation for records where the AA flag was not set.
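
Added example, not part of the advisory or of PowerDNS: CVE-2019-3807 concerns responses that carry answer records while the AA flag is clear. The Python code below decodes the fixed DNS header and picks out that class of response, for instance when reviewing captured upstream traffic after upgrading. Function names are hypothetical and the sample messages are constructed header-only byte strings.

```python
import struct

QR_BIT = 0x8000  # set on responses, clear on queries (RFC 1035 header flags)
AA_BIT = 0x0400  # Authoritative Answer flag


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into named fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message: header needs 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "is_response": bool(flags & QR_BIT),
        "aa": bool(flags & AA_BIT),
        "rcode": flags & 0x000F,
        "ancount": an,
        "nscount": ns,
    }


def non_aa_answer(msg: bytes) -> bool:
    """True for a response that has answer records but AA clear."""
    h = parse_header(msg)
    return h["is_response"] and not h["aa"] and h["ancount"] > 0


def make_header(flags: int, ancount: int, nscount: int = 0) -> bytes:
    """Build a constructed header (ID 0x1234, one question) for the samples."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, nscount, 0)


# Constructed samples: header bytes only, no question or record data.
SAMPLES = {
    "authoritative answer": make_header(QR_BIT | AA_BIT, ancount=1),
    "non-AA answer": make_header(QR_BIT, ancount=1),
    "referral": make_header(QR_BIT, ancount=0, nscount=2),
    "query": make_header(0x0000, ancount=0),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        h = parse_header(msg)
        print(f"{name:22} aa={h['aa']!s:5} ancount={h['ancount']} "
              f"flagged={non_aa_answer(msg)}")
```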