openSUSE Security Update: Security update for pdns-recursor ______________________________________________________________________________ Announcement ID: openSUSE-SU-2017:3218-1 Rating: moderate References: #1069242 Cross-References: CVE-2017-15090 CVE-2017-15092 CVE-2017-15093 CVE-2017-15094 Affected Products: openSUSE Leap 42.3 openSUSE Leap 42.2 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for pdns-recursor fixes the following issues: Security issues fixed: - CVE-2017-15090: An issue has been found in the DNSSEC validation component of PowerDNS Recursor, where the signatures might have been accepted as valid even if the signed data was not in bailiwick of the DNSKEY used to sign it. This allows an attacker in position of man-in-the-middle to alter the content of records by issuing a valid signature for the crafted records (boo#1069242). - CVE-2017-15092: An issue has been found in the web interface of PowerDNS Recursor, where the qname of DNS queries was displayed without any escaping, allowing a remote attacker to inject HTML and Javascript code into the web interface, altering the content (boo#1069242). - CVE-2017-15093: When `api-config-dir` is set to a non-empty value, which is not the case by default, the API allows an authorized user to update the Recursor's ACL by adding and removing netmasks, and to configure forward zones. It was discovered that the new netmask and IP addresses of forwarded zones were not sufficiently validated, allowing an authenticated user to inject new configuration directives into the Recursor's configuration (boo#1069242). - CVE-2017-15094: An issue has been found in the DNSSEC parsing code of PowerDNS Recursor during a code audit by Nixu, leading to a memory leak when parsing specially crafted DNSSEC ECDSA keys (boo#1069242). Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE Leap 42.3: zypper in -t patch openSUSE-2017-1339=1 - openSUSE Leap 42.2: zypper in -t patch openSUSE-2017-1339=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE Leap 42.3 (x86_64): pdns-recursor-4.0.5-3.1 pdns-recursor-debuginfo-4.0.5-3.1 pdns-recursor-debugsource-4.0.5-3.1 - openSUSE Leap 42.2 (i586 x86_64): pdns-recursor-3.7.3-9.3.1 pdns-recursor-debuginfo-3.7.3-9.3.1 pdns-recursor-debugsource-3.7.3-9.3.1 References: https://www.suse.com/security/cve/CVE-2017-15090.html https://www.suse.com/security/cve/CVE-2017-15092.html https://www.suse.com/security/cve/CVE-2017-15093.html https://www.suse.com/security/cve/CVE-2017-15094.html https://bugzilla.suse.com/1069242