Mailinglist Archive: opensuse-updates (119 mails)

< Previous Next >
openSUSE-SU-2017:3218-1: moderate: Security update for pdns-recursor
openSUSE Security Update: Security update for pdns-recursor
______________________________________________________________________________

Announcement ID: openSUSE-SU-2017:3218-1
Rating: moderate
References: #1069242
Cross-References: CVE-2017-15090 CVE-2017-15092 CVE-2017-15093
CVE-2017-15094
Affected Products:
openSUSE Leap 42.3
openSUSE Leap 42.2
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for pdns-recursor fixes the following issues:

Security issues fixed:

- CVE-2017-15090: An issue has been found in the DNSSEC validation
component of PowerDNS Recursor, where the signatures might have been
accepted as valid even if the signed data was not in bailiwick of the
DNSKEY used to sign it. This allows an attacker in position of
man-in-the-middle to alter the content of records by issuing a valid
signature for the crafted records (boo#1069242).
- CVE-2017-15092: An issue has been found in the web interface of PowerDNS
Recursor, where the qname of DNS queries was displayed without any
escaping, allowing a remote attacker to inject HTML and Javascript code
into the web interface, altering the content (boo#1069242).
- CVE-2017-15093: When `api-config-dir` is set to a non-empty value, which
is not the case by default, the API allows an authorized user to update
the Recursor's ACL by adding and removing netmasks, and to configure
forward zones. It was discovered that the new netmask and IP addresses
of forwarded zones were not sufficiently validated, allowing an
authenticated user to inject new configuration directives into the
Recursor's configuration (boo#1069242).
- CVE-2017-15094: An issue has been found in the DNSSEC parsing code of
PowerDNS Recursor during a code audit by Nixu, leading to a memory leak
when parsing specially crafted DNSSEC ECDSA keys (boo#1069242).


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2017-1339=1

- openSUSE Leap 42.2:

zypper in -t patch openSUSE-2017-1339=1

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE Leap 42.3 (x86_64):

pdns-recursor-4.0.5-3.1
pdns-recursor-debuginfo-4.0.5-3.1
pdns-recursor-debugsource-4.0.5-3.1

- openSUSE Leap 42.2 (i586 x86_64):

pdns-recursor-3.7.3-9.3.1
pdns-recursor-debuginfo-3.7.3-9.3.1
pdns-recursor-debugsource-3.7.3-9.3.1


References:

https://www.suse.com/security/cve/CVE-2017-15090.html
https://www.suse.com/security/cve/CVE-2017-15092.html
https://www.suse.com/security/cve/CVE-2017-15093.html
https://www.suse.com/security/cve/CVE-2017-15094.html
https://bugzilla.suse.com/1069242


< Previous Next >
This Thread
  • No further messages