Bug 1069242 (CVE-2017-15090)

Summary: VUL-0: CVE-2017-15090, CVE-2017-15091, CVE-2017-15092, CVE-2017-15093, CVE-2017-15094: pdns: Multiple security issues
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: astieger, jsegitz, meissner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: openSUSE 42.2   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 5 Marcus Meissner 2017-11-27 16:11:37 UTC 
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html


PowerDNS Security Advisory 2017-04: Missing check on API operations

    CVE: CVE-2017-15091
    Date: November 27th 2017
    Credit: everyman
    Affects: PowerDNS Authoritative up to and including 4.0.4, 3.4.11
    Not affected: PowerDNS Authoritative 4.0.5
    Severity: Low
    Impact: Denial of service
    Exploit: This problem can be triggered by an attacker with valid API credentials
    Risk of system compromise: No
    Solution: Upgrade to a non-affected version

An issue has been found in the API component of PowerDNS Authoritative, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only via the api-readonly keyword. This missing check allows an attacker with valid API credentials could flush the cache, trigger a zone transfer or send a NOTIFY. This issue has been assigned CVE-2017-15091.

PowerDNS Authoritative up to and including 4.0.4 and 3.4.11 are affected.

For those unable to upgrade to a new version, a minimal patch is available

We would like to thank everyman for finding and subsequently reporting this issue.
Comment 6 Bernhard Wiedemann 2017-11-27 17:10:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1069242) was mentioned in
https://build.opensuse.org/request/show/546073 42.2+42.3 / pdns-recursor
https://build.opensuse.org/request/show/546077 42.2+42.3 / pdns
Comment 8 Andreas Stieger 2017-12-05 20:54:53 UTC 
releasing, done
Comment 9 Swamp Workflow Management 2017-12-06 02:08:33 UTC 
openSUSE-SU-2017:3218-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1069242
CVE References: CVE-2017-15090,CVE-2017-15092,CVE-2017-15093,CVE-2017-15094
Sources used:
openSUSE Leap 42.3 (src):    pdns-recursor-4.0.5-3.1
openSUSE Leap 42.2 (src):    pdns-recursor-3.7.3-9.3.1
Comment 10 Swamp Workflow Management 2017-12-06 02:09:19 UTC 
openSUSE-SU-2017:3221-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1069242
CVE References: CVE-2017-15091
Sources used:
openSUSE Leap 42.3 (src):    pdns-4.0.3-9.1
openSUSE Leap 42.2 (src):    pdns-3.4.9-5.3.1
Comment 11 Swamp Workflow Management 2018-01-23 09:00:07 UTC 
This is an autogenerated message for OBS integration:
This bug (1069242) was mentioned in
https://build.opensuse.org/request/show/568487 Factory / pdns-recursor
Comment 12 Swamp Workflow Management 2018-04-16 19:08:25 UTC 
openSUSE-SU-2018:0953-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1069242,1077154
CVE References: CVE-2018-1000003
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    pdns-recursor-4.1.2-5.1
Comment 13 OBSbugzilla Bot 2022-03-29 09:50:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1069242) was mentioned in
https://build.opensuse.org/request/show/965588 Backports:SLE-12-SP4 / pdns-recursor