Bug 1121889 - (CVE-2019-3807) VUL-0: CVE-2019-3807: pdns-recursor: Insufficient validation of DNSSEC signatures
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/222817/
Reported: 2019-01-14 16:57 UTC by Marcus Meissner
Modified: 2022-03-29 09:50 UTC (History)
Comment 3 Marcus Meissner 2019-01-21 14:27:28 UTC
PowerDNS Security Advisory 2019-02: Insufficient validation of DNSSEC
signatures
=====================================================================

-  CVE: CVE-2019-3807
-  Date: 21st of January 2019
-  Affects: PowerDNS Recursor from 4.1.0 up to and including 4.1.8
-  Not affected: 4.0.x, 4.1.9
-  Severity: Medium
-  Impact: Insufficient validation
-  Exploit: This problem can be triggered via crafted responses
-  Risk of system compromise: No
-  Solution: Upgrade to a non-affected version

An issue has been found in PowerDNS Recursor where records in the answer
section of responses received from authoritative servers with the AA
flag not set were not properly validated, allowing an attacker to bypass
DNSSEC validation.

This issue has been assigned CVE-2019-3807 by Red Hat.

PowerDNS Recursor from 4.1.0 up to and including 4.1.8 is affected.

We would like to thank Ralph Dolmans and George Thessalonikefs of
NLNetLabs for finding and subsequently reporting this issue!
Comment 4 Swamp Workflow Management 2019-01-21 15:30:12 UTC
This is an autogenerated message for OBS integration:
This bug (1121889) was mentioned in
https://build.opensuse.org/request/show/667620 Factory / pdns-recursor
https://build.opensuse.org/request/show/667621 15.0 / pdns-recursor
Comment 5 Adam Majer 2019-01-28 15:31:30 UTC
Fixes submitted to all affected codestreams. SLE-15 backports are from Leap-15.0:Updates

Reassigning to security-team
Comment 6 Swamp Workflow Management 2019-01-28 15:50:10 UTC
This is an autogenerated message for OBS integration:
This bug (1121889) was mentioned in
https://build.opensuse.org/request/show/669114 Backports:SLE-12-SP1 / pdns-recursor
Comment 7 Swamp Workflow Management 2019-01-29 14:20:00 UTC
openSUSE-SU-2019:0100-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1121889
CVE References: CVE-2019-3807
Sources used:
openSUSE Leap 15.0 (src):    pdns-recursor-4.1.2-lp150.2.6.1
Comment 8 Swamp Workflow Management 2019-01-31 17:09:51 UTC
openSUSE-SU-2019:0107-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1121889
CVE References: CVE-2019-3807
Sources used:
openSUSE Backports SLE-15 (src):    pdns-recursor-4.1.2-bp150.2.6.1
Comment 9 Swamp Workflow Management 2019-02-04 17:09:23 UTC
openSUSE-SU-2019:0131-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1121887,1121889
CVE References: CVE-2019-3806,CVE-2019-3807
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    pdns-recursor-4.1.10-16.1
Comment 10 Marcus Meissner 2019-11-15 07:01:48 UTC
done
Comment 11 OBSbugzilla Bot 2022-03-29 09:50:20 UTC
This is an autogenerated message for OBS integration:
This bug (1121889) was mentioned in
https://build.opensuse.org/request/show/965588 Backports:SLE-12-SP4 / pdns-recursor
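
Added example, not part of the bug report and not SUSE or PowerDNS tooling: the Leap 15.0 and Backports SLE-15 updates keep upstream version 4.1.2, which is inside the advisory's affected range, so a patch check has to compare the package release against the fixed builds listed in comments 7-9 rather than the upstream version alone. The comparison below is a simplified rpm-style ordering (no epoch, `~` or `^` handling); the function names and the inventory rows are constructed for illustration.

```python
import re

# Fixed source builds, copied from the update notices in comments 7-9.
FIXED_BUILDS = {
    "openSUSE Leap 15.0": "4.1.2-lp150.2.6.1",
    "openSUSE Backports SLE-15": "4.1.2-bp150.2.6.1",
    "SUSE Package Hub for SUSE Linux Enterprise 12": "4.1.10-16.1",
}
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified rpm-style comparison: -1, 0 or 1 (no epoch, '~' or '^')."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment sorts newer
        if x.isdigit():
            x, y = int(x), int(y)  # compare 10 > 2 numerically, not as text
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare two 'version-release' strings: version first, then release."""
    va, _, ra = a.rpartition("-")
    vb, _, rb = b.rpartition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def upstream_affected(version):
    """Advisory range: 4.1.0 up to and including 4.1.8."""
    return rpmvercmp(version, "4.1.0") >= 0 and rpmvercmp(version, "4.1.8") <= 0

def has_fix(product, installed):
    """True if the installed build is at least the fixed build for product."""
    return evr_cmp(installed, FIXED_BUILDS[product]) >= 0

if __name__ == "__main__":
    # Constructed inventory rows: (product, installed version-release).
    inventory = [
        ("openSUSE Leap 15.0", "4.1.2-lp150.2.3.1"),  # constructed older build
        ("openSUSE Leap 15.0", "4.1.2-lp150.2.6.1"),
        ("SUSE Package Hub for SUSE Linux Enterprise 12", "4.1.8-15.1"),  # constructed
    ]
    for product, evr in inventory:
        upstream = evr.rpartition("-")[0]
        print(product, evr, "upstream range hit:", upstream_affected(upstream),
              "fixed build:", has_fix(product, evr))
```

The installed value can be read with `rpm -q --qf '%{VERSION}-%{RELEASE}\n' pdns-recursor`.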