Bug 1171553 - (CVE-2020-10030) VUL-0: CVE-2020-10030,CVE-2020-10995,CVE-2020-12244: pdns-recursor: Multiple vulnerabilities
(CVE-2020-10030)
VUL-0: CVE-2020-10030,CVE-2020-10995,CVE-2020-12244: pdns-recursor: Multiple ...
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 15.1
Other Other
: P3 - Medium : Normal (vote)
: Leap 15.1
Assigned To: Security Team bot
E-mail List
https://smash.suse.de/issue/259587/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-05-13 08:09 UTC by Alexandros Toptsoglou
Modified: 2022-03-29 09:50 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 6 Alexandros Toptsoglou 2020-05-19 09:27:28 UTC
now public through https://blog.powerdns.com/2020/05/19/powerdns-recursor-4-3-1-4-2-2-and-4-1-16-released/

Hello!,

Today we are releasing PowerDNS Recursor 4.3.1, 4.2.2. and 4.1.16, containing security fixes for three CVEs:

– CVE-2020-10995
– CVE-2020-12244
– CVE-2020-10030

The issues are:

CVE-2020-10995: An issue in the DNS protocol has been found that allows malicious parties to use recursive DNS services to attack third party authoritative name servers. Severity is medium. We would like to thank Lior Shafir, Yehuda Afek and Anat Bremler-Barr for finding and subsequently reporting this issue!

CVE-2020-12244: Records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated. Severity is medium. We would like to thank Matt Nordhoff for finding and subsequently reporting this issue!

CVE-2020-10030: An attacker with enough privileges to change the hostname might be able to disclose uninitialized memory. This issue also affects the Authoritative Server and dnsdist; since the attack requires very high privileges and the issue does not affect Linux, we will not be releasing new versions for those just for this issue. Severity is low.

As usual, there were also other smaller enhancements and bugfixes. Please refer to the 4.3.1 changelog, 4.2.2 changelog and 4.1.16 changelog for details.

The 4.3.1 tarball (signature), 4.2.2 tarball (signature) and 4.1.16 tarball (signature) are available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com.

Note that the 4.1 packages will be published later today.

4.0 and older releases are EOL, refer to the documentation for details about our release cycles.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.
Comment 7 OBSbugzilla Bot 2020-05-19 11:50:08 UTC
This is an autogenerated message for OBS integration:
This bug (1171553) was mentioned in
https://build.opensuse.org/request/show/807216 Factory / pdns-recursor
Comment 8 OBSbugzilla Bot 2020-05-19 15:20:06 UTC
This is an autogenerated message for OBS integration:
This bug (1171553) was mentioned in
https://build.opensuse.org/request/show/807355 15.1+Backports:SLE-12-SP1+Backports:SLE-15-SP1 / pdns-recursor
Comment 9 Adam Majer 2020-05-19 19:03:53 UTC
Fixes submitted. Re-assigning back to security for tracking.
Comment 10 Swamp Workflow Management 2020-05-23 13:12:59 UTC
openSUSE-SU-2020:0698-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1171553
CVE References: CVE-2020-10030,CVE-2020-10995,CVE-2020-12244
Sources used:
openSUSE Leap 15.1 (src):    pdns-recursor-4.1.12-lp151.3.3.1
openSUSE Backports SLE-15-SP1 (src):    pdns-recursor-4.1.12-bp151.4.3.1
Comment 11 Swamp Workflow Management 2020-05-23 13:13:46 UTC
openSUSE-SU-2020:0698-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1171553
CVE References: CVE-2020-10030,CVE-2020-10995,CVE-2020-12244
Sources used:
openSUSE Leap 15.1 (src):    pdns-recursor-4.1.12-lp151.3.3.1
openSUSE Backports SLE-15-SP1 (src):    pdns-recursor-4.1.12-bp151.4.3.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    pdns-recursor-4.1.16-19.1
Comment 12 Alexandros Toptsoglou 2021-01-27 10:20:59 UTC
Done
Comment 13 OBSbugzilla Bot 2022-03-29 09:50:24 UTC
This is an autogenerated message for OBS integration:
This bug (1171553) was mentioned in
https://build.opensuse.org/request/show/965588 Backports:SLE-12-SP4 / pdns-recursor