Advisories » MGASA-2019-0122

Updated pdns packages fix security vulnerability

Publication date: 29 Mar 2019
Modification date: 29 Mar 2019
Type: security
Affected Mageia releases : 6
CVE: CVE-2019-3871

Description

Updated pdns packages fix security vulnerability:

An issue has been found in PowerDNS Authoritative Server when the HTTP
remote backend is used in RESTful mode (without post=1 set), allowing a
remote user to cause the HTTP backend to connect to an attacker-specified
host instead of the configured one, via a crafted DNS query. This can be
used to cause a denial of service by preventing the remote backend from
getting a response, content spoofing if the attacker can time its own
query so that subsequent queries will use an attacker-controlled HTTP
server instead of the configured one, and possibly information disclosure
if the Authoritative Server has access to internal servers (CVE-2019-3871).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=24531
• https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3871

SRPMS

6/core

• pdns-4.1.7-1.mga6