CVE-2019-3871

NameCVE-2019-3871
DescriptionA vulnerability was found in PowerDNS Authoritative Server before 4.0.7 and before 4.1.7. An insufficient validation of data coming from the user when building a HTTP request from a DNS query in the HTTP Connector of the Remote backend, allowing a remote user to cause a denial of service by making the server connect to an invalid endpoint, or possibly information disclosure by making the server connect to an internal endpoint and somehow extracting meaningful information about the response
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1737-1, DSA-4424-1
Debian Bugs924966

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pdns (PTS)buster4.1.6-3+deb10u1fixed
bullseye4.4.1-1fixed
bookworm4.7.3-2fixed
trixie4.8.3-4fixed
sid4.9.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pdnssourcejessie3.4.1-4+deb8u9DLA-1737-1
pdnssourcestretch4.0.3-1+deb9u4DSA-4424-1
pdnssource(unstable)4.1.6-2924966

Notes

https://github.com/PowerDNS/pdns/issues/7573
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html
Patches: https://downloads.powerdns.com/patches/2019-03/
Search for package or bug name: Reporting problems