CVE-2019-3871

Name: CVE-2019-3871
Description: A vulnerability was found in PowerDNS Authoritative Server before 4.0.7 and before 4.1.7. An insufficient validation of data coming from the user when building a HTTP request from a DNS query in the HTTP Connector of the Remote backend, allowing a remote user to cause a denial of service by making the server connect to an invalid endpoint, or possibly information disclosure by making the server connect to an internal endpoint and somehow extracting meaningful information about the response.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1737-1, DSA-4424-1
NVD severity: medium
Debian Bugs: 924966

Vulnerable and fixed packages

The table below lists information on source packages.

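| Source Package | Release | Version | Status |
|---|---|---|---|
| pdns (PTS) | jessie | 3.4.1-4+deb8u8 | vulnerable |
| pdns | jessie (security) | 3.4.1-4+deb8u10 | fixed |
| pdns | stretch (security), stretch | 4.0.3-1+deb9u5 | fixed |
| pdns | buster | 4.1.6-3 | fixed |
| pdns | bullseye, sid | 4.2.1-1 | fixed |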

The information below is based on the following data on fixed versions.

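| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| pdns | source | (unstable) | 4.1.6-2 | | | 924966 |
| pdns | source | jessie | 3.4.1-4+deb8u9 | | DLA-1737-1 | |
| pdns | source | stretch | 4.0.3-1+deb9u4 | | DSA-4424-1 | |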

Notes

https://github.com/PowerDNS/pdns/issues/7573
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html
Patches: https://downloads.powerdns.com/patches/2019-03/
