pdns: CVE-2019-3871: Insufficient validation in the HTTP remote backend

Related Vulnerabilities: CVE-2019-3871  

Debian Bug report logs - #924966


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 19 Mar 2019 09:36:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in versions pdns/4.1.6-1, pdns/4.0.3-1, pdns/4.0.3-1+deb9u3

Fixed in versions pdns/4.1.6-2, pdns/4.0.3-1+deb9u4

Done: Christian Hofstaedtler <zeha@debian.org>

Forwarded to https://github.com/PowerDNS/pdns/issues/7573



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, pdns packagers <pdns@packages.debian.org>:
Bug#924966; Package src:pdns. (Tue, 19 Mar 2019 09:36:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, pdns packagers <pdns@packages.debian.org>. (Tue, 19 Mar 2019 09:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pdns: CVE-2019-3871: Insufficient validation in the HTTP remote backend
Date: Tue, 19 Mar 2019 10:32:38 +0100
Source: pdns
Version: 4.1.6-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/PowerDNS/pdns/issues/7573
Control: found -1 4.0.3-1+deb9u3
Control: found -1 4.0.3-1

Hi,

The following vulnerability was published for pdns.

CVE-2019-3871[0]:
Insufficient validation in the HTTP remote backend

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3871
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3871
[1] https://www.openwall.com/lists/oss-security/2019/03/18/4
[2] https://github.com/PowerDNS/pdns/issues/7573
[3] https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html
[4] https://downloads.powerdns.com/patches/2019-03/

Regards,
Salvatore



Marked as found in versions pdns/4.0.3-1+deb9u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 19 Mar 2019 09:36:04 GMT)


Marked as found in versions pdns/4.0.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 19 Mar 2019 09:36:04 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 25 Mar 2019 19:30:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, pdns packagers <pdns@packages.debian.org>:
Bug#924966; Package src:pdns. (Fri, 29 Mar 2019 16:39:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to pdns packagers <pdns@packages.debian.org>. (Fri, 29 Mar 2019 16:39:05 GMT)


Message #16 received at 924966@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 924966@bugs.debian.org
Subject: pdns: diff for NMU version 4.1.6-1.1
Date: Fri, 29 Mar 2019 17:36:49 +0100
Control: tags 924966 + patch
Control: tags 924966 + pending


Dear maintainer,

I've prepared an NMU for pdns (versioned as 4.1.6-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

There is a corresponding merge request at
https://salsa.debian.org/dns-team/pdns/merge_requests/1 .

Regards,
Salvatore
[pdns-4.1.6-1.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 924966-submit@bugs.debian.org. (Fri, 29 Mar 2019 16:39:05 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 924966-submit@bugs.debian.org. (Fri, 29 Mar 2019 16:39:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, pdns packagers <pdns@packages.debian.org>:
Bug#924966; Package src:pdns. (Sun, 31 Mar 2019 09:39:06 GMT)


Acknowledgement sent to Chris Hofstaedtler <zeha@debian.org>:
Extra info received and forwarded to list. Copy sent to pdns packagers <pdns@packages.debian.org>. (Sun, 31 Mar 2019 09:39:06 GMT)


Message #25 received at 924966@bugs.debian.org:

From: Chris Hofstaedtler <zeha@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 924966@bugs.debian.org
Subject: Re: Bug#924966: pdns: diff for NMU version 4.1.6-1.1
Date: Sun, 31 Mar 2019 11:25:13 +0200
* Salvatore Bonaccorso <carnil@debian.org> [190329 17:39]:
> Control: tags 924966 + patch
> Control: tags 924966 + pending
> 
> 
> Dear maintainer,
> 
> I've prepared an NMU for pdns (versioned as 4.1.6-1.1) and
> uploaded it to DELAYED/5. Please feel free to tell me if I
> should delay it longer.
> 
> There is a corresponding merge request at
> https://salsa.debian.org/dns-team/pdns/merge_requests/1 .

I'll try to have a look at it this weekend, but if you don't hear
anything else please go ahead :-)

Thanks,
Chris


Reply sent to Chris Hofstaedtler <zeha@debian.org>:
You have taken responsibility. (Sun, 31 Mar 2019 13:21:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 31 Mar 2019 13:21:14 GMT)


Message #30 received at 924966-close@bugs.debian.org:

From: Chris Hofstaedtler <zeha@debian.org>
To: 924966-close@bugs.debian.org
Subject: Bug#924966: fixed in pdns 4.1.6-2
Date: Sun, 31 Mar 2019 13:18:53 +0000
Source: pdns
Source-Version: 4.1.6-2

We believe that the bug you reported is fixed in the latest version of
pdns, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924966@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Hofstaedtler <zeha@debian.org> (supplier of updated pdns package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 31 Mar 2019 12:48:59 +0000
Source: pdns
Architecture: source
Version: 4.1.6-2
Distribution: unstable
Urgency: high
Maintainer: pdns packagers <pdns@packages.debian.org>
Changed-By: Chris Hofstaedtler <zeha@debian.org>
Closes: 924966
Changes:
 pdns (4.1.6-2) unstable; urgency=high
 .
   [ Salvatore Bonaccorso ]
   * Insufficient validation in the HTTP remote backend (CVE-2019-3871)
     (Closes: #924966)


Reply sent to Christian Hofstaedtler <zeha@debian.org>:
You have taken responsibility. (Fri, 19 Apr 2019 14:36:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 19 Apr 2019 14:36:05 GMT)


Message #35 received at 924966-close@bugs.debian.org:

From: Christian Hofstaedtler <zeha@debian.org>
To: 924966-close@bugs.debian.org
Subject: Bug#924966: fixed in pdns 4.0.3-1+deb9u4
Date: Fri, 19 Apr 2019 14:33:03 +0000
Source: pdns
Source-Version: 4.0.3-1+deb9u4

We believe that the bug you reported is fixed in the latest version of
pdns, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924966@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hofstaedtler <zeha@debian.org> (supplier of updated pdns package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 31 Mar 2019 13:28:32 +0000
Source: pdns
Architecture: source
Version: 4.0.3-1+deb9u4
Distribution: stretch-security
Urgency: medium
Maintainer: Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>
Changed-By: Christian Hofstaedtler <zeha@debian.org>
Closes: 924966
Changes:
 pdns (4.0.3-1+deb9u4) stretch-security; urgency=medium
 .
   * Insufficient validation in the HTTP remote backend (CVE-2019-3871)
     Thanks to Salvatore Bonaccorso <carnil@debian.org> (Closes: #924966)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:05:41 2019; Machine Name: beach
