Security update for pdns SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1128-1 Final 1 1 2019-04-03T01:51:41Z current 2019-04-03T01:51:41Z 2019-04-03T01:51:41Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for pdns This update for pdns fixes the following issue: Security issue fixed: - CVE-2019-3871: Fixed an insufficient validation in the HTTP remote backend which could allow a remote user to cause the HTTP backend to connect to an attacker-specified host instead of the configured one (bsc#1129734). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-1128 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6HWYPEI7LWADS6EXV3RDYBSB4K4WDP6U/#6HWYPEI7LWADS6EXV3RDYBSB4K4WDP6U E-Mail link for openSUSE-SU-2019:1128-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1129734 SUSE Bug 1129734 https://www.suse.com/security/cve/CVE-2019-3871/ SUSE CVE CVE-2019-3871 page SUSE Package Hub 12 SP1 SUSE Package Hub 15 openSUSE Leap 15.0 pdns-4.1.2-bp150.2.6.1 pdns-backend-geoip-4.1.2-bp150.2.6.1 pdns-backend-godbc-4.1.2-bp150.2.6.1 pdns-backend-ldap-4.1.2-bp150.2.6.1 pdns-backend-lua-4.1.2-bp150.2.6.1 pdns-backend-mydns-4.1.2-bp150.2.6.1 pdns-backend-mysql-4.1.2-bp150.2.6.1 pdns-backend-postgresql-4.1.2-bp150.2.6.1 pdns-backend-remote-4.1.2-bp150.2.6.1 pdns-backend-sqlite3-4.1.2-bp150.2.6.1 pdns-4.1.2-bp150.2.6.1 as a component of SUSE Package Hub 12 SP1 pdns-backend-geoip-4.1.2-bp150.2.6.1 as a component of SUSE Package Hub 12 SP1 pdns-backend-godbc-4.1.2-bp150.2.6.1 as a component of SUSE Package Hub 12 SP1 pdns-backend-ldap-4.1.2-bp150.2.6.1 as a component of SUSE Package Hub 12 SP1 pdns-backend-lua-4.1.2-bp150.2.6.1 as a component of SUSE Package Hub 12 SP1 pdns-backend-mydns-4.1.2-bp150.2.6.1 as a component of SUSE Package Hub 12 SP1 pdns-backend-mysql-4.1.2-bp150.2.6.1 as a component of SUSE Package Hub 12 SP1 pdns-backend-postgresql-4.1.2-bp150.2.6.1 as a component of SUSE Package Hub 12 SP1 pdns-backend-remote-4.1.2-bp150.2.6.1 as a component of SUSE Package Hub 12 SP1 pdns-backend-sqlite3-4.1.2-bp150.2.6.1 as a component of SUSE Package Hub 12 SP1 pdns-4.1.2-bp150.2.6.1 as a component of SUSE Package Hub 15 pdns-backend-geoip-4.1.2-bp150.2.6.1 as a component of SUSE Package Hub 15 pdns-backend-godbc-4.1.2-bp150.2.6.1 as a component of SUSE Package Hub 15 pdns-backend-ldap-4.1.2-bp150.2.6.1 as a component of SUSE Package Hub 15 pdns-backend-lua-4.1.2-bp150.2.6.1 as a component of SUSE Package Hub 15 pdns-backend-mydns-4.1.2-bp150.2.6.1 as a component of SUSE Package Hub 15 pdns-backend-mysql-4.1.2-bp150.2.6.1 as a component of SUSE Package Hub 15 pdns-backend-postgresql-4.1.2-bp150.2.6.1 as a component of SUSE Package Hub 15 pdns-backend-remote-4.1.2-bp150.2.6.1 as a component of SUSE Package Hub 15 pdns-backend-sqlite3-4.1.2-bp150.2.6.1 as a component of SUSE Package Hub 15 pdns-4.1.2-bp150.2.6.1 as a component of openSUSE Leap 15.0 pdns-backend-geoip-4.1.2-bp150.2.6.1 as a component of openSUSE Leap 15.0 pdns-backend-godbc-4.1.2-bp150.2.6.1 as a component of openSUSE Leap 15.0 pdns-backend-ldap-4.1.2-bp150.2.6.1 as a component of openSUSE Leap 15.0 pdns-backend-lua-4.1.2-bp150.2.6.1 as a component of openSUSE Leap 15.0 pdns-backend-mydns-4.1.2-bp150.2.6.1 as a component of openSUSE Leap 15.0 pdns-backend-mysql-4.1.2-bp150.2.6.1 as a component of openSUSE Leap 15.0 pdns-backend-postgresql-4.1.2-bp150.2.6.1 as a component of openSUSE Leap 15.0 pdns-backend-remote-4.1.2-bp150.2.6.1 as a component of openSUSE Leap 15.0 pdns-backend-sqlite3-4.1.2-bp150.2.6.1 as a component of openSUSE Leap 15.0 A vulnerability was found in PowerDNS Authoritative Server before 4.0.7 and before 4.1.7. An insufficient validation of data coming from the user when building a HTTP request from a DNS query in the HTTP Connector of the Remote backend, allowing a remote user to cause a denial of service by making the server connect to an invalid endpoint, or possibly information disclosure by making the server connect to an internal endpoint and somehow extracting meaningful information about the response CVE-2019-3871 SUSE Package Hub 12 SP1:pdns-4.1.2-bp150.2.6.1 SUSE Package Hub 12 SP1:pdns-backend-geoip-4.1.2-bp150.2.6.1 SUSE Package Hub 12 SP1:pdns-backend-godbc-4.1.2-bp150.2.6.1 SUSE Package Hub 12 SP1:pdns-backend-ldap-4.1.2-bp150.2.6.1 SUSE Package Hub 12 SP1:pdns-backend-lua-4.1.2-bp150.2.6.1 SUSE Package Hub 12 SP1:pdns-backend-mydns-4.1.2-bp150.2.6.1 SUSE Package Hub 12 SP1:pdns-backend-mysql-4.1.2-bp150.2.6.1 SUSE Package Hub 12 SP1:pdns-backend-postgresql-4.1.2-bp150.2.6.1 SUSE Package Hub 12 SP1:pdns-backend-remote-4.1.2-bp150.2.6.1 SUSE Package Hub 12 SP1:pdns-backend-sqlite3-4.1.2-bp150.2.6.1 SUSE Package Hub 15:pdns-4.1.2-bp150.2.6.1 SUSE Package Hub 15:pdns-backend-geoip-4.1.2-bp150.2.6.1 SUSE Package Hub 15:pdns-backend-godbc-4.1.2-bp150.2.6.1 SUSE Package Hub 15:pdns-backend-ldap-4.1.2-bp150.2.6.1 SUSE Package Hub 15:pdns-backend-lua-4.1.2-bp150.2.6.1 SUSE Package Hub 15:pdns-backend-mydns-4.1.2-bp150.2.6.1 SUSE Package Hub 15:pdns-backend-mysql-4.1.2-bp150.2.6.1 SUSE Package Hub 15:pdns-backend-postgresql-4.1.2-bp150.2.6.1 SUSE Package Hub 15:pdns-backend-remote-4.1.2-bp150.2.6.1 SUSE Package Hub 15:pdns-backend-sqlite3-4.1.2-bp150.2.6.1 openSUSE Leap 15.0:pdns-4.1.2-bp150.2.6.1 openSUSE Leap 15.0:pdns-backend-geoip-4.1.2-bp150.2.6.1 openSUSE Leap 15.0:pdns-backend-godbc-4.1.2-bp150.2.6.1 openSUSE Leap 15.0:pdns-backend-ldap-4.1.2-bp150.2.6.1 openSUSE Leap 15.0:pdns-backend-lua-4.1.2-bp150.2.6.1 openSUSE Leap 15.0:pdns-backend-mydns-4.1.2-bp150.2.6.1 openSUSE Leap 15.0:pdns-backend-mysql-4.1.2-bp150.2.6.1 openSUSE Leap 15.0:pdns-backend-postgresql-4.1.2-bp150.2.6.1 openSUSE Leap 15.0:pdns-backend-remote-4.1.2-bp150.2.6.1 openSUSE Leap 15.0:pdns-backend-sqlite3-4.1.2-bp150.2.6.1 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6HWYPEI7LWADS6EXV3RDYBSB4K4WDP6U/#6HWYPEI7LWADS6EXV3RDYBSB4K4WDP6U https://www.suse.com/security/cve/CVE-2019-3871.html CVE-2019-3871 https://bugzilla.suse.com/1129734 SUSE Bug 1129734