[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#882959: stretch-pu: package pdns/4.0.3-1+deb9u2

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Security update using upstream patch, for CVE-2017-15091.
DSA has marked this no-DSA but suggested that this should
be fixed via stable-updates.

4.0.3-1+deb9u1 is already in p-u, the attached debdiff is
against that version. Please let me know if this is bad.

Thanks,
Chris

diff -Nru pdns-4.0.3/debian/changelog pdns-4.0.3/debian/changelog
--- pdns-4.0.3/debian/changelog	2017-10-30 07:12:17.000000000 +0000
+++ pdns-4.0.3/debian/changelog	2017-11-27 22:02:24.000000000 +0000
@@ -1,3 +1,10 @@
+pdns (4.0.3-1+deb9u2) stretch; urgency=medium
+
+  * Add upstream patch fixing security issue:
+  * Missing check on API operations. CVE-2017-15091
+
+ -- Christian Hofstaedtler <zeha@debian.org>  Mon, 27 Nov 2017 22:02:24 +0000
+
 pdns (4.0.3-1+deb9u1) stretch; urgency=medium
 
   * Fix incorrect qname casing in NSEC3 generation (Closes: #869222)
diff -Nru pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch
--- pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch	1970-01-01 00:00:00.000000000 +0000
+++ pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch	2017-11-27 22:02:24.000000000 +0000
@@ -0,0 +1,30 @@
+diff -ru pdns-4.0.4.orig/pdns/ws-auth.cc pdns-4.0.4/pdns/ws-auth.cc
+--- pdns-4.0.4.orig/pdns/ws-auth.cc	2017-06-22 22:07:25.000000000 +0200
++++ pdns-4.0.4/pdns/ws-auth.cc	2017-11-02 18:07:20.986764858 +0100
+@@ -860,7 +860,7 @@
+ static void apiServerZoneAxfrRetrieve(HttpRequest* req, HttpResponse* resp) {
+   DNSName zonename = apiZoneIdToName(req->parameters["id"]);
+ 
+-  if(req->method != "PUT")
++  if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
+     throw HttpMethodNotAllowedException();
+ 
+   UeberBackend B;
+@@ -879,7 +879,7 @@
+ static void apiServerZoneNotify(HttpRequest* req, HttpResponse* resp) {
+   DNSName zonename = apiZoneIdToName(req->parameters["id"]);
+ 
+-  if(req->method != "PUT")
++  if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
+     throw HttpMethodNotAllowedException();
+ 
+   UeberBackend B;
+@@ -1191,7 +1191,7 @@
+ }
+ 
+ void apiServerCacheFlush(HttpRequest* req, HttpResponse* resp) {
+-  if(req->method != "PUT")
++  if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
+     throw HttpMethodNotAllowedException();
+ 
+   DNSName canon = apiNameToDNSName(req->getvars["domain"]);
diff -Nru pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc
--- pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc	1970-01-01 00:00:00.000000000 +0000
+++ pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc	2017-11-27 22:02:24.000000000 +0000
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQFNBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAloStHQaHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEYtRgf3bMwaR4tdR0p5f0TMCuFN
+7QbOpyLFLhatNYQFhUEFXQ7nesgNtNObu6qLOTi9fxD4zpcvnkz/a22m5S9tkf0W
+Y6E2fMy9NoLysSvTwgBCrXKbqttzFvpYRCWVzKnWgz67hjF4U57Wp1rY88XWmVHE
+5T4unYv7Kn+C2mDfBl1cOnRO2Y1VeJ79hS802q1WrnqREJkIZrN+CzpXGX/512Tg
+PLQ6Dke25kvlqGqsC7PRI8lU9Sm9UPLkR1ILKQCoIgxi7RXXYNmIE2dPgI2z06pm
+Cu9wFIYiaYtUjG+u4N6heJSfDvJZbWX+c8Xhvy16u3i1M/xPhB2Sq/IgZQV7S+NK
+=0Skb
+-----END PGP SIGNATURE-----
diff -Nru pdns-4.0.3/debian/patches/series pdns-4.0.3/debian/patches/series
--- pdns-4.0.3/debian/patches/series	2017-10-30 07:12:17.000000000 +0000
+++ pdns-4.0.3/debian/patches/series	2017-11-27 22:02:24.000000000 +0000
@@ -1 +1,2 @@
 869222-lowercase-qname-before-NSEC-generation.patch
+CVE-2017-15091-4.0.4.patch
Reply to: