
Bug#882961: jessie-pu: package pdns/3.4.1-4+deb8u8



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Security update for CVE-2017-15091. DSA has marked this
no-DSA but suggested this goes through (old)-stable-updates.

debdiff attached.

Thanks,
Chris
diff -Nru pdns-3.4.1/debian/changelog pdns-3.4.1/debian/changelog
--- pdns-3.4.1/debian/changelog	2017-01-07 00:45:53.000000000 +0000
+++ pdns-3.4.1/debian/changelog	2017-11-27 21:19:19.000000000 +0000
@@ -1,3 +1,10 @@
+pdns (3.4.1-4+deb8u8) jessie; urgency=medium
+
+  * Add patch fixing security issue:
+  * Missing check on API operations: CVE-2017-15091
+
+ -- Christian Hofstaedtler <zeha@debian.org>  Mon, 27 Nov 2017 21:19:19 +0000
+
 pdns (3.4.1-4+deb8u7) jessie-security; urgency=high
 
   * Security upload.
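
Review bot: The two items in the new 3.4.1-4+deb8u8 stanza read as two separate changes, but the second ("Missing check on API operations: CVE-2017-15091") is the description of the first. Suggest merging them into one item, or indenting the second as a sub-item, and naming the added file (CVE-2017-15091.patch) so the changelog points at what was added.
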
diff -Nru pdns-3.4.1/debian/patches/CVE-2017-15091.patch pdns-3.4.1/debian/patches/CVE-2017-15091.patch
--- pdns-3.4.1/debian/patches/CVE-2017-15091.patch	1970-01-01 00:00:00.000000000 +0000
+++ pdns-3.4.1/debian/patches/CVE-2017-15091.patch	2017-11-27 21:19:19.000000000 +0000
@@ -0,0 +1,16 @@
+Index: pdns/pdns/ws-auth.cc
+===================================================================
+--- pdns.orig/pdns/ws-auth.cc
++++ pdns/pdns/ws-auth.cc
+@@ -1144,6 +1144,11 @@ void AuthWebServer::jsonstat(HttpRequest
+ {
+   string command;
+ 
++  if (::arg().mustDo("experimental-api-readonly")) {
++    resp->body = returnJsonError("Unavailable when API is readonly");
++    resp->status = 405;
++  }
++
+   if(req->getvars.count("command")) {
+     command = req->getvars["command"];
+     req->getvars.erase("command");
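
Review bot: The new experimental-api-readonly check in AuthWebServer::jsonstat sets resp->body and resp->status = 405 but has no return, so in the lines shown control falls through to the if(req->getvars.count("command")) handling that the check is meant to block. Unless code outside this hunk stops it, a read-only API would still process the command and could overwrite the 405 response. Suggest adding "return;" after "resp->status = 405;" inside the block. Separately, the patch file starts directly at the "Index:" line with no description or origin header; a short header stating where the fix comes from would help later reviewers.
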
diff -Nru pdns-3.4.1/debian/patches/series pdns-3.4.1/debian/patches/series
--- pdns-3.4.1/debian/patches/series	2017-01-07 00:45:53.000000000 +0000
+++ pdns-3.4.1/debian/patches/series	2017-11-27 21:19:19.000000000 +0000
@@ -9,3 +9,4 @@
 CVE-2016-7072.patch
 CVE-2016-7068.patch
 CVE-2016-2120.patch
+CVE-2017-15091.patch
