Created attachment 216129
Update to PowerDNS Recursor 4.3.2

This update contains a security fix for CVE-2020-14196. The issue is:

CVE-2020-14196: An issue has been found in PowerDNS Recursor where the ACL applied to the internal web server via webserver-allow-from is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction.

In the default configuration the API webserver is not enabled. Only installations using a non-default value for webserver and webserver-address are affected.

As usual, there were also other smaller enhancements and bugfixes. In particular, the 4.3.2 release contains fixes that allow long CNAME chains to resolve properly, where previously they could fail if qname minimization is enabled.

QA:
portlint: OK (looks fine.)
testport: OK (12.1, amd64)

Removed file(s):
files/patch-hostnamemax (no longer necessary since it has been merged by upstream)

Created attachment 216130
Security advisory for VuXML (1 CVE)

A commit references this bug:

Author: joneum
Date: Thu Jul 2 08:58:43 UTC 2020
New revision: 541025
URL: https://svnweb.freebsd.org/changeset/ports/541025

Log:
  Add entry for dns/powerdns-recursor

  PR: 247707
  Submitted by: Ralf van der Enden <tremere@cainites.net>
  Sponsored by: Netzkommune GmbH

Changes:
  head/security/vuxml/vuln.xml

A commit references this bug:

Author: joneum
Date: Thu Jul 2 10:20:53 UTC 2020
New revision: 541029
URL: https://svnweb.freebsd.org/changeset/ports/541029

Log:
  Update to 4.3.2

  This update contains a security fix for CVE-2020-14196. The issue is:

  CVE-2020-14196: An issue has been found in PowerDNS Recursor where the ACL applied to the internal web server via webserver-allow-from is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction.

  In the default configuration the API webserver is not enabled. Only installations using a non-default value for webserver and webserver-address are affected.

  As usual, there were also other smaller enhancements and bugfixes. In particular, the 4.3.2 release contains fixes that allow long CNAME chains to resolve properly, where previously they could fail if qname minimization is enabled.

  PR: 247707
  Submitted by: Ralf van der Enden <tremere@cainites.net> (maintainer)
  MFH: 2020Q3
  Security: 641cd669-bc37-11ea-babf-6805ca2fa271
  Sponsored by: Netzkommune GmbH

Changes:
  head/dns/powerdns-recursor/Makefile
  head/dns/powerdns-recursor/distinfo
  head/dns/powerdns-recursor/files/patch-hostnamemax

A commit references this bug:

Author: joneum
Date: Thu Jul 2 10:22:07 UTC 2020
New revision: 541030
URL: https://svnweb.freebsd.org/changeset/ports/541030

Log:
  MFH: r541029

  Update to 4.3.2

  This update contains a security fix for CVE-2020-14196. The issue is:

  CVE-2020-14196: An issue has been found in PowerDNS Recursor where the ACL applied to the internal web server via webserver-allow-from is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction.

  In the default configuration the API webserver is not enabled. Only installations using a non-default value for webserver and webserver-address are affected.

  As usual, there were also other smaller enhancements and bugfixes. In particular, the 4.3.2 release contains fixes that allow long CNAME chains to resolve properly, where previously they could fail if qname minimization is enabled.

  PR: 247707
  Submitted by: Ralf van der Enden <tremere@cainites.net> (maintainer)
  Security: 641cd669-bc37-11ea-babf-6805ca2fa271
  Sponsored by: Netzkommune GmbH

  Approved by: ports-secteam (with hat)

Changes:
  _U  branches/2020Q3/
  branches/2020Q3/dns/powerdns-recursor/Makefile
  branches/2020Q3/dns/powerdns-recursor/distinfo
  branches/2020Q3/dns/powerdns-recursor/files/patch-hostnamemax

^Triage:

- Set security issues (severity: affects many, priority: normal)
- Track merge (merge-quarterly +)
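
The exposure condition in the CVE-2020-14196 description above (a non-default webserver and webserver-address), as an added example that is not part of this PR or of PowerDNS: a checker for a recursor.conf and an installed version. The defaults (webserver=no, webserver-address=127.0.0.1), the rule that any value other than no/off enables the web server, and treating every version below 4.3.2 as unfixed are assumptions; the sample configs are constructed.

```python
import re

# Assumed upstream defaults (not stated in the PR): web server off, bound to loopback.
DEFAULTS = {"webserver": "no", "webserver-address": "127.0.0.1"}
FIXED = (4, 3, 2)  # version the PR updates the port to

def parse_conf(text):
    """Parse recursor.conf 'key=value' / 'key+=value' lines; last assignment wins."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"([A-Za-z0-9-]+)\s*(\+?=)\s*(.*)$", line)
        if not m:
            continue
        key, op, val = m.group(1), m.group(2), m.group(3).strip()
        if op == "+=" and conf.get(key):
            val = conf[key] + "," + val  # '+=' appends to the earlier value
        conf[key] = val
    return conf

def acl_bypass_exposure(conf_text, version):
    """Report whether this config/version pair matches the advisory's condition."""
    conf = parse_conf(conf_text)
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)  # tolerates port suffixes like _1
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    patched = tuple(int(p) for p in m.groups()) >= FIXED
    # Assumption: anything other than no/off turns the web server on.
    enabled = conf["webserver"].lower() not in ("no", "off")
    moved = conf["webserver-address"] != DEFAULTS["webserver-address"]
    return {
        "webserver": enabled,
        "address": conf["webserver-address"],
        "allow_from": conf.get("webserver-allow-from"),  # None = not set in file
        "patched": patched,
        # Affected: non-default webserver and webserver-address, on an unfixed version.
        "affected": enabled and moved and not patched,
    }

# Constructed sample configs, not taken from any real host.
EXPOSED = """\
webserver=yes
webserver-address=192.0.2.10   # management interface
webserver-allow-from=192.0.2.0/24
"""
STOCK = "# webserver=yes\nallow-from=10.0.0.0/8\n"

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED), ("stock", STOCK)):
        print(name, acl_bypass_exposure(text, "4.3.1"))
```

A host flagged as affected is relying on webserver-allow-from as its only restriction on the web server, which is the control the advisory says was not enforced.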