Bug#882959: stretch-pu: package pdns/4.0.3-1+deb9u2

2017-11-29 Thread Adam D. Barratt

Control: tags -1 + pending

On 2017-11-28 23:35, Christian Hofstaedtler wrote:
> * Adam D. Barratt  [171128 22:22]:
> > Control: tags -1 + confirmed
> > 
> > On Mon, 2017-11-27 at 22:25 +, Chris Hofstaedtler wrote:
> > > Security update using upstream patch, for CVE-2017-15091.
> > > DSA has marked this no-DSA but suggested that this should
> > > be fixed via stable-updates.
> > 
> > I assume you mean proposed-updates.
> 
> Indeed; sorry for that mixup.
> 
> > Please go ahead.
> 
> Uploaded, thanks.


Flagged for acceptance.

Regards,

Adam



Bug#882959: stretch-pu: package pdns/4.0.3-1+deb9u2

2017-11-28 Thread Christian Hofstaedtler
* Adam D. Barratt  [171128 22:22]:
> Control: tags -1 + confirmed
> 
> On Mon, 2017-11-27 at 22:25 +, Chris Hofstaedtler wrote:
> > Security update using upstream patch, for CVE-2017-15091.
> > DSA has marked this no-DSA but suggested that this should
> > be fixed via stable-updates.
> 
> I assume you mean proposed-updates.

Indeed; sorry for that mixup.

> Please go ahead.

Uploaded, thanks.

Chris



Bug#882959: stretch-pu: package pdns/4.0.3-1+deb9u2

2017-11-28 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2017-11-27 at 22:25 +, Chris Hofstaedtler wrote:
> Security update using upstream patch, for CVE-2017-15091.
> DSA has marked this no-DSA but suggested that this should
> be fixed via stable-updates.

I assume you mean proposed-updates.

Please go ahead.

Regards,

Adam



Bug#882959: stretch-pu: package pdns/4.0.3-1+deb9u2

2017-11-27 Thread Chris Hofstaedtler
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Security update using upstream patch, for CVE-2017-15091.
DSA has marked this no-DSA but suggested that this should
be fixed via stable-updates.

4.0.3-1+deb9u1 is already in p-u, the attached debdiff is
against that version. Please let me know if this is bad.

Thanks,
Chris
diff -Nru pdns-4.0.3/debian/changelog pdns-4.0.3/debian/changelog
--- pdns-4.0.3/debian/changelog 2017-10-30 07:12:17.0 +
+++ pdns-4.0.3/debian/changelog 2017-11-27 22:02:24.0 +
@@ -1,3 +1,10 @@
+pdns (4.0.3-1+deb9u2) stretch; urgency=medium
+
+  * Add upstream patch fixing security issue:
+  * Missing check on API operations. CVE-2017-15091
+
+ -- Christian Hofstaedtler   Mon, 27 Nov 2017 22:02:24 +
+
 pdns (4.0.3-1+deb9u1) stretch; urgency=medium
 
   * Fix incorrect qname casing in NSEC3 generation (Closes: #869222)
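Review bot: the two bullets `* Add upstream patch fixing security issue:` and `* Missing check on API operations. CVE-2017-15091` are really one item (the second line describes the first), and "missing check" does not say what was missing; merging them into a single entry that names the actual defect as shown by the added patch (the api-readonly setting not being honoured by the zone AXFR-retrieve, zone notify and cache-flush API handlers) would let readers of the changelog and the security tracker see the impact without opening debian/patches. Referencing the patch file name (CVE-2017-15091-4.0.4.patch) in the entry also makes it easy to match the changelog to the series change.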
diff -Nru pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch 
pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch
--- pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch1970-01-01 
00:00:00.0 +
+++ pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch2017-11-27 
22:02:24.0 +
@@ -0,0 +1,30 @@
+diff -ru pdns-4.0.4.orig/pdns/ws-auth.cc pdns-4.0.4/pdns/ws-auth.cc
+--- pdns-4.0.4.orig/pdns/ws-auth.cc2017-06-22 22:07:25.0 +0200
 pdns-4.0.4/pdns/ws-auth.cc 2017-11-02 18:07:20.986764858 +0100
+@@ -860,7 +860,7 @@
+ static void apiServerZoneAxfrRetrieve(HttpRequest* req, HttpResponse* resp) {
+   DNSName zonename = apiZoneIdToName(req->parameters["id"]);
+ 
+-  if(req->method != "PUT")
++  if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
+ throw HttpMethodNotAllowedException();
+ 
+   UeberBackend B;
+@@ -879,7 +879,7 @@
+ static void apiServerZoneNotify(HttpRequest* req, HttpResponse* resp) {
+   DNSName zonename = apiZoneIdToName(req->parameters["id"]);
+ 
+-  if(req->method != "PUT")
++  if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
+ throw HttpMethodNotAllowedException();
+ 
+   UeberBackend B;
+@@ -1191,7 +1191,7 @@
+ }
+ 
+ void apiServerCacheFlush(HttpRequest* req, HttpResponse* resp) {
+-  if(req->method != "PUT")
++  if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
+ throw HttpMethodNotAllowedException();
+ 
+   DNSName canon = apiNameToDNSName(req->getvars["domain"]);
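Review bot: in all three handlers (apiServerZoneAxfrRetrieve, apiServerZoneNotify and apiServerCacheFlush) the new `|| ::arg().mustDo("api-readonly")` condition reuses `HttpMethodNotAllowedException`, so a PUT refused because the API is in read-only mode produces the same Method Not Allowed response as a wrong HTTP verb; that is the upstream behaviour and acceptable for a stable update, but a distinct error (or at least a comment at each of the three sites) would make read-only refusals distinguishable in client output and server logs, which helps when verifying the mitigation is active after deployment. The hunk limits the change to these three endpoints, so it is worth confirming that no other mutating handler in ws-auth.cc still lacks the api-readonly check. Separately, the patch file has no DEP-3 header (Description, Origin, Bug) before its first `diff -ru` line; adding one that points at the upstream 4.0.4 fix for CVE-2017-15091, whose detached signature is shipped as the accompanying .asc file, would document the provenance in the usual place.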
diff -Nru pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc 
pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc
--- pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc1970-01-01 
00:00:00.0 +
+++ pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc2017-11-27 
22:02:24.0 +
@@ -0,0 +1,11 @@
+-BEGIN PGP SIGNATURE-
+
+iQFNBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAloStHQaHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEYtRgf3bMwaR4tdR0p5f0TMCuFN
+7QbOpyLFLhatNYQFhUEFXQ7nesgNtNObu6qLOTi9fxD4zpcvnkz/a22m5S9tkf0W
+Y6E2fMy9NoLysSvTwgBCrXKbqttzFvpYRCWVzKnWgz67hjF4U57Wp1rY88XWmVHE
+5T4unYv7Kn+C2mDfBl1cOnRO2Y1VeJ79hS802q1WrnqREJkIZrN+CzpXGX/512Tg
+PLQ6Dke25kvlqGqsC7PRI8lU9Sm9UPLkR1ILKQCoIgxi7RXXYNmIE2dPgI2z06pm
+Cu9wFIYiaYtUjG+u4N6heJSfDvJZbWX+c8Xhvy16u3i1M/xPhB2Sq/IgZQV7S+NK
+=0Skb
+-END PGP SIGNATURE-
diff -Nru pdns-4.0.3/debian/patches/series pdns-4.0.3/debian/patches/series
--- pdns-4.0.3/debian/patches/series2017-10-30 07:12:17.0 +
+++ pdns-4.0.3/debian/patches/series2017-11-27 22:02:24.0 +
@@ -1 +1,2 @@
 869222-lowercase-qname-before-NSEC-generation.patch
+CVE-2017-15091-4.0.4.patch