Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Security update using upstream patch, for CVE-2017-15091.
DSA has marked this no-DSA but suggested that this should
be fixed via stable-updates.
4.0.3-1+deb9u1 is already in p-u, the attached debdiff is
against that version. Please let me know if this is bad.
Thanks,
Chris
diff -Nru pdns-4.0.3/debian/changelog pdns-4.0.3/debian/changelog
--- pdns-4.0.3/debian/changelog 2017-10-30 07:12:17.0 +
+++ pdns-4.0.3/debian/changelog 2017-11-27 22:02:24.0 +
@@ -1,3 +1,10 @@
+pdns (4.0.3-1+deb9u2) stretch; urgency=medium
+
+ * Add upstream patch fixing security issue:
+ * Missing check on API operations. CVE-2017-15091
+
+ -- Christian Hofstaedtler Mon, 27 Nov 2017 22:02:24 +
+
pdns (4.0.3-1+deb9u1) stretch; urgency=medium
* Fix incorrect qname casing in NSEC3 generation (Closes: #869222)
diff -Nru pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch
pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch
--- pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch1970-01-01
00:00:00.0 +
+++ pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch2017-11-27
22:02:24.0 +
@@ -0,0 +1,30 @@
+diff -ru pdns-4.0.4.orig/pdns/ws-auth.cc pdns-4.0.4/pdns/ws-auth.cc
+--- pdns-4.0.4.orig/pdns/ws-auth.cc2017-06-22 22:07:25.0 +0200
pdns-4.0.4/pdns/ws-auth.cc 2017-11-02 18:07:20.986764858 +0100
+@@ -860,7 +860,7 @@
+ static void apiServerZoneAxfrRetrieve(HttpRequest* req, HttpResponse* resp) {
+ DNSName zonename = apiZoneIdToName(req->parameters["id"]);
+
+- if(req->method != "PUT")
++ if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
+ throw HttpMethodNotAllowedException();
+
+ UeberBackend B;
+@@ -879,7 +879,7 @@
+ static void apiServerZoneNotify(HttpRequest* req, HttpResponse* resp) {
+ DNSName zonename = apiZoneIdToName(req->parameters["id"]);
+
+- if(req->method != "PUT")
++ if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
+ throw HttpMethodNotAllowedException();
+
+ UeberBackend B;
+@@ -1191,7 +1191,7 @@
+ }
+
+ void apiServerCacheFlush(HttpRequest* req, HttpResponse* resp) {
+- if(req->method != "PUT")
++ if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
+ throw HttpMethodNotAllowedException();
+
+ DNSName canon = apiNameToDNSName(req->getvars["domain"]);
diff -Nru pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc
pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc
--- pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc1970-01-01
00:00:00.0 +
+++ pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc2017-11-27
22:02:24.0 +
@@ -0,0 +1,11 @@
+-BEGIN PGP SIGNATURE-
+
+iQFNBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAloStHQaHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEYtRgf3bMwaR4tdR0p5f0TMCuFN
+7QbOpyLFLhatNYQFhUEFXQ7nesgNtNObu6qLOTi9fxD4zpcvnkz/a22m5S9tkf0W
+Y6E2fMy9NoLysSvTwgBCrXKbqttzFvpYRCWVzKnWgz67hjF4U57Wp1rY88XWmVHE
+5T4unYv7Kn+C2mDfBl1cOnRO2Y1VeJ79hS802q1WrnqREJkIZrN+CzpXGX/512Tg
+PLQ6Dke25kvlqGqsC7PRI8lU9Sm9UPLkR1ILKQCoIgxi7RXXYNmIE2dPgI2z06pm
+Cu9wFIYiaYtUjG+u4N6heJSfDvJZbWX+c8Xhvy16u3i1M/xPhB2Sq/IgZQV7S+NK
+=0Skb
+-END PGP SIGNATURE-
diff -Nru pdns-4.0.3/debian/patches/series pdns-4.0.3/debian/patches/series
--- pdns-4.0.3/debian/patches/series2017-10-30 07:12:17.0 +
+++ pdns-4.0.3/debian/patches/series2017-11-27 22:02:24.0 +
@@ -1 +1,2 @@
869222-lowercase-qname-before-NSEC-generation.patch
+CVE-2017-15091-4.0.4.patch