[3.7] pdns-recursor: Multiple vulnerabilities (CVE-2017-15090, CVE-2017-15092, CVE-2017-15093, CVE-2017-15094)
CVE-2017-15090: Insufficient validation of DNSSEC signatures
Affects:
PowerDNS Recursor from 4.0.0 and up to and including 4.0.6
Not affected:
PowerDNS Recursor < 4.0.0, 4.0.7
References:
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html
http://openwall.com/lists/oss-security/2017/11/27/1
CVE-2017-15092: Cross-Site Scripting in the web interface
Affects:
PowerDNS Recursor from 4.0.0 up to and including 4.0.6
Not affected:
PowerDNS Recursor 4.0.7, 3.7.x
References:
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html
http://openwall.com/lists/oss-security/2017/11/27/1
CVE-2017-15093: Configuration file injection in the API
Affects:
PowerDNS Recursor up to and including 4.0.6, 3.7.4
Not affected:
PowerDNS Recursor 4.0.7
References:
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html
http://openwall.com/lists/oss-security/2017/11/27/1
CVE-2017-15094:
Memory leak in DNSSEC parsing
Affects:
PowerDNS Recursor from 4.0.0 up to and including 4.0.6
Not affected:
PowerDNS Recursor 4.0.7
References:
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html
http://openwall.com/lists/oss-security/2017/11/27/1
(from redmine: issue id 8254, created on 2017-12-07, closed on 2017-12-15)
- Relations:
- parent #8252 (closed)
- Changesets:
- Revision 0821b9aa by Francesco Colista on 2017-12-15T14:01:19Z:
community/pdns-recursor: security upgrade to 4.0.7 (CVE-2017-15090-15092-15093-15094). Fixes #8254