Bugzilla – Bug 1142810
VUL-1: CVE-2019-10203: pdns: PowerDNS Security Advisory 2019-06: Denial of service via crafted zone records
Last modified: 2022-03-29 09:40:11 UTC
now public through https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-06.html CVE: CVE-2019-10203 Date: July 30th, 2019 Affects: PowerDNS Authoritative 4.0.0 and up, when using the gpgsql (PostgreSQL) backend Not affected: 4.2.0, 4.1.11, 4.0.9 Severity: Low Impact: Denial of Service Exploit: This problem can be triggered via crafted records Risk of system compromise: No Solution: Update the database schema Workaround: run the process inside the guardian or inside a supervisor An issue has been found in PowerDNS Authoritative Server allowing an authorized user to cause the server to exit by inserting a crafted record in a MASTER type zone under their control. The issue is due to the fact that the Authoritative Server will exit when it tries to store the notified serial in the PostgreSQL database, if this serial cannot be represented in 31 bits. This issue has been assigned CVE-2019-10203. PowerDNS Authoritative up to and including 4.1.10 is affected. Please note that at the time of writing, PowerDNS Authoritative 3.4 and below are no longer supported, as described in https://doc.powerdns.com/authoritative/appendices/EOL.html. To fix the issue, run the following command against your PostgreSQL pdns database: ALTER TABLE domains ALTER notified_serial TYPE bigint USING CASE WHEN notified_serial >= 0 THEN notified_serial::bigint END;. No software changes are required. We would like to thank Klaus Darilion for finding and subsequently reporting this issue!
Fixes submitted to Factory and Leaps and Backports. Closing as resolved.
This is an autogenerated message for OBS integration: This bug (1142810) was mentioned in https://build.opensuse.org/request/show/720228 Factory / pdns https://build.opensuse.org/request/show/720229 15.0+15.1+Backports:SLE-12-SP1+Backports:SLE-15 / pdns
openSUSE-SU-2019:1904-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1138582,1142810 CVE References: CVE-2019-10162,CVE-2019-10163,CVE-2019-10203 Sources used: openSUSE Leap 15.1 (src): pdns-4.1.8-lp151.2.3.1 openSUSE Leap 15.0 (src): pdns-4.1.2-lp150.3.13.1 openSUSE Backports SLE-15 (src): pdns-4.1.2-bp150.2.9.1
openSUSE-SU-2019:1904-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1138582,1142810 CVE References: CVE-2019-10162,CVE-2019-10163,CVE-2019-10203 Sources used: openSUSE Leap 15.1 (src): pdns-4.1.8-lp151.2.3.1 openSUSE Leap 15.0 (src): pdns-4.1.2-lp150.3.13.1 openSUSE Backports SLE-15 (src): pdns-4.1.2-bp150.2.9.1 SUSE Package Hub for SUSE Linux Enterprise 12 (src): pdns-4.1.11-20.1
openSUSE-SU-2019:1921-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1138582,1142810 CVE References: CVE-2019-10162,CVE-2019-10163,CVE-2019-10203 Sources used: openSUSE Backports SLE-15-SP1 (src): pdns-4.1.8-bp151.3.3.1
This is an autogenerated message for OBS integration: This bug (1142810) was mentioned in https://build.opensuse.org/request/show/965583 Backports:SLE-12-SP4 / pdns