Bugzilla – Bug 1173302
VUL-1: CVE-2020-14196: pdns-recursor: access restriction bypass
Last modified: 2022-03-29 09:50:27 UTC
Reviewing the 4.1.16 version of the patch I noticed that it doesn't apply to the Devel:Cloud:8 & Devel:Cloud:9 4.1 based packages. Digging a little deeper I realised that this CVE is relevant to the pdns-recursor package which packages up the PowerDNS Recursor server as per https://doc.powerdns.com/recursor/changelog/4.1.html, and not the pdns package (included in SOC 8 & 9) which packages the PowerDNS Authoritative server as per https://doc.powerdns.com/authoritative/changelog/4.1.html. As such I'm not sure that any work needs to be undertaken for SOC 8 or 9.
Security, please review and see if more work is needed from the Cloud team
Now public through https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html
This is an autogenerated message for OBS integration: This bug (1173302) was mentioned in https://build.opensuse.org/request/show/818168 Factory / pdns-recursor
This is an autogenerated message for OBS integration: This bug (1173302) was mentioned in https://build.opensuse.org/request/show/818174 15.1+15.2+Backports:SLE-12-SP1+Backports:SLE-15-SP1 / pdns-recursor
Bug public. Security advisory for pdns-recursor. https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html PowerDNS Security Advisory 2020-04: Access restriction bypass CVE: CVE-2020-14196 Date: July 1st 2020 Affects: PowerDNS Recursor up to and including 4.3.1, 4.2.2 and 4.1.16 Not affected: 4.3.2, 4.2.3, 4.1.17 Severity: Low Impact: Access restriction bypass Exploit: This problem can be triggered by sending HTTP queries Risk of system compromise: No Solution: Upgrade to a non-affected version Workaround: Disable the webserver, set a password or an API key. Additionally, restrict the binding address using the webserver-address setting to local addresses only and/or use a firewall to disallow web requests from untrusted sources reaching the webserver listening address. An issue has been found in PowerDNS Recursor where the ACL applied to the internal web server via webserver-allow-from is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction. In the default configuration the API webserver is not enabled. Only installations using a non-default value for webserver and webserver-address are affected.
Bug fixes submitted to all maintained codestreams. Reassigning back to security-team for tracking.
ok, was reassigend to adam and he submitted ... back to us.
openSUSE-SU-2020:1005-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1173302 CVE References: CVE-2020-14196 Sources used: SUSE Package Hub for SUSE Linux Enterprise 12 (src): pdns-recursor-4.1.17-22.1
openSUSE-SU-2020:1005-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1173302 CVE References: CVE-2020-14196 Sources used: openSUSE Leap 15.2 (src): pdns-recursor-4.3.2-lp152.2.3.1 openSUSE Leap 15.1 (src): pdns-recursor-4.1.12-lp151.3.6.1 openSUSE Backports SLE-15-SP1 (src): pdns-recursor-4.1.12-bp151.4.6.1 SUSE Package Hub for SUSE Linux Enterprise 12 (src): pdns-recursor-4.1.17-22.1
openSUSE-SU-2020:1055-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1173302 CVE References: CVE-2020-14196 JIRA References: Sources used: openSUSE Backports SLE-15-SP2 (src): pdns-recursor-4.1.12-bp152.2.4.1
openSUSE-SU-2020:1101-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1173302 CVE References: CVE-2020-14196 JIRA References: Sources used: openSUSE Backports SLE-15-SP2 (src): pdns-recursor-4.3.2-bp152.2.8.1
openSUSE-SU-2020:1687-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1173302,1177383 CVE References: CVE-2020-14196,CVE-2020-25829 JIRA References: Sources used: openSUSE Leap 15.2 (src): pdns-recursor-4.3.5-lp152.2.6.1 openSUSE Leap 15.1 (src): pdns-recursor-4.1.12-lp151.3.9.1 openSUSE Backports SLE-15-SP2 (src): pdns-recursor-4.3.5-bp152.2.12.1 openSUSE Backports SLE-15-SP1 (src): pdns-recursor-4.1.12-bp151.4.9.1
openSUSE-SU-2020:1687-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1173302,1177383 CVE References: CVE-2020-14196,CVE-2020-25829 JIRA References: Sources used: openSUSE Leap 15.2 (src): pdns-recursor-4.3.5-lp152.2.6.1 openSUSE Leap 15.1 (src): pdns-recursor-4.1.12-lp151.3.9.1 openSUSE Backports SLE-15-SP2 (src): pdns-recursor-4.3.5-bp152.2.12.1 openSUSE Backports SLE-15-SP1 (src): pdns-recursor-4.1.12-bp151.4.9.1 SUSE Package Hub for SUSE Linux Enterprise 12 (src): pdns-recursor-4.1.18-25.1
done
This is an autogenerated message for OBS integration: This bug (1173302) was mentioned in https://build.opensuse.org/request/show/965588 Backports:SLE-12-SP4 / pdns-recursor