Security update for pdns-recursor SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:0131-1 Final 1 1 2019-02-04T12:59:24Z current 2019-02-04T12:59:24Z 2019-02-04T12:59:24Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for pdns-recursor This update for pdns-recursor to version 4.1.10 fixes the following issues: Security issues fixed: - CVE-2019-3806: Fixed a case when Lua hooks are not called over TCP (boo#1121887) - CVE-2019-3807: Fixed an issue where DNSSEC validation was not performed for AA=0 responses (boo#1121889) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-131 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LWT54KXW3PC2R7C5X6T7EOO7G2AIPPBJ/#LWT54KXW3PC2R7C5X6T7EOO7G2AIPPBJ E-Mail link for openSUSE-SU-2019:0131-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1121887 SUSE Bug 1121887 https://bugzilla.suse.com/1121889 SUSE Bug 1121889 https://www.suse.com/security/cve/CVE-2019-3806/ SUSE CVE CVE-2019-3806 page https://www.suse.com/security/cve/CVE-2019-3807/ SUSE CVE CVE-2019-3807 page SUSE Package Hub 12 SP1 pdns-recursor-4.1.10-16.1 pdns-recursor-4.1.10-16.1 as a component of SUSE Package Hub 12 SP1 An issue has been found in PowerDNS Recursor versions after 4.1.3 before 4.1.9 where Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly bypassing security policies enforced using Lua. CVE-2019-3806 SUSE Package Hub 12 SP1:pdns-recursor-4.1.10-16.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LWT54KXW3PC2R7C5X6T7EOO7G2AIPPBJ/#LWT54KXW3PC2R7C5X6T7EOO7G2AIPPBJ https://www.suse.com/security/cve/CVE-2019-3806.html CVE-2019-3806 https://bugzilla.suse.com/1121887 SUSE Bug 1121887 An issue has been found in PowerDNS Recursor versions 4.1.x before 4.1.9 where records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation. CVE-2019-3807 SUSE Package Hub 12 SP1:pdns-recursor-4.1.10-16.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LWT54KXW3PC2R7C5X6T7EOO7G2AIPPBJ/#LWT54KXW3PC2R7C5X6T7EOO7G2AIPPBJ https://www.suse.com/security/cve/CVE-2019-3807.html CVE-2019-3807 https://bugzilla.suse.com/1121889 SUSE Bug 1121889