Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Dear Release Team,
Please unblock package pdns 4.1.6-3 which contains fixes for two CVEs:
CVE-2019-10162: Denial of service via crafted zone records
CVE-2019-10163: Denial of service via NOTIFY packets
Please find the debdiff from -2 below.
Thanks,
Chris
unblock pdns/4.1.6-3
diff -Nru pdns-4.1.6/debian/changelog pdns-4.1.6/debian/changelog
--- pdns-4.1.6/debian/changelog 2019-03-31 12:48:59.000000000 +0000
+++ pdns-4.1.6/debian/changelog 2019-06-21 19:07:07.000000000 +0000
@@ -1,3 +1,12 @@
+pdns (4.1.6-3) unstable; urgency=medium
+
+ * Fix Denial of service via crafted zone records (CVE-2019-10162)
+ using patch from upstream.
+ * Fix Denial of service via NOTIFY packets (CVE-2019-10163)
+ using patch from upstream.
+
+ -- Chris Hofstaedtler <z...@debian.org> Fri, 21 Jun 2019 19:07:07 +0000
+
pdns (4.1.6-2) unstable; urgency=high
[ Salvatore Bonaccorso ]
diff -Nru pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch
pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch
--- pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch
1970-01-01 00:00:00.000000000 +0000
+++ pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch
2019-06-21 19:07:07.000000000 +0000
@@ -0,0 +1,29 @@
+diff --git pdns-4.1.8/pdns/mastercommunicator.cc
pdns-4.1.8-invalidrecords/pdns/mastercommunicator.cc
+index 456957a..ce0355c 100644
+--- pdns-4.1.8/pdns/mastercommunicator.cc
++++ pdns-4.1.8-invalidrecords/pdns/mastercommunicator.cc
+@@ -50,6 +50,7 @@ void CommunicatorClass::queueNotifyDomain(const DomainInfo&
di, UeberBackend* B)
+ FindNS fns;
+
+
++ try {
+ if (d_onlyNotify.size()) {
+ B->lookup(QType(QType::NS), di.zone);
+ while(B->get(rr))
+@@ -77,6 +78,16 @@ void CommunicatorClass::queueNotifyDomain(const DomainInfo&
di, UeberBackend* B)
+ hasQueuedItem=true;
+ }
+ }
++ }
++ catch (PDNSException &ae) {
++ L << Logger::Error << "Error looking up name servers for " << di.zone <<
", cannot notify: " << ae.reason << endl;
++ return;
++ }
++ catch (std::exception &e) {
++ L << Logger::Error << "Error looking up name servers for " << di.zone <<
", cannot notify: " << e.what() << endl;
++ return;
++ }
++
+
+ set<string> alsoNotify(d_alsoNotify);
+ B->alsoNotifies(di.zone, &alsoNotify);
diff -Nru
pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch.asc
pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch.asc
--- pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch.asc
1970-01-01 00:00:00.000000000 +0000
+++ pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch.asc
2019-06-21 19:07:07.000000000 +0000
@@ -0,0 +1,12 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAl0I6mcaHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEZxXgf9G4rXQ3xmE6pPTnwkN+9P
+nrqhjIrbhIS8t2KNVqLjUADhxHOli8lLj84f/fLnJgRabA5mz7iFVhpcHmocJADI
+lldJsjke6qbG+oduP90TsOD0wTWvibdxpoyrQlE0KvZua7geI5nSudEAVFW/SdhQ
+ynWGCgEodG35QkLOYlF19iSkd7x52Hx8MvMUF3YDZU/IjAVIIVmS4ZdaYz32T3ih
+OfpMFcOsu7Lsk8RkecK9Hegkv9ohqXGGcfz8rGsyF0gBGqTOhZ2rPqEj66jG4x++
+wLNPOkFpJYKLW+tkPzj0ra56/zjmOPrWbZWlEORnlmrU9ZS9nYG5gfYJuPNAveCq
+Mw==
+=SR9f
+-----END PGP SIGNATURE-----
diff -Nru pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch
pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch
--- pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch
1970-01-01 00:00:00.000000000 +0000
+++ pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch
2019-06-21 19:07:07.000000000 +0000
@@ -0,0 +1,16 @@
+diff --git pdns-4.1.8/pdns/communicator.cc
pdns-4.1.8-busyloop/pdns/communicator.cc
+index 7db5a3e..7fd59e4 100644
+--- pdns-4.1.8/pdns/communicator.cc
++++ pdns-4.1.8-busyloop/pdns/communicator.cc
+@@ -136,7 +136,10 @@ void CommunicatorClass::mainloop(void)
+ if (extraSlaveRefresh)
+ slaveRefresh(&P);
+ }
+- else {
++ else {
++ // eat up extra posts to avoid busy looping if many posts were done
++ while (d_any_sem.tryWait() == 0) {
++ }
+ break; // something happened
+ }
+ // this gets executed at least once every second
diff -Nru pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch.asc
pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch.asc
--- pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch.asc
1970-01-01 00:00:00.000000000 +0000
+++ pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch.asc
2019-06-21 19:07:07.000000000 +0000
@@ -0,0 +1,12 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAl0I6mcaHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEZbcQf/XTC6bDxmwt4tEXXN6hXQ
++ArS6zRED2pbxCAipxvHtbj9xqhk343aNfrG4Y8kl32AmJuP76yGfNrFeiNtPWgA
+3zcuLxuyaCs/M7zMOtuYxcz6IhHBfZPZ+MixWSeJqsD5zV9kQT7LjvJR7ZeO87R5
+CBTz6vX4WzH0FW7aQnt3paYc0Rxn8H1LJQ8ytQCIch1kc2Xbn+qcW9velwP/hTPu
+iCgEHx4ntaQj4ohS2Ntd0CQa3NMKUyI17FybLfebUyNywWnh8NVU4hevgGOG3pCu
+oE7qe8+kms49hQiQPEGf5rst+MjVOrGwkiX7ydsT4udfHsH+F2Xb/qU1Tn20UjV4
+Bg==
+=bJOa
+-----END PGP SIGNATURE-----
diff -Nru pdns-4.1.6/debian/patches/series pdns-4.1.6/debian/patches/series
--- pdns-4.1.6/debian/patches/series 2019-03-31 12:48:59.000000000 +0000
+++ pdns-4.1.6/debian/patches/series 2019-06-21 19:07:07.000000000 +0000
@@ -1 +1,3 @@
CVE-2019-3871-auth-4.1.6.patch
+CVE-2019-10162-4.1.8-invalidrecords.patch
+CVE-2019-10163-4.1.8-busyloop.patch
