Arch Linux Security Advisory ASA-201901-13
==========================================

Severity: Medium
Date    : 2019-01-24
CVE-ID  : CVE-2019-3806 CVE-2019-3807
Package : powerdns-recursor
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-856

Summary
=======

The package powerdns-recursor before version 4.1.9-1 is vulnerable to
multiple issues including insufficient validation and access restriction
bypass.

Resolution
==========

Upgrade to 4.1.9-1.

# pacman -Syu "powerdns-recursor>=4.1.9-1"

The problems have been fixed upstream in version 4.1.9.

Workaround
==========

None.

Description
===========

- CVE-2019-3806 (access restriction bypass)

An issue has been found in PowerDNS Recursor before 4.1.9 where Lua hooks
are not properly applied to queries received over TCP in some specific
combination of settings, possibly bypassing security policies enforced
using Lua.

- CVE-2019-3807 (insufficient validation)

An issue has been found in PowerDNS Recursor before 4.1.9 where records in
the answer section of responses received from authoritative servers with
the AA flag not set were not properly validated, allowing an attacker to
bypass DNSSEC validation.

Impact
======

A remote attacker can bypass access restrictions by doing a TCP query or
bypass DNSSEC validation for records where the AA flag was not set.

References
==========

https://blog.powerdns.com/2019/01/21/powerdns-recursor-4-1-9-released/
https://security.archlinux.org/CVE-2019-3806
https://security.archlinux.org/CVE-2019-3807
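A fleet-side check for the Resolution section above, added here as an example and not part of the advisory: it reads `pacman -Q` output lines and reports whether the installed powerdns-recursor is older than the fixed version 4.1.9-1. The version comparison is a simplified reimplementation of pacman's epoch:pkgver-pkgrel ordering (numeric segments outrank alphabetic ones, a trailing alphabetic segment such as rc1 sorts before the plain release), not Arch's own vercmp; the sample lines are constructed.

```python
import re

PACKAGE = "powerdns-recursor"
FIXED_VERSION = "4.1.9-1"   # first fixed package version per ASA-201901-13


def _split(version):
    """Split 'epoch:pkgver-pkgrel' into its three parts (epoch defaults to 0)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    pkgver, _, pkgrel = version.partition("-")
    return epoch, pkgver, pkgrel


def _segments(text):
    """Tokenise into numeric/alphabetic chunks; numeric chunks rank above alphabetic."""
    return [(1, int(chunk)) if chunk.isdigit() else (0, chunk)
            for chunk in re.findall(r"\d+|[A-Za-z]+", text)]


def _cmp_segments(a, b):
    for x, y in zip(a, b):
        if x != y:
            return -1 if x < y else 1
    if len(a) == len(b):
        return 0
    longer, sign = (a, 1) if len(a) > len(b) else (b, -1)
    extra = longer[min(len(a), len(b))]
    # a trailing numeric segment makes the longer version newer (4.1.9.1 > 4.1.9);
    # a trailing alphabetic segment makes it older (4.1.9rc1 < 4.1.9)
    return sign if extra[0] == 1 else -sign


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    ea, va, ra = _split(a)
    eb, vb, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    result = _cmp_segments(_segments(va), _segments(vb))
    if result == 0 and ra and rb:   # pkgrel only decides when both carry one
        result = _cmp_segments(_segments(ra), _segments(rb))
    return result


def needs_upgrade(pacman_q_line):
    """True when a `pacman -Q` line ('name version') shows powerdns-recursor below the fix."""
    name, _, version = pacman_q_line.strip().partition(" ")
    return name == PACKAGE and compare_versions(version, FIXED_VERSION) < 0


if __name__ == "__main__":
    # constructed sample output of `pacman -Q`
    for line in ["powerdns-recursor 4.1.8-1", "powerdns-recursor 4.1.9-1", "powerdns 4.1.5-1"]:
        print(line, "-> upgrade needed" if needs_upgrade(line) else "-> ok")
```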