Bug#882959: marked as done (stretch-pu: package pdns/4.0.3-1+deb9u2)

[Debian Bug Tracking System]

Your message dated Sat, 09 Dec 2017 10:46:36 +0000
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882959,
regarding stretch-pu: package pdns/4.0.3-1+deb9u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882959: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882959
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Security update using upstream patch, for CVE-2017-15091.
DSA has marked this no-DSA but suggested that this should
be fixed via stable-updates.

4.0.3-1+deb9u1 is already in p-u, the attached debdiff is
against that version. Please let me know if this is bad.

Thanks,
Chris

diff -Nru pdns-4.0.3/debian/changelog pdns-4.0.3/debian/changelog
--- pdns-4.0.3/debian/changelog 2017-10-30 07:12:17.000000000 +0000
+++ pdns-4.0.3/debian/changelog 2017-11-27 22:02:24.000000000 +0000
@@ -1,3 +1,10 @@
+pdns (4.0.3-1+deb9u2) stretch; urgency=medium
+
+  * Add upstream patch fixing security issue:
+  * Missing check on API operations. CVE-2017-15091
+
+ -- Christian Hofstaedtler <z...@debian.org>  Mon, 27 Nov 2017 22:02:24 +0000
+
 pdns (4.0.3-1+deb9u1) stretch; urgency=medium
 
   * Fix incorrect qname casing in NSEC3 generation (Closes: #869222)
diff -Nru pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch 
pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch
--- pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch        1970-01-01 
00:00:00.000000000 +0000
+++ pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch        2017-11-27 
22:02:24.000000000 +0000
@@ -0,0 +1,30 @@
+diff -ru pdns-4.0.4.orig/pdns/ws-auth.cc pdns-4.0.4/pdns/ws-auth.cc
+--- pdns-4.0.4.orig/pdns/ws-auth.cc    2017-06-22 22:07:25.000000000 +0200
++++ pdns-4.0.4/pdns/ws-auth.cc 2017-11-02 18:07:20.986764858 +0100
+@@ -860,7 +860,7 @@
+ static void apiServerZoneAxfrRetrieve(HttpRequest* req, HttpResponse* resp) {
+   DNSName zonename = apiZoneIdToName(req->parameters["id"]);
+ 
+-  if(req->method != "PUT")
++  if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
+     throw HttpMethodNotAllowedException();
+ 
+   UeberBackend B;
+@@ -879,7 +879,7 @@
+ static void apiServerZoneNotify(HttpRequest* req, HttpResponse* resp) {
+   DNSName zonename = apiZoneIdToName(req->parameters["id"]);
+ 
+-  if(req->method != "PUT")
++  if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
+     throw HttpMethodNotAllowedException();
+ 
+   UeberBackend B;
+@@ -1191,7 +1191,7 @@
+ }
+ 
+ void apiServerCacheFlush(HttpRequest* req, HttpResponse* resp) {
+-  if(req->method != "PUT")
++  if(req->method != "PUT" || ::arg().mustDo("api-readonly"))
+     throw HttpMethodNotAllowedException();
+ 
+   DNSName canon = apiNameToDNSName(req->getvars["domain"]);
diff -Nru pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc 
pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc
--- pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc    1970-01-01 
00:00:00.000000000 +0000
+++ pdns-4.0.3/debian/patches/CVE-2017-15091-4.0.4.patch.asc    2017-11-27 
22:02:24.000000000 +0000
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQFNBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAloStHQaHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEYtRgf3bMwaR4tdR0p5f0TMCuFN
+7QbOpyLFLhatNYQFhUEFXQ7nesgNtNObu6qLOTi9fxD4zpcvnkz/a22m5S9tkf0W
+Y6E2fMy9NoLysSvTwgBCrXKbqttzFvpYRCWVzKnWgz67hjF4U57Wp1rY88XWmVHE
+5T4unYv7Kn+C2mDfBl1cOnRO2Y1VeJ79hS802q1WrnqREJkIZrN+CzpXGX/512Tg
+PLQ6Dke25kvlqGqsC7PRI8lU9Sm9UPLkR1ILKQCoIgxi7RXXYNmIE2dPgI2z06pm
+Cu9wFIYiaYtUjG+u4N6heJSfDvJZbWX+c8Xhvy16u3i1M/xPhB2Sq/IgZQV7S+NK
+=0Skb
+-----END PGP SIGNATURE-----
diff -Nru pdns-4.0.3/debian/patches/series pdns-4.0.3/debian/patches/series
--- pdns-4.0.3/debian/patches/series    2017-10-30 07:12:17.000000000 +0000
+++ pdns-4.0.3/debian/patches/series    2017-11-27 22:02:24.000000000 +0000
@@ -1 +1,2 @@
 869222-lowercase-qname-before-NSEC-generation.patch
+CVE-2017-15091-4.0.4.patch

--- End Message ---

--- Begin Message ---

Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam

--- End Message ---