dgit.raspbian.org Git - pdns-recursor.git/commit

author	Otto Moerbeek <otto.moerbeek@open-xchange.com>
	Tue, 30 Jun 2020 11:46:54 +0000 (13:46 +0200)
committer	Daniel Leidert <dleidert@debian.org>
	Mon, 18 Mar 2024 22:34:27 +0000 (23:34 +0100)
commit	351482c9e9651eeb511cb57f21b238408e6fb50a
tree	27150d2f2fa26e6d41706151a581dc0315835c5c	tree \| snapshot
parent	f775768e5e52462be002c7e42a2dbbe017246ce4	commit \| diff

Backport of acl check to 4.1.x

An issue has been found in PowerDNS Recursor where the ACL applied to the
internal web server via `webserver-allow-from` is not properly enforced,
allowing a remote attacker to send HTTP queries to the internal web server,
bypassing the restriction.

Note that the web server is not enabled by default. Only installations using a
non-default value for `webserver` and `webserver-address` are affected.

Workarounds are: disable the webserver or set a password or an API key.
Additionally, restrict the binding address using the `webserver-address`
setting to local addresses only and/or use a firewall to disallow web requests
from untrusted sources reaching the webserver listening address.

Bug: https://www.openwall.com/lists/oss-security/2020/07/01/1
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964103
Origin: https://github.com/PowerDNS/pdns/commit/e81271189216dbf2850c6d4461dfc3f37c731ac8.patch
Reviewed-by: Daniel Leidert <dleidert@debian.org>
Gbp-Pq: Name CVE-2020-14196.patch

sstuff.hh		diff \| blob \| history
webserver.cc		diff \| blob \| history
webserver.hh		diff \| blob \| history
ws-recursor.cc		diff \| blob \| history
ws-recursor.hh		diff \| blob \| history