CVE-2019-3806

NameCVE-2019-3806
DescriptionAn issue has been found in PowerDNS Recursor versions after 4.1.3 before 4.1.9 where Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly bypassing security policies enforced using Lua.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pdns-recursor (PTS)jessie, jessie (lts)3.6.2-2+deb8u4fixed
buster (security), buster, buster (lts)4.1.11-1+deb10u2fixed
bullseye4.4.2-3fixed
bookworm (security), bookworm4.8.8-1fixed
sid, trixie5.0.9-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pdns-recursorsourcewheezy(unfixed)end-of-life
pdns-recursorsourcejessie(not affected)
pdns-recursorsourcestretch(not affected)
pdns-recursorsource(unstable)4.1.9-1

Notes

[stretch] - pdns-recursor <not-affected> (Only affects 4.1.x)
[jessie] - pdns-recursor <not-affected> (Only affects 4.1.x)
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-01.html
Search for package or bug name: Reporting problems