CVE-2019-3871

Name: CVE-2019-3871
Description: A vulnerability was found in PowerDNS Authoritative Server before 4.0.7 and before 4.1.7. An insufficient validation of data coming from the user when building a HTTP request from a DNS query in the HTTP Connector of the Remote backend, allowing a remote user to cause a denial of service by making the server connect to an invalid endpoint, or possibly information disclosure by making the server connect to an internal endpoint and somehow extracting meaningful information about the response.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-1737-1, DSA-4424-1
Debian Bugs: 924966

Vulnerable and fixed packages

The table below lists information on source packages.

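| Source Package | Release | Version | Status |
|---|---|---|---|
| pdns (PTS) | jessie, jessie (lts) | 3.4.1-4+deb8u10 | fixed |
| pdns | stretch (security), stretch (lts), stretch | 4.0.3-1+deb9u5 | fixed |
| pdns | buster | 4.1.6-3+deb10u1 | fixed |
| pdns | bullseye | 4.4.1-1 | fixed |
| pdns | bookworm | 4.7.3-2 | fixed |
| pdns | sid, trixie | 4.9.2-1 | fixed |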

The information below is based on the following data on fixed versions.

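| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| pdns | source | wheezy | (unfixed) | end-of-life | | |
| pdns | source | jessie | 3.4.1-4+deb8u9 | | DLA-1737-1 | |
| pdns | source | stretch | 4.0.3-1+deb9u4 | | DSA-4424-1 | |
| pdns | source | (unstable) | 4.1.6-2 | | | 924966 |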

Notes

https://github.com/PowerDNS/pdns/issues/7573
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html
Patches: https://downloads.powerdns.com/patches/2019-03/
