Bug 14695

Summary: pdns-recursor new security issue CVE-2014-8601
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: herman.viaene, oe, olchal, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/625777/
Whiteboard: has_procedure advisory MGA4-32-OK MGA4-64-OK
Source RPM: pdns-recursor-3.5.3-2.1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-11-30 17:39:37 CET 
Oden has packaged pdns-recursor 3.6.2 as an update for Mageia 4.  We'll need an advisory so that we can assign it to QA.

Note that the security issue fixed in 3.6.1 didn't affect us as it only affected 3.6.0.

Here's the release announcements for the versions since the 3.5.3 that we currently have:
http://blog.powerdns.com/2014/06/20/recursor-3-6-0-released/
http://blog.powerdns.com/2014/09/10/security-update-powerdns-recursor-3-6-1/
http://blog.powerdns.com/2014/10/30/recursor-3-6-2/

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-12-09 01:21:50 CET 
It was announced today that pdns-recursor 3.6.2 fixed a previously unannounced security issue:
http://openwall.com/lists/oss-security/2014/12/08/9

The upstream advisory is here:
http://doc.powerdns.com/md/security/powerdns-advisory-2014-02/

Advisory:
========================

Updated pdns-recursor package fixes security vulnerability:

PowerDNS Recursor before version 3.6.2, could be negatively impacted by
specially configured, hard to resolve domain names. A remote attacker, by
sending a query for such a domain name, could cause severe performance
degradation in PowerDNS Recursor, causing a denial of service (CVE-2014-8601).

The pdns-recursor package has been updated to version 3.6.2, fixing this issue
and several other bugs, as well as providing additional features.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8601
http://blog.powerdns.com/2014/06/20/recursor-3-6-0-released/
http://blog.powerdns.com/2014/09/10/security-update-powerdns-recursor-3-6-1/
http://blog.powerdns.com/2014/10/30/recursor-3-6-2/
http://doc.powerdns.com/md/security/powerdns-advisory-2014-02/
========================

Updated packages in core/updates_testing:
========================
pdns-recursor-3.6.2-1.mga4

from pdns-recursor-3.6.2-1.mga4.src.rpm

CC: (none) => oe
Component: RPM Packages => Security
Assignee: oe => qa-bugs
Summary: pdns-recursor 3.6.2 => pdns-recursor new security issue CVE-2014-8601
QA Contact: (none) => security
Severity: normal => major

Comment 2 claire robinson 2014-12-09 14:13:09 CET 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=13521#c2

Whiteboard: (none) => has_procedure

Comment 3 olivier charles 2014-12-09 15:39:35 CET 
Testing on Mageia 4x32, real hardware, following procedure mentionned in Comment 2 (omitted what seems relevant to pdns service in that procedure). I ended with a problem with testing package :

With current package :
--------------------
pdns-recursor-3.5.3-2.1.mga4.i586

# systemctl status -l pdns-recursor
pdns-recursor.service - PowerDNS recursing nameserver
   Loaded: loaded (/usr/lib/systemd/system/pdns-recursor.service; enabled)
   Active: active (running) since mar. 2014-12-09 15:01:05 CET; 6s ago
  Process: 9086 ExecStart=/usr/sbin/pdns_recursor --daemon (code=exited, status=0/SUCCESS)
 Main PID: 9087 (pdns_recursor)
   CGroup: /system.slice/pdns-recursor.service
           ââ9087 /usr/sbin/pdns_recursor --daemon

# netstat -pantu | grep 5300
tcp        0      0 127.0.0.1:5300              0.0.0.0:*                   LISTEN      9087/pdns_recursor  
udp        0      0 127.0.0.1:5300              0.0.0.0:*                               9087/pdns_recursor

$ dig mageia.org @127.0.0.1 -p 5300

; <<>> DiG 9.9.4-P2 <<>> mageia.org @127.0.0.1 -p 5300
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25927
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mageia.org.                    IN      A

;; ANSWER SECTION:
mageia.org.             1800    IN      A       217.70.188.116

;; Query time: 394 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1)
;; WHEN: mar. déc. 09 15:16:48 CET 2014
;; MSG SIZE  rcvd: 44

That seems fine.

Updating to testing package :
---------------------------
pdns-recursor-3.6.2-1.mga4.i586

Could not start pdns-recursor service (even after disable/enable, or reboot)

# systemctl status -l pdns-recursor
pdns-recursor.service - PowerDNS recursing nameserver
   Loaded: loaded (/usr/lib/systemd/system/pdns-recursor.service; disabled)
   Active: failed (Result: exit-code) since mar. 2014-12-09 15:31:39 CET; 3s ago
  Process: 10722 ExecStart=/usr/sbin/pdns_recursor --daemon (code=exited, status=1/FAILURE)

déc. 09 15:31:39 localhost pdns_recursor[10722]: Dec 09 15:31:39 Exception: Trying to set unknown parameter 'aaaa-additional-processing'
déc. 09 15:31:39 localhost systemd[1]: pdns-recursor.service: control process exited, code=exited status=1
déc. 09 15:31:39 localhost systemd[1]: Failed to start PowerDNS recursing nameserver.
déc. 09 15:31:39 localhost systemd[1]: Unit pdns-recursor.service entered failed state.

I checked recursor.conf (in /etc/powerdns/) :

socket-dir=/run/powerdns/
soa-minimum-ttl=0
soa-serial-offset=0
aaaa-additional-processing=off
local-port=5300
local-address=127.0.0.1
trace=off
daemon=yes
quiet=on
setgid=powerdns
setuid=powerdns

aaaa-additional-processing is set to off by default but starting pdns-recursor service complains about it.

CC: (none) => olchal

claire robinson 2014-12-09 15:43:08 CET

Whiteboard: has_procedure => has_procedure feedback

Comment 4 Herman Viaene 2014-12-09 17:24:35 CET 
MGA-4-64 on HP Probook 6555b
Confirm Olivier' findings on 
systemctl status -l pdns-recursor

CC: (none) => herman.viaene

Comment 5 David Walser 2014-12-09 17:44:44 CET 
Thanks.  Fixed in pdns-recursor-3.6.2-2.mga5 and pdns-recursor-3.6.2-1.1.mga4.

Whiteboard: has_procedure feedback => has_procedure

David Walser 2014-12-09 18:41:55 CET

Severity: major => critical

Comment 6 olivier charles 2014-12-09 20:51:15 CET 
Testing new version of updated package on Mageia4x32 :

pdns-recursor-3.6.2-1.1.mga4

following procedure mentionned in Comment 2.

OK this time.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 7 Herman Viaene 2014-12-10 09:46:50 CET 
MGA-4-64 on HP Probook 6555b
Installed new pdns-recursor-3.6.2-1.1.mga4, and rebooted.
Procedure in Comment 2 now OK

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 8 claire robinson 2014-12-10 09:50:58 CET 
Validating. Advisory uploaded.

Please push to updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2014-12-10 21:10:24 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0522.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-12-11 17:52:43 CET

URL: (none) => http://lwn.net/Vulnerabilities/625777/