Bug 15206

Summary: maradns new DoS security issue
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: olchal, remco, sysadmin-bugs, wilcal.int
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/635767/
Whiteboard: has_procedure advisory MGA4-64-OK MGA4-32-OK
Source RPM: maradns-1.4.14-1.1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-02-05 18:07:14 CET 
Upstream has issued an advisory on January 25:
http://samiam.org/blog/2015-01-25.html

The CERT issue referenced there is here:
https://www.kb.cert.org/vuls/id/264212

which is the same as the CVE-2014-8500 issue that affected BIND.

The issue is fixed upstream in 1.4.15, but there was a regression in the fix, so a really fixed 1.4.16 version is pending:
http://samiam.org/blog/2015-01-29.html

Mageia 4 is also affected.

As the upstream advisory states that 1.4.x will be EOL in June, Cauldron should be updated to 2.0.11, or the package should be dropped.

Fedora has issued an advisory for this on January 27:
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149138.html

Reproducible: 

Steps to Reproduce:
David Walser 2015-02-05 18:07:39 CET

CC: (none) => makowski.mageia
Blocks: (none) => 14674
Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2015-02-09 21:04:16 CET 
LWN gave maradns its own entry for this (since it wouldn't technically be the same CVE, as it's different software).  The BIND CVE-2014-8500 one was here:
http://lwn.net/Vulnerabilities/625159/

URL: http://lwn.net/Vulnerabilities/625159/ => http://lwn.net/Vulnerabilities/632576/
Summary: maradns new security issue CVE-2014-8500 => maradns new DoS security issue

Comment 2 David Walser 2015-02-10 01:28:56 CET 
LWN moved the maradns ones to both be on the BIND vuln entry.

URL: http://lwn.net/Vulnerabilities/632576/ => http://lwn.net/Vulnerabilities/625159/

Remco Rijnders 2015-02-10 13:07:32 CET

Status: NEW => ASSIGNED

Philippe Makowski 2015-02-21 19:03:29 CET

CC: makowski.mageia => (none)

Comment 3 David Walser 2015-02-23 14:47:16 CET 
Dropped from Cauldron for now.  Feel free to resubmit it to Mageia 5 once it has been updated to 2.0.x.

Version: Cauldron => 4
Blocks: 14674 => (none)
Whiteboard: MGA4TOO => (none)

Comment 4 Remco Rijnders 2015-03-03 13:57:54 CET 
1.4.16 is available in core/updates_testing.

No testing procedure is available, but I think verifying that the package installs and runs (see: https://wiki.mageia.org/en/QA_procedure:Maradns ) should suffice.

CC: (none) => remco
Assignee: remco => qa-bugs

Comment 5 David Walser 2015-03-03 15:33:08 CET 
Thanks Remmy!

That will suffice as a testing procedure.

Could you write an advisory for this one?

Whiteboard: (none) => has_procedure

Comment 6 olivier charles 2015-03-03 16:07:12 CET 
Testing on Mageia4x64 real hardware

From current package :
--------------------
maradns-1.4.14-1.1.mga4.x86_64

# systemctl start maradns 
didn't work as it complained port 53 was already in use.
Had to reboot to start maradns
Followed procedure mentionned in comment 4.
OK

maradns-1.4.16-1.1.mga4.x86_64
Rebooted
# systemctl status -l maradns
maradns.service - MaraDNS secure Domain Name Server (DNS)
   Loaded: loaded (/usr/lib/systemd/system/maradns.service; enabled)
   Active: active (running) since mar. 2015-03-03 16:02:19 CET; 42s ago
 Main PID: 1759 (maradns)
   CGroup: /system.slice/maradns.service
           ââ1759 /usr/sbin/maradns -f /etc/maradns/mararc.recursive

Followed same procedure
OK

CC: (none) => olchal
Whiteboard: has_procedure => has_procedure MGA4-64-OK

Comment 7 William Kenney 2015-03-04 20:43:05 CET 
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
maradns

default install of maradns

[root@localhost wilcal]# urpmi maradns
Package maradns-1.4.14-1.1.mga4.i586 is already installed

[root@localhost wilcal]# systemctl start maradns
seemed to start ok

install maradns from updates_testing

[root@localhost wilcal]# urpmi maradns
Package maradns-1.4.16-1.1.mga4.i586 is already installed

Seemed to install, stop and restart just fine.

[root@localhost wilcal]# systemctl status -l maradns
maradns.service - MaraDNS secure Domain Name Server (DNS)
   Loaded: loaded (/usr/lib/systemd/system/maradns.service; enabled)
   Active: active (running) since Wed 2015-03-04 11:37:59 PST; 3min 18s ago
 Main PID: 13017 (maradns)
   CGroup: /system.slice/maradns.service
           ââ13017 /usr/sbin/maradns -f /etc/maradns/mararc.recursive

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 8 William Kenney 2015-03-04 20:43:58 CET 
Looks ok. Your call olivier.
Comment 9 olivier charles 2015-03-04 22:33:53 CET 
Testing on Mageia4x32 real hardware,

maradns-1.4.16-1.1.mga4 testing package

I had same good results as William

Configured as a recursive dns server, maradns worked well.

OK then.

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 10 Remco Rijnders 2015-03-05 07:33:42 CET 
Thanks for testing guys!

Advisory:
=========
maradns versions prior to 1.4.16 are vulnerable to a DoS-vulnerability through which a malicious authorative DNS-server can cause an infinite chain of referrals.

For further details on the vulnerability, see https://www.kb.cert.org/vuls/id/264212

This update closes mga#15206
Comment 11 claire robinson 2015-03-05 17:48:01 CET 
Validating. Advisory uploaded without CVE reference.

Do you want to add one?

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 12 David Walser 2015-03-05 17:49:32 CET 
Technically this one doesn't have its own CVE.
Comment 13 Mageia Robot 2015-03-05 20:35:01 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0092.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 14 David Walser 2015-03-06 22:34:29 CET 
LWN created this entry:
http://lwn.net/Vulnerabilities/635767/

Not sure if they'll keep it or merge it back into the BIND one.  I gave them a heads up.  Our advisory should grouped with the Fedora maradns ones, one way or another.
Comment 15 David Walser 2015-03-09 21:40:23 CET 
Yep, they grouped the Fedora maradns advisories with ours, so maradns will keep its own page, which makes sense.

URL: http://lwn.net/Vulnerabilities/625159/ => http://lwn.net/Vulnerabilities/635767/