| Summary: | pdns, pdns-recursor new security issue CVE-2015-1868 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | oe, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/641758/ | ||
| Whiteboard: | has_procedure advisory mga4-32-ok mga4-64-ok | ||
| Source RPM: | pdns-recursor-3.6.2-2.mga5.src.rpm, pdns-3.3.1-11.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2015-04-23 13:40:56 CEST

David Walser
2015-04-23 13:41:02 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

The upstream advisory now indicates that pdns is also vulnerable, and it is fixed in 3.4.4. We currently have 3.3.1 in Cauldron.

pdns-recursor-3.6.3-1.mga5 has been uploaded for Cauldron. I'll leave this for Oden to decide whether to update pdns and whether to issue updates for Mageia 4.

The pdns changelog:
https://doc.powerdns.com/md/changelog/
says that upgrading pdns from 3.3.1 to 3.4.4 requires a mandatory SQL schema upgrade. It might be better to backport the patches (upstream commits linked from the changelog) to fix the security issue.

URL: (none) => http://lwn.net/Vulnerabilities/641758/

Upstream has announced that actually all platforms are affected by this issue, and they have released pdns 3.3.2 to fix the issue without requiring the difficult update to 3.4.4:
http://blog.powerdns.com/2015/05/01/important-update-for-security-advisory-2015-01/

Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated pdns and pdns-recursor packages fix security vulnerability:

A bug was discovered in the label decompression code in PowerDNS and PowerDNS Recursor, making it possible for names to refer to themselves, thus causing a loop during decompression. On some platforms, this bug can be abused to cause crashes. On all platforms, this bug can be abused to cause service-affecting CPU spikes (CVE-2015-1868).

The pdns package has been updated to version 3.3.2 and the pdns-recursor package has been updated to version 3.6.3 to fix this issue and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1868
http://doc.powerdns.com/md/security/powerdns-advisory-2015-01/
http://blog.powerdns.com/2015/05/01/important-update-for-security-advisory-2015-01/
https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-332
https://doc.powerdns.com/md/changelog/#powerdns-recursor-363
========================

Updated packages in core/updates_testing:
========================
pdns-3.3.2-1.mga4
pdns-backend-pipe-3.3.2-1.mga4
pdns-backend-mysql-3.3.2-1.mga4
pdns-backend-pgsql-3.3.2-1.mga4
pdns-backend-ldap-3.3.2-1.mga4
pdns-backend-sqlite-3.3.2-1.mga4
pdns-backend-geo-3.3.2-1.mga4
pdns-recursor-3.6.3-1.mga4

from SRPMS:
pdns-3.3.2-1.mga4.src.rpm
pdns-recursor-3.6.3-1.mga4.src.rpm

CC: (none) => oe

Testing 32 & 64bit

Testing complete mga4 32 & 64 using the procedure in comment 4

Whiteboard: has_procedure => has_procedure mga4-32-ok mga4-64-ok

Validating. Advisory uploaded.

Please push to 4 updates

Thanks!

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0189.html

Status: NEW => RESOLVED
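
The advisory in this report describes names that refer to themselves during label decompression. The following is an added example, not PowerDNS code and not part of the bug report: a small RFC 1035 name decompressor that guarantees termination by accepting only pointers that land before the segment currently being read. The function names and the sample messages are constructed for illustration.

```python
MAX_NAME_LEN = 255  # RFC 1035 limit on the wire length of a name

def read_name(msg, offset):
    """Decode the name at `offset`; return (name, offset just past it)."""
    labels, wire_len = [], 1            # wire_len includes the root label
    pos, seg_start, after = offset, offset, None
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if (length & 0xC0) == 0xC0:     # two-byte compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            # Each jump must land before the segment being read, so
            # seg_start strictly decreases and the loop must terminate.
            if target >= seg_start:
                raise ValueError(f"pointer at {pos} to {target} is not backward")
            if after is None:
                after = pos + 2         # parsing resumes after the first pointer
            pos = seg_start = target
        elif length & 0xC0:
            raise ValueError("reserved label type")
        elif length == 0:               # root label ends the name
            return (".".join(labels) or "."), (pos + 1 if after is None else after)
        else:
            wire_len += 1 + length
            if wire_len > MAX_NAME_LEN or pos + 1 + length > len(msg):
                raise ValueError("name too long or label truncated")
            labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
            pos += 1 + length

def try_read(msg, offset):
    """Return ("ok", name) or ("rejected", reason) instead of raising."""
    try:
        return "ok", read_name(msg, offset)[0]
    except ValueError as exc:
        return "rejected", str(exc)

HEADER = bytes(12)  # constructed: empty 12-byte DNS header
GOOD = HEADER + b"\x07example\x03com\x00" + b"\x03www\xc0\x0c"
SELF_LOOP = HEADER + b"\xc0\x0c"            # constructed: pointer at 12 targets 12
MUTUAL_LOOP = HEADER + b"\xc0\x0e\xc0\x0c"  # constructed: 12 -> 14 and 14 -> 12

if __name__ == "__main__":
    for msg, off in [(GOOD, 12), (GOOD, 25), (SELF_LOOP, 12), (MUTUAL_LOOP, 14)]:
        print(off, try_read(msg, off))
```

The strictly-backward rule bounds the number of jumps by the message length, and the 255-byte cap bounds the work done on labels, so parsing cost stays linear in the message size.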