| Summary: | pdns, pdns-recursor incomplete fix for security issue CVE-2015-1868 (CVE-2015-5470) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, lewyssmith, oe, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/652011/ | ||
| Whiteboard: | MGA4TOO has_procedure MGA4-64-OK advisory MGA4-32-OK mga5-64-ok | ||
| Source RPM: | pdns-recursor-3.6.3-1.mga5.src.rpm, pdns-3.3.2-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2015-07-07 15:11:23 CEST
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13521#c2 Whiteboard:
(none) =>
MGA4TOO has_procedure Advisory committed to svn. CC:
(none) =>
davidwhodgins Debian has issued advisories for this on July 9: https://www.debian.org/security/2015/dsa-3306 https://www.debian.org/security/2015/dsa-3307 CVE-2015-5470 has been assigned for the incomplete fix: http://openwall.com/lists/oss-security/2015/07/10/8 Please update the advisory in SVN. Advisory: ======================== Updated pdns and pdns-recursor packages fix security vulnerability: In MGASA-2015-0189, the pdns and pdns-recursor packages were updated to fix a denial of service issue (CVE-2015-1868). The fix was incomplete (CVE-2015-5470). The packages have been updated again to versions 3.3.3 and 3.6.4, respectively, to completely fix this issue. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5470 http://doc.powerdns.com/md/security/powerdns-advisory-2015-01/ http://blog.powerdns.com/2015/06/09/authoritative-server-3-4-5-3-3-3-and-recursor-3-7-3-3-6-4-released/ http://advisories.mageia.org/MGASA-2015-0189.html http://openwall.com/lists/oss-security/2015/07/10/8 Whiteboard:
MGA4TOO has_procedure advisory =>
MGA4TOO has_procedure Advisory in svn updated. Testing MGA4 x64 Used the excellent procedure (thanks again Claire) in: https://bugs.mageia.org/show_bug.cgi?id=13521#c2 I did not have nor install dnsmasq. The 'service' commands are now: # systemctl start pdns.service [or stop] # systemctl status -l pdns.service # systemctl start pdns-recursor.service [or stop] # systemctl status -l pdns-recursor.service I could not see the port number 53 or 5300 in either of the 'status -l' outputs, so changed the netstat command to: # netstat -pantu | grep pdns BEFORE: Installed: pdns-recursor-3.6.3-1.mga4 pdns-3.3.2-1.mga4 The output was as shown in the procedure, with the interesting caveat that both 'status' outputs included the line "PowerDNS Security Update Mandatory: Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/" # netstat -pantu | grep pdns tcp 0 0 127.0.0.1:5300 0.0.0.0:* LISTEN 16598/pdns_recursor tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 14435/pdns_server-i udp 0 0 0.0.0.0:53 0.0.0.0:* 14435/pdns_server-i udp 0 0 127.0.0.1:5300 0.0.0.0:* 16598/pdns_recursor $ dig mageia.org @127.0.0.1 -p 53 ; <<>> DiG 9.9.7-P1 <<>> mageia.org @127.0.0.1 -p 53 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 7042 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 2800 ;; QUESTION SECTION: ;mageia.org. IN A ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Llu Gor 20 21:14:28 CEST 2015 ;; MSG SIZE rcvd: 39 $ dig mageia.org @127.0.0.1 -p 5300 ; <<>> DiG 9.9.7-P1 <<>> mageia.org @127.0.0.1 -p 5300 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53323 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;mageia.org. IN A ;; ANSWER SECTION: mageia.org. 1800 IN A 217.70.188.116 ;; Query time: 623 msec ;; SERVER: 127.0.0.1#5300(127.0.0.1) ;; WHEN: Llu Gor 20 21:15:02 CEST 2015 ;; MSG SIZE rcvd: 44 Stopped both services. AFTER: Updated from Updates Testing to: pdns-recursor-3.6.4-1.mga4 pdns-3.3.3-1.mga4 Re-started both services, repeated the procedure: # systemctl start pdns.service # systemctl status -l pdns.service # systemctl start pdns-recursor.service # systemctl status -l pdns-recursor.service This time the update warning was *not* present in the 'status -l' outputs. # netstat -pantu | grep pdns $ dig mageia.org @127.0.0.1 -p 53 $ dig mageia.org @127.0.0.1 -p 5300 The outputs from these commands was essentially identical to previously. Update deemed OK. Whiteboard:
MGA4TOO has_procedure =>
MGA4TOO has_procedure MGA4-64-OK OpenSuSE has issued an advisory for this today (July 22): http://lists.opensuse.org/opensuse-updates/2015-07/msg00049.html Summary:
pdns, pdns-recursor incomplete fix for security issue CVE-2015-1868 =>
pdns, pdns-recursor incomplete fix for security issue CVE-2015-1868 (CVE-2015-5470) Reference from comment 7 added to advisory in svn. Whiteboard:
MGA4TOO has_procedure MGA4-64-OK =>
MGA4TOO has_procedure MGA4-64-OK advisory MGA-32 on Acer D620 Xfce. Installed new packages on system without previous versions of pdns. Confirm outputs of test commands as per Comment 6 above, so OK for me. CC:
(none) =>
herman.viaene Testing complete mga5 64 Noted the update removes the message about a mandatory upgrade in the service status. Whiteboard:
MGA4TOO has_procedure MGA4-64-OK advisory MGA4-32-OK =>
MGA4TOO has_procedure MGA4-64-OK advisory MGA4-32-OK mga5-64-ok Validating. Please push for mga4 & 5. Thanks Keywords:
(none) =>
validated_update An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0301.html Status:
NEW =>
RESOLVED |