| Summary: | pdns-recursor new security issue CVE-2016-7068 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | lewyssmith, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://lwn.net/Vulnerabilities/711776/ | | |
| Whiteboard: | has_procedure MGA5-64-OK advisory MGA5-32-OK | | |
| Source RPM: | pdns-recursor-3.6.4-1.mga5.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2017-01-15 18:59:58 CET
Patched package uploaded for Mageia 5.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13521#c2

Advisory:
========================

Updated pdns-recursor package fixes security vulnerability:

Florian Heinz and Martin Kluge reported that pdns-recursor parses all records present in a query regardless of whether they are needed or even legitimate, allowing a remote, unauthenticated attacker to cause an abnormal CPU usage load on the pdns server, resulting in a partial denial of service if the system becomes overloaded (CVE-2016-7068).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7068
https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/
https://www.debian.org/security/2017/dsa-3763
========================

Updated packages in core/updates_testing:
========================
pdns-recursor-3.6.4-1.1.mga5

from pdns-recursor-3.6.4-1.1.mga5.src.rpm

Assignee: bugsquad => qa-bugs
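
The advisory above attributes CVE-2016-7068 to the recursor parsing every record present in a query. As an added example (not part of this bug report and not PowerDNS code), the Python sketch below audits the section counts in a DNS query header and flags standard queries that declare records a resolver has no reason to receive; the function names and the `MAX_ADDITIONAL` threshold are assumptions.

```python
import struct

# Assumption for this sketch: a standard query carries exactly one question,
# no answer or authority records, and at most an EDNS OPT plus a TSIG record.
MAX_ADDITIONAL = 2

def build_query(qname, ancount=0, nscount=0, arcount=0):
    """Constructed sample input: DNS header plus one A/IN question.

    Only the header counts are set; no record bodies are appended, because
    the audit below never reads past the 12-byte header.
    """
    flags = 0x0100  # QR=0 (query), opcode 0 (standard query), RD=1
    header = struct.pack("!6H", 0x1234, flags, 1, ancount, nscount, arcount)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!2H", 1, 1)

def audit_query(packet):
    """Return reasons a query looks abnormal; an empty list means it passes."""
    if len(packet) < 12:
        return ["truncated header"]
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    if flags & 0x8000:
        return ["QR bit set: this is a response, not a query"]
    if (flags >> 11) & 0xF != 0:
        return []  # NOTIFY/UPDATE use the other sections; out of scope here
    reasons = []
    if qd != 1:
        reasons.append(f"QDCOUNT={qd}, expected 1")
    if an:
        reasons.append(f"ANCOUNT={an} in a query")
    if ns:
        reasons.append(f"NSCOUNT={ns} in a query")
    if ar > MAX_ADDITIONAL:
        reasons.append(f"ARCOUNT={ar} exceeds {MAX_ADDITIONAL}")
    return reasons

if __name__ == "__main__":
    for pkt in (build_query("mageia.org", arcount=1),
                build_query("mageia.org", ancount=40, arcount=200)):
        print(audit_query(pkt) or "ok")
```
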
David Walser
2017-01-15 19:23:59 CET
Whiteboard: (none) => has_procedure
David Walser
2017-01-16 18:51:24 CET
URL: (none) => https://lwn.net/Vulnerabilities/711776/

Testing M5_64

Already had this installed & tested, so straight to update:
pdns-recursor-3.6.4-1.1.mga5
pdns-3.3.3-1.3.mga5

Using https://bugs.mageia.org/show_bug.cgi?id=13521#c2 with some qualifications:
# systemctl stop dnsmasq [but it was not loaded]
# systemctl start pdns
# systemctl start pdns-recursor
# systemctl -l status pdns-recursor
...
Listening for UDP queries on 127.0.0.1:5300 [Same as previously]
...
Listening for TCP queries on 127.0.0.1:5300 [Same as previously]
...
# netstat -pantu | grep pdns
tcp 0 0 127.0.0.1:2000 0.0.0.0:* LISTEN 30019/pdns_server-i
tcp 0 0 127.0.0.1:5300 0.0.0.0:* LISTEN 30486/pdns_recursor
udp 0 0 127.0.0.1:5300 0.0.0.0:* 30486/pdns_recursor
udp 0 0 127.0.0.1:2000 0.0.0.0:* 30019/pdns_server-i

For pdns-recursor
----------------
$ dig mageia.org @127.0.0.1 -p 5300

; <<>> DiG 9.10.3-P4 <<>> mageia.org @127.0.0.1 -p 5300
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54402
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mageia.org. IN A

;; ANSWER SECTION:
mageia.org. 1800 IN A 217.70.188.116

;; Query time: 254 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1)
;; WHEN: Sul Ion 22 21:05:54 CET 2017
;; MSG SIZE rcvd: 44

Which accords with the given test result.

Whiteboard: has_procedure => has_procedure MGA5-64-OK
Lewis Smith
2017-01-22 21:47:48 CET
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory

Testing i586 version in virtualbox
pdns-recursor had been tested before updating with the updated pdns server so going straight on to updating.
Thought this was going to be simple, but...
Restarted pdns and started pdns-recursor.
# systemctl -l status pdns-recursor
● pdns-recursor.service - PowerDNS recursing nameserver
Loaded: loaded (/usr/lib/systemd/system/pdns-recursor.service; enabled)
Active: active (running) since Wed 2017-02-01 18:23:33 GMT; 24s ago
Process: 22488 ExecStart=/usr/sbin/pdns_recursor --daemon (code=exited, status=0/SUCCESS)
Main PID: 22490 (pdns_recursor)
CGroup: /system.slice/pdns-recursor.service
└─22490 /usr/sbin/pdns_recursor --daemon
Feb 01 18:23:33 shaula pdns_recursor[22490]: Set effective user id to 975
Feb 01 18:23:33 shaula pdns_recursor[22490]: Raised soft limit on number of filedescriptors to 4096 to match max-mthreads and threads settings
Feb 01 18:23:33 shaula pdns_recursor[22490]: Launching 2 threads
Feb 01 18:23:33 shaula pdns_recursor[22490]: Done priming cache with root hints
Feb 01 18:23:33 shaula pdns_recursor[22490]: Done priming cache with root hints
Feb 01 18:23:33 shaula pdns_recursor[22490]: Enabled 'epoll' multiplexer
Feb 01 18:23:33 shaula pdns_recursor[22488]: Feb 01 18:23:33 Calling daemonize, going to background
Feb 01 18:23:34 shaula pdns_recursor[22490]: Refreshed . records
Feb 01 18:23:34 shaula pdns_recursor[22490]: Refreshed . records
Feb 01 18:23:34 shaula pdns_recursor[22490]: PowerDNS Security Update Mandatory: Patch now, see https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/
# systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled)
Active: active (running) since Wed 2017-02-01 18:23:11 GMT; 4min 16s ago
Process: 22446 ExecStart=/usr/sbin/pdns_server --daemon --guardian=yes (code=exited, status=0/SUCCESS)
Main PID: 22454 (pdns_server)
CGroup: /system.slice/pdns.service
├─22454 /usr/sbin/pdns_server --daemon --guardian=yes
└─22457 /usr/sbin/pdns_server-instance --daemon --guardian=yes
Feb 01 18:23:11 shaula pdns[22454]: Listening on controlsocket in '/run/powerdns/pdns.controlsocket'
Feb 01 18:23:11 shaula pdns[22457]: Guardian is launching an instance
Feb 01 18:23:11 shaula pdns[22457]: Reading random entropy from '/dev/urandom'
Feb 01 18:23:11 shaula pdns[22457]: This is a guarded instance of pdns
Feb 01 18:23:11 shaula pdns[22457]: UDP server bound to 0.0.0.0:53
Feb 01 18:23:11 shaula pdns[22457]: TCP server bound to 0.0.0.0:53
Feb 01 18:23:11 shaula pdns[22457]: PowerDNS Authoritative Server 3.3.3 (jenkins@autotest.powerdns.com) (C) 2001-2015 PowerDNS.COM BV
Feb 01 18:23:11 shaula pdns[22457]: Using 32-bits mode. Built on 20170115181759 by iurt@ecosse.mageia.org, gcc 4.9.2.
Feb 01 18:23:11 shaula pdns[22457]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Feb 01 18:23:11 shaula pdns[22457]: PowerDNS Security Update Mandatory: Patch now, see https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/3/security/powerdns-advi" "sory-2016-05/
Feb 01 18:23:11 shaula pdns[22457]: Creating backend connection for TCP
Feb 01 18:23:11 shaula pdns[22457]: About to create 3 backend threads for UDP
Feb 01 18:23:11 shaula pdns[22457]: Done launching threads, ready to distribute questions
which is bizarre.

CC: (none) => tarazed25

However:
# netstat -pantu | grep pdns
tcp 0 0 127.0.0.1:5300 0.0.0.0:* LISTEN 22490/pdns_recursor
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 22457/pdns_server-i
udp 0 0 0.0.0.0:53 0.0.0.0:* 22457/pdns_server-i
udp 0 0 127.0.0.1:5300 0.0.0.0:* 22490/pdns_recursor

$ dig mageia.org @127.0.0.1 -p 5300

; <<>> DiG 9.10.3-P4 <<>> mageia.org @127.0.0.1 -p 5300
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28089
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mageia.org. IN A

;; ANSWER SECTION:
mageia.org. 1800 IN A 217.70.188.116

;; Query time: 390 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1)
;; WHEN: Wed Feb 01 19:00:31 GMT 2017
;; MSG SIZE rcvd: 44

Maybe those "patch now" notices appeared in the previous test of pdns - not recorded.
So it passes.
Len Lawrence
2017-02-01 22:49:00 CET
Whiteboard: has_procedure MGA5-64-OK advisory => has_procedure MGA5-64-OK advisory MGA5-32-OK
Len Lawrence
2017-02-02 13:21:17 CET
CC: (none) => sysadmin-bugs

Would sysadmins please push this to core updates.

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0036.html

Resolution: (none) => FIXED