| Summary: | pdns-recursor new security issue CVE-2018-1000003 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | mitya, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | pdns-recursor-4.1.0-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2018-04-21 23:37:58 CEST
David Walser
2018-04-21 23:38:08 CEST
Whiteboard: (none) => MGA6TOO

Hi Dmitry, I see you're working on this. There's a 4.1.2 bugfix release upstream, so I recommend updating to that as openSUSE did.

David Walser
2018-05-04 08:28:52 CEST
Status comment: (none) => Fixed upstream in 4.1.1

pdns-recursor-4.1.2-1.mga7 uploaded for Cauldron by Dmitry, fixing this. However it needs to be rebuilt so its release tag is at least as high as the package just pushed for Mageia 6, which is:
pdns-recursor-4.1.2-3.mga6

Version: Cauldron => 6

Release announcement:
https://blog.powerdns.com/2018/03/29/powerdns-recursor-4-1-2-released/

(In reply to David Walser from comment #2)
> pdns-recursor-4.1.2-1.mga7 uploaded for Cauldron by Dmitry, fixing this.
> However it needs to be rebuilt so its release tag is at least as high as
> the package just pushed for Mageia 6, which is:
> pdns-recursor-4.1.2-3.mga6

Done. (reassign to QA team?)

Thanks!

Advisory:
========================

Updated pdns-recursor package fixes security vulnerability:

An issue has been found in the DNSSEC validation component of PowerDNS Recursor, allowing an ancestor delegation NSEC or NSEC3 record to be used to wrongfully prove the non-existence of a RR below the owner name of that record. This would allow an attacker in position of man-in-the-middle to send a NXDOMAIN answer for a name that does exist (CVE-2018-1000003).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000003
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html
https://blog.powerdns.com/2018/03/29/powerdns-recursor-4-1-2-released/
https://lists.opensuse.org/opensuse-updates/2018-04/msg00033.html

CC: (none) => mitya

Testing M6/64
BEFORE update: pdns-recursor-4.1.0-1.mga6
# systemctl stop pdns
# systemctl start pdns-recursor
# systemctl -l status pdns-recursor
● pdns-recursor.service - PowerDNS Recursor
Loaded: loaded (/usr/lib/systemd/system/pdns-recursor.service; disabled; vend
Active: active (running) since Mer 2018-05-23 21:16:24 CEST; 32s ago
Docs: man:pdns_recursor(1)
man:rec_control(1)
https://doc.powerdns.com
Main PID: 24611 (pdns_recursor)
CGroup: /system.slice/pdns-recursor.service
└─24611 /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no
ns_recursor[24611]: Listening for UDP queries on 127.0.0.1:53
ns_recursor[24611]: Enabled TCP data-ready filter for (slight) DoS protection
ns_recursor[24611]: Listening for TCP queries on 127.0.0.1:53
ns_recursor[24611]: Launching 3 threads
stemd[1]: Started PowerDNS Recursor.
ns_recursor[24611]: Done priming cache with root hints
ns_recursor[24611]: Done priming cache with root hints
ns_recursor[24611]: Done priming cache with root hints
ns_recursor[24611]: Enabled 'epoll' multiplexer
ns_recursor[24611]: PowerDNS Security Update Mandatory: Upgrade now, see https:/
# netstat -pantu | grep pdns_recursor
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 24611/pdns_recursor
udp 0 0 127.0.0.1:53 0.0.0.0:* 24611/pdns_recursor
$ dig mageia.org @127.0.0.1 -p 53
; <<>> DiG 9.10.6-P1 <<>> mageia.org @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14259
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org. IN A
;; ANSWER SECTION:
mageia.org. 1800 IN A 163.172.148.228
;; Query time: 148 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mer Mai 23 21:22:45 CEST 2018
;; MSG SIZE rcvd: 55
======================================
UPDATED to: pdns-recursor-4.1.2-3.mga6
# systemctl start pdns-recursor
# systemctl -l status pdns-recursor
...[as previously]
ns_recursor[345]: Enabled TCP data-ready filter for (slight) DoS protection
ns_recursor[345]: Listening for TCP queries on 127.0.0.1:5300
ns_recursor[345]: Set effective group id to 957
stemd[1]: Started PowerDNS Recursor.
ns_recursor[345]: Set effective user id to 966
ns_recursor[345]: Launching 3 threads
ns_recursor[345]: Done priming cache with root hints
ns_recursor[345]: Done priming cache with root hints
ns_recursor[345]: Done priming cache with root hints
ns_recursor[345]: Enabled 'epoll' multiplexer
Note the changed port number 53->5300 (which it used to be in the past).
This enables pdns-recursor(5300) to co-exist again with pdns(53).
# netstat -pantu | grep pdns_recursor
tcp 0 0 127.0.0.1:5300 0.0.0.0:* LISTEN 345/pdns_recursor
udp 0 0 127.0.0.1:5300 0.0.0.0:* 345/pdns_recursor
$ dig mageia.org @127.0.0.1 -p 5300
; <<>> DiG 9.10.6-P1 <<>> mageia.org @127.0.0.1 -p 5300
...
Same as previously except for id and port number.
Update looks OK.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0252.html

Status: NEW => RESOLVED |
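
The advisory in this report describes an ancestor delegation NSEC record being accepted as proof that a name below its owner does not exist. The following is an added example, not code from PowerDNS or from this bug report: a simplified model of an NSEC coverage check with and without the RFC 6840 section 4.1 rule for such records. The record dictionaries, zone names and function names are constructed for illustration; NSEC3 hashing and signature verification are not modelled.

```python
# Added example: simplified model, not PowerDNS code. Records are constructed.

def canon(name):
    """RFC 4034 section 6.1 ordering key: lowercase labels, rightmost first."""
    name = name.rstrip(".").lower()
    return tuple(reversed(name.split("."))) if name else ()

def covers(nsec, qname):
    """True if qname sorts strictly between the NSEC owner and next name."""
    o, n, q = canon(nsec["owner"]), canon(nsec["next"]), canon(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC of the zone wraps back to the apex

def is_ancestor_delegation(nsec):
    """RFC 6840 section 4.1: NS bit set, SOA bit clear, signer name shorter
    than the owner name, i.e. the record comes from the parent side of a cut."""
    return ("NS" in nsec["types"] and "SOA" not in nsec["types"]
            and len(canon(nsec["signer"])) < len(canon(nsec["owner"])))

def below(qname, owner):
    """True if qname is a strict descendant of owner."""
    q, o = canon(qname), canon(owner)
    return len(q) > len(o) and q[:len(o)] == o

def naive_proves_nxdomain(nsec, qname):
    """Coverage only: accepts the record the advisory says must be rejected."""
    return covers(nsec, qname)

def strict_proves_nxdomain(nsec, qname):
    """Coverage plus the ancestor delegation rule."""
    if is_ancestor_delegation(nsec) and below(qname, nsec["owner"]):
        return False  # parent-side record says nothing about the child zone
    return covers(nsec, qname)

# Constructed records: zone "example." delegates "sub.example.".
DELEGATION_NSEC = {"owner": "sub.example.", "next": "z.example.",
                   "types": {"NS", "DS", "RRSIG", "NSEC"}, "signer": "example."}
CHILD_APEX_NSEC = {"owner": "sub.example.", "next": "mail.sub.example.",
                   "types": {"NS", "SOA", "DNSKEY", "RRSIG", "NSEC"},
                   "signer": "sub.example."}

if __name__ == "__main__":
    for rec in (DELEGATION_NSEC, CHILD_APEX_NSEC):
        for q in ("www.sub.example.", "t.example.", "a.sub.example."):
            print(rec["signer"], q, naive_proves_nxdomain(rec, q),
                  strict_proves_nxdomain(rec, q))
```

The parent-side record still legitimately denies `t.example.`, which lies in the parent zone; only names below the zone cut are excluded, while the child zone's own apex NSEC (SOA bit set) remains usable for them.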