| Summary: | Updated Powerdns package to fix CVE-2012-0206 and other bugs | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Funda Wang <fundawang> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, geiger.david68210, sysadmin-bugs, tmb |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://www.powerdns.com/news/powerdns-security-advisory-2012-01.html | | |
| Whiteboard: | | | |
| Source RPM: | pdns-2.9.22.5-1.mga1 | CVE: | |
| Status comment: | | | |
| Attachments: | pdns.conf changed; mararc.recursive changed | | |
Description
Funda Wang
2012-01-13 05:06:36 CET

davidwhodgins
Testing complete on i586 for the srpm pdns-2.9.22.5-1.mga1.src.rpm

For testing, I added

```
recursor=8.8.8.8
```

to /etc/powerdns/pdns.conf then, after "service powerdns start", used "dig @127.0.0.1 www.yahoo.com".

CC: (none) => davidwhodgins

David GEIGER
Testing complete for the srpm pdns-2.9.22.5-1.mga1.src.rpm on Mageia release 1 (Official) for x86_64, works for me too.

(In reply to comment #1)
> For testing, I added
> recursor=8.8.8.8
> to /etc/powerdns/pdns.conf
> then, after "service powerdns start" used "dig @127.0.0.1 www.yahoo.com".

Here is the result:

```
# service powerdns start
Starting PowerDNS authoritative nameserver: started
# dig @127.0.0.1 www.yahoo.com

; <<>> DiG 9.8.1-P1 <<>> @127.0.0.1 www.yahoo.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30915
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.yahoo.com.			IN	A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jan 14 13:44:15 2012
;; MSG SIZE  rcvd: 31
```

CC: (none) => geiger.david68210

davidwhodgins
That's strange. I'm wondering if the service really started. Do you have any other dns software such as bind, or maradns installed?

When testing maradns for bug 4118 I had to edit /etc/maradns/mararc.recursive and set

```
recursive_acl = "192.168.1.0/16, 127.0.0.1/8"
```

For powerdns, the only change I made was to add the line

```
recursor=8.8.8.8
```

to /etc/powerdns/pdns.conf before starting the server. From dig, I get

```
;; ANSWER SECTION:
www.yahoo.com.		285	IN	CNAME	fp3.wg1.b.yahoo.com.
fp3.wg1.b.yahoo.com.	44	IN	CNAME	any-fp3-lfb.wa1.b.yahoo.com.
any-fp3-lfb.wa1.b.yahoo.com. 284 IN	CNAME	any-fp3-real.wa1.b.yahoo.com.
any-fp3-real.wa1.b.yahoo.com. 44 IN	A	98.139.180.149
```

David GEIGER
Yes, I have also maradns installed (just this one). I attach the 2 files changed: pdns.conf and mararc.recursive. Maybe I made a mistake in the configuration? Dave, can you see if it's correct or not?

Created attachment 1363 [details]
pdns.conf changed

Created attachment 1364 [details]
mararc.recursive changed
David GEIGER
2012-01-15 09:02:52 CET
Attachment 1364 description: marac.recursive changed => mararc.recursive changed

David GEIGER
2012-01-15 09:03:25 CET
Attachment 1364 mime type: application/octet-stream => text/plain

Comment on attachment 1363 [details]
pdns.conf changed

```
$ rpm -qa | grep bind
rpcbind-0.2.0-4.mga1
qtscriptbindings-0.1.0-8.mga1
bind-utils-9.8.1P1-1.mga1
```
davidwhodgins
First the configuration files need some changes. In pdns.conf, the line

```
#recursor=8.8.8.8
```

has to be changed to

```
recursor=8.8.8.8
```

as anything after a # is treated as a comment.

In mararc.recursive, the line

```
recursive_acl = "10.0.0.0/8"
```

should be changed to

```
#recursive_acl = "10.0.0.0/8"
```

(i.e. comment it out), and the line

```
#recursive_acl = "192.168.1.0/16, 127.0.0.1 / 8"
```

needs to be changed to

```
recursive_acl = "192.168.1.0/16, 127.0.0.1/8"
```

assuming you are using a router that gives addresses in the 192.168.*.* range. If you're not using a router (i.e. using a publicly accessible ip address), it should be changed to something like

```
recursive_acl = "216.240.14.62/32, 127.0.0.1/8"
```

with the proper ip address.

Second, only one of the name servers can be responding to name queries, so for testing powerdns you should run

```
service maradns stop
service powerdns start
```

For testing maradns (with today's update)

```
service powerdns stop
service maradns start
```

David GEIGER
Ok, thank you Dave for the good explanation. So here is the result (for powerdns, using a publicly accessible ip address) after:

```
# service powerdns start
# dig @127.0.0.1 www.yahoo.com

; <<>> DiG 9.8.1-P1 <<>> @127.0.0.1 www.yahoo.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58867
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.yahoo.com.			IN	A

;; ANSWER SECTION:
www.yahoo.com.		275	IN	CNAME	fp3.wg1.b.yahoo.com.
fp3.wg1.b.yahoo.com.	21	IN	CNAME	eu-fp3-lfb.wa1.b.yahoo.com.
eu-fp3-lfb.wa1.b.yahoo.com. 261	IN	CNAME	eu-fp3.wa1.b.yahoo.com.
eu-fp3.wa1.b.yahoo.com.	21	IN	A	87.248.112.181
eu-fp3.wa1.b.yahoo.com.	21	IN	A	87.248.122.122

;; Query time: 130 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jan 15 17:53:14 2012
;; MSG SIZE  rcvd: 137
```

I think it's better that way?

davidwhodgins
Testing complete for the srpm pdns-2.9.22.5-1.mga1.src.rpm on Mageia release 1 (Official) for x86_64.

Validating the update. Could someone from the sysadmin team push the srpm pdns-2.9.22.5-1.mga1.src.rpm from Core Updates Testing to Core Updates.

Advisory:

This security update for powerdns corrects CVE-2012-0206. Affected versions of the PowerDNS Authoritative Server can be made to respond to DNS responses, thus enabling an attacker to set up a packet loop between two PowerDNS servers, perpetually answering each other's answers. In some scenarios, a server could also be made to talk to itself, achieving the same effect. The powerdns package has been updated to the latest version of the 2.9.22 series to fix this issue, plus other bug fixes, as suggested upstream.

https://bugs.mageia.org/show_bug.cgi?id=4107

Keywords: (none) => validated_update

update pushed.

Status: NEW => RESOLVED
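The configuration corrections Dave gives in the thread above, turned into a checker as an added example (not part of this bug report and not code from the PowerDNS or MaraDNS projects). It reads pdns.conf-style and mararc.recursive-style text and reports the things that went wrong here: a recursor= line left commented out (the cause of the SERVFAIL with "recursion requested but not available"), an ACL that does not cover the address the dig test is run from, more than one active recursive_acl line, and ACL entries with stray spaces. The sample configuration texts are constructed from the lines quoted in the thread; the function names, the (errors, notes) split and the client_ip parameter are choices made for this example.

```python
"""Check the pdns.conf / mararc.recursive edits discussed in this bug (added example)."""
import ipaddress
import re

# Constructed sample of /etc/powerdns/pdns.conf as attached in the thread:
# only the line that matters, the rest of the file is omitted.
PDNS_CONF_BROKEN = """\
# pdns.conf (constructed sample)
launch=bind
#recursor=8.8.8.8
"""
PDNS_CONF_FIXED = PDNS_CONF_BROKEN.replace("#recursor", "recursor")

# Constructed samples of /etc/maradns/mararc.recursive, before and after the fix.
MARARC_BROKEN = """\
# mararc.recursive (constructed sample)
recursive_acl = "10.0.0.0/8"
#recursive_acl = "192.168.1.0/16, 127.0.0.1 / 8"
"""
MARARC_FIXED = """\
# mararc.recursive (constructed sample, after the fix)
#recursive_acl = "10.0.0.0/8"
recursive_acl = "192.168.1.0/16, 127.0.0.1/8"
"""

_ACL_RE = re.compile(r'^recursive_acl\s*=\s*"([^"]*)"\s*$')


def _active_lines(text):
    """Yield (lineno, line) for lines that are neither blank nor '#' comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield n, line


def check_pdns_conf(text):
    """Return the problems with the recursor= setting (empty list if fine).

    Only IPv4, optionally followed by :port, is handled in this example.
    """
    problems, recursors = [], []
    for _, line in _active_lines(text):
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "recursor":
            recursors.append(value)
    if not recursors:
        # A line starting with '#' is a comment, so a '#recursor=' line sets nothing.
        problems.append("no active recursor= line (is it commented out with '#'?)")
    for value in recursors:
        try:
            ipaddress.ip_address(value.split(":")[0])
        except ValueError:
            problems.append(f"recursor value {value!r} is not an IP address")
    return problems


def check_mararc(text, client_ip="127.0.0.1"):
    """Return (errors, notes) for recursive_acl.

    errors would make a local 'dig @client_ip' test fail; notes only report
    how an entry with host bits set (e.g. 127.0.0.1/8) is read.
    """
    errors, notes, networks, acl_lines = [], [], [], []
    for n, line in _active_lines(text):
        m = _ACL_RE.match(line)
        if m:
            acl_lines.append((n, m.group(1)))
    if not acl_lines:
        errors.append("no active recursive_acl line")
    elif len(acl_lines) > 1:
        errors.append(f"{len(acl_lines)} active recursive_acl lines; comment out all but one")
    for n, value in acl_lines:
        for raw in value.split(","):
            entry = raw.strip()
            if " " in entry:
                fixed = entry.replace(" ", "")
                errors.append(f"line {n}: entry {entry!r} contains a space; write it as {fixed!r}")
                entry = fixed
            try:
                net = ipaddress.ip_network(entry, strict=True)
            except ValueError:
                try:
                    net = ipaddress.ip_network(entry, strict=False)
                except ValueError:
                    errors.append(f"line {n}: {entry!r} is not a valid network")
                    continue
                notes.append(f"line {n}: {entry} has host bits set; treated as {net}")
            networks.append(net)
    client = ipaddress.ip_address(client_ip)
    if networks and not any(client in net for net in networks):
        errors.append(f"{client} is not covered by the ACL, so a local 'dig @{client}' test will be refused")
    return errors, notes


if __name__ == "__main__":
    print("pdns broken:", check_pdns_conf(PDNS_CONF_BROKEN))
    print("pdns fixed:", check_pdns_conf(PDNS_CONF_FIXED))
    print("mararc broken:", check_mararc(MARARC_BROKEN))
    print("mararc fixed:", check_mararc(MARARC_FIXED))
```

Run it as a script to see the reports for the four samples, or call check_pdns_conf() and check_mararc() on the contents of the real files. The ACL check takes the address the test is run from as a parameter because the correct ACL depends on that address, which is the point of Dave's "assuming you are using a router" caveat.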
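The root cause named in the advisory, an authoritative server answering packets that are themselves DNS responses, as an added example that is not PowerDNS code and not part of this bug. It parses the fixed 12-byte RFC 1035 header, refuses to answer anything with the QR bit set (answering a response, even with an error, is what lets two servers feed each other forever), and counts how many response packets arrived at the server port, which is the traffic pattern of the loop the advisory describes and a reasonable thing to alert on. The sample packets are constructed (the id 58867 and the www.yahoo.com question mirror the dig output above); build_header, should_answer and count_responses_seen are names chosen for this example.

```python
"""Classify DNS packets by the QR header bit (added example, not PowerDNS code)."""
import struct

HEADER_LEN = 12  # RFC 1035 section 4.1.1: fixed header size


def build_header(msg_id, qr, opcode=0, rd=1, rcode=0, qdcount=1, ancount=0):
    """Construct a DNS header; used here only to make the constructed samples."""
    flags = (qr << 15) | (opcode << 11) | (rd << 8) | rcode
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, ancount, 0, 0)


def parse_header(packet):
    """Return the header fields as a dict, or raise ValueError if too short."""
    if len(packet) < HEADER_LEN:
        raise ValueError(f"packet too short for a DNS header: {len(packet)} bytes")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:HEADER_LEN])
    return {
        "id": msg_id,
        "qr": (flags >> 15) & 1,       # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def should_answer(packet):
    """Server-side gate: answer only well-formed queries (QR=0).

    Returns (decision, reason). Responses are dropped silently; replying to a
    response with anything at all is what makes the server-to-server loop.
    """
    try:
        h = parse_header(packet)
    except ValueError as e:
        return False, str(e)
    if h["qr"] == 1:
        return False, f"id {h['id']}: QR=1, this is a response, not a query; dropped"
    if h["qdcount"] == 0:
        return False, f"id {h['id']}: query with no question section; dropped"
    return True, f"id {h['id']}: query, opcode {h['opcode']}"


def count_responses_seen(packets):
    """Detection side: how many packets aimed at the server port were responses.

    A steady stream of QR=1 packets arriving at port 53 of an authoritative
    server is the signature of the answer-to-answer loop in the advisory.
    """
    return sum(1 for p in packets if len(p) >= HEADER_LEN and parse_header(p)["qr"] == 1)


# Constructed sample traffic as a server on port 53 might receive it: one
# ordinary query for www.yahoo.com. IN A, one response with the same id that
# claims 5 answers (answer records omitted), and one truncated datagram.
QNAME = b"\x03www\x05yahoo\x03com\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
SAMPLE_QUERY = build_header(0xE5F3, qr=0) + QNAME
SAMPLE_RESPONSE = build_header(0xE5F3, qr=1, ancount=5) + QNAME
SAMPLE_TRUNCATED = b"\x00\x01\x01"

if __name__ == "__main__":
    for pkt in (SAMPLE_QUERY, SAMPLE_RESPONSE, SAMPLE_TRUNCATED):
        print(should_answer(pkt))
    print("responses seen:", count_responses_seen([SAMPLE_QUERY, SAMPLE_RESPONSE, SAMPLE_TRUNCATED]))
```

The gate is deliberately placed before any question parsing: the QR decision needs only the second header byte, so a server (or a front-end filter) can drop responses before spending any work on them, and a drop rather than an error reply is what breaks the loop.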