Fedora has issued an advisory on December 3: https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123393.html The issue is fixed upstream in 1.4.13. Mageia 3 is also affected. Reproducible: Steps to Reproduce:
CC: (none) => dmorganec, fundawang, remcoWhiteboard: (none) => MGA3TOO
Status: NEW => ASSIGNEDAssignee: bugsquad => remco
Blocks: (none) => 11726
Suggested advisory: ======================== Updated maradns packages This update fixes possible blind spoof attack vulnerability. See http://samiam.org/blog/20131202.html for more details. Updated packages in core/updates_testing: ======================== maradns-1.4.13-1.mga3 Source RPMs: maradns-1.4.13-1.mga3.src.rpm Freeze push asked for mga4
CC: (none) => makowski.mageia
Assignee: remco => qa-bugs
Thanks Philippe! Just making some formatting changes to the advisory. I'll change the version assignment for 3, but leave it as blocking the tracker until it's pushed in Cauldron. Advisory: ======================== Updated maradns package fixes security vulnerability: This update fixes a possible blind spoof attack vulnerability. References: http://samiam.org/blog/20131202.html https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123393.html ======================== Updated packages in core/updates_testing: ======================== maradns-1.4.13-1.mga3 from maradns-1.4.13-1.mga3.src.rpm
Version: Cauldron => 3Whiteboard: MGA3TOO => (none)
maradns-1.4.13-2.mga4 uploaded for Cauldron.
Blocks: 11726 => (none)
Basic testing procedure from https://bugs.mageia.org/show_bug.cgi?id=4118#c1 (I don't know if the first part is still necessary) After installing, edit /etc/maradns/mararc.recursive and set recursive_acl = "192.168.1.0/16, 127.0.0.1/8" Then, after "service maradns start" "dig @127.0.0.1 www.mageia.org" returns the ip, with a second run returning the value from the cache.
CC: (none) => stormiWhiteboard: (none) => has_procedure
Please hold on this update. A new security fix has just been announced, and I'd hate for QA to having to validate this more than once. http://woodlane.webconquest.com/pipermail/list/2014-February/001210.html
Whiteboard: has_procedure => has_procedure feedback
There will be an update for Mageia 4 too I reckon.
Here's the blog version of that link: http://www.samiam.org/blog/2014-02-12.html The issue is fixed in 1.4.14.
Version: 3 => 4Summary: maradns blind spoofing attack => maradns blind spoofing attack and denial of service issuesWhiteboard: has_procedure feedback => MGA3TOO has_procedure feedback
I've just uploaded 1.4.14 to updates testing. Please test using testprocedure as above. Thanks! Advisory: ======================== Updated maradns package fixes several security vulnerabilities: - This update fixes a possible blind spoof attack vulnerability. - This update fixes a possible denial of service (DOS) vulnerability. References: http://samiam.org/blog/20131202.html https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123393.html http://www.samiam.org/blog/2014-02-12.html ======================== Updated packages in core/updates_testing: ======================== maradns-1.4.14-1.mga3 from maradns-1.4.14-1.mga3.src.rpm maradns-1.4.14-1.mga4 from maradns-1.4.14-1.mga4.src.rpm
Thanks Remco. Procedure in comment 4 Are there any CVE's for this?
Whiteboard: MGA3TOO has_procedure feedback => MGA3TOO has_procedure
@MrsB: No, I haven't seen any mention of them.
Thanks Remco. I haven't seen any CVE requests for this that I can remember. The blind spoofing attack thing is already fixed in mga4, so we actually need two advisories. Advisory (Mageia 3): ======================== Updated maradns package fixes security vulnerabilities: This update fixes a possible blind spoof attack vulnerability and a possible denial of service (DoS) vulnerability. References: http://samiam.org/blog/20131202.html http://www.samiam.org/blog/2014-02-12.html https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123393.html ======================== Updated packages in core/updates_testing: ======================== maradns-1.4.14-1.mga3 from maradns-1.4.14-1.mga3.src.rpm Advisory (Mageia 4): ======================== Updated maradns package fixes security vulnerability: This update fixes a possible denial of service (DoS) vulnerability. References: http://www.samiam.org/blog/2014-02-12.html https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123393.html ======================== Updated packages in core/updates_testing: ======================== maradns-1.4.14-1.mga4 from maradns-1.4.14-1.mga4.src.rpm
Fedora has issued an advisory for the DoS issue today (February 14): https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128231.html from http://lwn.net/Vulnerabilities/586324/ Updating the advisories. Advisory (Mageia 3): ======================== Updated maradns package fixes security vulnerabilities: This update fixes a possible blind spoof attack vulnerability and a possible denial of service (DoS) vulnerability. References: http://samiam.org/blog/20131202.html http://www.samiam.org/blog/2014-02-12.html https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123393.html https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128231.html ======================== Updated packages in core/updates_testing: ======================== maradns-1.4.14-1.mga3 from maradns-1.4.14-1.mga3.src.rpm Advisory (Mageia 4): ======================== Updated maradns package fixes security vulnerability: This update fixes a possible denial of service (DoS) vulnerability. References: http://www.samiam.org/blog/2014-02-12.html https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128231.html ======================== Updated packages in core/updates_testing: ======================== maradns-1.4.14-1.mga4 from maradns-1.4.14-1.mga4.src.rpm
I don't understand how maradns can even start. There is a typo in the systemd unit related to the config file. I guess that means noone is actually using this package on MGA3 or MGA4! I'll fix the bug for MGA3 and MGA4 and Cauldron.
CC: (none) => mageia
Updated packages pushed to all three.
Testing complete for maradns-1.4.14-1.1.mga4 on Mageia release 4 for x86_64 using procedure in #c4
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK
Testing complete for maradns-1.4.14-1.1.mga3 on Mageia release 3 for x86_64 using procedure in #c4
Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA3-64-OK
Testing complete for maradns-1.4.14-1.1.mga4 on Mageia 4 i586 using procedure from comment 4.
CC: (none) => remiWhiteboard: MGA3TOO has_procedure MGA4-64-OK MGA3-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-32-OK MGA4-64-OK
Testing complete for maradns-1.4.14-1.1.mga3 on Mageia 3 i586 using procedure from comment 4.
CC: (none) => pierre-malo.denielouWhiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-32-OK MGA4-64-OK MGA3-32-OK
Validating update, both advisories have been uploaded. Please push to 3 & 4 core/updates.
Keywords: (none) => validated_updateWhiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-32-OK MGA4-64-OK MGA3-32-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-32-OK MGA4-64-OK MGA3-32-OK advisoryCC: (none) => sysadmin-bugs
Mga3 update pushed: http://advisories.mageia.org/MGASA-2014-0078.html Mga4 update pused: http://advisories.mageia.org/MGASA-2014-0079.html
Status: ASSIGNED => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED
CVE request for denial of service issue: http://openwall.com/lists/oss-security/2014/02/18/6
Two CVEs were assigned for the denial of service issue: http://openwall.com/lists/oss-security/2014/02/19/15 They are CVE-2014-2031 and CVE-2014-2032.