Bug 11958 - maradns blind spoofing attack and denial of service issues
Summary: maradns blind spoofing attack and denial of service issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/576604/
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-12-11 21:05 CET by David Walser
Modified: 2014-02-20 01:13 CET (History)
10 users (show)

See Also:
Source RPM: maradns-1.4.12-5.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-12-11 21:05:24 CET
Fedora has issued an advisory on December 3:
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123393.html

The issue is fixed upstream in 1.4.13.

Mageia 3 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2013-12-11 21:05:53 CET

CC: (none) => dmorganec, fundawang, remco
Whiteboard: (none) => MGA3TOO

Remco Rijnders 2013-12-12 07:10:23 CET

Status: NEW => ASSIGNED
Assignee: bugsquad => remco

Dave Hodgins 2013-12-12 22:36:35 CET

Blocks: (none) => 11726

Comment 1 Philippe Makowski 2014-01-07 21:45:28 CET
Suggested advisory:
========================

Updated maradns packages

This update fixes possible blind spoof attack vulnerability. See http://samiam.org/blog/20131202.html for more details.


Updated packages in core/updates_testing:
========================
maradns-1.4.13-1.mga3

Source RPMs: 
maradns-1.4.13-1.mga3.src.rpm


Freeze push asked for mga4

CC: (none) => makowski.mageia

Philippe Makowski 2014-01-07 21:46:57 CET

Assignee: remco => qa-bugs

Comment 2 David Walser 2014-01-07 21:52:40 CET
Thanks Philippe!

Just making some formatting changes to the advisory.  I'll change the version assignment for 3, but leave it as blocking the tracker until it's pushed in Cauldron.

Advisory:
========================

Updated maradns package fixes security vulnerability:

This update fixes a possible blind spoof attack vulnerability.

References:
http://samiam.org/blog/20131202.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123393.html
========================

Updated packages in core/updates_testing:
========================
maradns-1.4.13-1.mga3

from maradns-1.4.13-1.mga3.src.rpm

Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)

Comment 3 David Walser 2014-01-09 15:04:47 CET
maradns-1.4.13-2.mga4 uploaded for Cauldron.

Blocks: 11726 => (none)

Comment 4 Samuel Verschelde 2014-02-10 16:55:56 CET
Basic testing procedure from https://bugs.mageia.org/show_bug.cgi?id=4118#c1 (I don't know if the first part is still necessary)

After installing, edit /etc/maradns/mararc.recursive and set
recursive_acl = "192.168.1.0/16, 127.0.0.1/8"

Then, after "service maradns start"
"dig @127.0.0.1 www.mageia.org" returns the ip, with a second run
returning the value from the cache.

CC: (none) => stormi
Whiteboard: (none) => has_procedure

Comment 5 Remco Rijnders 2014-02-12 19:23:45 CET
Please hold on this update. A new security fix has just been announced, and I'd hate for QA to having to validate this more than once.

http://woodlane.webconquest.com/pipermail/list/2014-February/001210.html
claire robinson 2014-02-12 19:48:12 CET

Whiteboard: has_procedure => has_procedure feedback

Comment 6 Samuel Verschelde 2014-02-12 19:55:30 CET
There will be an update for Mageia 4 too I reckon.
Comment 7 David Walser 2014-02-12 20:02:02 CET
Here's the blog version of that link:
http://www.samiam.org/blog/2014-02-12.html

The issue is fixed in 1.4.14.

Version: 3 => 4
Summary: maradns blind spoofing attack => maradns blind spoofing attack and denial of service issues
Whiteboard: has_procedure feedback => MGA3TOO has_procedure feedback

Comment 8 Remco Rijnders 2014-02-13 06:59:35 CET
I've just uploaded 1.4.14 to updates testing. Please test using testprocedure as above. Thanks!

Advisory:
========================

Updated maradns package fixes several security vulnerabilities:

- This update fixes a possible blind spoof attack vulnerability.
- This update fixes a possible denial of service (DOS) vulnerability.

References:
http://samiam.org/blog/20131202.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123393.html
http://www.samiam.org/blog/2014-02-12.html
========================

Updated packages in core/updates_testing:
========================
maradns-1.4.14-1.mga3

from maradns-1.4.14-1.mga3.src.rpm

maradns-1.4.14-1.mga4

from maradns-1.4.14-1.mga4.src.rpm
Comment 9 claire robinson 2014-02-13 08:50:52 CET
Thanks Remco. Procedure in comment 4

Are there any CVE's for this?

Whiteboard: MGA3TOO has_procedure feedback => MGA3TOO has_procedure

Comment 10 Remco Rijnders 2014-02-13 08:59:10 CET
@MrsB: No, I haven't seen any mention of them.
Comment 11 David Walser 2014-02-13 17:36:03 CET
Thanks Remco.

I haven't seen any CVE requests for this that I can remember.

The blind spoofing attack thing is already fixed in mga4, so we actually need two advisories.

Advisory (Mageia 3):
========================

Updated maradns package fixes security vulnerabilities:

This update fixes a possible blind spoof attack vulnerability and a possible
denial of service (DoS) vulnerability.

References:
http://samiam.org/blog/20131202.html
http://www.samiam.org/blog/2014-02-12.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123393.html
========================

Updated packages in core/updates_testing:
========================
maradns-1.4.14-1.mga3

from maradns-1.4.14-1.mga3.src.rpm


Advisory (Mageia 4):
========================

Updated maradns package fixes security vulnerability:

This update fixes a possible denial of service (DoS) vulnerability.

References:
http://www.samiam.org/blog/2014-02-12.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123393.html
========================

Updated packages in core/updates_testing:
========================
maradns-1.4.14-1.mga4

from maradns-1.4.14-1.mga4.src.rpm
Comment 12 David Walser 2014-02-14 18:42:51 CET
Fedora has issued an advisory for the DoS issue today (February 14):
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128231.html

from http://lwn.net/Vulnerabilities/586324/

Updating the advisories.

Advisory (Mageia 3):
========================

Updated maradns package fixes security vulnerabilities:

This update fixes a possible blind spoof attack vulnerability and a possible
denial of service (DoS) vulnerability.

References:
http://samiam.org/blog/20131202.html
http://www.samiam.org/blog/2014-02-12.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123393.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128231.html
========================

Updated packages in core/updates_testing:
========================
maradns-1.4.14-1.mga3

from maradns-1.4.14-1.mga3.src.rpm


Advisory (Mageia 4):
========================

Updated maradns package fixes security vulnerability:

This update fixes a possible denial of service (DoS) vulnerability.

References:
http://www.samiam.org/blog/2014-02-12.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128231.html
========================

Updated packages in core/updates_testing:
========================
maradns-1.4.14-1.mga4

from maradns-1.4.14-1.mga4.src.rpm
Comment 13 Colin Guthrie 2014-02-15 13:31:01 CET
I don't understand how maradns can even start. There is a typo in the systemd unit related to the config file.

I guess that means noone is actually using this package on MGA3 or MGA4!

I'll fix the bug for MGA3 and MGA4 and Cauldron.

CC: (none) => mageia

Comment 14 Colin Guthrie 2014-02-15 13:40:22 CET
Updated packages pushed to all three.
Comment 15 Philippe Makowski 2014-02-15 15:00:04 CET
Testing complete for maradns-1.4.14-1.1.mga4 on Mageia release 4 for x86_64
using procedure in #c4

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK

Comment 16 Colin Guthrie 2014-02-15 15:55:58 CET
Testing complete for maradns-1.4.14-1.1.mga3 on Mageia release 3 for x86_64
using procedure in #c4

Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA3-64-OK

Comment 17 Rémi Verschelde 2014-02-16 13:45:45 CET
Testing complete for maradns-1.4.14-1.1.mga4 on Mageia 4 i586 using procedure from comment 4.

CC: (none) => remi
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA3-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 18 Malo Deniélou 2014-02-16 16:09:28 CET
Testing complete for maradns-1.4.14-1.1.mga3 on Mageia 3 i586 using procedure from comment 4.

CC: (none) => pierre-malo.denielou
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-32-OK MGA4-64-OK MGA3-32-OK

Comment 19 Rémi Verschelde 2014-02-16 17:42:32 CET
Validating update, both advisories have been uploaded. Please push to 3 & 4 core/updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-32-OK MGA4-64-OK MGA3-32-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-32-OK MGA4-64-OK MGA3-32-OK advisory
CC: (none) => sysadmin-bugs

Comment 20 Thomas Backlund 2014-02-17 01:34:09 CET
Mga3 update pushed:
http://advisories.mageia.org/MGASA-2014-0078.html

Mga4 update pused:
http://advisories.mageia.org/MGASA-2014-0079.html

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 21 David Walser 2014-02-18 19:56:32 CET
CVE request for denial of service issue:
http://openwall.com/lists/oss-security/2014/02/18/6
Comment 22 David Walser 2014-02-20 01:13:46 CET
Two CVEs were assigned for the denial of service issue:
http://openwall.com/lists/oss-security/2014/02/19/15

They are CVE-2014-2031 and CVE-2014-2032.

Note You need to log in before you can comment on or make changes to this bug.