Upstream announced on February 6 that a DoS issue is being actively exploited: http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/ Oden has applied the upstream patch to fix this. Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron. Advisory: ======================== Updated pdns and pdns-recursor packages fix security vulnerability: PowerDNS and PowerDNS recursor are vulnerable to a denial of service due to a bug that causes them to exhaust the maximum number of file descriptors that are available to a process. The pdns and pdns-recursor packages have been patched to fix this issue. References: http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/ ======================== Updated packages in core/updates_testing: ======================== pdns-3.3.1-1.2.mga3 pdns-backend-pipe-3.3.1-1.2.mga3 pdns-backend-mysql-3.3.1-1.2.mga3 pdns-backend-pgsql-3.3.1-1.2.mga3 pdns-backend-ldap-3.3.1-1.2.mga3 pdns-backend-sqlite-3.3.1-1.2.mga3 pdns-backend-geo-3.3.1-1.2.mga3 pdns-recursor-3.5.1-1.1.mga3 pdns-3.3.1-2.1.mga4 pdns-backend-pipe-3.3.1-2.1.mga4 pdns-backend-mysql-3.3.1-2.1.mga4 pdns-backend-pgsql-3.3.1-2.1.mga4 pdns-backend-ldap-3.3.1-2.1.mga4 pdns-backend-sqlite-3.3.1-2.1.mga4 pdns-backend-geo-3.3.1-2.1.mga4 pdns-recursor-3.5.3-2.1.mga4 from SRPMS: pdns-3.3.1-1.2.mga3.src.rpm pdns-recursor-3.5.1-1.1.mga3.src.rpm pdns-3.3.1-2.1.mga4.src.rpm pdns-recursor-3.5.3-2.1.mga4.src.rpm Reproducible: Steps to Reproduce:
CC: (none) => oeWhiteboard: (none) => MGA3TOO
Fedora has issued an advisory for this on February 22: https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128851.html A CVE has just been requested for this: http://openwall.com/lists/oss-security/2014/06/13/8 Note that an upstream developer said pdns itself isn't affected: https://bugzilla.redhat.com/show_bug.cgi?id=1109231
Testing complete mga4 64 # service dnsmasq stop # service pdns start # service pdns status -l had some issues with a stary dnsmasq using port 53 so pdns was unable to bind to it, suspect it has something to do with libvirtd so stopped libvirtd and used killall dnsmasq, then pdns started ok. # service pdns-recursor start # service pdns-recursor status -l Noted from the status messages it is using port 5300 # netstat -pantu | grep 53 tcp 0 0 127.0.0.1:5300 0.0.0.0:* LISTEN 9251/pdns_recursor tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 8982/pdns_server-in udp 0 0 0.0.0.0:53 0.0.0.0:* 8982/pdns_server-in udp 0 0 127.0.0.1:5300 0.0.0.0:* 9251/pdns_recursor $ dig mageia.org @127.0.0.1 -p 53 ; <<>> DiG 9.9.4-P2 <<>> mageia.org @127.0.0.1 -p 53 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36588 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1680 ;; QUESTION SECTION: ;mageia.org. IN A ;; Query time: 1 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Fri Jun 20 14:36:00 BST 2014 ;; MSG SIZE rcvd: 39 Recursion is disabled by default, as it should be. $ dig mageia.org @127.0.0.1 -p 5300 ; <<>> DiG 9.9.4-P2 <<>> mageia.org @127.0.0.1 -p 5300 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14256 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;mageia.org. IN A ;; ANSWER SECTION: mageia.org. 1800 IN A 217.70.188.116 ;; Query time: 227 msec ;; SERVER: 127.0.0.1#5300(127.0.0.1) ;; WHEN: Fri Jun 20 14:20:45 BST 2014 ;; MSG SIZE rcvd: 44 Noted when restarting pdns-recursor with the update installed.. pdns_recursor[9907]: Raised soft limit on number of filedescriptors to 4096 to match max-mthreads and threads settings Remember to restart dnsmasq after pdns* is removed.
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
s/stary/stray/
Thanks. Just a reminder that I'll need to update the advisory to reflect that the upstream developer said that only pdns-recursor is affected. As Oden noted to me in IRC, both contain the affected code, so we can still update both packages just in case. The CVE request hasn't received a response yet, so I'll wait to update the advisory for now, but if it gets validated, we can issue the update (especially considering Fedora did it 4 months ago).
Testing complete mga3 64 It's simple enough to test David, I'll do the others too in a second.
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok
Testing complete mga3 32 and mga4 32
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Assuming the CVE request doesn't get answered, here's an updated advisory. Advisory: ======================== Updated pdns and pdns-recursor packages fix security vulnerability: PowerDNS recursor is vulnerable to a denial of service due to a bug that causes it to exhaust the maximum number of file descriptors that are available to a process. The pdns and pdns-recursor packages have been patched to fix this issue. References: http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/ https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128851.html
Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-okCC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0272.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/603225/