Debian has issued an advisory today (July 18):
https://lists.debian.org/debian-security-announce/2014/msg00163.html

The issue was fixed upstream in version 1.3.8:
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-02
https://polarssl.org/tech-updates/releases/polarssl-1.3.8-released

Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Real DSA link: https://www.debian.org/security/2014/dsa-2981
Fixed with polarssl-1.3.8-1.mga3, polarssl-1.3.8-1.mga4 & polarssl-1.3.8-1.mga5. NOTE. pdns is being rebuilt due to a soname major bump from 5 to 7 in polarssl-1.3.8, so you need to push pdns as well.
Thanks Oden!

Advisory:
========================

Updated polarssl packages fix security vulnerability:

A flaw was discovered in PolarSSL, a lightweight crypto and SSL/TLS library, which can be exploited by a remote unauthenticated attacker to mount a denial of service against PolarSSL servers that offer GCM ciphersuites. Potentially clients are affected too if a malicious server decides to execute the denial of service attack against its clients (CVE-2014-4911).

The pdns package has been rebuilt against the updated polarssl library.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4911
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-02
https://polarssl.org/tech-updates/releases/polarssl-1.3.8-released
https://www.debian.org/security/2014/dsa-2981
========================

Updated packages in core/updates_testing:
========================
polarssl-1.3.8-1.mga3
libpolarssl7-1.3.8-1.mga3
libpolarssl-devel-1.3.8-1.mga3
pdns-3.3.1-1.3.mga3
pdns-backend-pipe-3.3.1-1.3.mga3
pdns-backend-mysql-3.3.1-1.3.mga3
pdns-backend-pgsql-3.3.1-1.3.mga3
pdns-backend-ldap-3.3.1-1.3.mga3
pdns-backend-sqlite-3.3.1-1.3.mga3
pdns-backend-geo-3.3.1-1.3.mga3
polarssl-1.3.8-1.mga4
libpolarssl7-1.3.8-1.mga4
libpolarssl-devel-1.3.8-1.mga4
pdns-3.3.1-2.2.mga4
pdns-backend-pipe-3.3.1-2.2.mga4
pdns-backend-mysql-3.3.1-2.2.mga4
pdns-backend-pgsql-3.3.1-2.2.mga4
pdns-backend-ldap-3.3.1-2.2.mga4
pdns-backend-sqlite-3.3.1-2.2.mga4
pdns-backend-geo-3.3.1-2.2.mga4

from SRPMS:
polarssl-1.3.8-1.mga3.src.rpm
pdns-3.3.1-1.3.mga3.src.rpm
polarssl-1.3.8-1.mga4.src.rpm
pdns-3.3.1-2.2.mga4.src.rpm

CC: (none) => oe
Version: Cauldron => 4
Assignee: oe => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Severity: normal => major
There's a procedure in bug 11459#c7.
CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Above link should be bug 11459 comment 7.
Testing complete Mageia 4 32bit, following the procedure linked in comment 5.

All tests passed with polarssl-selftest.

I configured /etc/powerdns/pdns.conf with
local-address=127.0.0.1
local-port=2000

The dig call gives:
$ dig www.example.com A @127.0.0.1 -p 2000
; <<>> DiG 9.9.4-P2 <<>> www.example.com A @127.0.0.1 -p 2000
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7915
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 2800
;; QUESTION SECTION:
;www.example.com. IN A
;; Query time: 1 msec
;; SERVER: 127.0.0.1#2000(127.0.0.1)
;; WHEN: lun. août 04 21:41:33 CEST 2014
;; MSG SIZE rcvd: 44
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-32-OK
Testing complete Mageia 4 64bit.
Whiteboard: MGA3TOO has_procedure MGA4-32-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK
Advisory uploaded.
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK advisory
Testing complete mga3 64

# polarssl-selftest | tail
PBKDF2 (SHA1) #5: passed
TIMING tests note: will take some time!
TIMING test #1 (m_sleep / get_timer): passed
TIMING test #2 (set_alarm / get_timer): passed
TIMING test #3 (hardclock / get_timer): passed
TIMING test #4 (net_usleep/ get_timer): passed
[ All tests passed ]

Added these in /etc/powerdns/pdns.conf
allow-recursion=127.0.0.1
local-address=0.0.0.0
local-port=2000
recursor=8.8.8.8

Start the service
# service pdns start

# dig mageia.org A @127.0.0.1 -p 2000
; <<>> DiG 9.9.4-P2 <<>> mageia.org A @127.0.0.1 -p 2000
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63464
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org. IN A
;; ANSWER SECTION:
mageia.org. 866 IN A 217.70.188.116
...etc
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK advisory => MGA3TOO has_procedure mga3-64-ok MGA4-32-OK MGA4-64-OK advisory
Testing complete mga3 32

Validating. Advisory already uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-64-ok MGA4-32-OK MGA4-64-OK advisory => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-32-OK MGA4-64-OK advisory
CC: (none) => sysadmin-bugs
Update pushed. http://advisories.mageia.org/MGASA-2014-0315.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED