Oden has packaged pdns-recursor 3.6.2 as an update for Mageia 4. We'll need an advisory so that we can assign it to QA. Note that the security issue fixed in 3.6.1 didn't affect us as it only affected 3.6.0. Here's the release announcements for the versions since the 3.5.3 that we currently have: http://blog.powerdns.com/2014/06/20/recursor-3-6-0-released/ http://blog.powerdns.com/2014/09/10/security-update-powerdns-recursor-3-6-1/ http://blog.powerdns.com/2014/10/30/recursor-3-6-2/ Reproducible: Steps to Reproduce:
It was announced today that pdns-recursor 3.6.2 fixed a previously unannounced security issue: http://openwall.com/lists/oss-security/2014/12/08/9 The upstream advisory is here: http://doc.powerdns.com/md/security/powerdns-advisory-2014-02/ Advisory: ======================== Updated pdns-recursor package fixes security vulnerability: PowerDNS Recursor before version 3.6.2, could be negatively impacted by specially configured, hard to resolve domain names. A remote attacker, by sending a query for such a domain name, could cause severe performance degradation in PowerDNS Recursor, causing a denial of service (CVE-2014-8601). The pdns-recursor package has been updated to version 3.6.2, fixing this issue and several other bugs, as well as providing additional features. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8601 http://blog.powerdns.com/2014/06/20/recursor-3-6-0-released/ http://blog.powerdns.com/2014/09/10/security-update-powerdns-recursor-3-6-1/ http://blog.powerdns.com/2014/10/30/recursor-3-6-2/ http://doc.powerdns.com/md/security/powerdns-advisory-2014-02/ ======================== Updated packages in core/updates_testing: ======================== pdns-recursor-3.6.2-1.mga4 from pdns-recursor-3.6.2-1.mga4.src.rpm
CC: (none) => oeComponent: RPM Packages => SecurityAssignee: oe => qa-bugsSummary: pdns-recursor 3.6.2 => pdns-recursor new security issue CVE-2014-8601QA Contact: (none) => securitySeverity: normal => major
Procedure: https://bugs.mageia.org/show_bug.cgi?id=13521#c2
Whiteboard: (none) => has_procedure
Testing on Mageia 4x32, real hardware, following procedure mentionned in Comment 2 (omitted what seems relevant to pdns service in that procedure). I ended with a problem with testing package : With current package : -------------------- pdns-recursor-3.5.3-2.1.mga4.i586 # systemctl status -l pdns-recursor pdns-recursor.service - PowerDNS recursing nameserver Loaded: loaded (/usr/lib/systemd/system/pdns-recursor.service; enabled) Active: active (running) since mar. 2014-12-09 15:01:05 CET; 6s ago Process: 9086 ExecStart=/usr/sbin/pdns_recursor --daemon (code=exited, status=0/SUCCESS) Main PID: 9087 (pdns_recursor) CGroup: /system.slice/pdns-recursor.service ââ9087 /usr/sbin/pdns_recursor --daemon # netstat -pantu | grep 5300 tcp 0 0 127.0.0.1:5300 0.0.0.0:* LISTEN 9087/pdns_recursor udp 0 0 127.0.0.1:5300 0.0.0.0:* 9087/pdns_recursor $ dig mageia.org @127.0.0.1 -p 5300 ; <<>> DiG 9.9.4-P2 <<>> mageia.org @127.0.0.1 -p 5300 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25927 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;mageia.org. IN A ;; ANSWER SECTION: mageia.org. 1800 IN A 217.70.188.116 ;; Query time: 394 msec ;; SERVER: 127.0.0.1#5300(127.0.0.1) ;; WHEN: mar. déc. 09 15:16:48 CET 2014 ;; MSG SIZE rcvd: 44 That seems fine. Updating to testing package : --------------------------- pdns-recursor-3.6.2-1.mga4.i586 Could not start pdns-recursor service (even after disable/enable, or reboot) # systemctl status -l pdns-recursor pdns-recursor.service - PowerDNS recursing nameserver Loaded: loaded (/usr/lib/systemd/system/pdns-recursor.service; disabled) Active: failed (Result: exit-code) since mar. 2014-12-09 15:31:39 CET; 3s ago Process: 10722 ExecStart=/usr/sbin/pdns_recursor --daemon (code=exited, status=1/FAILURE) déc. 09 15:31:39 localhost pdns_recursor[10722]: Dec 09 15:31:39 Exception: Trying to set unknown parameter 'aaaa-additional-processing' déc. 09 15:31:39 localhost systemd[1]: pdns-recursor.service: control process exited, code=exited status=1 déc. 09 15:31:39 localhost systemd[1]: Failed to start PowerDNS recursing nameserver. déc. 09 15:31:39 localhost systemd[1]: Unit pdns-recursor.service entered failed state. I checked recursor.conf (in /etc/powerdns/) : socket-dir=/run/powerdns/ soa-minimum-ttl=0 soa-serial-offset=0 aaaa-additional-processing=off local-port=5300 local-address=127.0.0.1 trace=off daemon=yes quiet=on setgid=powerdns setuid=powerdns aaaa-additional-processing is set to off by default but starting pdns-recursor service complains about it.
CC: (none) => olchal
Whiteboard: has_procedure => has_procedure feedback
MGA-4-64 on HP Probook 6555b Confirm Olivier' findings on systemctl status -l pdns-recursor
CC: (none) => herman.viaene
Thanks. Fixed in pdns-recursor-3.6.2-2.mga5 and pdns-recursor-3.6.2-1.1.mga4.
Whiteboard: has_procedure feedback => has_procedure
Severity: major => critical
Testing new version of updated package on Mageia4x32 : pdns-recursor-3.6.2-1.1.mga4 following procedure mentionned in Comment 2. OK this time.
Whiteboard: has_procedure => has_procedure MGA4-32-OK
MGA-4-64 on HP Probook 6555b Installed new pdns-recursor-3.6.2-1.1.mga4, and rebooted. Procedure in Comment 2 now OK
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
Validating. Advisory uploaded. Please push to updates Thanks
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0522.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/625777/
More details have been released about this issue: http://openwall.com/lists/oss-security/2014/12/12/9 http://www.ssi.gouv.fr/en/the-anssi/events/vulnerabilty-disclosure-the-infinitely-delegating-name-servers-idns-attack.html