Upstream has issued an advisory on January 25:
http://samiam.org/blog/2015-01-25.html
The CERT issue referenced there is here:
https://www.kb.cert.org/vuls/id/264212
which is the same as the CVE-2014-8500 issue that affected BIND.
The issue is fixed upstream in 1.4.15, but there was a regression in the fix, so a really fixed 1.4.16 version is pending:
http://samiam.org/blog/2015-01-29.html
Mageia 4 is also affected.
As the upstream advisory states that 1.4.x will be EOL in June, Cauldron should be updated to 2.0.11, or the package should be dropped.
Fedora has issued an advisory for this on January 27:
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149138.html
CC: (none) => makowski.mageia
Blocks: (none) => 14674
Whiteboard: (none) => MGA4TOO
LWN gave maradns its own entry for this (since it wouldn't technically be the same CVE, as it's different software). The BIND CVE-2014-8500 one was here: http://lwn.net/Vulnerabilities/625159/
URL: http://lwn.net/Vulnerabilities/625159/ => http://lwn.net/Vulnerabilities/632576/
Summary: maradns new security issue CVE-2014-8500 => maradns new DoS security issue
LWN moved the maradns ones to both be on the BIND vuln entry.
URL: http://lwn.net/Vulnerabilities/632576/ => http://lwn.net/Vulnerabilities/625159/
Status: NEW => ASSIGNED
CC: makowski.mageia => (none)
Dropped from Cauldron for now. Feel free to resubmit it to Mageia 5 once it has been updated to 2.0.x.
Version: Cauldron => 4
Blocks: 14674 => (none)
Whiteboard: MGA4TOO => (none)
1.4.16 is available in core/updates_testing. No testing procedure is available, but I think verifying that the package installs and runs (see: https://wiki.mageia.org/en/QA_procedure:Maradns ) should suffice.
CC: (none) => remco
Assignee: remco => qa-bugs
Thanks Remmy! That will suffice as a testing procedure. Could you write an advisory for this one?
Whiteboard: (none) => has_procedure
Testing on Mageia4x64 real hardware
From current package:
--------------------
maradns-1.4.14-1.1.mga4.x86_64
# systemctl start maradns
didn't work as it complained port 53 was already in use.
Had to reboot to start maradns
Followed procedure mentioned in comment 4.
OK
maradns-1.4.16-1.1.mga4.x86_64
Rebooted
# systemctl status -l maradns
maradns.service - MaraDNS secure Domain Name Server (DNS)
   Loaded: loaded (/usr/lib/systemd/system/maradns.service; enabled)
   Active: active (running) since mar. 2015-03-03 16:02:19 CET; 42s ago
 Main PID: 1759 (maradns)
   CGroup: /system.slice/maradns.service
           └─1759 /usr/sbin/maradns -f /etc/maradns/mararc.recursive
Followed same procedure
OK
CC: (none) => olchal
Whiteboard: has_procedure => has_procedure MGA4-64-OK
In VirtualBox, M4, KDE, 32-bit
Package(s) under test:
maradns
default install of maradns
[root@localhost wilcal]# urpmi maradns
Package maradns-1.4.14-1.1.mga4.i586 is already installed
[root@localhost wilcal]# systemctl start maradns
seemed to start ok
install maradns from updates_testing
[root@localhost wilcal]# urpmi maradns
Package maradns-1.4.16-1.1.mga4.i586 is already installed
Seemed to install, stop and restart just fine.
[root@localhost wilcal]# systemctl status -l maradns
maradns.service - MaraDNS secure Domain Name Server (DNS)
   Loaded: loaded (/usr/lib/systemd/system/maradns.service; enabled)
   Active: active (running) since Wed 2015-03-04 11:37:59 PST; 3min 18s ago
 Main PID: 13017 (maradns)
   CGroup: /system.slice/maradns.service
           └─13017 /usr/sbin/maradns -f /etc/maradns/mararc.recursive
Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
Looks ok. Your call olivier.
Testing on Mageia4x32 real hardware, maradns-1.4.16-1.1.mga4 testing package.
I had the same good results as William.
Configured as a recursive dns server, maradns worked well.
OK then.
Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK
Thanks for testing guys!
Advisory:
=========
maradns versions prior to 1.4.16 are vulnerable to a DoS-vulnerability through which a malicious authoritative DNS-server can cause an infinite chain of referrals.
For further details on the vulnerability, see https://www.kb.cert.org/vuls/id/264212
This update closes mga#15206
Validating. Advisory uploaded without CVE reference. Do you want to add one?
Please push to 4 updates
Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
Technically this one doesn't have its own CVE.
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0092.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
LWN created this entry: http://lwn.net/Vulnerabilities/635767/ Not sure if they'll keep it or merge it back into the BIND one. I gave them a heads up. Our advisory should be grouped with the Fedora maradns ones, one way or another.
Yep, they grouped the Fedora maradns advisories with ours, so maradns will keep its own page, which makes sense.
URL: http://lwn.net/Vulnerabilities/625159/ => http://lwn.net/Vulnerabilities/635767/