Bug 15754 - pdns, pdns-recursor new security issue CVE-2015-1868
Summary: pdns, pdns-recursor new security issue CVE-2015-1868
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/641758/
Whiteboard: has_procedure advisory mga4-32-ok mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-04-23 13:40 CEST by David Walser
Modified: 2015-05-05 15:37 CEST (History)
2 users (show)

See Also:
Source RPM: pdns-recursor-3.6.2-2.mga5.src.rpm, pdns-3.3.1-11.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-04-23 13:40:56 CEST
Upstream has issued an advisory today (April 23):
http://doc.powerdns.com/md/security/powerdns-advisory-2015-01/

It's not clear whether we're affected, but the issue is fixed in 3.6.3.

Reproducible: 

Steps to Reproduce:
David Walser 2015-04-23 13:41:02 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-04-24 16:32:43 CEST
The upstream advisory now indicates that pdns is also vulnerable, and it is fixed in 3.4.4.  We currently have 3.3.1 in Cauldron.

pdns-recursor-3.6.3-1.mga5 has been uploaded for Cauldron.

I'll leave this for Oden to decide whether to update pdns and whether to issue updates for Mageia 4.

The pdns changelog:
https://doc.powerdns.com/md/changelog/

says that upgrading pdns from 3.3.1 to 3.4.4 requires a mandatory SQL schema upgrade.  It might be better to backport the patches (upstream commits linked from the changelog) to fix the security issue.

URL: (none) => http://lwn.net/Vulnerabilities/641758/
Summary: pdns-recursor new security issue CVE-2015-1868 => pdns, pdns-recursor new security issue CVE-2015-1868
Source RPM: pdns-recursor-3.6.2-2.mga5.src.rpm => pdns-recursor-3.6.2-2.mga5.src.rpm, pdns-3.3.1-11.mga5.src.rpm

Comment 2 David Walser 2015-05-01 14:38:21 CEST
Upstream has announced that actually all platforms are affected by this issue, and they have released pdns 3.3.2 to fix the issue without requiring the difficult update to 3.4.4:
http://blog.powerdns.com/2015/05/01/important-update-for-security-advisory-2015-01/
Comment 3 David Walser 2015-05-01 21:37:52 CEST
Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated pdns and pdns-recursor packages fix security vulnerability:

A bug was discovered in the label decompression code in PowerDNS and PowerDNS
Recursor, making it possible for names to refer to themselves, thus causing a
loop during decompression. On some platforms, this bug can be abused to cause
crashes. On all platforms, this bug can be abused to cause service-affecting
CPU spikes (CVE-2015-1868).

The pdns package has been updated to version 3.3.2 and the pdns-recursor
package has been updated to version 3.6.3 to fix this issue and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1868
http://doc.powerdns.com/md/security/powerdns-advisory-2015-01/
http://blog.powerdns.com/2015/05/01/important-update-for-security-advisory-2015-01/
https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-332
https://doc.powerdns.com/md/changelog/#powerdns-recursor-363
========================

Updated packages in core/updates_testing:
========================
pdns-3.3.2-1.mga4
pdns-backend-pipe-3.3.2-1.mga4
pdns-backend-mysql-3.3.2-1.mga4
pdns-backend-pgsql-3.3.2-1.mga4
pdns-backend-ldap-3.3.2-1.mga4
pdns-backend-sqlite-3.3.2-1.mga4
pdns-backend-geo-3.3.2-1.mga4
pdns-recursor-3.6.3-1.mga4

from SRPMS:
pdns-3.3.2-1.mga4.src.rpm
pdns-recursor-3.6.3-1.mga4.src.rpm

CC: (none) => oe
Version: Cauldron => 4
Assignee: oe => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 4 claire robinson 2015-05-02 20:57:50 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=13521#c2

Whiteboard: (none) => has_procedure

Comment 5 claire robinson 2015-05-05 11:23:24 CEST
Testing 32 & 64bit
Comment 6 claire robinson 2015-05-05 12:16:54 CEST
Testing complete mga4 32 & 64 using the procedure in comment 4

Whiteboard: has_procedure => has_procedure mga4-32-ok mga4-64-ok

Comment 7 claire robinson 2015-05-05 12:21:48 CEST
Validating. Advisory uploaded.

Please push to 4 updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-05-05 15:37:37 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0189.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.