Upstream has issued an advisory today (April 23): http://doc.powerdns.com/md/security/powerdns-advisory-2015-01/ It's not clear whether we're affected, but the issue is fixed in 3.6.3. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
The upstream advisory now indicates that pdns is also vulnerable, and it is fixed in 3.4.4. We currently have 3.3.1 in Cauldron. pdns-recursor-3.6.3-1.mga5 has been uploaded for Cauldron. I'll leave this for Oden to decide whether to update pdns and whether to issue updates for Mageia 4. The pdns changelog: https://doc.powerdns.com/md/changelog/ says that upgrading pdns from 3.3.1 to 3.4.4 requires a mandatory SQL schema upgrade. It might be better to backport the patches (upstream commits linked from the changelog) to fix the security issue.
URL: (none) => http://lwn.net/Vulnerabilities/641758/Summary: pdns-recursor new security issue CVE-2015-1868 => pdns, pdns-recursor new security issue CVE-2015-1868Source RPM: pdns-recursor-3.6.2-2.mga5.src.rpm => pdns-recursor-3.6.2-2.mga5.src.rpm, pdns-3.3.1-11.mga5.src.rpm
Upstream has announced that actually all platforms are affected by this issue, and they have released pdns 3.3.2 to fix the issue without requiring the difficult update to 3.4.4: http://blog.powerdns.com/2015/05/01/important-update-for-security-advisory-2015-01/
Updated packages uploaded for Mageia 4 and Cauldron. Advisory: ======================== Updated pdns and pdns-recursor packages fix security vulnerability: A bug was discovered in the label decompression code in PowerDNS and PowerDNS Recursor, making it possible for names to refer to themselves, thus causing a loop during decompression. On some platforms, this bug can be abused to cause crashes. On all platforms, this bug can be abused to cause service-affecting CPU spikes (CVE-2015-1868). The pdns package has been updated to version 3.3.2 and the pdns-recursor package has been updated to version 3.6.3 to fix this issue and other bugs. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1868 http://doc.powerdns.com/md/security/powerdns-advisory-2015-01/ http://blog.powerdns.com/2015/05/01/important-update-for-security-advisory-2015-01/ https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-332 https://doc.powerdns.com/md/changelog/#powerdns-recursor-363 ======================== Updated packages in core/updates_testing: ======================== pdns-3.3.2-1.mga4 pdns-backend-pipe-3.3.2-1.mga4 pdns-backend-mysql-3.3.2-1.mga4 pdns-backend-pgsql-3.3.2-1.mga4 pdns-backend-ldap-3.3.2-1.mga4 pdns-backend-sqlite-3.3.2-1.mga4 pdns-backend-geo-3.3.2-1.mga4 pdns-recursor-3.6.3-1.mga4 from SRPMS: pdns-3.3.2-1.mga4.src.rpm pdns-recursor-3.6.3-1.mga4.src.rpm
CC: (none) => oeVersion: Cauldron => 4Assignee: oe => qa-bugsWhiteboard: MGA5TOO, MGA4TOO => (none)
Procedure: https://bugs.mageia.org/show_bug.cgi?id=13521#c2
Whiteboard: (none) => has_procedure
Testing 32 & 64bit
Testing complete mga4 32 & 64 using the procedure in comment 4
Whiteboard: has_procedure => has_procedure mga4-32-ok mga4-64-ok
Validating. Advisory uploaded. Please push to 4 updates Thanks!
Keywords: (none) => validated_updateWhiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-okCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0189.html
Status: NEW => RESOLVEDResolution: (none) => FIXED