+++ This bug was initially created as a clone of Bug #15754 +++ Upstream has issued an advisory on April 23 and updated it today (July 7): http://doc.powerdns.com/md/security/powerdns-advisory-2015-01/ The previous fix was incomplete and the issue has been fixed again in pdns 3.3.3 and pdns-recursor 3.6.4: http://blog.powerdns.com/2015/06/09/authoritative-server-3-4-5-3-3-3-and-recursor-3-7-3-3-6-4-released/ Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron. Advisory: ======================== Updated pdns and pdns-recursor packages fix security vulnerability: In MGASA-2015-0189, the pdns and pdns-recursor packages were updated to fix a denial of service issue (CVE-2015-1868). The fix was incomplete. The packages have been updated again to versions 3.3.3 and 3.6.4, respectively, to completely fix this issue. References: http://doc.powerdns.com/md/security/powerdns-advisory-2015-01/ http://blog.powerdns.com/2015/06/09/authoritative-server-3-4-5-3-3-3-and-recursor-3-7-3-3-6-4-released/ http://advisories.mageia.org/MGASA-2015-0189.html ======================== Updated packages in core/updates_testing: ======================== pdns-3.3.3-1.mga4 pdns-backend-pipe-3.3.3-1.mga4 pdns-backend-mysql-3.3.3-1.mga4 pdns-backend-pgsql-3.3.3-1.mga4 pdns-backend-ldap-3.3.3-1.mga4 pdns-backend-sqlite-3.3.3-1.mga4 pdns-backend-geo-3.3.3-1.mga4 pdns-recursor-3.6.4-1.mga4 pdns-3.3.3-1.mga5 pdns-backend-pipe-3.3.3-1.mga5 pdns-backend-mysql-3.3.3-1.mga5 pdns-backend-pgsql-3.3.3-1.mga5 pdns-backend-ldap-3.3.3-1.mga5 pdns-backend-sqlite-3.3.3-1.mga5 pdns-backend-geo-3.3.3-1.mga5 pdns-recursor-3.6.4-1.mga5 from SRPMS: pdns-3.3.3-1.mga4.src.rpm pdns-recursor-3.6.4-1.mga4.src.rpm pdns-3.3.3-1.mga5.src.rpm pdns-recursor-3.6.4-1.mga5.src.rpm
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13521#c2
Whiteboard: (none) => MGA4TOO has_procedure
Advisory committed to svn.
CC: (none) => davidwhodginsWhiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure advisory
Debian has issued advisories for this on July 9: https://www.debian.org/security/2015/dsa-3306 https://www.debian.org/security/2015/dsa-3307
CVE-2015-5470 has been assigned for the incomplete fix: http://openwall.com/lists/oss-security/2015/07/10/8 Please update the advisory in SVN. Advisory: ======================== Updated pdns and pdns-recursor packages fix security vulnerability: In MGASA-2015-0189, the pdns and pdns-recursor packages were updated to fix a denial of service issue (CVE-2015-1868). The fix was incomplete (CVE-2015-5470). The packages have been updated again to versions 3.3.3 and 3.6.4, respectively, to completely fix this issue. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5470 http://doc.powerdns.com/md/security/powerdns-advisory-2015-01/ http://blog.powerdns.com/2015/06/09/authoritative-server-3-4-5-3-3-3-and-recursor-3-7-3-3-6-4-released/ http://advisories.mageia.org/MGASA-2015-0189.html http://openwall.com/lists/oss-security/2015/07/10/8
Whiteboard: MGA4TOO has_procedure advisory => MGA4TOO has_procedure
Advisory in svn updated.
Testing MGA4 x64 Used the excellent procedure (thanks again Claire) in: https://bugs.mageia.org/show_bug.cgi?id=13521#c2 I did not have nor install dnsmasq. The 'service' commands are now: # systemctl start pdns.service [or stop] # systemctl status -l pdns.service # systemctl start pdns-recursor.service [or stop] # systemctl status -l pdns-recursor.service I could not see the port number 53 or 5300 in either of the 'status -l' outputs, so changed the netstat command to: # netstat -pantu | grep pdns BEFORE: Installed: pdns-recursor-3.6.3-1.mga4 pdns-3.3.2-1.mga4 The output was as shown in the procedure, with the interesting caveat that both 'status' outputs included the line "PowerDNS Security Update Mandatory: Upgrade now, see https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/" # netstat -pantu | grep pdns tcp 0 0 127.0.0.1:5300 0.0.0.0:* LISTEN 16598/pdns_recursor tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 14435/pdns_server-i udp 0 0 0.0.0.0:53 0.0.0.0:* 14435/pdns_server-i udp 0 0 127.0.0.1:5300 0.0.0.0:* 16598/pdns_recursor $ dig mageia.org @127.0.0.1 -p 53 ; <<>> DiG 9.9.7-P1 <<>> mageia.org @127.0.0.1 -p 53 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 7042 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 2800 ;; QUESTION SECTION: ;mageia.org. IN A ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Llu Gor 20 21:14:28 CEST 2015 ;; MSG SIZE rcvd: 39 $ dig mageia.org @127.0.0.1 -p 5300 ; <<>> DiG 9.9.7-P1 <<>> mageia.org @127.0.0.1 -p 5300 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53323 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;mageia.org. IN A ;; ANSWER SECTION: mageia.org. 1800 IN A 217.70.188.116 ;; Query time: 623 msec ;; SERVER: 127.0.0.1#5300(127.0.0.1) ;; WHEN: Llu Gor 20 21:15:02 CEST 2015 ;; MSG SIZE rcvd: 44 Stopped both services. AFTER: Updated from Updates Testing to: pdns-recursor-3.6.4-1.mga4 pdns-3.3.3-1.mga4 Re-started both services, repeated the procedure: # systemctl start pdns.service # systemctl status -l pdns.service # systemctl start pdns-recursor.service # systemctl status -l pdns-recursor.service This time the update warning was *not* present in the 'status -l' outputs. # netstat -pantu | grep pdns $ dig mageia.org @127.0.0.1 -p 53 $ dig mageia.org @127.0.0.1 -p 5300 The outputs from these commands was essentially identical to previously. Update deemed OK.
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure MGA4-64-OKCC: (none) => lewyssmith
OpenSuSE has issued an advisory for this today (July 22): http://lists.opensuse.org/opensuse-updates/2015-07/msg00049.html
Summary: pdns, pdns-recursor incomplete fix for security issue CVE-2015-1868 => pdns, pdns-recursor incomplete fix for security issue CVE-2015-1868 (CVE-2015-5470)URL: http://lwn.net/Vulnerabilities/641758/ => http://lwn.net/Vulnerabilities/652011/
Reference from comment 7 added to advisory in svn.
Whiteboard: MGA4TOO has_procedure MGA4-64-OK => MGA4TOO has_procedure MGA4-64-OK advisory
MGA-32 on Acer D620 Xfce. Installed new packages on system without previous versions of pdns. Confirm outputs of test commands as per Comment 6 above, so OK for me.
CC: (none) => herman.viaeneWhiteboard: MGA4TOO has_procedure MGA4-64-OK advisory => MGA4TOO has_procedure MGA4-64-OK advisory MGA4-32-OK
Testing complete mga5 64 Noted the update removes the message about a mandatory upgrade in the service status.
Whiteboard: MGA4TOO has_procedure MGA4-64-OK advisory MGA4-32-OK => MGA4TOO has_procedure MGA4-64-OK advisory MGA4-32-OK mga5-64-ok
Validating. Please push for mga4 & 5. Thanks
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0301.html
Status: NEW => RESOLVEDResolution: (none) => FIXED