Fedora has issued an advisory on August 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WTT7ILQWU5FKY4GLFZV4V7B4VEUXETKL/

This is a very minor issue. I've pushed the fix in Cauldron and committed the fix in Mageia 5 SVN.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Upstream has issued an advisory today (September 9):
https://doc.powerdns.com/md/security/powerdns-advisory-2016-01/

That (and CVE-2016-6172) are fixed in 3.4.10, currently awaiting a freeze push in Cauldron. The patch for 3.3.3 in Mageia 5 is committed and will be pushed and built soon.
Summary: pdns new security issue CVE-2016-6172 => pdns new security issues CVE-2016-6172, CVE-2016-5426, and CVE-2016-5427
Severity: normal => major
Patched package uploaded for Mageia 5.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=13521#c2

Advisory:
========================

Updated pdns packages fix security vulnerabilities:

PowerDNS Authoritative Server accepts queries with a qname's length larger than 255 bytes (CVE-2016-5426).

PowerDNS Authoritative Server does not properly handle dot inside labels (CVE-2016-5427).

These issues allow a remote, unauthenticated attacker to cause an abnormal load on the PowerDNS backend by sending crafted DNS queries, which might result in a partial denial of service if the backend becomes overloaded.

It was found that PowerDNS does not implement reasonable restrictions for zone sizes. This allows an explicitly configured primary DNS server for a zone to crash a secondary DNS server, affecting service of other zones hosted on the same secondary server (CVE-2016-6172).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5426
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6172
https://doc.powerdns.com/md/security/powerdns-advisory-2016-01/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WTT7ILQWU5FKY4GLFZV4V7B4VEUXETKL/
========================

Updated packages in core/updates_testing:
========================
pdns-3.3.3-1.2.mga5
pdns-backend-pipe-3.3.3-1.2.mga5
pdns-backend-mysql-3.3.3-1.2.mga5
pdns-backend-pgsql-3.3.3-1.2.mga5
pdns-backend-ldap-3.3.3-1.2.mga5
pdns-backend-sqlite-3.3.3-1.2.mga5
pdns-backend-geo-3.3.3-1.2.mga5

from pdns-3.3.3-1.2.mga5.src.rpm
Assignee: pkg-bugs => qa-bugs
Whiteboard: (none) => has_procedure
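Added example, not part of any comment in this report and not PowerDNS code: a minimal Python check of the two RFC 1035 name rules that the advisory text for CVE-2016-5426 and CVE-2016-5427 turns on, namely the 255-octet limit on a query name and the need to escape a dot that sits inside a label. All function names and the sample inputs are constructed for illustration.

```python
MAX_NAME_OCTETS = 255    # RFC 1035 2.3.4: whole name, length octets included
MAX_LABEL_OCTETS = 63    # RFC 1035 2.3.4: a single label

class QnameError(ValueError):
    """A wire-format name that breaks the RFC 1035 size rules."""

def escape_label(label):
    """Presentation form of one label; '.' and '\\' inside it are escaped."""
    out = []
    for b in label:
        if b in (0x2E, 0x5C):            # literal dot or backslash in the label
            out.append("\\" + chr(b))
        elif 0x21 <= b <= 0x7E:          # printable ASCII passes through
            out.append(chr(b))
        else:                            # everything else as \DDD
            out.append("\\%03d" % b)
    return "".join(out)

def parse_qname(wire, offset=0):
    """Parse an uncompressed name; return (presentation form, octets used)."""
    labels, pos = [], offset
    while True:
        if pos >= len(wire):
            raise QnameError("truncated name")
        length = wire[pos]
        pos += 1
        if length == 0:                  # root label ends the name
            break
        if length > MAX_LABEL_OCTETS:
            raise QnameError("label over 63 octets or compression pointer")
        if pos + length > len(wire):
            raise QnameError("truncated label")
        labels.append(escape_label(wire[pos:pos + length]))
        pos += length
        if pos - offset + 1 > MAX_NAME_OCTETS:   # +1: root octet still to come
            raise QnameError("name over 255 octets")
    return ".".join(labels) + ".", pos - offset

def qname_verdict(wire):
    """'ok' or the rejection reason, for the constructed samples below."""
    try:
        parse_qname(wire)
        return "ok"
    except QnameError as exc:
        return str(exc)

def encode(labels):
    """Build constructed sample input: length-prefixed labels plus root."""
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

# Constructed samples (not captured traffic)
DOTTED = encode([b"a.b", b"example", b"org"])       # 3 labels, first holds a dot
AT_LIMIT = encode([b"x" * 63] * 3 + [b"y" * 61])    # exactly 255 octets
TOO_LONG = encode([b"x" * 63] * 3 + [b"y" * 62])    # 256 octets
```

Without the escaping step, DOTTED would print as the four-label name a.b.example.org. and could no longer be told apart from it when the name is used as a lookup key.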
LWN reference for CVE-2016-5426 and CVE-2016-5427:
http://lwn.net/Vulnerabilities/700386/

Debian has issued an advisory for this on September 10:
https://www.debian.org/security/2016/dsa-3664
Testing MGA5 x64 real hardware.
Using my earlier test sequence https://bugs.mageia.org/show_bug.cgi?id=16320#c6 (an update of that given in Comment 3).

I had none of the 'backends' installed. Nor initially pdns-recursor, which I suspect is unnecessary for this test; but I installed it for compatibility with the procedure.

BEFORE update:
# systemctl stop dnsmasq.service
# systemctl start pdns.service
# systemctl status -l pdns.service [for confirmation; quite a lot of output]
# systemctl start pdns-recursor.service [doubt if needed]
# systemctl status -l pdns-recursor.service [for confirmation; quite a lot of output]
# netstat -pantu | grep pdns
tcp 0 0 127.0.0.1:2000 0.0.0.0:* LISTEN 2025/pdns_server-in
tcp 0 0 127.0.0.1:5300 0.0.0.0:* LISTEN 24536/pdns_recursor
udp 0 0 127.0.0.1:5300 0.0.0.0:* 24536/pdns_recursor
udp 0 0 127.0.0.1:2000 0.0.0.0:* 2025/pdns_server-in

In the following 'dig' commands, I used the 2000 then 5300 parameters.

# dig mageia.org @127.0.0.1 -p 2000
; <<>> DiG 9.10.3-P4 <<>> mageia.org @127.0.0.1 -p 2000
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 58576
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 2800
;; QUESTION SECTION:
;mageia.org. IN A
;; Query time: 1 msec
;; SERVER: 127.0.0.1#2000(127.0.0.1)
;; WHEN: Sul Med 18 21:51:35 CEST 2016
;; MSG SIZE rcvd: 39

# dig mageia.org @127.0.0.1 -p 5300
; <<>> DiG 9.10.3-P4 <<>> mageia.org @127.0.0.1 -p 5300
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28059
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;mageia.org. IN A
;; ANSWER SECTION:
mageia.org. 1475 IN A 217.70.188.116
;; Query time: 0 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1)
;; WHEN: Sul Med 18 21:51:42 CEST 2016
;; MSG SIZE rcvd: 44

# systemctl stop pdns.service
# systemctl stop pdns-recursor.service
-------------------------------------
AFTER update to: pdns-3.3.3-1.2.mga5, during which I chose to discard rpmnew.
# systemctl start pdns.service
# systemctl status -l pdns.service [for confirmation; quite a lot of output]
# systemctl start pdns-recursor.service [doubt if needed]
# systemctl status -l pdns-recursor.service [for confirmation; quite a lot of output]
# netstat -pantu | grep pdns
O/P essentially the same, except re 2000: 2025 -> 423, re 5300: 24536 -> 3153
# dig mageia.org @127.0.0.1 -p 2000
O/P essentially identical.
# dig mageia.org @127.0.0.1 -p 5300
O/P essentially the same, except re id 28059 -> 63683, in ANSWER 14715 -> 1800
# systemctl stop pdns.service
# systemctl stop pdns-recursor.service
# systemctl start dnsmasq.service

This update looks OK.
CC: (none) => lewyssmith
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0324.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED