Debian has issued an advisory on January 13: https://www.debian.org/security/2017/dsa-3764 Upstream has published details today (January 15): http://openwall.com/lists/oss-security/2017/01/15/2 Patches can be obtained from a link in the message above.
Patched package uploaded for Mageia 5. Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13521#c2 Advisory: ======================== Updated pdns packages fix security vulnerabilities: Mathieu Lafon discovered that pdns does not properly validate records in zones. An authorized user can take advantage of this flaw to crash server by inserting a specially crafted record in a zone under their control and then sending a DNS query for that record (CVE-2016-2120). Florian Heinz and Martin Kluge reported that pdns parses all records present in a query regardless of whether they are needed or even legitimate, allowing a remote, unauthenticated attacker to cause an abnormal CPU usage load on the pdns server, resulting in a partial denial of service if the system becomes overloaded (CVE-2016-7068). Mongo discovered that the webserver in pdns is susceptible to a denial-of-service vulnerability. A remote, unauthenticated attacker to cause a denial of service by opening a large number of f TCP connections to the web server (CVE-2016-7072). Mongo discovered that pdns does not sufficiently validate TSIG signatures, allowing an attacker in position of man-in-the-middle to alter the content of an AXFR (CVE-2016-7073, CVE-2016-7074). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2120 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7068 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7072 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7073 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7074 https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/md/security/powerdns-advisory-2016-05/ https://www.debian.org/security/2017/dsa-3764 ======================== Updated packages in core/updates_testing: ======================== pdns-3.3.3-1.3.mga5 pdns-backend-pipe-3.3.3-1.3.mga5 pdns-backend-mysql-3.3.3-1.3.mga5 pdns-backend-pgsql-3.3.3-1.3.mga5 pdns-backend-ldap-3.3.3-1.3.mga5 pdns-backend-sqlite-3.3.3-1.3.mga5 pdns-backend-geo-3.3.3-1.3.mga5 from pdns-3.3.3-1.3.mga5.src.rpm
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure
URL: (none) => https://lwn.net/Vulnerabilities/711776/
Testing M5_64 Already had this installed & tested, so straight to update: pdns-recursor-3.6.4-1.1.mga5 pdns-3.3.3-1.3.mga5 Using https://bugs.mageia.org/show_bug.cgi?id=13521#c2 with some qualifications: # systemctl stop dnsmasq [but it was not loaded] # systemctl start pdns # systemctl start pdns-recursor # systemctl -l status pdns ... UDP server bound to 127.0.0.1:2000 [NOT 53] TCP server bound to 127.0.0.1:2000 [NOT 53] ... ]# netstat -pantu | grep pdns tcp 0 0 127.0.0.1:2000 0.0.0.0:* LISTEN 30019/pdns_server-i tcp 0 0 127.0.0.1:5300 0.0.0.0:* LISTEN 30486/pdns_recursor udp 0 0 127.0.0.1:5300 0.0.0.0:* 30486/pdns_recursor udp 0 0 127.0.0.1:2000 0.0.0.0:* 30019/pdns_server-i For pdns -------- $ dig mageia.org @127.0.0.1 -p 2000 ; <<>> DiG 9.10.3-P4 <<>> mageia.org @127.0.0.1 -p 2000 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 17102 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 2800 ;; QUESTION SECTION: ;mageia.org. IN A ;; Query time: 1 msec ;; SERVER: 127.0.0.1#2000(127.0.0.1) ;; WHEN: Sul Ion 22 21:04:29 CET 2017 ;; MSG SIZE rcvd: 39 Which accords with the given test result. OK.
Whiteboard: has_procedure => has_procedure MGA5-64-OKCC: (none) => lewyssmith
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
Testing on i586 virtualbox. Installed all the pre-update packages and pdns-recursor. Followed the recipe in comment 2. dnsmasq was not running. systemctl -l status pdns รข pdns.service - PowerDNS Authoritative Server Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled) Active: active (running) since Wed 2017-02-01 18:09:53 GMT; 2min 1s ago ................................................ Feb 01 18:09:53 localhost pdns[10071]: Listening on controlsocket in '/run/powerdns/pdns.controlsocket' Feb 01 18:09:53 localhost pdns[10073]: Guardian is launching an instance Feb 01 18:09:53 localhost pdns[10073]: Reading random entropy from '/dev/urandom' Feb 01 18:09:53 localhost pdns[10073]: This is a guarded instance of pdns Feb 01 18:09:53 localhost pdns[10073]: UDP server bound to 0.0.0.0:53 Feb 01 18:09:53 localhost pdns[10073]: TCP server bound to 0.0.0.0:53 # netstat -pantu | grep pdns tcp 0 0 127.0.0.1:5300 0.0.0.0:* LISTEN 10096/pdns_recursor tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 10073/pdns_server-i udp 0 0 0.0.0.0:53 0.0.0.0:* 10073/pdns_server-i udp 0 0 127.0.0.1:5300 0.0.0.0:* 10096/pdns_recursor $ dig mageia.org @127.0.0.1 -p 53 ; <<>> DiG 9.10.3-P4 <<>> mageia.org @127.0.0.1 -p 53 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55651 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 2800 ;; QUESTION SECTION: ;mageia.org. IN A ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Wed Feb 01 18:20:05 GMT 2017 ;; MSG SIZE rcvd: 39 $ dig mageia.org @127.0.0.1 -p 5300 ; <<>> DiG 9.10.3-P4 <<>> mageia.org @127.0.0.1 -p 5300 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24658 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;mageia.org. IN A ;; ANSWER SECTION: mageia.org. 1800 IN A 217.70.188.116 ;; Query time: 140 msec ;; SERVER: 127.0.0.1#5300(127.0.0.1) ;; WHEN: Wed Feb 01 18:23:27 GMT 2017 ;; MSG SIZE rcvd: 44 This agrees with the output posted by Claire and Lewis.
CC: (none) => tarazed25
Updated the seven packages but left pdns-recursor alone. Restarted the pdns and pdns-recursor services and followed the earlier procedure from comment 2. UDP and TCP servers bound to port 53 # netstat -pantu | grep pdns tcp 0 0 127.0.0.1:5300 0.0.0.0:* LISTEN 11405/pdns_recursor tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 11381/pdns_server-i udp 0 0 0.0.0.0:53 0.0.0.0:* 11381/pdns_server-i udp 0 0 127.0.0.1:5300 0.0.0.0:* 11405/pdns_recursor The commands $ dig mageia.org @127.0.0.1 -p 53 and $ dig mageia.org @127.0.0.1 -p 5300 received the same information as before so all looks OK.
Whiteboard: has_procedure MGA5-64-OK advisory => has_procedure MGA5-64-OK advisory MGA5-32-OK
CC: (none) => sysadmin-bugsKeywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0033.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED