Debian has issued an advisory on January 13: https://www.debian.org/security/2017/dsa-3763 Upstream has published details today (January 15): http://openwall.com/lists/oss-security/2017/01/15/2 Patches can be obtained from a link in the message above.
Patched package uploaded for Mageia 5. Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13521#c2 Advisory: ======================== Updated pdns-recursor package fixes security vulnerability: Florian Heinz and Martin Kluge reported that pdns-recursor parses all records present in a query regardless of whether they are needed or even legitimate, allowing a remote, unauthenticated attacker to cause an abnormal CPU usage load on the pdns server, resulting in a partial denial of service if the system becomes overloaded (CVE-2016-7068). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7068 https://doc.powerdns.com/md/security/powerdns-advisory-2016-02/ https://www.debian.org/security/2017/dsa-3763 ======================== Updated packages in core/updates_testing: ======================== pdns-recursor-3.6.4-1.1.mga5 from pdns-recursor-3.6.4-1.1.mga5.src.rpm
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure
URL: (none) => https://lwn.net/Vulnerabilities/711776/
Testing M5_64 Already had this installed & tested, so straight to update: pdns-recursor-3.6.4-1.1.mga5 pdns-3.3.3-1.3.mga5 Using https://bugs.mageia.org/show_bug.cgi?id=13521#c2 with some qualifications: # systemctl stop dnsmasq [but it was not loaded] # systemctl start pdns # systemctl start pdns-recursor # systemctl -l status pdns-recursor ... Listening for UDP queries on 127.0.0.1:5300 [Same as previously] ... Listening for TCP queries on 127.0.0.1:5300 [Same as previously] ... ]# netstat -pantu | grep pdns tcp 0 0 127.0.0.1:2000 0.0.0.0:* LISTEN 30019/pdns_server-i tcp 0 0 127.0.0.1:5300 0.0.0.0:* LISTEN 30486/pdns_recursor udp 0 0 127.0.0.1:5300 0.0.0.0:* 30486/pdns_recursor udp 0 0 127.0.0.1:2000 0.0.0.0:* 30019/pdns_server-i For pdns-recursor ---------------- $ dig mageia.org @127.0.0.1 -p 5300 ; <<>> DiG 9.10.3-P4 <<>> mageia.org @127.0.0.1 -p 5300 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54402 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;mageia.org. IN A ;; ANSWER SECTION: mageia.org. 1800 IN A 217.70.188.116 ;; Query time: 254 msec ;; SERVER: 127.0.0.1#5300(127.0.0.1) ;; WHEN: Sul Ion 22 21:05:54 CET 2017 ;; MSG SIZE rcvd: 44 Which accords with the given test result.
Whiteboard: has_procedure => has_procedure MGA5-64-OKCC: (none) => lewyssmith
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
Testing i586 version in virtualbox pdns-recursor had been tested before updating with the updated pdns server so going straight on to updating. Thought this was going to be simple, but... Restarted pdns and started pdns-recursor. # systemctl -l status pdns-recursor â pdns-recursor.service - PowerDNS recursing nameserver Loaded: loaded (/usr/lib/systemd/system/pdns-recursor.service; enabled) Active: active (running) since Wed 2017-02-01 18:23:33 GMT; 24s ago Process: 22488 ExecStart=/usr/sbin/pdns_recursor --daemon (code=exited, status=0/SUCCESS) Main PID: 22490 (pdns_recursor) CGroup: /system.slice/pdns-recursor.service ââ22490 /usr/sbin/pdns_recursor --daemon Feb 01 18:23:33 shaula pdns_recursor[22490]: Set effective user id to 975 Feb 01 18:23:33 shaula pdns_recursor[22490]: Raised soft limit on number of filedescriptors to 4096 to match max-mthreads and threads settings Feb 01 18:23:33 shaula pdns_recursor[22490]: Launching 2 threads Feb 01 18:23:33 shaula pdns_recursor[22490]: Done priming cache with root hints Feb 01 18:23:33 shaula pdns_recursor[22490]: Done priming cache with root hints Feb 01 18:23:33 shaula pdns_recursor[22490]: Enabled 'epoll' multiplexer Feb 01 18:23:33 shaula pdns_recursor[22488]: Feb 01 18:23:33 Calling daemonize, going to background Feb 01 18:23:34 shaula pdns_recursor[22490]: Refreshed . records Feb 01 18:23:34 shaula pdns_recursor[22490]: Refreshed . records Feb 01 18:23:34 shaula pdns_recursor[22490]: PowerDNS Security Update Mandatory: Patch now, see https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ # systemctl -l status pdns â pdns.service - PowerDNS Authoritative Server Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled) Active: active (running) since Wed 2017-02-01 18:23:11 GMT; 4min 16s ago Process: 22446 ExecStart=/usr/sbin/pdns_server --daemon --guardian=yes (code=exited, status=0/SUCCESS) Main PID: 22454 (pdns_server) CGroup: /system.slice/pdns.service ââ22454 /usr/sbin/pdns_server --daemon --guardian=yes ââ22457 /usr/sbin/pdns_server-instance --daemon --guardian=yes Feb 01 18:23:11 shaula pdns[22454]: Listening on controlsocket in '/run/powerdns/pdns.controlsocket' Feb 01 18:23:11 shaula pdns[22457]: Guardian is launching an instance Feb 01 18:23:11 shaula pdns[22457]: Reading random entropy from '/dev/urandom' Feb 01 18:23:11 shaula pdns[22457]: This is a guarded instance of pdns Feb 01 18:23:11 shaula pdns[22457]: UDP server bound to 0.0.0.0:53 Feb 01 18:23:11 shaula pdns[22457]: TCP server bound to 0.0.0.0:53 Feb 01 18:23:11 shaula pdns[22457]: PowerDNS Authoritative Server 3.3.3 (jenkins@autotest.powerdns.com) (C) 2001-2015 PowerDNS.COM BV Feb 01 18:23:11 shaula pdns[22457]: Using 32-bits mode. Built on 20170115181759 by iurt@ecosse.mageia.org, gcc 4.9.2. Feb 01 18:23:11 shaula pdns[22457]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2. Feb 01 18:23:11 shaula pdns[22457]: PowerDNS Security Update Mandatory: Patch now, see https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ https://doc.powerdns.com/3/security/powerdns-advi" "sory-2016-05/ Feb 01 18:23:11 shaula pdns[22457]: Creating backend connection for TCP Feb 01 18:23:11 shaula pdns[22457]: About to create 3 backend threads for UDP Feb 01 18:23:11 shaula pdns[22457]: Done launching threads, ready to distribute questions which is bizarre.
CC: (none) => tarazed25
However: # netstat -pantu | grep pdns tcp 0 0 127.0.0.1:5300 0.0.0.0:* LISTEN 22490/pdns_recursor tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 22457/pdns_server-i udp 0 0 0.0.0.0:53 0.0.0.0:* 22457/pdns_server-i udp 0 0 127.0.0.1:5300 0.0.0.0:* 22490/pdns_recursor $ dig mageia.org @127.0.0.1 -p 5300 ; <<>> DiG 9.10.3-P4 <<>> mageia.org @127.0.0.1 -p 5300 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28089 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;mageia.org. IN A ;; ANSWER SECTION: mageia.org. 1800 IN A 217.70.188.116 ;; Query time: 390 msec ;; SERVER: 127.0.0.1#5300(127.0.0.1) ;; WHEN: Wed Feb 01 19:00:31 GMT 2017 ;; MSG SIZE rcvd: 44 Maybe those "patch now" notices appeared in the previous test of pdns - not recorded. So it passes.
Whiteboard: has_procedure MGA5-64-OK advisory => has_procedure MGA5-64-OK advisory MGA5-32-OK
CC: (none) => sysadmin-bugsKeywords: (none) => validated_update
Would sysadmins please push this to core updates.
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0036.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED