openSUSE has issued an advisory on April 16:
https://lists.opensuse.org/opensuse-updates/2018-04/msg00033.html

The issue was fixed upstream in 4.1.1.

Upstream advisory:
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Hi Dmitry, I see you're working on this. There's a 4.1.2 bugfix release upstream, so I recommend updating to that as openSUSE did.
Status comment: (none) => Fixed upstream in 4.1.1
pdns-recursor-4.1.2-1.mga7 uploaded for Cauldron by Dmitry, fixing this. However, it needs to be rebuilt so its release tag is at least as high as the package just pushed for Mageia 6, which is: pdns-recursor-4.1.2-3.mga6
Version: Cauldron => 6
Status comment: Fixed upstream in 4.1.1 => (none)
Whiteboard: MGA6TOO => (none)
Release announcement: https://blog.powerdns.com/2018/03/29/powerdns-recursor-4-1-2-released/
(In reply to David Walser from comment #2)
> pdns-recursor-4.1.2-1.mga7 uploaded for Cauldron by Dmitry, fixing this.
> However it needs to be rebuilt so its release tag is at least as high as
> the package just pushed for Mageia 6, which is:
> pdns-recursor-4.1.2-3.mga6

Done. (reassign to QA team?)
Thanks!

Advisory:
========================

Updated pdns-recursor package fixes security vulnerability:

An issue has been found in the DNSSEC validation component of PowerDNS Recursor, allowing an ancestor delegation NSEC or NSEC3 record to be used to wrongfully prove the non-existence of a RR below the owner name of that record. This would allow an attacker in a man-in-the-middle position to send an NXDOMAIN answer for a name that does exist (CVE-2018-1000003).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000003
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html
https://blog.powerdns.com/2018/03/29/powerdns-recursor-4-1-2-released/
https://lists.opensuse.org/opensuse-updates/2018-04/msg00033.html
CC: (none) => mitya
Assignee: mitya => qa-bugs
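The advisory above describes the flaw in terms of an "ancestor delegation" NSEC/NSEC3 record. The following is an added Python example, not PowerDNS code, of the validator-side check that RFC 4035 section 5.4 and RFC 6840 section 4.1 require: an NSEC whose owner is a proper ancestor of the queried name and whose type bitmap has NS but not SOA was signed by the parent for a delegation, so it cannot deny the existence of names below that cut. The records are constructed for a hypothetical zone "example." with a delegation "sub.example."; only plain NSEC is modelled (NSEC3 applies the same rule to hashed owner names), and RRSIG verification is assumed to have happened elsewhere.

```python
"""Added example (not PowerDNS source): why an ancestor delegation NSEC must not
deny names below the delegation (RFC 4035 s5.4 / RFC 6840 s4.1), the class of
mistake CVE-2018-1000003 describes.  Records below are constructed for a
hypothetical zone "example." with a delegation "sub.example."; NSEC3 is not
modelled, only the plain-NSEC case."""
from typing import FrozenSet, NamedTuple, Tuple


class NSEC(NamedTuple):
    owner: str              # owner name of the NSEC RR
    next_name: str          # "next" field: next owner name in canonical order
    types: FrozenSet[str]   # type bitmap of the owner name


def labels(name: str) -> Tuple[bytes, ...]:
    """Labels rightmost-first, lowercased, as RFC 4034 s6.1 canonical ordering needs."""
    n = name.rstrip(".").lower()
    return tuple(lbl.encode() for lbl in reversed(n.split("."))) if n else ()


def canonical_cmp(a: str, b: str) -> int:
    """-1/0/1 for a <, ==, > b in DNSSEC canonical order."""
    la, lb = labels(a), labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def is_ancestor_of(ancestor: str, name: str) -> bool:
    """True if ancestor is a proper ancestor of name (fewer labels, common suffix)."""
    la, ln = labels(ancestor), labels(name)
    return len(la) < len(ln) and ln[: len(la)] == la


def nsec_covers(rec: NSEC, qname: str) -> bool:
    """True if qname sorts strictly between owner and next; the zone's last NSEC wraps to the apex."""
    after_owner = canonical_cmp(qname, rec.owner) > 0
    before_next = canonical_cmp(qname, rec.next_name) < 0
    if canonical_cmp(rec.next_name, rec.owner) <= 0:  # last NSEC: next is the apex
        return after_owner or before_next
    return after_owner and before_next


def is_ancestor_delegation_nsec(rec: NSEC, qname: str) -> bool:
    """An NSEC owned by a proper ancestor of qname whose bitmap has NS but not SOA
    is the parent's record for a delegation; the parent is not authoritative
    below that cut, so the record says nothing about names under it."""
    return (is_ancestor_of(rec.owner, qname)
            and "NS" in rec.types and "SOA" not in rec.types)


def proves_nonexistence(rec: NSEC, qname: str,
                        reject_ancestor_delegation: bool = True) -> Tuple[bool, str]:
    """Decide whether rec is acceptable as a proof that qname does not exist.
    reject_ancestor_delegation=False reproduces the flawed acceptance; True is the
    fixed behaviour.  Signature checking is assumed done elsewhere."""
    if not nsec_covers(rec, qname):
        return False, "qname is not in the NSEC interval"
    if reject_ancestor_delegation and is_ancestor_delegation_nsec(rec, qname):
        return False, "ancestor delegation NSEC cannot deny names below the delegation"
    return True, "NSEC covers qname"


# Constructed records for the hypothetical parent zone "example."
DELEGATION_NSEC = NSEC("sub.example.", "zzz.example.",
                       frozenset({"NS", "DS", "RRSIG", "NSEC"}))   # delegation point
LEAF_NSEC = NSEC("a.example.", "c.example.",
                 frozenset({"A", "RRSIG", "NSEC"}))                # ordinary name
LAST_NSEC = NSEC("zzz.example.", "example.",
                 frozenset({"A", "RRSIG", "NSEC"}))                # wraps to apex


if __name__ == "__main__":
    # An on-path attacker replays the parent's delegation NSEC to deny www.sub.example.
    for flag in (False, True):
        ok, why = proves_nonexistence(DELEGATION_NSEC, "www.sub.example.", flag)
        print(f"reject_ancestor_delegation={flag}: accepted={ok} ({why})")
    print(proves_nonexistence(DELEGATION_NSEC, "tub.example."))   # sibling: legitimately denied
    print(proves_nonexistence(LAST_NSEC, "zzzz.example."))        # wrap-around case
```

The interval test alone accepts the delegation NSEC for www.sub.example., because that name does sort between sub.example. and zzz.example. in canonical order; only the ancestor-delegation check rejects it. The same record still legitimately denies a sibling such as tub.example., which is why the check keys on the owner being a proper ancestor rather than refusing every NSEC with NS in its bitmap.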
Testing M6/64

BEFORE update: pdns-recursor-4.1.0-1.mga6

# systemctl stop pdns
# systemctl start pdns-recursor
# systemctl -l status pdns-recursor
● pdns-recursor.service - PowerDNS Recursor
   Loaded: loaded (/usr/lib/systemd/system/pdns-recursor.service; disabled; vend
   Active: active (running) since Mer 2018-05-23 21:16:24 CEST; 32s ago
     Docs: man:pdns_recursor(1)
           man:rec_control(1)
           https://doc.powerdns.com
 Main PID: 24611 (pdns_recursor)
   CGroup: /system.slice/pdns-recursor.service
           └─24611 /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no
ns_recursor[24611]: Listening for UDP queries on 127.0.0.1:53
ns_recursor[24611]: Enabled TCP data-ready filter for (slight) DoS protection
ns_recursor[24611]: Listening for TCP queries on 127.0.0.1:53
ns_recursor[24611]: Launching 3 threads
stemd[1]: Started PowerDNS Recursor.
ns_recursor[24611]: Done priming cache with root hints
ns_recursor[24611]: Done priming cache with root hints
ns_recursor[24611]: Done priming cache with root hints
ns_recursor[24611]: Enabled 'epoll' multiplexer
ns_recursor[24611]: PowerDNS Security Update Mandatory: Upgrade now, see https:/

# netstat -pantu | grep pdns_recursor
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      24611/pdns_recursor
udp        0      0 127.0.0.1:53            0.0.0.0:*                           24611/pdns_recursor

$ dig mageia.org @127.0.0.1 -p 53

; <<>> DiG 9.10.6-P1 <<>> mageia.org @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14259
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org.                    IN      A

;; ANSWER SECTION:
mageia.org.             1800    IN      A       163.172.148.228

;; Query time: 148 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mer Mai 23 21:22:45 CEST 2018
;; MSG SIZE  rcvd: 55

======================================

UPDATED to: pdns-recursor-4.1.2-3.mga6

# systemctl start pdns-recursor
# systemctl -l status pdns-recursor
...[as previously]
ns_recursor[345]: Enabled TCP data-ready filter for (slight) DoS protection
ns_recursor[345]: Listening for TCP queries on 127.0.0.1:5300
ns_recursor[345]: Set effective group id to 957
stemd[1]: Started PowerDNS Recursor.
ns_recursor[345]: Set effective user id to 966
ns_recursor[345]: Launching 3 threads
ns_recursor[345]: Done priming cache with root hints
ns_recursor[345]: Done priming cache with root hints
ns_recursor[345]: Done priming cache with root hints
ns_recursor[345]: Enabled 'epoll' multiplexer

Note the changed port number 53->5300 (which it used to be in the past). This enables pdns-recursor(5300) to co-exist again with pdns(53).

# netstat -pantu | grep pdns_recursor
tcp        0      0 127.0.0.1:5300          0.0.0.0:*               LISTEN      345/pdns_recursor
udp        0      0 127.0.0.1:5300          0.0.0.0:*                           345/pdns_recursor

$ dig mageia.org @127.0.0.1 -p 5300

; <<>> DiG 9.10.6-P1 <<>> mageia.org @127.0.0.1 -p 5300
...
Same as previously except for id and port number.

Update looks OK.
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0252.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED