Upstream has issued an advisory today (May 9):
http://openwall.com/lists/oss-security/2018/05/09/2
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-02.html

The issue is fixed upstream in 4.1.2.

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 4.1.2
*** Bug 23040 has been marked as a duplicate of this bug. ***
CC: (none) => mitya
Release announcement:
https://blog.powerdns.com/2018/05/08/authoritative-server-4-1-2-released/

Dmitry already built this update, but I missed it.

pdns-4.1.2-1.mga6

from pdns-4.1.2-1.mga6.src.rpm
Version: Cauldron => 6
Status comment: Fixed upstream in 4.1.2 => (none)
Assignee: mitya => qa-bugs
Whiteboard: MGA6TOO => (none)
https://bugs.mageia.org/show_bug.cgi?id=20126#c2 gives a test procedure.

BEFORE update: pdns-4.1.0-1.mga6 (+ pdns-recursor-4.1.0-1.mga6)
But I cannot get pdns to work at all (even after re-installing it):

# systemctl start pdns
Job for pdns.service failed because the control process exited with error code.
# systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Sul 2018-05-20
     Docs: man:pdns_server(1)
           man:pdns_control(1)
           https://doc.powerdns.com
  Process: 15825 ExecStart=/usr/sbin/pdns_server --guardian=no --daemon=no --
 Main PID: 15825 (code=exited, status=1/FAILURE)

Mai 20 08:34:48 localhost.localdomain systemd[1]: pdns.service: Main process exited, code=exited, status=1/FAILURE
Mai 20 08:34:48 localhost.localdomain systemd[1]: Failed to start PowerDNS Authoritative Server.
Mai 20 08:34:48 localhost.localdomain systemd[1]: pdns.service: Unit entered failed state.
Mai 20 08:34:48 localhost.localdomain systemd[1]: pdns.service: Failed with result 'exit-code'.

I cannot hence test this (yet). Am asking on qa-discuss.
@David: advisory please; otherwise I can make one up from the info in the bug.
CC: (none) => lewyssmith
Advisory:
========================

Updated pdns package fixes security vulnerability:

A stack-based buffer overflow in the dnsreplay tool occurring when replaying a specially crafted PCAP file with the `--ecs-stamp` option enabled, leading to a denial of service or potentially arbitrary code execution (CVE-2018-1046).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1046
http://openwall.com/lists/oss-security/2018/05/09/2
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2018-02.html
https://blog.powerdns.com/2018/05/08/authoritative-server-4-1-2-released/
(In reply to Lewis Smith from comment #3)

Lewis,

Maybe you've got a stale config file from a previous install (with some obsolete/invalid option). Could you please try to uninstall pdns, remove /etc/powerdns completely and reinstall?

If that doesn't help, please show us what "systemctl status pdns" and "journalctl -u pdns" say.

Thanks!
@Dimitrri : thanks for your interest.

> uninstall pdns
# urpme pdns
wrthi'n tynnu pdns-4.1.0-1.mga6.x86_64 ...

> remove /etc/powerdns completely
# rm -rf /etc/powerdns
# ls -l /etc/powerdns
ls: cannot access '/etc/powerdns': No such file or directory

> reinstall
# urpmi pdns
$MIRRORLIST: media/core/updates/pdns-4.1.0-1.mga6.x86_64.rpm
wrthi'n gosod pdns-4.1.0-1.mga6.x86_64.rpm o /var/cache/urpmi/rpms ...
----------------------------------------------------------------------
Recursion was removed from the PowerDNS Authoritative Server in
version 4.1.0. Please consult the docs for migration options:
https://doc.powerdns.com/authoritative/guides/recursion.html
----------------------------------------------------------------------
-------------------------
# systemctl stop dnsmasq
Failed to stop dnsmasq.service: Unit dnsmasq.service not loaded.
# systemctl start pdns
Job for pdns.service failed because the control process exited with error code.
See "systemctl status pdns.service" and "journalctl -xe" for details.
# systemctl -l status pdns.service
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Sul 2018-05-20 20:09:16 CEST; 106ms ago
     Docs: man:pdns_server(1)
           man:pdns_control(1)
           https://doc.powerdns.com
  Process: 14495 ExecStart=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no (code=exited, status=1/FAIURE)L
 Main PID: 14495 (code=exited, status=1/FAILURE)

Mai 20 20:09:17 localhost.localdomain systemd[1]: Starting PowerDNS Authoritative Server...
Mai 20 20:09:18 localhost.localdomain pdns_server[14502]: Reading random entropy from '/dev/urandom'
Mai 20 20:09:18 localhost.localdomain pdns_server[14502]: This is a standalone pdns
Mai 20 20:09:18 localhost.localdomain pdns_server[14502]: Listening on controlsocket in '/run/powerdns/pdns.controlsocket'
Mai 20 20:09:18 localhost.localdomain pdns_server[14502]: Unable to bind UDP socket
Mai 20 20:09:18 localhost.localdomain pdns_server[14502]: Fatal error: Unable to bind to UDP socket
Mai 20 20:09:18 localhost.localdomain systemd[1]: pdns.service: Main process exited, code=exited, status=1/FAILURE
Mai 20 20:09:18 localhost.localdomain systemd[1]: Failed to start PowerDNS Authoritative Server.
Mai 20 20:09:18 localhost.localdomain systemd[1]: pdns.service: Unit entered failed state.
Mai 20 20:09:18 localhost.localdomain systemd[1]: pdns.service: Failed with result 'exit-code'.
Mai 20 20:09:19 localhost.localdomain systemd[1]: pdns.service: Service hold-off time over, scheduling restart.
Mai 20 20:09:19 localhost.localdomain systemd[1]: Stopped PowerDNS Authoritative Server.
Mai 20 20:09:19 localhost.localdomain systemd[1]: Starting PowerDNS Authoritative Server...
Mai 20 20:09:19 localhost.localdomain pdns_server[14507]: Reading random entropy from '/dev/urandom'
Mai 20 20:09:19 localhost.localdomain pdns_server[14507]: This is a standalone pdns
Mai 20 20:09:19 localhost.localdomain pdns_server[14507]: Listening on controlsocket in '/run/powerdns/pdns.controlsocket'
Mai 20 20:09:19 localhost.localdomain pdns_server[14507]: Unable to bind UDP socket to '0.0.0.0:53': Address already in use
Mai 20 20:09:19 localhost.localdomain pdns_server[14507]: Fatal error: Unable to bind to UDP socket
Mai 20 20:09:19 localhost.localdomain systemd[1]: pdns.service: Main process exited, code=exited, status=1/FAILURE
repeated.
---------------------
# journalctl -u pdns
[without leading date, time, localhost.localdomain]
systemd[1]: Stopped PowerDNS Authoritative Server.
systemd[1]: Starting PowerDNS Authoritative Server...
systemd[1]: pdns.service: Main process exited, code=exited, status=1/FAILURE
pdns_server[2579]: Reading random entropy from '/dev/urandom'
pdns_server[2579]: This is a standalone pdns
pdns_server[2579]: Listening on controlsocket in '/run/powerdns/pdns.controls
pdns_server[2579]: Unable to bind UDP socket to '0.0.0.0:53': Address already
pdns_server[2579]: Fatal error: Unable to bind to UDP socket
systemd[1]: Failed to start PowerDNS Authoritative Server.
systemd[1]: pdns.service: Unit entered failed state.
systemd[1]: pdns.service: Failed with result 'exit-code'.
systemd[1]: pdns.service: Service hold-off time over, scheduling restart.
systemd[1]: Stopped PowerDNS Authoritative Server.
systemd[1]: Starting PowerDNS Authoritative Server...
pdns_server[2586]: Reading random entropy from '/dev/urandom'
pdns_server[2586]: This is a standalone pdns
pdns_server[2586]: Listening on controlsocket in '/run/powerdns/pdns.controls
pdns_server[2586]: Unable to bind UDP socket to '0.0.0.0:53': Address already
pdns_server[2586]: Fatal error: Unable to bind to UDP socket
systemd[1]: pdns.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: Failed to start PowerDNS Authoritative Server.
systemd[1]: pdns.service: Unit entered failed state.
systemd[1]: pdns.service: Failed with result 'exit-code'.
systemd[1]: pdns.service: Service hold-off time over, scheduling restart.
systemd[1]: Stopped PowerDNS Authoritative Server.
repeated.

Hope this helps.
MGA6-32 on IBM Thinkpad R50e Xfce
No installation issues.
pdns was not installed before in this laptop.

# systemctl start pdns
# systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled; vendor preset: enabled)
   Active: active (running) since ma 2018-05-21 16:13:41 CEST; 20s ago
     Docs: man:pdns_server(1)
           man:pdns_control(1)
           https://doc.powerdns.com
 Main PID: 21319 (pdns_server)
   CGroup: /system.slice/pdns.service
           └─21319 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no

mei 21 16:13:39 xxx.yyy.zzz pdns_server[21319]: TCP server bound to 0.0.0.0:53
mei 21 16:13:39 xxx.yyy.zzz pdns_server[21319]: TCPv6 server bound to [::]:53
mei 21 16:13:39 xxx.yyy.zzz pdns_server[21319]: PowerDNS Authoritative Server 4.1.2 (C) 2001-20
mei 21 16:13:39 xxx.yyy.zzz pdns_server[21319]: Using 32-bits mode. Built using gcc 5.4.0.
mei 21 16:13:39 xxx.yyy.zzz pdns_server[21319]: PowerDNS comes with ABSOLUTELY NO WARRANTY. Thi
mei 21 16:13:41 xxx.yyy.zzz pdns_server[21319]: Polled security status of version 4.1.2 at star
mei 21 16:13:41 xxx.yyy.zzz pdns_server[21319]: Creating backend connection for TCP
mei 21 16:13:41 xxx.yyy.zzz pdns_server[21319]: About to create 3 backend threads for UDP
mei 21 16:13:41 xxx.yyy.zzz systemd[1]: Started PowerDNS Authoritative Server.
mei 21 16:13:41 xxx.yyy.zzz pdns_server[21319]: Done launching threads, ready to distribute que

And referring to bug 20126 Comment 3:

$ dig mageia.org @127.0.0.1 -p 53

; <<>> DiG 9.10.6-P1 <<>> mageia.org @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 56058
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;mageia.org.			IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: ma mei 21 16:24:32 CEST 2018
;; MSG SIZE rcvd: 39

Seems OK to me.

@ Lewis: did you remove this /run/powerdns/pdns.controls when you uninstalled the previous version?
CC: (none) => herman.viaene
(In reply to Lewis Smith from comment #7)

Lewis,

Seems like your port 53 is already bound by another process, which prevents pdns from starting. You can determine the process by running the following command:

netstat -tuln | grep ":53"

and then terminate the process and try starting pdns again.
(In reply to Dimitri Jakov from comment #9)
> Seems like your port 53 is already bound by another process, which prevents
> pdns from starting. You can determine the process by running the following
> command:
> netstat -tuln | grep ":53"
> and then terminate the process and try starting pdns again.

# netstat -tuln | grep ":53"
tcp        0      0 127.0.0.1:53     0.0.0.0:*     LISTEN
tcp6       0      0 ::1:53           :::*          LISTEN
udp        0      0 127.0.0.1:53     0.0.0.0:*
udp6       0      0 ::1:53           :::*

Looks a bit radical to kill tcp & udp! Do not know why they have port 53.

# ps -ax | grep tcp
 1782 tty1     Ssl+   0:21 /usr/libexec/Xorg -nolisten tcp -auth /var/run/sdd
# ps -ax | grep udp
#

From Herman:
> did you remove this /run/powerdns/pdns.controls when you uninstalled
> the previous version?

I did not, but...

# ls -l /run/powerdns/pdns.controls
ls: cannot access '/run/powerdns/pdns.controls': No such file or directory

both before & after trying to start pdns. However:

# ls -l /run/powerdns/*
srw-rw---- 1 root powerdns 0 Mai 21 19:15 /run/powerdns/pdns.controlsocket=

Deleting that had no effect - it gets re-created when next starting pdns.
===================================================================
Re-running the whole lot, abbreviated where O/P same as before:

# systemctl stop pdns
# urpme pdns
# rm -rf /etc/powerdns
# rm -rf /run/powerdns/
# urpmi pdns
# rpm -q pdns
pdns-4.1.0-1.mga6
# netstat -tuln | grep ":53"
(again tcp[6] LISTEN, & udp[6])
# systemctl start pdns
Job for pdns.service failed because the control process exited with error code.

Still blocked!
You need to add a p to your netstat options for it to tell you which process has the socket. Run it as root.
Thanks; before starting pdns:

# netstat -ptuln | grep ":53"
tcp        0      0 127.0.0.1:53     0.0.0.0:*     LISTEN      1426/pdns_recursor
tcp6       0      0 ::1:53           :::*          LISTEN      1602/named
udp        0      0 127.0.0.1:53     0.0.0.0:*                 1426/pdns_recursor
udp6       0      0 ::1:53           :::*                      1602/named
-----------
# systemctl stop pdns_recursor
Failed to stop pdns_recursor.service: Unit pdns_recursor.service not loaded.

Using MCC-System-Services, pdns was already stopped, pdns-recursor shown running; both to start at startup. Stopped pdns-recursor.

# systemctl start pdns
Job for pdns.service failed because the control process exited with error code.
# netstat -ptuln | grep ":53 "
tcp6       0      0 ::1:53           :::*          LISTEN      1602/named
udp6       0      0 ::1:53           :::*                      1602/named
# systemctl status pdns
usual O/P as previously.

Uninstalled, cleaned up, re-installed pdns as in c10.
"Recursion was removed from the PowerDNS Authoritative Server in version 4.1.0"
Does that have a bearing?

# systemctl status pdns
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled; vendor preset:
   Active: inactive (dead) (Result: exit-code) since Mer 2018-05-23 09:14:35 CES
     Docs: man:pdns_server(1)
           man:pdns_control(1)
           https://doc.powerdns.com
 Main PID: 12422 (code=exited, status=1/FAILURE)

Mai 23 09:14:34 localhost.localdomain systemd[1]: pdns.service: Main process exi
Mai 23 09:14:34 localhost.localdomain systemd[1]: Failed to start PowerDNS Autho
Mai 23 09:14:34 localhost.localdomain systemd[1]: pdns.service: Unit entered fai
Mai 23 09:14:34 localhost.localdomain systemd[1]: pdns.service: Failed with resu
Mai 23 09:14:35 localhost.localdomain systemd[1]: Stopped PowerDNS Authoritative

so it was started in principle at installation. And because pdns-recursor was not running,

# netstat -ptuln | grep ":53 "

showed just tcp6 & udp6 both for 'named' as above. Nothing for plain port 53.

This must be something stupidly simple. I shall ask another person to try x64.
(In reply to Lewis Smith from comment #12) Lewis, Seems like you have BIND installed, which causes port conflict. Could you please stop it with "systemctl stop named" and try pdns again?
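The diagnosis worked out in the comments above, as an added example that is not part of the original bug report: it reads `netstat -ptuln` text and names every program other than the expected one that holds a given port. The function names `port_owners` and `blockers` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample, modelled on the `netstat -ptuln` output quoted in this thread.
SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp        0      0 127.0.0.1:53     0.0.0.0:*     LISTEN      1426/pdns_recursor
tcp        0      0 0.0.0.0:22       0.0.0.0:*     LISTEN      900/sshd
tcp6       0      0 ::1:53           :::*          LISTEN      1602/named
udp        0      0 127.0.0.1:53     0.0.0.0:*                 1426/pdns_recursor
udp        0      0 0.0.0.0:5353     0.0.0.0:*                 777/avahi-daemon
udp6       0      0 ::1:53           :::*                      1602/named'

# port_owners PORT (hypothetical helper): read `netstat -ptuln` text on stdin and
# print one line per socket bound to exactly PORT: "proto local-address program".
port_owners() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            n = split(addr, parts, ":")     # port is the last ":"-separated piece,
            if (parts[n] != port) next      # so ::1:53 matches 53 and :5353 does not
            owner = $NF                     # UDP rows have no State column; PID/Program
                                            # is the last field on both kinds of row
            if (owner == "-") prog = "unknown(run-as-root)"   # -p needs root
            else { prog = owner; sub(/^[0-9]+\//, "", prog) }
            print $1, addr, prog
        }'
}

# blockers PORT EXPECTED (hypothetical helper): unique programs other than EXPECTED
# that hold PORT. As the thread shows, a listener bound only to loopback is enough
# to make a bind to 0.0.0.0:PORT fail with "Address already in use".
blockers() {
    port_owners "$1" | awk -v want="$2" '$3 != want { print $3 }' | sort -u
}

# Live use, as root:  netstat -ptuln | blockers 53 pdns_server
# On the sample:      printf '%s\n' "$SAMPLE" | blockers 53 pdns_server
```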
Dimitri - that was it! Stopped named, pdns started OK - but NOT at the same time pdns-recursor, which used to work once (now does again after update 22935).

BEFORE update: pdns-4.1.0-1.mga6

# systemctl start pdns
# systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled; vendor preset:
   Active: active (running) since Mer 2018-05-23 20:44:26 CEST; 4min 26s ago
     Docs: man:pdns_server(1)
           man:pdns_control(1)
           https://doc.powerdns.com
 Main PID: 5749 (pdns_server)
   CGroup: /system.slice/pdns.service
           └─5749 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-sysl

then just as in comment 8 (except for 64-bit)

# netstat -pantu | grep pdns
tcp        0      0 0.0.0.0:53       0.0.0.0:*     LISTEN      5749/pdns_server
tcp6       0      0 :::53            :::*          LISTEN      5749/pdns_server
udp        0      0 0.0.0.0:53       0.0.0.0:*                 5749/pdns_server
udp6       0      0 :::53            :::*                      5749/pdns_server

$ dig mageia.org @127.0.0.1 -p 53

; <<>> DiG 9.10.6-P1 <<>> mageia.org @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 12557
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;mageia.org.			IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mer Mai 23 20:51:47 CEST 2018
;; MSG SIZE rcvd: 39
=======================================
UPDATE to: pdns-4.1.2-1.mga6
which noted "recursion removed".

# systemctl start pdns
# systemctl -l status pdns
as before except for process numbers.
# netstat -pantu | grep pdns
as before except for process numbers.
$ dig mageia.org @127.0.0.1 -p 53
identical to before except for id number.

Update looks 64-bit OK. Adding a 32-bit OK for Herman c8.
Advisory from comment 5 + RPMs page.
Whiteboard: (none) => MGA6-64-OK MGA6-32-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0255.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED