Bug 23814 - pdns new security issues CVE-2018-10851, CVE-2018-14626
Summary: pdns new security issues CVE-2018-10851, CVE-2018-14626
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2018-11-07 11:14 CET by David Walser
Modified: 2019-01-05 19:31 CET (History)
4 users (show)

See Also:
Source RPM: pdns-4.1.4-2.mga7.src.rpm
Status comment:


Description David Walser 2018-11-07 11:14:09 CET
Advisories have been issued on November 6:

The issues are fixed upstream in 4.1.5 and 4.0.6.

Mageia 6 is also affected.
David Walser 2018-11-07 11:14:21 CET

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-11-20 23:49:54 CET
Fedora has issued an advisory for this on November 16:
Comment 2 David Walser 2019-01-01 02:01:50 CET
pdns-4.1.5-1.mga7 uploaded for Cauldron.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 3 David Walser 2019-01-01 20:54:26 CET

Updated pdns packages fix security vulnerabilities:

A vulnerability was in found in PowerDNS Authoritative Server. The issue is a
memory leak occurring while parsing some malformed records, due to the fact
that some memory is allocated parsing a record and is not always properly
released if the record is not valid. It allows an authorized user to cause a
denial of service by inserting specially crafted records in a zone under their
control, then sending DNS queries for that zone (CVE-2018-10851).

An issue has been found in PowerDNS Authoritative Server allowing a remote
user to craft a DNS query that will cause an answer without DNSSEC records to
be inserted into the packet cache and be returned to clients asking for DNSSEC
records, thus hiding the presence of DNSSEC signatures for a specific qname and
qtype. For a DNSSEC-signed domain, this means that DNSSEC validating clients
will consider the answer to be bogus until it expires from the packet cache,
leading to a denial of service (CVE-2018-14626).


Updated packages in core/updates_testing:

from pdns-4.1.5-1.mga6.src.rpm

Assignee: mitya => qa-bugs
CC: (none) => mitya

Comment 4 Herman Viaene 2019-01-02 15:34:59 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Installed pdns over previous 4.1.2 installation, but cann't get pdns starting: Unable to acquire TCPv6 socket.
This issue has been reported on previous update bugs, but none of the checks in those resolve the problem now: there is no dnsmasq or named or pdns_recursor running. Checking further later on.

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2019-01-03 11:08:07 CET
Googled and found https://github.com/PowerDNS/pdns/issues/4568
So as root opened /etc/powerdns/pdns.conf and added line
Comment 6 Herman Viaene 2019-01-03 11:16:07 CET
Now at CLI as root:
# systemctl start pdns
# systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled; vendor preset: enabled)
   Active: active (running) since do 2019-01-03 10:58:45 CET; 16s ago
     Docs: man:pdns_server(1)
 Main PID: 29180 (pdns_server)
   CGroup: /system.slice/pdns.service
           └─29180 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no -

jan 03 10:58:45 xxx.yyy.zzz pdns_server[29180]: UDP server bound to
jan 03 10:58:45 xxx.yyy.zzz pdns_server[29180]: TCP server bound to
jan 03 10:58:45 xxx.yyy.zzz pdns_server[29180]: PowerDNS Authoritative Server 4.1.5 (C) 2001-201
jan 03 10:58:45 xxx.yyy.zzz pdns_server[29180]: Using 32-bits mode. Built using gcc 5.5.0.
jan 03 10:58:45 xxx.yyy.zzz pdns_server[29180]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This
jan 03 10:58:45 xxx.yyy.zzz pdns_server[29180]: Polled security status of version 4.1.5 at start
jan 03 10:58:45 xxx.yyy.zzz pdns_server[29180]: Creating backend connection for TCP
jan 03 10:58:45 xxx.yyy.zzz pdns_server[29180]: About to create 3 backend threads for UDP
jan 03 10:58:45 xxx.yyy.zzz systemd[1]: Started PowerDNS Authoritative Server.
jan 03 10:58:46 xxx.yyy.zzz pdns_server[29180]: Done launching threads, ready to distribute ques
# netstat -pantu | grep pdns
tcp        0      0    *               LISTEN      29180/pdns_server   
udp        0      0    *                           29180/pdns_server 
Ref bug 20126 Comment 3
$ dig mageia.org @

; <<>> DiG 9.10.8-P1 <<>> mageia.org @
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 50081
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

; EDNS: version: 0, flags:; udp: 1680
;mageia.org.			IN	A

;; Query time: 205 msec
;; WHEN: do jan 03 11:03:04 CET 2019
;; MSG SIZE  rcvd: 39

Seems OK to me.

Whiteboard: (none) => MGA6-32-OK

Comment 7 Lewis Smith 2019-01-03 20:21:41 CET
Thanks Herman for your detective work. Validating, advisory from comment3.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 8 Mageia Robot 2019-01-05 19:31:48 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.