Advisories have been issued today (January 21):
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-01.html
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-02.html

The issues are fixed upstream in 4.1.9.

Updated packages uploaded for Mageia 6 and Cauldron.

Advisory:
========================

Updated pdns-recursor package fixes security vulnerabilities:

An issue has been found in PowerDNS Recursor where Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly bypassing security policies enforced using Lua (CVE-2019-3806).

An issue has been found in PowerDNS Recursor where records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation (CVE-2019-3807).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3807
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-01.html
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-02.html
========================

Updated packages in core/updates_testing:
========================

pdns-recursor-4.1.9-1.mga6 from pdns-recursor-4.1.9-1.mga6.src.rpm
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues, added pdns to system.
Ref bug23815 and bug13521 for tests.

At CLI:
# systemctl stop dnsmasq
Failed to stop dnsmasq.service: Unit dnsmasq.service not loaded.
Just to make sure it does not interfere with pdns

# systemctl start pdns
# systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled; vendor preset: enabled)
   Active: active (running) since di 2019-01-22 11:48:45 CET; 15s ago
     Docs: man:pdns_server(1)
           man:pdns_control(1)
           https://doc.powerdns.com
 Main PID: 18637 (pdns_server)
   CGroup: /system.slice/pdns.service
           └─18637 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no

jan 22 11:48:45 mach6.hviaene.thuis pdns_server[18637]: TCP server bound to 0.0.0.0:53
jan 22 11:48:45 mach6.hviaene.thuis pdns_server[18637]: TCPv6 server bound to [::]:53
jan 22 11:48:45 mach6.hviaene.thuis pdns_server[18637]: PowerDNS Authoritative Server 4.1.5 (C) 2001-20
jan 22 11:48:45 mach6.hviaene.thuis pdns_server[18637]: Using 32-bits mode. Built using gcc 5.5.0.
jan 22 11:48:45 mach6.hviaene.thuis pdns_server[18637]: PowerDNS comes with ABSOLUTELY NO WARRANTY. Thi
jan 22 11:48:45 mach6.hviaene.thuis pdns_server[18637]: Polled security status of version 4.1.5 at star
jan 22 11:48:45 mach6.hviaene.thuis pdns_server[18637]: Creating backend connection for TCP
jan 22 11:48:45 mach6.hviaene.thuis pdns_server[18637]: About to create 3 backend threads for UDP
jan 22 11:48:45 mach6.hviaene.thuis systemd[1]: Started PowerDNS Authoritative Server.
jan 22 11:48:45 mach6.hviaene.thuis pdns_server[18637]: Done launching threads, ready to distribute que

# systemctl start pdns-recursor
# systemctl -l status pdns-recursor
● pdns-recursor.service - PowerDNS Recursor
   Loaded: loaded (/usr/lib/systemd/system/pdns-recursor.service; enabled; vendor preset: enabled)
   Active: active (running) since di 2019-01-22 11:50:03 CET; 13s ago
     Docs: man:pdns_recursor(1)
           man:rec_control(1)
           https://doc.powerdns.com
 Main PID: 18702 (pdns_recursor)
   CGroup: /system.slice/pdns-recursor.service
           └─18702 /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=

jan 22 11:50:03 mach6.hviaene.thuis pdns_recursor[18702]: Listening for TCP queries on 127.0.0.1:5300
jan 22 11:50:03 mach6.hviaene.thuis pdns_recursor[18702]: Set effective group id to 969
jan 22 11:50:03 mach6.hviaene.thuis systemd[1]: Started PowerDNS Recursor.
jan 22 11:50:03 mach6.hviaene.thuis pdns_recursor[18702]: Set effective user id to 969
jan 22 11:50:03 mach6.hviaene.thuis pdns_recursor[18702]: Launching 3 threads
jan 22 11:50:03 mach6.hviaene.thuis pdns_recursor[18702]: Done priming cache with root hints
jan 22 11:50:03 mach6.hviaene.thuis pdns_recursor[18702]: Done priming cache with root hints
jan 22 11:50:03 mach6.hviaene.thuis pdns_recursor[18702]: Enabled 'epoll' multiplexer
jan 22 11:50:03 mach6.hviaene.thuis pdns_recursor[18702]: Done priming cache with root hints
jan 22 11:50:03 mach6.hviaene.thuis pdns_recursor[18702]: Done priming cache with root hints

# netstat -pantu | grep pdns
tcp        0      0 127.0.0.1:5300          0.0.0.0:*               LISTEN      18702/pdns_recursor
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      18637/pdns_server
tcp6       0      0 :::53                   :::*                    LISTEN      18637/pdns_server
udp        0      0 0.0.0.0:53              0.0.0.0:*                           18637/pdns_server
udp        0      0 127.0.0.1:5300          0.0.0.0:*                           18702/pdns_recursor
udp6       0      0 :::53                   :::*                                18637/pdns_server

then as normal user check dns resolution
$ dig mageia.org @127.0.0.1 -p 53

; <<>> DiG 9.10.8-P1 <<>> mageia.org @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4625
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;mageia.org.                    IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: di jan 22 11:51:19 CET 2019
;; MSG SIZE  rcvd: 39

$ dig mageia.org @127.0.0.1 -p 5300

; <<>> DiG 9.10.8-P1 <<>> mageia.org @127.0.0.1 -p 5300
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29453
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org.                    IN      A

;; ANSWER SECTION:
mageia.org.             1800    IN      A       163.172.148.228

;; Query time: 167 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1)
;; WHEN: di jan 22 11:52:27 CET 2019
;; MSG SIZE  rcvd: 55

Looks OK

then stop pdns and pdns-recursor
# systemctl stop pdns-recursor
# systemctl stop pdns

and check again
$ nslookup mageia.org
Server:         192.168.2.1
Address:        192.168.2.1#53

Non-authoritative answer:
Name:   mageia.org
Address: 163.172.148.228

All looks OK.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
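The QA run above reads the header flags off dig's output by eye; the same flags can be read directly from the wire. This is an added example, not code from the bug report or from PowerDNS: it parses a constructed DNS response (built to match the dig answer above, without the OPT record) and isolates the answer-section records of a response whose AA flag is clear, which is the case CVE-2019-3807 concerns and which a validating resolver must still put through DNSSEC validation.

```python
import socket
import struct

def read_name(msg, off):
    """Read a (possibly compressed) domain name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)

def parse_response(msg):
    """Return (header flags, answer-section records) of a DNS response message."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    hdr = {"id": ident, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
           "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
           "ad": bool(flags & 0x0020), "rcode": flags & 0xF}
    off = 12
    for _ in range(qd):  # skip the question section (QNAME, QTYPE, QCLASS)
        _qname, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:  # A record: render the IPv4 address
            rdata = socket.inet_ntoa(rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return hdr, answers

def unvalidated_answer_records(msg):
    """Answer records of a response with AA clear: still need DNSSEC validation."""
    hdr, answers = parse_response(msg)
    return [] if hdr["aa"] else answers

# Constructed sample, not a captured packet: QR, RD, RA set, AA clear, one answer
# record "mageia.org. 1800 IN A 163.172.148.228", no OPT record.
SAMPLE = (struct.pack("!6H", 29453, 0x8180, 1, 1, 0, 0) + b"\x06mageia\x03org\x00"
          + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 1800, 4)
          + socket.inet_aton("163.172.148.228"))
```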
Thank you Herman. Validating, advisory from comment 0.
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0051.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED