Upstream has issued an advisory on March 18: https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html The issue is fixed upstream in 4.1.7. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 4.1.7
Assigning to the registered maintainer, but CC'ing all packagers collectively, in case the maintainer is unavailable. (He may not have pushed anything in the last 10 months.)
Assignee: bugsquad => mitya
CC: (none) => marja11, pkg-bugs
Advisory:
========================

Updated pdns packages fix security vulnerability:

An issue has been found in PowerDNS Authoritative Server when the HTTP remote backend is used in RESTful mode (without post=1 set), allowing a remote user to cause the HTTP backend to connect to an attacker-specified host instead of the configured one, via a crafted DNS query. This can be used to cause a denial of service by preventing the remote backend from getting a response, content spoofing if the attacker can time its own query so that subsequent queries will use an attacker-controlled HTTP server instead of the configured one, and possibly information disclosure if the Authoritative Server has access to internal servers (CVE-2019-3871).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3871
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html
========================

Updated packages in core/updates_testing:
========================

pdns-4.1.7-1.mga6
pdns-backend-pipe-4.1.7-1.mga6
pdns-backend-mysql-4.1.7-1.mga6
pdns-backend-pgsql-4.1.7-1.mga6
pdns-backend-ldap-4.1.7-1.mga6
pdns-backend-sqlite-4.1.7-1.mga6
pdns-backend-geoip-4.1.7-1.mga6

from pdns-4.1.7-1.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
CC: (none) => mitya
Assignee: mitya => qa-bugs
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bug 23814 Comments 4, 5 and 6
Made change to /etc/powerdns/pdns.conf and then at CLI:
# systemctl start pdns
Job for pdns.service failed because the control process exited with error code.
See "systemctl status pdns.service" and "journalctl -xe" for details.
# systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since do 2019-03-21 10:37:30 CET; 891ms ago
     Docs: man:pdns_server(1)
           man:pdns_control(1)
           https://doc.powerdns.com
  Process: 6803 ExecStart=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --writ
 Main PID: 6803 (code=exited, status=1/FAILURE)

mrt 21 10:37:32 mach6.hviaene.thuis systemd[1]: Starting PowerDNS Authoritative Server...
mrt 21 10:37:32 mach6.hviaene.thuis pdns_server[6812]: Reading random entropy from '/dev/urandom'
mrt 21 10:37:32 mach6.hviaene.thuis pdns_server[6812]: This is a standalone pdns
mrt 21 10:37:32 mach6.hviaene.thuis pdns_server[6812]: Listening on controlsocket in '/run/powerdns/pdns.controlsock
mrt 21 10:37:32 mach6.hviaene.thuis pdns_server[6812]: Unable to bind UDP socket to '0.0.0.0:53': Address already in use
mrt 21 10:37:32 mach6.hviaene.thuis pdns_server[6812]: Fatal error: Unable to bind to UDP socket
mrt 21 10:37:32 mach6.hviaene.thuis systemd[1]: pdns.service: Main process exited, code=exited, status=1/FAILURE
mrt 21 10:37:32 mach6.hviaene.thuis systemd[1]: Failed to start PowerDNS Authoritative Server.
mrt 21 10:37:32 mach6.hviaene.thuis systemd[1]: pdns.service: Unit entered failed state.
mrt 21 10:37:32 mach6.hviaene.thuis systemd[1]: pdns.service: Failed with result 'exit-code'.

Googled a bit and found pointers to dnsmasq
# netstat -apn|grep 53
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      1748/systemd-resolv
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1753/dnsmasq
tcp6       0      0 :::5355                 :::*                    LISTEN      1748/systemd-resolv
tcp6       0      0 :::53                   :::*                    LISTEN      1753/dnsmasq
udp        0      0 192.168.122.1:53        0.0.0.0:*                           2640/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1753/dnsmasq
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           1748/systemd-resolv
udp6       0      0 :::53                   :::*                                1753/dnsmasq
udp6       0      0 :::5355                 :::*                                1748/systemd-resolv
and some more......
# systemctl stop dnsmasq
# systemctl -l status dnsmasq
● dnsmasq.service - DNS caching server.
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since do 2019-03-21 10:42:36 CET;
# systemctl start pdns
Job for pdns.service failed because the control process exited with error code.
See "systemctl status pdns.service" and "journalctl -xe" for details.
# systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since do 2019-03-21 10:54:45 CET; 120ms ago
     Docs: man:pdns_server(1)
           man:pdns_control(1)
           https://doc.powerdns.com
  Process: 12346 ExecStart=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --wri
 Main PID: 12346 (code=exited, status=1/FAILURE)

mrt 21 10:54:45 mach6.hviaene.thuis systemd[1]: pdns.service: Unit entered failed state.
mrt 21 10:54:45 mach6.hviaene.thuis systemd[1]: pdns.service: Failed with result 'exit-code'.
check on dnsmasq again
# netstat -apn|grep 53
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      12074/systemd-resol
tcp6       0      0 :::5355                 :::*                    LISTEN      12074/systemd-resol
udp        0      0 192.168.122.1:53        0.0.0.0:*                           2640/dnsmasq
Beats me....
CC: (none) => herman.viaene
You need to stop systemd-resolved. You can only run one DNS server at a time.
# systemctl stop dnsmasq
# systemctl stop systemd-resolved
# systemctl start pdns
Job for pdns.service failed because the control process exited with error code.
See "systemctl status pdns.service" and "journalctl -xe" for details.
# systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since do 2019-03-21 20:21:42 CET; 934ms a
     Docs: man:pdns_server(1)
           man:pdns_control(1)
           https://doc.powerdns.com
  Process: 5877 ExecStart=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-t
 Main PID: 5877 (code=exited, status=1/FAILURE)

mrt 21 20:21:43 mach6.hviaene.thuis systemd[1]: Starting PowerDNS Authoritative Server...
mrt 21 20:21:44 mach6.hviaene.thuis pdns_server[5883]: Reading random entropy from '/dev/urandom'
mrt 21 20:21:44 mach6.hviaene.thuis pdns_server[5883]: This is a standalone pdns
mrt 21 20:21:44 mach6.hviaene.thuis pdns_server[5883]: Listening on controlsocket in '/run/powerdn
mrt 21 20:21:44 mach6.hviaene.thuis pdns_server[5883]: Unable to bind UDP socket to '0.0.0.0:53':
mrt 21 20:21:44 mach6.hviaene.thuis pdns_server[5883]: Fatal error: Unable to bind to UDP socket
mrt 21 20:21:44 mach6.hviaene.thuis systemd[1]: pdns.service: Main process exited, code=exited, st
mrt 21 20:21:44 mach6.hviaene.thuis systemd[1]: Failed to start PowerDNS Authoritative Server.
mrt 21 20:21:44 mach6.hviaene.thuis systemd[1]: pdns.service: Unit entered failed state.
mrt 21 20:21:44 mach6.hviaene.thuis systemd[1]: pdns.service: Failed with result 'exit-code'.
# netstat -apn|grep 53
tcp6       0      0 :::80                   :::*                    LISTEN      2053/httpd
udp        0      0 192.168.122.1:53        0.0.0.0:*                           2606/dnsmasq
Why is that dnsmasq still there??????

Took risk
# kill 2606
# systemctl start pdns
# systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled; vendor preset: enabled)
   Active: active (running) since do 2019-03-21 20:26:43 CET; 1min 21s ago
     Docs: man:pdns_server(1)
           man:pdns_control(1)
           https://doc.powerdns.com
 Main PID: 7618 (pdns_server)
   CGroup: /system.slice/pdns.service
           └─7618 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp
Proceeding as per bug 23814
# netstat -pantu | grep pdns
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      7618/pdns_server
udp        0      0 0.0.0.0:53              0.0.0.0:*                           7618/pdns_server
$ dig mageia.org @127.0.0.1

; <<>> DiG 9.10.8-P1 <<>> mageia.org @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 44243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;mageia.org.                    IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: do mrt 21 20:30:22 CET 2019
;; MSG SIZE  rcvd: 39

Looks fine to me.
Whiteboard: (none) => MGA6-32-OK
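The port 53 hunt in the two comments above is worth doing precisely rather than with `netstat -apn | grep 53`: that grep also matches port 5355 (LLMNR) and any PID containing "53", which is why an httpd listener on :::80 with PID 2053 showed up in the output. The added example below is not from the bug thread, from Mageia QA or from the pdns package; it parses netstat-style output (two constructed samples modelled on what was posted) and lists exactly the sockets that would make pdns_server's bind(0.0.0.0:53) fail with "Address already in use". On Linux a wildcard bind is refused while any socket of the same transport already holds that port on any single IPv4 address, so the dnsmasq left on 192.168.122.1:53 after dnsmasq.service was stopped was enough on its own. The thread does not say which service started that instance; 192.168.122.0/24 is the address range libvirt's default NAT network uses, so it was most likely started by libvirtd rather than dnsmasq.service (an inference, not something the thread states).

```python
"""List the sockets that stop pdns_server binding 0.0.0.0:53.

Added example, not from the bug thread or the pdns package. Both samples are
constructed, modelled on the netstat -apn output posted in the thread.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the first netstat in the thread, with the header line
# and a unix socket line that real `netstat -apn` output also contains.
BEFORE_STOP = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      1748/systemd-resolv
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1753/dnsmasq
tcp6       0      0 :::53                   :::*                    LISTEN      1753/dnsmasq
tcp6       0      0 :::80                   :::*                    LISTEN      2053/httpd
udp        0      0 192.168.122.1:53        0.0.0.0:*                           2640/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1753/dnsmasq
udp6       0      0 :::53                   :::*                                1753/dnsmasq
unix  2      [ ACC ]     STREAM     LISTENING     12345    1/systemd            /run/systemd/private
"""

# Constructed sample: after stopping dnsmasq.service and systemd-resolved, only
# the dnsmasq bound to the single address 192.168.122.1 is left.
AFTER_STOP = """\
tcp6       0      0 :::80                   :::*                    LISTEN      2053/httpd
udp        0      0 192.168.122.1:53        0.0.0.0:*                           2606/dnsmasq
"""

TRANSPORTS = {"tcp", "tcp6", "udp", "udp6"}


@dataclass(frozen=True)
class Socket:
    proto: str
    addr: str
    port: int
    pid: Optional[int]   # None when netstat prints "-" (not root, or kernel-owned)
    program: str


def parse_netstat(text: str) -> list[Socket]:
    """Parse `netstat -apn` lines: TCP sockets in LISTEN state plus every UDP
    socket (UDP lines have no State column, so they are one field shorter)."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in TRANSPORTS:
            continue                          # header, unix sockets, blank lines
        proto, local, owner = f[0], f[3], f[-1]
        if proto.startswith("tcp") and (len(f) < 7 or f[5] != "LISTEN"):
            continue                          # established/time-wait TCP is not a listener
        addr, port = local.rsplit(":", 1)     # rsplit so ":::53" -> ("::", "53")
        pid_s, _, program = owner.partition("/")
        pid = int(pid_s) if pid_s.isdigit() else None
        out.append(Socket(proto, addr, int(port), pid, program or owner))
    return out


def holders(text: str, port: int = 53) -> list[Socket]:
    """Sockets bound to exactly `port`; unlike `grep 53` this ignores port 5355
    and PIDs that merely contain the digits (the 2053/httpd line)."""
    return [s for s in parse_netstat(text) if s.port == port]


def blocks_ipv4_wildcard(socks: list[Socket], transport: str) -> list[Socket]:
    """Sockets that make bind(0.0.0.0:port) fail with EADDRINUSE for
    `transport` ('tcp' or 'udp'), the error pdns_server logged in the thread.

    Without SO_REUSEADDR on both sides Linux refuses the wildcard bind while
    any socket of that transport holds the port on any IPv4 address, so a
    dnsmasq on 192.168.122.1:53 alone is enough. An IPv6 wildcard socket also
    claims the IPv4 port unless it was opened with IPV6_V6ONLY; netstat cannot
    show that flag, so such sockets are reported as blocking (assumption)."""
    return [s for s in socks
            if s.proto == transport or (s.proto == transport + "6" and s.addr == "::")]


def explain(text: str, port: int = 53) -> list[str]:
    """One line per socket that would stop pdns binding 0.0.0.0:port on UDP."""
    return [f"{s.proto} {s.addr}:{s.port} held by pid {s.pid} ({s.program})"
            for s in blocks_ipv4_wildcard(holders(text, port), "udp")]


if __name__ == "__main__":
    for label, sample in (("before stopping dnsmasq.service", BEFORE_STOP),
                          ("after stopping dnsmasq.service", AFTER_STOP)):
        print(label + ":")
        for line in explain(sample):
            print("  " + line)
```

On a live box, feed it `netstat -apn` (or the equivalent `ss -lnup`/`ss -lntp` output after adapting the field positions) as root, since without root the PID/Program column is "-" and the owner cannot be attributed. The practical rule the thread arrived at by trial and error falls out of `blocks_ipv4_wildcard`: stopping dnsmasq.service and systemd-resolved is not enough while any other process, including a per-VM-network dnsmasq, still holds 53/udp on a single interface address.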
I don't have a clue, so checking 64-bit packages for clean install only. pdns not installed on my system, so I installed it, the backends listed, and all dependencies. All packages installed cleanly. Using the list from Comment 2 in qarepo, I updated all packages. Again, all packages installed cleanly. I'm calling this OK for 64-bit. Validating. Suggested advisory in Comment 2.
Keywords: (none) => validated_update
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Fedora has issued an advisory for this on March 27: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ROFI6OTWF4GKONNSNEDUCW6LVSSEBZNF/
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0122.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED