Security issues fixed upstream in pdns-recursor have been announced today (May 19):
https://www.openwall.com/lists/oss-security/2020/05/19/3
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html

The issues are fixed upstream in 4.1.16 and 4.2.2:
https://doc.powerdns.com/recursor/changelog/4.2.html#change-4.2.2
https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.16

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 4.1.16 and 4.2.2
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)
Pushed in updates testing.

Advisory:
========================

Updated pdns-recursor packages fix security vulnerability:

Backport of security fixes for CVE-2020-10995, CVE-2020-12244 and CVE-2020-10030, plus avoid a crash when loading an invalid RPZ.

References:
https://www.openwall.com/lists/oss-security/2020/05/19/3
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-03.html
https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.16

Updated packages in core/updates_testing:
========================
pdns-recursor-4.1.16-1.mga7
pdns-recursor-debugsource-4.1.16-1.mga7
pdns-recursor-debuginfo-4.1.16-1.mga7

from:
pdns-recursor-4.1.16-1.mga7
Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in 4.1.16 and 4.2.2 => (none)
CC: (none) => qa-bugs
Version: 7 => Cauldron
QA Contact: (none) => security
Assignee: qa-bugs => mageia
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Build failed in Cauldron
Build failure log: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20200519203509.neoclust.duvel.21473/log/pdns-recursor-4.2.2-1.mga8/build.0.20200519203609.log
Component: RPM Packages => Security
fixed by david :-)
Assignee: mageia => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues.
Installing pdns in addition to follow test procedure below. Ref bug 24218 for testing.

# systemctl stop dnsmasq
Failed to stop dnsmasq.service: Unit dnsmasq.service not loaded.
# systemctl start pdns
# systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-05-20 13:25:26 CEST; 16s ago
     Docs: man:pdns_server(1)
           man:pdns_control(1)
           https://doc.powerdns.com
 Main PID: 19933 (pdns_server)
    Tasks: 8 (limit: 4915)
   Memory: 4.1M
   CGroup: /system.slice/pdns.service
           └─19933 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no

May 20 13:25:26 mach5.hviaene.thuis pdns_server[19933]: TCP server bound to 0.0.0.0:53
May 20 13:25:26 mach5.hviaene.thuis pdns_server[19933]: TCPv6 server bound to [::]:53
May 20 13:25:26 mach5.hviaene.thuis pdns_server[19933]: PowerDNS Authoritative Server 4.1.8 (C) 2001-2018 PowerDNS.COM BV
May 20 13:25:26 mach5.hviaene.thuis pdns_server[19933]: Using 64-bits mode. Built using gcc 8.3.1 20190510.
May 20 13:25:26 mach5.hviaene.thuis pdns_server[19933]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software,>
May 20 13:25:26 mach5.hviaene.thuis pdns_server[19933]: PowerDNS Security Update Mandatory: Upgrade now, see https://doc.p>
May 20 13:25:26 mach5.hviaene.thuis pdns_server[19933]: Creating backend connection for TCP
May 20 13:25:26 mach5.hviaene.thuis systemd[1]: Started PowerDNS Authoritative Server.
May 20 13:25:26 mach5.hviaene.thuis pdns_server[19933]: About to create 3 backend threads for UDP
May 20 13:25:26 mach5.hviaene.thuis pdns_server[19933]: Done launching threads, ready to distribute questions

# systemctl start pdns-recursor
# systemctl -l status pdns-recursor
● pdns-recursor.service - PowerDNS Recursor
   Loaded: loaded (/usr/lib/systemd/system/pdns-recursor.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-05-20 13:26:13 CEST; 16s ago
     Docs: man:pdns_recursor(1)
           man:rec_control(1)
           https://doc.powerdns.com
 Main PID: 22509 (pdns_recursor)
    Tasks: 5 (limit: 4915)
   Memory: 4.3M
   CGroup: /system.slice/pdns-recursor.service
           └─22509 /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no

May 20 13:26:13 mach5.hviaene.thuis pdns_recursor[22509]: Listening for UDP queries on 127.0.0.1:5300
May 20 13:26:13 mach5.hviaene.thuis pdns_recursor[22509]: Enabled TCP data-ready filter for (slight) DoS protection
May 20 13:26:13 mach5.hviaene.thuis pdns_recursor[22509]: Listening for TCP queries on 127.0.0.1:5300
May 20 13:26:13 mach5.hviaene.thuis pdns_recursor[22509]: Set effective group id to 950
May 20 13:26:13 mach5.hviaene.thuis pdns_recursor[22509]: Set effective user id to 951
May 20 13:26:13 mach5.hviaene.thuis pdns_recursor[22509]: Launching 3 threads
May 20 13:26:13 mach5.hviaene.thuis pdns_recursor[22509]: Done priming cache with root hints
May 20 13:26:13 mach5.hviaene.thuis pdns_recursor[22509]: Enabled 'epoll' multiplexer
May 20 13:26:13 mach5.hviaene.thuis pdns_recursor[22509]: Done priming cache with root hints
May 20 13:26:13 mach5.hviaene.thuis systemd[1]: Started PowerDNS Recursor.

# netstat -pantu | grep pdns
tcp 0 0 127.0.0.1:5300 0.0.0.0:* LISTEN 22509/pdns_recursor
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 19933/pdns_server
tcp6 0 0 :::53 :::* LISTEN 19933/pdns_server
udp 0 0 127.0.0.1:5300 0.0.0.0:* 22509/pdns_recursor
udp 0 0 0.0.0.0:53 0.0.0.0:* 19933/pdns_server
udp6 0 0 :::53 :::* 19933/pdns_server

# dig mageia.org @127.0.0.1 -p 53

; <<>> DiG 9.11.6Mageia-1.1.mga7 <<>> mageia.org @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 15989
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;mageia.org. IN A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 20 13:27:23 CEST 2020
;; MSG SIZE rcvd: 39

# systemctl stop pdns-recursor
# systemctl stop pdns
# nslookup mageia.org
Server: 192.168.2.1
Address: 192.168.2.1#53

Non-authoritative answer:
Name: mageia.org
Address: 163.172.148.228
Name: mageia.org
Address: 2001:bc8:4400:2800::4115

All looks OK.
CC: (none) => herman.viaene
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
Whiteboard: MGA7TOO MGA7-64-OK => MGA7-64-OK
CC: qa-bugs => (none)
Status comment: Build failed in Cauldron => (none)
Version: Cauldron => 7
Validating. Advisory in Comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Debian has issued an advisory for this on May 21: https://www.debian.org/security/2020/dsa-4691
Dropped references to CVE-2020-10030, as upstream states: "Linux systems are not affected"
CC: (none) => tmb
Keywords: (none) => advisory
Summary: pdns-recursor new security issues CVE-2020-10030, CVE-2020-10995, CVE-2020-12244 => pdns-recursor new security issues CVE-2020-10995, CVE-2020-12244
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0223.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED