PowerDNS has issued an advisory today (July 1):
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html

The issue is fixed upstream in 4.1.17 and 4.3.2:
https://doc.powerdns.com/recursor/changelog/4.3.html#change-4.3.2
https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.17

Mageia 7 is also affected.

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 4.1.17 and 4.3.2
Done for both Cauldron and mga7!
CC: (none) => geiger.david68210
Advisory:
========================

Updated pdns-recursor package fixes security vulnerability:

An issue has been found in PowerDNS Recursor where the ACL applied to the internal web server via webserver-allow-from is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction (CVE-2020-14196).

In the default configuration the API webserver is not enabled. Only installations using a non-default value for webserver and webserver-address are affected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14196
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-04.html
https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.17
========================

Updated packages in core/updates_testing:
========================
pdns-recursor-4.1.17-1.mga7

from pdns-recursor-4.1.17-1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in 4.1.17 and 4.3.2 => (none)
Version: Cauldron => 7
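The advisory above ties impact to two settings plus the package version, so a host can be triaged from its recursor.conf. The following is an added example, not part of the bug report or of PowerDNS: the function names and the sample configuration are constructed, the defaults (webserver=no, webserver-address=127.0.0.1) are the upstream ones, and only the two fixed releases named in this report are encoded.

```shell
#!/usr/bin/env bash
# Added example: flag the CVE-2020-14196 exposure condition in a recursor.conf.

# conf_get FILE KEY DEFAULT -> value of the last uncommented "KEY=value" line.
conf_get() {
  awk -v k="$2" -v d="$3" '
    { sub(/#.*/, ""); key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key) }
    key == k && index($0, "=") {
      val = $0; sub(/^[^=]*=/, "", val)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", val); seen = 1
    }
    END { print (seen ? val : d) }' "$1"
}

# version_lt A B -> true when A sorts strictly before B (needs sort -V).
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit_recursor CONF VERSION -> not-exposed | vulnerable | patched | check-upstream
audit_recursor() {
  local web addr fixed
  web=$(conf_get "$1" webserver no)
  addr=$(conf_get "$1" webserver-address 127.0.0.1)
  # Advisory: only a non-default webserver AND webserver-address is affected.
  case "$web" in no|off) echo not-exposed; return 0 ;; esac
  if [ "$addr" = 127.0.0.1 ]; then echo not-exposed; return 0; fi
  case "$2" in                      # fixed releases named in this report only
    4.1.*) fixed=4.1.17 ;;
    4.3.*) fixed=4.3.2 ;;
    *) echo check-upstream; return 0 ;;
  esac
  if version_lt "$2" "$fixed"; then echo vulnerable; else echo patched; fi
}

# Constructed sample configuration (not taken from the bug report).
sample=$(mktemp)
cat > "$sample" <<'EOF'
local-address=127.0.0.1
local-port=5300
webserver=yes
webserver-address=0.0.0.0   # web server reachable on every interface
webserver-allow-from=192.0.2.0/24
EOF
for v in 4.1.16 4.1.17; do
  printf '%s: %s\n' "$v" "$(audit_recursor "$sample" "$v")"
done
```

On an installed system the version argument can be taken from `rpm -q --qf '%{VERSION}' pdns-recursor`.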
MGA7-64 Plasma on Lenovo B50
No installation issues.
Installing pdns in addition to follow test procedure below.
Ref bug 24218 for testing.

# systemctl stop dnsmasq
Failed to stop dnsmasq.service: Unit dnsmasq.service not loaded.
# systemctl start pdns
# systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-07-06 14:44:04 CEST; 12s ago
     Docs: man:pdns_server(1)
           man:pdns_control(1)
           https://doc.powerdns.com
 Main PID: 23233 (pdns_server)
    Tasks: 8 (limit: 4915)
   Memory: 4.1M
   CGroup: /system.slice/pdns.service
           └─23233 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no

Jul 06 14:44:02 mach5.hviaene.thuis pdns_server[23233]: TCP server bound to 0.0.0.0:53
Jul 06 14:44:02 mach5.hviaene.thuis pdns_server[23233]: TCPv6 server bound to [::]:53
Jul 06 14:44:02 mach5.hviaene.thuis pdns_server[23233]: PowerDNS Authoritative Server 4.1.8 (C) 2001-2018 PowerDNS.COM BV
Jul 06 14:44:02 mach5.hviaene.thuis pdns_server[23233]: Using 64-bits mode. Built using gcc 8.3.1 20190510.
Jul 06 14:44:02 mach5.hviaene.thuis pdns_server[23233]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, an>
Jul 06 14:44:04 mach5.hviaene.thuis pdns_server[23233]: PowerDNS Security Update Mandatory: Upgrade now, see https://doc.powe>
Jul 06 14:44:04 mach5.hviaene.thuis pdns_server[23233]: Creating backend connection for TCP
Jul 06 14:44:04 mach5.hviaene.thuis pdns_server[23233]: About to create 3 backend threads for UDP
Jul 06 14:44:04 mach5.hviaene.thuis systemd[1]: Started PowerDNS Authoritative Server.
Jul 06 14:44:04 mach5.hviaene.thuis pdns_server[23233]: Done launching threads, ready to distribute questions

# systemctl start pdns-recursor
# systemctl -l status pdns-recursor
● pdns-recursor.service - PowerDNS Recursor
   Loaded: loaded (/usr/lib/systemd/system/pdns-recursor.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-07-06 14:44:37 CEST; 12s ago
     Docs: man:pdns_recursor(1)
           man:rec_control(1)
           https://doc.powerdns.com
 Main PID: 25011 (pdns_recursor)
    Tasks: 5 (limit: 4915)
   Memory: 6.7M
   CGroup: /system.slice/pdns-recursor.service
           └─25011 /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no

Jul 06 14:44:37 mach5.hviaene.thuis pdns_recursor[25011]: Enabled TCP data-ready filter for (slight) DoS protection
Jul 06 14:44:37 mach5.hviaene.thuis pdns_recursor[25011]: Listening for TCP queries on 127.0.0.1:5300
Jul 06 14:44:37 mach5.hviaene.thuis pdns_recursor[25011]: Set effective group id to 967
Jul 06 14:44:37 mach5.hviaene.thuis pdns_recursor[25011]: Set effective user id to 975
Jul 06 14:44:37 mach5.hviaene.thuis pdns_recursor[25011]: Launching 3 threads
Jul 06 14:44:37 mach5.hviaene.thuis pdns_recursor[25011]: Done priming cache with root hints
Jul 06 14:44:37 mach5.hviaene.thuis pdns_recursor[25011]: Enabled 'epoll' multiplexer
Jul 06 14:44:37 mach5.hviaene.thuis pdns_recursor[25011]: Done priming cache with root hints
Jul 06 14:44:37 mach5.hviaene.thuis systemd[1]: Started PowerDNS Recursor.
Jul 06 14:44:37 mach5.hviaene.thuis pdns_recursor[25011]: Done priming cache with root hints

# netstat -pantu | grep pdns
tcp 0 0 127.0.0.1:5300 0.0.0.0:* LISTEN 25011/pdns_recursor
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 23233/pdns_server
tcp6 0 0 :::53 :::* LISTEN 23233/pdns_server
udp 0 0 127.0.0.1:5300 0.0.0.0:* 25011/pdns_recursor
udp 0 0 0.0.0.0:53 0.0.0.0:* 23233/pdns_server
udp6 0 0 :::53 :::* 23233/pdns_server

# dig mageia.org @127.0.0.1 -p 53

; <<>> DiG 9.11.6Mageia-1.1.mga7 <<>> mageia.org @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 43390
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;mageia.org. IN A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jul 06 14:45:36 CEST 2020
;; MSG SIZE rcvd: 39

# systemctl stop pdns-recursor
# systemctl stop pdns
# nslookup mageia.org
Server: 212.71.0.33
Address: 212.71.0.33#53

Non-authoritative answer:
Name: mageia.org
Address: 163.172.148.228
Name: mageia.org
Address: 2001:bc8:4400:2800::4115

All looks OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

CC: (none) => mageia
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0286.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED