Upstream has issued an advisory today (September 22):
The issue is fixed upstream in 4.1.14 and 4.3.1:
Updates checked into SVN (build system is currently broken).
Mageia 7 is also affected.
Hi, thanks reporting this,
Assigning to registered maintainers.
Updated pdns packages fix security vulnerability:
An issue has been found in PowerDNS Authoritative Server before 4.3.1 where an
authorized user with the ability to insert crafted records into a zone might be
able to leak the content of uninitialized memory. Such a user could be a
customer inserting data via a control panel, or somebody with access to the
REST API. Crafted records cannot be inserted via AXFR (CVE-2020-17482).
The pdns package has been updated to versoin 4.1.14, fixing this issue and
several other bugs. See the upstream changelog for details.
Updated packages in core/updates_testing:
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 254531 for tests
After editing /etc/powerdns/pdns.conf
# systemctl start pdns
# systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
Loaded: loaded (/usr/lib/systemd/system/pdns.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2020-09-24 15:04:14 CEST; 26s ago
Main PID: 1103 (pdns_server)
Tasks: 8 (limit: 4915)
└─1103 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
Sep 24 15:04:12 mach5.hviaene.thuis pdns_server: UDP server bound to 0.0.0.0:53
Sep 24 15:04:12 mach5.hviaene.thuis pdns_server: TCP server bound to 0.0.0.0:53
Sep 24 15:04:12 mach5.hviaene.thuis pdns_server: PowerDNS Authoritative Server 4.1.14 (C) 2001-2018 PowerDNS.COM BV
Sep 24 15:04:12 mach5.hviaene.thuis pdns_server: Using 64-bits mode. Built using gcc 8.4.0.
Sep 24 15:04:12 mach5.hviaene.thuis pdns_server: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it accor>
Sep 24 15:04:14 mach5.hviaene.thuis pdns_server: Polled security status of version 4.1.14 at startup, no known issues reported: OK
Sep 24 15:04:14 mach5.hviaene.thuis pdns_server: Creating backend connection for TCP
Sep 24 15:04:14 mach5.hviaene.thuis pdns_server: About to create 3 backend threads for UDP
Sep 24 15:04:14 mach5.hviaene.thuis systemd: Started PowerDNS Authoritative Server.
Sep 24 15:04:14 mach5.hviaene.thuis pdns_server: Done launching threads, ready to distribute questions
# netstat -pantu | grep pdns
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 1103/pdns_server
udp 0 0 0.0.0.0:53 0.0.0.0:* 1103/pdns_server
$ dig mageia.org @127.0.0.1
; <<>> DiG 9.11.6Mageia-1.1.mga7 <<>> mageia.org @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20642
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;mageia.org. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 24 15:11:51 CEST 2020
;; MSG SIZE rcvd: 39
Same as earlier, so OK for me.
Validating. Advisory in Comment 2.
An update for this issue has been pushed to the Mageia Updates repository.
I updated the SVN advisory for this bug to include the info from Bug 24994, so the wiki advisory should get updated the next time the script is run.
However, there is some manual intervention required by sysadmins due to one of the CVEs in Bug 24994 (but only when pdns is used with postgresql, so it doesn't affect *everyone*) that should have been included in the advisory. It's there now, but for those only reading the updates-announce list, they won't see that. Is there a way the e-mail for this advisory could be re-generated with the updated advisory and re-sent to the updates-announce list?
Email advisory has been resent and received via updates-announce.