Upstream has issued an advisory today (October 13):
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html

The issue is fixed upstream in 4.1.18 and 4.3.5:
https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.18
https://doc.powerdns.com/recursor/changelog/4.3.html#change-4.3.5

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Hi, thanks for reporting this bug. Assigned to all package maintainers as there is no registered one. Cc'ed recent committers. (Please set the status to 'assigned' if you are working on it.)
CC: (none) => geiger.david68210
Assignee: bugsquad => pkg-bugs
Keywords: (none) => Triaged
Suggested advisory:
========================

The updated package fixes a security vulnerability:

An issue has been found in PowerDNS Recursor before 4.1.18, 4.2.x before 4.2.5, and 4.3.x before 4.3.5. A remote attacker can cause the cached records for a given name to be updated to the Bogus DNSSEC validation state, instead of their actual DNSSEC Secure state, via a DNS ANY query. This results in a denial of service for installations that always validate (dnssec=validate), and for clients requesting validation when on-demand validation is enabled (dnssec=process). (CVE-2020-25829)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25829
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html
https://doc.powerdns.com/recursor/changelog/4.1.html#change-4.1.18
========================

Updated package in core/updates_testing:
========================
pdns-recursor-4.1.18-1.mga7

from SRPM:
pdns-recursor-4.1.18-1.mga7.src.rpm
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
CVE: (none) => CVE-2020-25829
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Source RPM: pdns-recursor-4.3.2-1.mga8.src.rpm => pdns-recursor-4.1.17-1.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
Keywords: Triaged => (none)
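As an added example (not part of this bug report or of the PowerDNS project), the following Python check maps a pdns-recursor version string or RPM name onto the affected ranges quoted in the suggested advisory above; the version strings used are the ones that appear in this bug, and the hypothetical helper names are my own.

```python
import re

# Affected ranges as stated in the advisory for CVE-2020-25829:
# "before 4.1.18", "4.2.x before 4.2.5", "4.3.x before 4.3.5".
# Map each listed branch to the first fixed release on that branch.
FIXED_IN = {
    (4, 1): (4, 1, 18),
    (4, 2): (4, 2, 5),
    (4, 3): (4, 3, 5),
}

# Accepts a bare "4.1.17" or an RPM NVR like "pdns-recursor-4.1.17-1.mga7";
# the release/dist suffix after the first '-' is ignored.
_VERSION_RE = re.compile(r"^(?:pdns-recursor-)?(\d+)\.(\d+)\.(\d+)(?:-|$)")


def parse_version(text):
    """Return (major, minor, patch) or None when the string is not recognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(text):
    """True when the version falls inside a range the advisory lists as vulnerable."""
    version = parse_version(text)
    if version is None:
        raise ValueError(f"unrecognised pdns-recursor version: {text!r}")
    branch = version[:2]
    if branch in FIXED_IN:
        return version < FIXED_IN[branch]
    # Branches below 4.1 are still "before 4.1.18"; branches above 4.3 (4.4+)
    # are not named by the advisory, so they are treated as not affected.
    return version < (4, 1, 18)


if __name__ == "__main__":
    # Constructed sample: the Mageia 7 SRPM before and after this update,
    # plus the Cauldron SRPM recorded in the bug's "Source RPM" field.
    for rpm in ("pdns-recursor-4.1.17-1.mga7",
                "pdns-recursor-4.1.18-1.mga7",
                "pdns-recursor-4.3.2-1.mga8"):
        state = "AFFECTED" if is_affected(rpm) else "fixed"
        print(f"{rpm}: {state}")
```

Run it against the output of `rpm -q pdns-recursor` to see whether a host still carries a vulnerable build.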
MGA7-64 Plasma on Lenovo B50
No installation issues.
Installing pdns in addition to follow the test procedure below. Ref bug 26887 Comment 3 for testing.

# systemctl stop dnsmasq
Failed to stop dnsmasq.service: Unit dnsmasq.service not loaded.
# systemctl start pdns
# systemctl -l status pdns
● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-10-23 11:29:31 CEST; 14s ago
     Docs: man:pdns_server(1)
           man:pdns_control(1)
           https://doc.powerdns.com
 Main PID: 11717 (pdns_server)
    Tasks: 8 (limit: 4915)
   Memory: 4.5M
   CGroup: /system.slice/pdns.service
           └─11717 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no

Oct 23 11:29:31 mach5.hviaene.thuis pdns_server[11717]: TCP server bound to 0.0.0.0:53
Oct 23 11:29:31 mach5.hviaene.thuis pdns_server[11717]: TCPv6 server bound to [::]:53
Oct 23 11:29:31 mach5.hviaene.thuis pdns_server[11717]: PowerDNS Authoritative Server 4.1.14 (C) 2001-2018 PowerDNS.COM BV
Oct 23 11:29:31 mach5.hviaene.thuis pdns_server[11717]: Using 64-bits mode. Built using gcc 8.4.0.
Oct 23 11:29:31 mach5.hviaene.thuis pdns_server[11717]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it acco>
Oct 23 11:29:31 mach5.hviaene.thuis pdns_server[11717]: Polled security status of version 4.1.14 at startup, no known issues reported: OK
Oct 23 11:29:31 mach5.hviaene.thuis pdns_server[11717]: Creating backend connection for TCP
Oct 23 11:29:31 mach5.hviaene.thuis pdns_server[11717]: About to create 3 backend threads for UDP
Oct 23 11:29:31 mach5.hviaene.thuis systemd[1]: Started PowerDNS Authoritative Server.
Oct 23 11:29:31 mach5.hviaene.thuis pdns_server[11717]: Done launching threads, ready to distribute questions

# systemctl start pdns-recursor
# systemctl -l status pdns-recursor
● pdns-recursor.service - PowerDNS Recursor
   Loaded: loaded (/usr/lib/systemd/system/pdns-recursor.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-10-23 11:30:12 CEST; 14s ago
     Docs: man:pdns_recursor(1)
           man:rec_control(1)
           https://doc.powerdns.com
 Main PID: 14454 (pdns_recursor)
    Tasks: 5 (limit: 4915)
   Memory: 4.4M
   CGroup: /system.slice/pdns-recursor.service
           └─14454 /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no

Oct 23 11:30:12 mach5.hviaene.thuis pdns_recursor[14454]: Listening for UDP queries on 127.0.0.1:5300
Oct 23 11:30:12 mach5.hviaene.thuis pdns_recursor[14454]: Enabled TCP data-ready filter for (slight) DoS protection
Oct 23 11:30:12 mach5.hviaene.thuis pdns_recursor[14454]: Listening for TCP queries on 127.0.0.1:5300
Oct 23 11:30:12 mach5.hviaene.thuis pdns_recursor[14454]: Set effective group id to 967
Oct 23 11:30:12 mach5.hviaene.thuis pdns_recursor[14454]: Set effective user id to 975
Oct 23 11:30:12 mach5.hviaene.thuis pdns_recursor[14454]: Launching 3 threads
Oct 23 11:30:12 mach5.hviaene.thuis pdns_recursor[14454]: Done priming cache with root hints
Oct 23 11:30:12 mach5.hviaene.thuis pdns_recursor[14454]: Enabled 'epoll' multiplexer
Oct 23 11:30:12 mach5.hviaene.thuis pdns_recursor[14454]: Done priming cache with root hints
Oct 23 11:30:12 mach5.hviaene.thuis systemd[1]: Started PowerDNS Recursor.

# netstat -pantu | grep pdns
tcp        0      0 127.0.0.1:5300          0.0.0.0:*               LISTEN      14454/pdns_recursor
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      11717/pdns_server
tcp6       0      0 :::53                   :::*                    LISTEN      11717/pdns_server
udp        0      0 127.0.0.1:5300          0.0.0.0:*                           14454/pdns_recursor
udp        0      0 0.0.0.0:53              0.0.0.0:*                           11717/pdns_server
udp6       0      0 :::53                   :::*                                11717/pdns_server

# dig mageia.org @127.0.0.1 -p 53

; <<>> DiG 9.11.6Mageia-1.1.mga7 <<>> mageia.org @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 48929
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;mageia.org.                    IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Oct 23 11:31:22 CEST 2020
;; MSG SIZE  rcvd: 39

# systemctl stop pdns-recursor
# systemctl stop pdns
# nslookup mageia.org
Server:         212.71.0.33
Address:        212.71.0.33#53

Non-authoritative answer:
Name:   mageia.org
Address: 163.172.148.228
Name:   mageia.org
Address: 2001:bc8:628:1f00::1

All looks OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Advisory pushed to SVN.
Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0393.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED