
List:       pdns-users
Subject:    Re: [Pdns-users] [Pdns-announce] PowerDNS Security Advisory 2015-01
From:       "Peter van Dijk" <peter.van.dijk () powerdns ! com>
Date:       2015-05-01 9:39:45
Message-ID: 3CAC50C1-98F4-461A-8AA9-BFFA65497CC3 () powerdns ! com

Hi everybody,

Last week, we released Security Advisory 2015-01 (https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/), with text suggesting that only specific platforms were seriously affected. We must now report that this was incorrect: all platforms are impacted. The advisory has been updated to that effect.

Furthermore, by popular demand, we have released Authoritative Server 3.3.2, an update to version 3.3.1 which includes DNSSEC improvements and of course a patch for the security issue. Please see http://blog.powerdns.com/2015/05/01/important-update-for-security-advisory-2015-01/ for links.


Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

On 23 Apr 2015, at 13:05, Peter van Dijk wrote:

> Hi everybody,
>
> Please be aware of PowerDNS Security Advisory 2015-01
> (http://doc.powerdns.com/md/security/powerdns-advisory-2015-01/), which you
> can also find below. The good news is that as far as we have seen, only
> specific builds for RHEL5 are affected, but just to be sure we are doing
> full releases of all recent versions of our products.
>
> Packages and distribution tar balls of Recursor 3.6.3, Recursor 3.7.2 and Auth
> 3.4.4 are available in the usual places, and release announcements will be sent
> out right after this email.
>
> If you prefer a minimal patch, please go to
> https://downloads.powerdns.com/patches/2015-01/ and see README.txt there.
>
> If you have problems upgrading, please either contact us on our mailing lists,
> or privately via powerdns.support@powerdns.com (should you wish to make use of
> our SLA-backed support program).
>
> We want to thank Aki Tuomi for finding this issue, and really digging into it.
> We also want to thank Kees Monshouwer for assisting in debugging and fixing
> the offending code. Finally we want to thank Kai Storbeck for putting an
> earlier, broken version of the patch into production and being understanding
> about the names that broke because of it.
>
>
> PowerDNS Security Advisory 2015-01: Label decompression bug can cause crashes
> on specific platforms
>
>   * CVE: CVE-2015-1868
>   * Date: 23rd of April 2015
>   * Credit: Aki Tuomi
>   * Affects: PowerDNS Recursor versions 3.5 and up; Authoritative
>     Server 3.2 and up
>   * Not affected: Recursor 3.6.3; Recursor 3.7.2; Auth 3.4.4
>   * Severity: High
>   * Impact: Degraded service
>   * Exploit: This problem can be triggered by sending queries for
>     specifically configured domains
>   * Risk of system compromise: No
>   * Solution: Upgrade to any of the non-affected versions
>   * Workaround: Run your Recursor under a supervisor. Exposure can be
>     limited by configuring the allow-from setting so only trusted
>     users can query your nameserver.
>
> A bug was discovered in our label decompression code, making it
> possible for names to refer to themselves, thus causing a loop during
> decompression. This loop is capped at a 1000 iterations by a failsafe,
> making the issue harmless on most platforms.
>
> However, on specific platforms (so far, we are only aware of this
> happening on RHEL5/CentOS5), the recursion involved in these 1000 steps
> causes memory corruption leading to a quick crash, presumably because
> the default stack is too small.
>
> We recommend that all users upgrade to a corrected version if at all
> possible. Alternatively, if you want to apply a minimal fix to your own
> tree, please find patches here: https://downloads.powerdns.com/patches/2015-01/
>
> These should be trivial to backport to older versions by hand.
>
> As for workarounds, only clients in allow-from are able to trigger the
> degraded service, so this should be limited to your userbase; further,
> we recommend running your critical services under supervision such as
> systemd, supervisord, daemontools, etc.
>
> We want to thank Aki Tuomi for noticing this in production, and then
> digging until he got to the absolute bottom of what at the time
> appeared to be a random and spurious failure.
>
> _______________________________________________
> Pdns-announce mailing list
> Pdns-announce@mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-announce


_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
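
The advisory above describes compressed names that refer to themselves and a recursive decompressor that exhausts the stack. The following is an added example, not PowerDNS code and not the 2015-01 patch: an iterative expander that rejects any compression pointer that does not land strictly before the previous starting offset. The function name expand_name, the backward-only rule, and the sample message are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample message (not captured traffic): 12-byte header, then names. */
static const uint8_t sample[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,
    7,'e','x','a','m','p','l','e',3,'c','o','m',0, /* offset 12 */
    3,'w','w','w',0xC0,12,                         /* offset 25: www + pointer to 12 */
    0xC0,31,                                       /* offset 31: pointer to itself */
    1,'a',0xC0,33                                  /* offset 33: label, pointer back to 33 */
};

/* Expand the name at msg[pos] into dotted text. Returns its length, or -1. */
int expand_name(const uint8_t *msg, size_t len, size_t pos, char *out, size_t cap)
{
    size_t limit = pos;  /* each pointer must land strictly before this offset */
    size_t n = 0;
    if (cap == 0) return -1;
    for (;;) {           /* a loop, not recursion: stack use stays constant */
        if (pos >= len) return -1;
        uint8_t b = msg[pos];
        if ((b & 0xC0) == 0xC0) {                 /* compression pointer */
            if (pos + 1 >= len) return -1;
            size_t target = ((size_t)(b & 0x3F) << 8) | msg[pos + 1];
            if (target >= limit) return -1;       /* self or forward reference */
            limit = pos = target;                 /* offsets only ever decrease */
            continue;
        }
        if (b & 0xC0) return -1;                  /* reserved label types */
        if (b == 0) break;                        /* root label ends the name */
        if (pos + 1 + b > len || n + b + 2 > cap) return -1;
        if (n) out[n++] = '.';
        memcpy(out + n, msg + pos + 1, b);
        n += b;
        pos += 1 + (size_t)b;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[256];
    size_t starts[] = {12, 25, 31, 33};
    for (size_t i = 0; i < 4; i++) {
        int r = expand_name(sample, sizeof sample, starts[i], buf, sizeof buf);
        printf("offset %zu: %s\n", starts[i], r < 0 ? "rejected" : buf);
    }
    return 0;
}
```

Because every accepted pointer lowers the limit, the number of jumps is bounded by the message length without needing an iteration cap, and no stack frame is added per jump.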

