Security update for pdns-recursor on trusty

Bug #1656931 reported by Scott Kitterman on 2017-01-16
This bug affects 1 person
Affects: pdns-recursor (Ubuntu); Importance: Undecided; Assigned to: Unassigned
Affects: Trusty; Importance: High; Assigned to: Unassigned

Bug Description

Note: We have this package running in production without any apparent issues.

  * SECURITY UPDATE:
  * References
  * CVE-2014-8601: PowerDNS Recursor before 3.6.2 does not limit delegation
    chaining, which allows remote attackers to cause a denial of service
    ("performance degradations") via a large or infinite number of referrals,
    as demonstrated by resolving domains hosted by ezdns.it.
    - Added debian/patches/CVE-2014-8601.patch
  * CVE-2015-1868: The label decompression functionality in PowerDNS Recursor
    3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authoritative (Auth)
    Server 3.2.x, 3.3.x before 3.3.2, and 3.4.x before 3.4.4 allows remote
    attackers to cause a denial of service (CPU consumption or crash) via a
    request with a name that refers to itself.
    - Added debian/patches/CVE-2015-1868.patch
  * CVE-2015-5470: The label decompression functionality in PowerDNS Recursor
    before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth) Server before
    3.3.3 and 3.4.x before 3.4.5 allows remote attackers to cause a denial of
    service (CPU consumption or crash) via a request with a long name that
    refers to itself. NOTE: this vulnerability exists because of an incomplete
    fix for CVE-2015-1868.
    - Added debian/patches/CVE-2015-1868-2.patch
  * CVE-2016-7068: Florian Heinz and Martin Kluge reported that pdns-recursor
    parses all records present in a query regardless of whether they are
    needed or even legitimate, allowing a remote, unauthenticated attacker to
    cause an abnormal CPU usage load on the pdns server, resulting in a
    partial denial of service if the system becomes overloaded.
    - Added debian/patches/CVE-2016-7068.patch
  * Add debian/patches/qtypes.patch so qtypes required for CVE-2016-7068.patch
    are available

I have not evaluated any other Ubuntu releases (and don't intend to).
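
The self-referring-name problem described in the CVE-2015-1868 and CVE-2015-5470 entries above, shown as an added example that is not part of this bug report or of the PowerDNS patches: a defensive RFC 1035 name decompressor that rejects pointer loops and over-long expanded names. The function name `decompressName` and the sample packets are hypothetical, constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical helper (not PowerDNS code): expand the name at msg[pos],
// following RFC 1035 compression pointers. Returns false on malformed input.
bool decompressName(const std::vector<uint8_t>& msg, size_t pos, std::string& out) {
    const size_t kMaxWire = 255;  // RFC 1035 cap on an encoded name
    size_t wireLen = 1;           // the terminating root label
    size_t segStart = pos;        // start of the run of labels being read
    out.clear();
    for (;;) {
        if (pos >= msg.size()) return false;            // ran off the packet
        const uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {                     // compression pointer
            if (pos + 1 >= msg.size()) return false;
            const size_t target = ((len & 0x3Fu) << 8) | msg[pos + 1];
            // Each jump must land strictly before the run it leaves, so a
            // pointer to itself or into a cycle is rejected and chains end.
            if (target >= segStart) return false;
            segStart = pos = target;
            continue;
        }
        if (len & 0xC0) return false;                   // reserved label types
        if (len == 0) { if (out.empty()) out = "."; return true; }
        wireLen += 1u + len;
        // Bound the expanded name, not only the bytes read at one offset.
        if (wireLen > kMaxWire || pos + 1 + len > msg.size()) return false;
        out.append(msg.begin() + pos + 1, msg.begin() + pos + 1 + len);
        out.push_back('.');
        pos += 1u + len;
    }
}

int main() {
    // Constructed samples: 12 zero bytes stand in for the DNS header.
    std::vector<uint8_t> ok(12, 0), loop(12, 0);
    const uint8_t name[] = {3, 'w', 'w', 'w', 2, 'e', 'x', 0, 0xC0, 12};
    ok.insert(ok.end(), name, name + sizeof name);   // pointer at 20 -> 12
    loop.push_back(0xC0); loop.push_back(12);        // pointer at 12 -> 12
    std::string s;
    bool r = decompressName(ok, 20, s);
    std::printf("ok=%d name=%s\n", r, s.c_str());
    r = decompressName(loop, 12, s);
    std::printf("loop=%d\n", r);
    return 0;
}
```

The length cap is checked on the expanded name, so a chain of individually valid backward pointers that would build a name longer than 255 bytes is also refused.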


Scott Kitterman (kitterman) wrote :

debian/changelog will need the revision number adjusted to whatever you prefer and the bug number added.

Changed in pdns-recursor (Ubuntu):
status: New → Invalid
Changed in pdns-recursor (Ubuntu Trusty):
importance: Undecided → High
Emily Ratliff (emilyr) on 2017-01-17
Changed in pdns-recursor (Ubuntu Trusty):
status: New → Confirmed
Emily Ratliff (emilyr) wrote :

ACK

I updated the revision number and added dep headers to the patches that were lacking them.

It is now building in security-proposed. I've done some light testing and it seems to work for me, but the security team does not have standard regression tests for this package, so I would like to ask for some additional testing.

Changed in pdns-recursor (Ubuntu Trusty):
status: Confirmed → In Progress
tags: added: security-verification

Debian LTS uploaded essentially the same patch (we coordinated and reviewed
what each other had done). I'm not sure what to tell you about testing other
than that we have the change in production on a high volume system and haven't
seen any issues.

I'm no longer involved in Ubuntu development, but when I have clients that use
Ubuntu that I do work for, I do like to feed it back to the distro. I don't
know that I can help you further. It would be a shame for other Ubuntu users
to be left with the CVEs unfixed.

Scott K

On Tuesday, January 17, 2017 11:51:23 PM you wrote:
> ACK
>
> I updated the revision number and added dep headers to the patches that
> were lacking them.
>
> It is now building in security-proposed. I've done some light testing
> and it seems to work for me, but the security team does not have
> standard regression tests for this package, so I would like to ask for
> some additional testing.
>
> ** Changed in: pdns-recursor (Ubuntu Trusty)
> Status: Confirmed => In Progress
>
> ** Tags added: security-verification

Emily Ratliff (emilyr) on 2017-01-18
tags: removed: security-verification
Emily Ratliff (emilyr) wrote :

Your work on the debdiff is very much appreciated! Thanks for helping keep Ubuntu secure. The package has now been released.

Changed in pdns-recursor (Ubuntu Trusty):
status: In Progress → Fix Released