Bug 772570 (CVE-2012-0206)

Summary: Denial of Service vulnerability in PowerDNS 2.9.22
Product: [Fedora] Fedora EPEL
Reporter: Nils Breunese <nils>
Component: pdns
Assignee: Ruben Kerkhof <ruben>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: medium
Version: el5
CC: maurizio.antillon, ruben, tmz
Keywords: Reopened, Security
Hardware: All
OS: Linux
Fixed In Version: pdns-2.9.22.6-1.el6
Doc Type: Bug Fix
Last Closed: 2012-02-04 01:07:45 UTC

Description Nils Breunese 2012-01-09 09:39:58 UTC
http://mailman.powerdns.com/pipermail/pdns-announce/2012-January/000151.html says:

----
Tomorrow (Tuesday the 10th of January) at 9AM eastern time, 15:00 Central
European Time, we will be releasing an important PowerDNS Security Advisory.

This Advisory contains details of a Denial of Service issue within all
currently used versions of the PowerDNS Authoritative Server.

We will be releasing:
	* A configuration based workaround, which might have a performance
	  penalty

	* An iptables based workaround

	* Versions 2.9.22.5 and 3.0.1 of the Authoritative Server
		As source code
		Packages (static 32 bit and 64 bit for Debian and RPM based
		Linux distributions)

	* A one-line patch that solves the issue for source based users

	* Complete details of the problem

The denial of service attack is temporary in nature, but can be performed
using limited resources. There is no risk of a system compromise because of
this attack.

This pre-announcement is made to allow operators to schedule a maintenance
window to possibly upgrade or modify their systems.

If you anticipate requiring help upgrading your affected systems, please
contact powerdns.support at netherlabs.nl.

Some more details:
CVE: CVE-2012-0206
Date: 10th of January 2012

Affects: Most PowerDNS Authoritative Server versions < 3.0.1 (with the 
exception of 2.9.22.5)

Not affected: No versions of the PowerDNS Recursor ('pdns_recursor') are
affected.

Severity: High
Impact: Temporary denial of service
Exploit: Proof of concept
Risk of system compromise: No
Solution: Upgrade to PowerDNS Recursor 2.9.22.5 or 3.0.1
Workaround: Several
----

I think it would be good to upgrade the EPEL package to 2.9.22.5 once it is released tomorrow to protect users of the package from this vulnerability.

Comment 1 Kurt Seifried 2012-01-10 01:49:11 UTC
*** Bug 772581 has been marked as a duplicate of this bug. ***

Comment 2 Kurt Seifried 2012-01-10 01:53:38 UTC
We don't ship PowerDNS, nor does Fedora.

Comment 3 Kurt Seifried 2012-01-10 01:58:25 UTC
Forgot that Fedora calls it pdns, not powerdns.

Comment 4 Ruben Kerkhof 2012-01-10 11:29:34 UTC
That's why Nils opened a bug in the Fedora EPEL component, not Red Hat.

Thanks for the help, but I'd rather handle my own bugs myself. I opened #772581 to keep track of this in Fedora, not EPEL.

Comment 5 Fedora Update System 2012-01-10 13:24:29 UTC
pdns-2.9.22-4.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/pdns-2.9.22-4.el5

Comment 6 Fedora Update System 2012-01-10 13:25:31 UTC
pdns-2.9.22.5-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/pdns-2.9.22.5-1.el6

Comment 7 Fedora Update System 2012-01-11 07:59:36 UTC
Package pdns-2.9.22.5-1.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing pdns-2.9.22.5-1.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-0061/pdns-2.9.22.5-1.el6
then log in and leave karma (feedback).

Comment 8 Nils Breunese 2012-01-17 23:52:46 UTC
According to http://mailman.powerdns.com/pipermail/pdns-users/2012-January/008492.html 2.9.22.5 introduces a crashing bug when using PowerDNS as an AXFR slave. 2.9.22.6 will be released this week to address this issue.

Comment 9 Ruben Kerkhof 2012-01-18 11:05:32 UTC
Thanks Nils, I didn't see that one since I'm only subscribed to pdns-devel.

I have 2.9.22.5 running in production for a week now, on 1 master and 2 AXFR slaves, and haven't seen any crashes. Just to be safe, I'll refrain from pushing 2.9.22.5 and wait for the 2.9.22.6 update.

Comment 10 Nils Breunese 2012-01-18 11:57:12 UTC
Maybe you could just apply the one-line patch to fix the denial of service vulnerability and release that?

Comment 11 Nils Breunese 2012-01-26 09:48:27 UTC
PowerDNS 2.9.22.6 has been released:

----
The improvements to the master/slave engine in 2.9.22.5 contained one serious bug that can cause crashes on busy setups. 2.9.22.6 fixes this crash.
----

http://doc.powerdns.com/changelog.html#changelog-auth-2-9-22-6

Comment 12 Fedora Update System 2012-02-02 09:48:17 UTC
pdns-2.9.22.6-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/pdns-2.9.22.6-1.el6

Comment 13 Fedora Update System 2012-02-04 01:07:45 UTC
pdns-2.9.22-4.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2012-02-18 21:43:25 UTC
pdns-2.9.22.6-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.