Bug 772570 - (CVE-2012-0206) Denial of Service vulnerability in PowerDNS 2.9.22
Denial of Service vulnerability in PowerDNS 2.9.22
Status: CLOSED ERRATA
Product: Fedora EPEL
Classification: Fedora
Component: pdns (Show other bugs)
el5
All Linux
medium Severity low
: ---
: ---
Assigned To: Ruben Kerkhof
Fedora Extras Quality Assurance
: Reopened, Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-01-09 04:39 EST by Nils Breunese
Modified: 2013-02-04 04:07 EST (History)
3 users (show)

See Also:
Fixed In Version: pdns-2.9.22.6-1.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-03 20:07:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Nils Breunese 2012-01-09 04:39:58 EST
http://mailman.powerdns.com/pipermail/pdns-announce/2012-January/000151.html says:

----
Tomorrow (Tuesday the 10th of January) at 9AM eastern time, 15:00 Central
European Time, we will be releasing an important PowerDNS Security Advisory.

This Advisory contains details of a Denial of Service issue within all
currently used versions of the PowerDNS Authoritative Server.

We will be releasing:
	* A configuration based workaround, which might have a performance
	  penalty

	* An iptables based workaround

	* Versions 2.9.22.5 and 3.0.1 of the Authoritative Server
		As source code
		Packages (static 32 bit and 64 bit for Debian and RPM based
		Linux distributions)

	* A one-line patch that solves the issue for source based users

	* Complete details of the problem

The denial of service attack is temporary in nature, but can be performed
using limited resources. There is no risk of a system compromise because of
this attack.

This pre-announcement is made to allow operators to schedule a maintenance
window to possibly upgrade or modify their systems.

If you anticipate requiring help upgrading your affected systems, please
contact powerdns.support at netherlabs.nl.

Some more details:
CVE: CVE-2012-0206
Date: 10th of January 2012

Affects: Most PowerDNS Authoritative Server versions < 3.0.1 (with the 
exception of 2.9.22.5)

Not affected: No versions of the PowerDNS Recursor ('pdns_recursor') are
affected.

Severity: High
Impact: Temporary denial of service
Exploit: Proof of concept
Risk of system compromise: No
Solution: Upgrade to PowerDNS Recursor 2.9.22.5 or 3.0.1
Workaround: Several
----

I think it would be good to upgrade the EPEL package to 2.9.22.5 once it is released tomorrow to protect users of the package from this vulnerability.
Comment 1 Kurt Seifried 2012-01-09 20:49:11 EST
*** Bug 772581 has been marked as a duplicate of this bug. ***
Comment 2 Kurt Seifried 2012-01-09 20:53:38 EST
We don't ship PowerDNS, nor does Fedora.
Comment 3 Kurt Seifried 2012-01-09 20:58:25 EST
Forgot that Fedora calls it pdns, not powerdns.
Comment 4 Ruben Kerkhof 2012-01-10 06:29:34 EST
That's why Nils opened a bug in the Fedora EPEL component, not Red Hat.

Thanks for the help, but I rather handle my own bugs myself. I opened #772581 to keep track of this in Fedora, not EPEL.
Comment 5 Fedora Update System 2012-01-10 08:24:29 EST
pdns-2.9.22-4.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/pdns-2.9.22-4.el5
Comment 6 Fedora Update System 2012-01-10 08:25:31 EST
pdns-2.9.22.5-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/pdns-2.9.22.5-1.el6
Comment 7 Fedora Update System 2012-01-11 02:59:36 EST
Package pdns-2.9.22.5-1.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing pdns-2.9.22.5-1.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-0061/pdns-2.9.22.5-1.el6
then log in and leave karma (feedback).
Comment 8 Nils Breunese 2012-01-17 18:52:46 EST
According to http://mailman.powerdns.com/pipermail/pdns-users/2012-January/008492.html 2.9.22.5 introduces a crashing bug when using PowerDNS as an AXFR slave. 2.9.22.6 will be released this week to address this issue.
Comment 9 Ruben Kerkhof 2012-01-18 06:05:32 EST
Thanks Nils, I didn't see that one since I'm only subscribed to pdns-devel.

I have 2.9.22.5 running in production for a week now, on 1 master and 2 AXFR slaves, and haven't seen any crashes. Just to be save, I'll refrain from pushing 2.9.22.5 and wait for the 2.9.22.6 update.
Comment 10 Nils Breunese 2012-01-18 06:57:12 EST
Maybe you could just apply the one-line patch to fix the denial of service vulnerability and release that?
Comment 11 Nils Breunese 2012-01-26 04:48:27 EST
PowerDNS 2.9.22.6 has been released:

----
The improvements to the master/slave engine in 2.9.22.5 contained one serious bug that can cause crashes on busy setups. 2.9.22.6 fixes this crash.
----

http://doc.powerdns.com/changelog.html#changelog-auth-2-9-22-6
Comment 12 Fedora Update System 2012-02-02 04:48:17 EST
pdns-2.9.22.6-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/pdns-2.9.22.6-1.el6
Comment 13 Fedora Update System 2012-02-03 20:07:45 EST
pdns-2.9.22-4.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2012-02-18 16:43:25 EST
pdns-2.9.22.6-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.