| Summary: | <net-dns/pdns-recursor-{4.9.3,5.0.2}: crafted DNSSEC records in a zone can lead to a denial of service (CVE-2023-50387, CVE-2023-50868) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Philippe Chaintreuil <gentoo_bugs_2_peep> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS --- | | |
| Severity: | normal | CC: | ajak, bertrand, gentoo_bugs_2_peep, jstein, swegener |
| Priority: | Normal | Keywords: | PullRequest, SECURITY |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | | |
| See Also: | https://github.com/gentoo/gentoo/pull/35312 | | |
| Whiteboard: | B3 [glsa?] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 924455 | | |

Description
Philippe Chaintreuil
2024-02-13 21:24:23 UTC
I threw up a PR for the 4.9.3 upgrade (just a rename of the existing 4.9.2, and adding ~ to all arches). I'm running that on my machine as of a few minutes ago. I haven't yet upgraded to the 5.x branch, so I'll leave that alone unless someone wants me to just do a blind copy of that ebuild.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dfe8d156704e22ce3c63502cd3d9e723d941a58f

commit dfe8d156704e22ce3c63502cd3d9e723d941a58f
Author: Sven Wegener <swegener@gentoo.org>
AuthorDate: 2024-02-14 00:01:11 +0000
Commit: Sven Wegener <swegener@gentoo.org>
CommitDate: 2024-02-14 00:16:42 +0000

    net-dns/pdns-recursor: add 5.0.2, drop 5.0.1

    Bug: https://bugs.gentoo.org/924442
    Signed-off-by: Sven Wegener <swegener@gentoo.org>

 net-dns/pdns-recursor/Manifest | 2 +-
 .../{pdns-recursor-5.0.1.ebuild => pdns-recursor-5.0.2.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a75c570cd1eb8a551bdabf0693f5c6d513eef662

commit a75c570cd1eb8a551bdabf0693f5c6d513eef662
Author: Philippe Chaintreuil <gentoo_bugs_peep@parallaxshift.com>
AuthorDate: 2024-02-13 21:31:53 +0000
Commit: Sven Wegener <swegener@gentoo.org>
CommitDate: 2024-02-14 00:16:42 +0000

    net-dns/pdns-recursor: add 4.9.3

    Bug: https://bugs.gentoo.org/924442
    Closes: https://github.com/gentoo/gentoo/pull/35312
    Signed-off-by: Philippe Chaintreuil <gentoo_bugs_peep@parallaxshift.com>
    Signed-off-by: Sven Wegener <swegener@gentoo.org>

 net-dns/pdns-recursor/Manifest | 1 +
 net-dns/pdns-recursor/pdns-recursor-4.9.3.ebuild | 91 ++++++++++++++++++++++++
 2 files changed, 92 insertions(+)

We're targeting 4.9.3 for security stabilization. I've also bumped to 5.0.2, but like to keep it for later, because of the rust integration.

The CVEs are also being handled in bug #924447 for bind.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=25028f62a022b85167f8b3590845151a819a4507

commit 25028f62a022b85167f8b3590845151a819a4507
Author: Sven Wegener <swegener@gentoo.org>
AuthorDate: 2024-02-15 21:57:57 +0000
Commit: Sven Wegener <swegener@gentoo.org>
CommitDate: 2024-02-15 21:59:10 +0000

    net-dns/pdns-recursor: stabilize 4.9.3 for amd64, x86

    Bug: https://bugs.gentoo.org/924442
    Signed-off-by: Sven Wegener <swegener@gentoo.org>

 net-dns/pdns-recursor/pdns-recursor-4.9.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Thanks! Please cleanup

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=117e057dff9fe7b86bb1098fa03bfaca7888a5f6

commit 117e057dff9fe7b86bb1098fa03bfaca7888a5f6
Author: Sven Wegener <swegener@gentoo.org>
AuthorDate: 2024-02-18 19:24:49 +0000
Commit: Sven Wegener <swegener@gentoo.org>
CommitDate: 2024-02-18 19:24:54 +0000

    net-dns/pdns-recursor: drop 4.9.2

    Bug: https://bugs.gentoo.org/924442
    Signed-off-by: Sven Wegener <swegener@gentoo.org>

 net-dns/pdns-recursor/Manifest | 1 -
 net-dns/pdns-recursor/pdns-recursor-4.9.2.ebuild | 91 ------------------------
 2 files changed, 92 deletions(-)