Bug 739558 (CVE-2018-21029) - <sys-apps/systemd-246: Potential MiTM when using DNS-over-TLS with systemd-resolved (CVE-2018-21029)
Status: RESOLVED FIXED
Alias: CVE-2018-21029
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/systemd/systemd/is...
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 745084
Blocks:
Reported: 2020-08-29 22:15 UTC by John Helmert III
Modified: 2020-12-23 16:58 UTC

See Also:
Package list:
sys-apps/systemd-246-r1 amd64 arm arm64 ppc ppc64 sparc x86 sys-fs/udev-init-scripts-34 amd64 arm ppc ppc64 s390 sparc
Runtime testing required: ---
nattka: sanity-check-


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-29 22:15:10 UTC
Best description I've found comes from Arch Wiki:

Prior to systemd version 245.2-2, systemd-resolved only validated the DNS server certificate if it was issued for the server's IP address (a rare occurrence). DNS server certificates without an IP address were not checked making systemd-resolved vulnerable to man-in-the-middle attacks.



Vulnerability was patched for systemd-246: https://github.com/systemd/systemd/commit/eec394f10bbfcc3d2fc8504ad8ff5be44231abd5

Need to stable 246-r1.
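
A local audit for the condition described above, added here as an example; it is not part of the original report and is not systemd code. It reads the effective `DNSOverTLS=` setting from resolved.conf text and compares the systemd release against 246, the fixed version named in this bug. The function names, the sample configs, and the assumption that DNS-over-TLS is off unless configured are this example's own.

```python
import re

FIXED_MAJOR = 246  # first fixed systemd release according to this bug
OFF = {"no", "false", "0", "off"}  # boolean-false spellings in systemd config

def systemd_major(version):
    """Major release from '246-r1', '245.2' or 'systemd 245 (245.4-4)'."""
    m = re.search(r"\d+", version)
    if not m:
        raise ValueError(f"no version number in {version!r}")
    return int(m.group())

def dns_over_tls_mode(conf_texts):
    """Effective DNSOverTLS= value; conf_texts are in parse order, last wins."""
    mode = "no"  # assumption: off unless configured (build default may differ)
    for text in conf_texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue  # blank line or comment
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            key, sep, value = line.partition("=")
            if section == "Resolve" and key.strip() == "DNSOverTLS" and value.strip():
                mode = value.strip().lower()
    return mode

def assess(version, conf_texts):
    """Classify a host against the condition described in this bug."""
    old = systemd_major(version) < FIXED_MAJOR
    mode = dns_over_tls_mode(conf_texts)
    if not old:
        return "fixed"
    return "affected" if mode not in OFF else "outdated, DNS-over-TLS off"

# Constructed sample inputs (not taken from the bug report).
MAIN_CONF = "[Resolve]\n#DNSOverTLS=no\nDNS=192.0.2.53\n"
DROP_IN = "[Resolve]\nDNSOverTLS=opportunistic\n"

if __name__ == "__main__":
    for ver, confs in [("245.2", [MAIN_CONF, DROP_IN]),
                       ("245.2", [MAIN_CONF]),
                       ("246-r1", [MAIN_CONF, DROP_IN])]:
        print(ver, dns_over_tls_mode(confs), "->", assess(ver, confs))
```

On a live host, pass the contents of `/etc/systemd/resolved.conf` followed by any `/etc/systemd/resolved.conf.d/*.conf` drop-ins. The check compares the major release only, so a distribution backport of the fix to an older release is not detected.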
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-25 20:49:37 UTC
Ready?
Comment 2 NATTkA bot gentoo-dev 2020-09-28 18:32:53 UTC
Unable to check for sanity:

> no match for package: sys-apps/systemd-246
Comment 3 NATTkA bot gentoo-dev 2020-09-28 18:45:09 UTC
Sanity check failed:

> sys-apps/systemd-246-r1
>   pdepend amd64 stable profile default/linux/amd64/17.0 (68 total)
>     >=sys-fs/udev-init-scripts-34
>   pdepend amd64 dev profile default/linux/amd64/17.0/x32 (34 total)
>     >=sys-fs/udev-init-scripts-34
Comment 4 NATTkA bot gentoo-dev 2020-09-28 19:05:02 UTC
All sanity-check issues have been resolved
Comment 5 Rolf Eike Beer archtester 2020-09-30 18:35:25 UTC
hppa stable
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-01 18:51:49 UTC
arm64 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-01 19:02:35 UTC
x86 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-01 19:07:57 UTC
amd64 done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-01 19:08:51 UTC
ppc done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-01 19:10:07 UTC
ppc done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-01 19:10:59 UTC
amd64 done
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-01 19:13:20 UTC
ppc done
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-01 19:15:15 UTC
ppc64 done
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-01 19:16:21 UTC
arm done
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-01 20:01:02 UTC
sparc done
Comment 16 Agostino Sarubbo gentoo-dev 2020-10-07 06:56:13 UTC
s390 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 17 NATTkA bot gentoo-dev 2020-10-14 19:16:55 UTC
Unable to check for sanity:

> no match for package: sys-apps/systemd-246-r1
Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-23 16:58:38 UTC
GLSA Vote: No

The vulnerability has been disputed.

Repository is clean, all done!