Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 804585 (CVE-2021-36754) - net-dns/pdns-4.5.0: Denial of service
Summary: net-dns/pdns-4.5.0: Denial of service
Status: RESOLVED FIXED
Alias: CVE-2021-36754
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://blog.powerdns.com/2021/07/26/...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-27 05:14 UTC by Sven Wegener
Modified: 2021-08-01 18:47 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sven Wegener gentoo-dev 2021-07-27 05:14:52 UTC
From $URL:

PowerDNS Security Advisory 2021-01: Specific query crashes Authoritative Server

CVE: CVE-2021-36754
Date: July 26th, 2021
Affects: PowerDNS Authoritative version 4.5.0
Not affected: 4.4.x and below, 4.5.1
Severity: High
Impact: Denial of service
Exploit: This problem can be triggered via a specific query packet
Risk of system compromise: None
Solution: Upgrade to 4.5.1, or filter queries in dnsdist
PowerDNS Authoritative Server 4.5.0 (and the alpha/beta/rc1/rc2 prereleases that came before it) will crash with an uncaught out of bounds exception if it receives a query with QTYPE 65535. The offending code was not present in earlier versions, and they are not affected.

Users that cannot upgrade immediately, but do have dnsdist in place, can use dnsdist to filter such queries before they do harm, with something like addAction(QTypeRule(65535), RCodeAction(DNSRCode.REFUSED)).

When the PowerDNS Authoritative Server is run inside a supervisor like supervisord or systemd, an uncaught exception crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.
Comment 1 Larry the Git Cow gentoo-dev 2021-07-27 05:27:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=57a134af1b2a461f3233b7eb450b8ebddfdd7a46

commit 57a134af1b2a461f3233b7eb450b8ebddfdd7a46
Author:     Sven Wegener <swegener@gentoo.org>
AuthorDate: 2021-07-27 05:19:40 +0000
Commit:     Sven Wegener <swegener@gentoo.org>
CommitDate: 2021-07-27 05:23:41 +0000

    net-dns/pdns: Version bump, security bug #804585
    
    Bug: https://bugs.gentoo.org/804585
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Sven Wegener <swegener@gentoo.org>

 net-dns/pdns/Manifest                                 | 2 +-
 net-dns/pdns/{pdns-4.5.0.ebuild => pdns-4.5.1.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 2 Sven Wegener gentoo-dev 2021-07-27 05:29:51 UTC
Vulnerable versions were never stabilized: 4.5.0 release candidates had no keywords, 4.5.0 final was only ~amd64.
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:20:23 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:28:25 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:36:25 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:44:28 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:52:29 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 17:56:27 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:00:26 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-07-29 18:08:27 UTC
Package list is empty or all packages have requested keywords.
Comment 11 John Helmert III gentoo-dev Security 2021-08-01 18:47:17 UTC
Given this only ever affected unstable packages we can go ahead and noglsa it. All done, thanks!