DNS resolver security updates for "nxnsattack" #88159
Conversation
https://doc.powerdns.com/recursor/changelog/4.3.html#change-4.3.1
It fixes DoS CVEs; details e.g. on http://www.nxnsattack.com/

$ nix build -f nixos/release.nix tests.pdns-recursor.x86_64-linux

https://www.isc.org/blogs/bind9-vulnerabilities-2020-05/

$ nix build -f nixos/release.nix tests.bind.x86_64-linux
All the updates should be quite minimalist, so I'm submitting them together and won't wait for long before merging. Unbound causes larger rebuilds, so I pushed it separately to staging-next as 73390e3.

Result of nixpkgs-review:

2 packages blacklisted:
- tests.nixos-functions.nixos-test
- tests.nixos-functions.nixosTest-test

24 packages built:
- acme-sh
- autofs5
- bashSnippets
- bind
- check-wmiplus
- cinnamon.cinnamon-session
- cinnamon.cjs
- cinnamon.nemo
- cinnamon.xapps
- dnsperf
- dnsutils
- dwm-status
- host
- inxi
- knot-resolver
- monitoring-plugins
- nmapsi4
- pdns-recursor
- python27Packages.xapp
- python37Packages.xapp
- python38Packages.xapp
- sssd
- testssl
- twa
For pdns-recursor, I tested the update on my server and looks all right.
It should be safe to backport to 20.03.
@vcunat what would be the proper move forward for knot-resolver on the release branches? Bumping to 5.1 seems feasible.
Ah, yes. I thought I already bumped it during the embargo, but apparently I forgot. Incompatibilities are really tiny and so far we've confirmed no regression.

@rnhmjoj: for pdns-recursor in 20.03 the bump would also be larger than on master, adding https://blog.powerdns.com/2020/03/03/powerdns-recursor-4-3-0-released/ – on a brief look I see nothing that I would consider incompatible, but there are some changes in behavior.
https://www.isc.org/blogs/bind9-vulnerabilities-2020-05/

$ nix build -f nixos/release.nix tests.bind.x86_64-linux

(cherry picked from commit 13c485d)

In BIND case these are quite severe DoS risks, so let me backport to 19.09.
You are right, it may introduce some unwanted changes. Unfortunately we have 4.3.0 on 20.03 but the stable branch of pdns-recursor is 4.2.0, so the CVE patches are only backported to that version.

Ah... silly me, they released also 4.2.2 for the CVE: https://blog.powerdns.com/2020/05/19/powerdns-recursor-4-3-1-4-2-2-and-4-1-16-released/

EDIT: to be clear, 20.03 had 4.2.1, so I did the CVE-only step to 4.2.2.
https://blog.powerdns.com/2020/05/19/powerdns-recursor-4-3-1-4-2-2-and-4-1-16-released/

$ nix build -f nixos/release.nix tests.pdns-recursor.x86_64-linux

NixPkgs master is on 4.3.x already; /cc that PR #88159

(cherry picked from commit 1a02977)
Yeah, I was somehow convinced it was 4.3.0. Thank you.

BTW, upgrading BIND from 9.14 to 9.16 would probably be desirable soon. (But I won't be looking into that.)
…orm-wasm-support

* upstream/nixos-19.09: (795 commits)
  doc: rename guide to 'Nixpkgs Manual'
  libexif: 0.6.21 -> 0.6.22
  gnutls: 3.6.13 -> 3.6.14
  Merge NixOS#89474: thunderbird*: 68.8.0 -> 68.9.0 (security)
  wire-desktop: mac 3.17.3666 -> 3.18.3728
  wire-desktop: linux 3.17.2924 -> 3.18.2925
  ip2unix: 2.1.2 -> 2.1.3
  ip2unix: 2.1.1 -> 2.1.2
  ffmpeg_2_8: 2.8.15 -> 2.8.16
  ffmpeg-full: 4.2.2 -> 4.2.3
  ffmpeg_4: 4.2.2 -> 4.2.3
  pdns-recursor: 4.2.0 -> 4.2.2 (security)
  bind: 9.14.9 -> 9.14.12 (security, PR NixOS#88159)
  dovecot: v2.3.10 → v2.3.10.1
  dovecot: 2.3.9.3 -> 2.3.10
  chromium: Mark as insecure
  firefox: 76.0 -> 76.0.1
  firefox: Add patch to fix AES GCM IV bit size
  monero: fix rcp.restricted option
  Merge NixOS#87066: thunderbird*: 68.7.0 -> 68.8.0 (security)
  ...
Motivation for this change
See e.g. https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/
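The fix for this attack is purely an upgrade, so the practical question on a deployed host is whether the running resolver is already on a release that carries the patch. The script below is an added example, not code from this PR or from nixpkgs: it compares a resolver's reported version against the first fixed release on its branch, using the versions the discussion names (PowerDNS Recursor 4.3.1, 4.2.2 and 4.1.16; BIND 9.14.12). The sample banners are constructed, and the exact wording printed by `pdns_recursor --version` / `named -v` is an assumption; the version extraction only relies on the first dotted numeric token.

```shell
#!/bin/sh
# Added example (not from the nixpkgs PR): report whether a resolver version is at or past
# the release that includes the NXNSAttack fixes named in the PR discussion.
# Sample banners below are constructed; real --version output wording is an assumption.
set -u

# version_ge A B: succeed (0) when dotted version A >= B, comparing numeric components.
# Trailing non-numeric suffixes such as "-1" or "rc2" are ignored.
version_ge() {
  a="${1%%[!0-9.]*}"; b="${2%%[!0-9.]*}"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
    if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
  done
  return 0   # every component equal
}

# fixed_for_branch NAME MAJOR.MINOR: print the first fixed release on that branch
# (versions taken from the PR thread), or nothing when the branch is not listed.
fixed_for_branch() {
  case "$1/$2" in
    pdns-recursor/4.3) echo 4.3.1 ;;
    pdns-recursor/4.2) echo 4.2.2 ;;
    pdns-recursor/4.1) echo 4.1.16 ;;
    bind/9.14)         echo 9.14.12 ;;
    *)                 echo "" ;;
  esac
}

# extract_version BANNER: first whitespace-separated token that looks like "N.N...",
# e.g. "9.14.12" from "BIND 9.14.12 (Stable Release) <id:...>".
extract_version() {
  printf '%s\n' "$1" | tr ' ' '\n' | grep '^[0-9][0-9]*\.[0-9]' | head -n 1
}

# resolver_status NAME VERSION: print fixed / vulnerable / unknown-branch,
# returning 0 / 1 / 2 so the script can gate on the result.
resolver_status() {
  name="$1"; ver="$2"
  rest="${ver#*.}"; branch="${ver%%.*}.${rest%%.*}"
  fixed=$(fixed_for_branch "$name" "$branch")
  if [ -z "$fixed" ]; then echo unknown-branch; return 2; fi
  if version_ge "$ver" "$fixed"; then echo fixed; return 0; fi
  echo vulnerable; return 1
}

# Stand-alone run over constructed banners; in practice feed the output of
# `pdns_recursor --version` or `named -v` (banner wording is an assumption).
demo() {
  for sample in \
    "pdns-recursor|PowerDNS Recursor 4.3.0 (C) 2001-2020 PowerDNS.COM BV" \
    "pdns-recursor|PowerDNS Recursor 4.2.2 (C) 2001-2020 PowerDNS.COM BV" \
    "bind|BIND 9.14.9 (Stable Release) <id:constructed>" \
    "bind|BIND 9.14.12 (Stable Release) <id:constructed>"
  do
    name="${sample%%|*}"; banner="${sample#*|}"
    ver=$(extract_version "$banner")
    status=$(resolver_status "$name" "$ver") || :
    printf '%-14s %-8s %s\n' "$name" "$ver" "$status"
  done
}
demo
```

Branches outside the table (for example a BIND 9.16 series, which the thread mentions only as a desirable future upgrade) are reported as unknown-branch rather than guessed at, so the script never reports "fixed" for a release it has no data on.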