DNS resolver security updates for "nxnsattack" #88159
Conversation
https://doc.powerdns.com/recursor/changelog/4.3.html#change-4.3.1 It fixes DoS CVEs; details e.g. on http://www.nxnsattack.com/ $ nix build -f nixos/release.nix tests.pdns-recursor.x86_64-linux
https://www.isc.org/blogs/bind9-vulnerabilities-2020-05/ $ nix build -f nixos/release.nix tests.bind.x86_64-linux
|
All the updates should be quite minimalist, so I'm submitting them together and won't wait for long before merging. Unbound causes larger rebuilds, so I pushed it separately to staging-next as 73390e3. |
vcunat
added
the
9.needs: port to stable
|
Result of 2 packages blacklisted:- tests.nixos-functions.nixos-test - tests.nixos-functions.nixosTest-test 24 packages built:- acme-sh - autofs5 - bashSnippets - bind - check-wmiplus - cinnamon.cinnamon-session - cinnamon.cjs - cinnamon.nemo - cinnamon.xapps - dnsperf - dnsutils - dwm-status - host - inxi - knot-resolver - monitoring-plugins - nmapsi4 - pdns-recursor - python27Packages.xapp - python37Packages.xapp - python38Packages.xapp - sssd - testssl - twa |
|
@vcunat what would be the proper move forward for knot-resolver on the release branches? Bumping to 5.1 seems feasible. |
|
Ah, yes. I thought I already bumped it during the embargo, but apparently I forgot. Incompatibilities are really tiny and so far we've confirmed no regression. |
|
@rnhmjoj: for pdns-recursor in 20.03 the bump would also be larger than on master, adding https://blog.powerdns.com/2020/03/03/powerdns-recursor-4-3-0-released/ – on a brief look I see nothing that I would consider incompatible, but there are some changes in behavior. |
https://www.isc.org/blogs/bind9-vulnerabilities-2020-05/ $ nix build -f nixos/release.nix tests.bind.x86_64-linux (cherry picked from commit 13c485d)
https://www.isc.org/blogs/bind9-vulnerabilities-2020-05/ $ nix build -f nixos/release.nix tests.bind.x86_64-linux (cherry picked from commit 13c485d) In BIND case these are quite severe DoS risks, so let me backport to 19.09.
|
You are right, it may introduce some unwanted changes. Unfortunaly we have 4.3.0 on 20.03 but the the stable branch of pdns-recursor is 4.2.0, so the CVE patch are only backported to that version. |
|
Ah... silly me, they released also 4.2.2 for the CVE: https://blog.powerdns.com/2020/05/19/powerdns-recursor-4-3-1-4-2-2-and-4-1-16-released/ EDIT: to be clear, 20.03 had 4.2.1, so I did the CVE-only step to 4.2.2. |
https://blog.powerdns.com/2020/05/19/powerdns-recursor-4-3-1-4-2-2-and-4-1-16-released/ $ nix build -f nixos/release.nix tests.pdns-recursor.x86_64-linux NixPkgs master is on 4.3.x already; /cc that PR #88159
vcunat
removed
the
9.needs: port to stable
https://blog.powerdns.com/2020/05/19/powerdns-recursor-4-3-1-4-2-2-and-4-1-16-released/ $ nix build -f nixos/release.nix tests.pdns-recursor.x86_64-linux NixPkgs master is on 4.3.x already; /cc that PR #88159 (cherry picked from commit 1a02977)
Yeah, I was somehow convinced it was 4.3.0. Thank you. |
|
BTW, upgrading BIND from 9.14 to 9.16 would probably be desirable soon. (But I won't be looking into that.)
|
…orm-wasm-support * upstream/nixos-19.09: (795 commits) doc: rename guide to 'Nixpkgs Manual' libexif: 0.6.21 -> 0.6.22 gnutls: 3.6.13 -> 3.6.14 Merge NixOS#89474: thunderbird*: 68.8.0 -> 68.9.0 (security) wire-desktop: mac 3.17.3666 -> 3.18.3728 wire-desktop: linux 3.17.2924 -> 3.18.2925 ip2unix: 2.1.2 -> 2.1.3 ip2unix: 2.1.1 -> 2.1.2 ffmpeg_2_8: 2.8.15 -> 2.8.16 ffmpeg-full: 4.2.2 -> 4.2.3 ffmpeg_4: 4.2.2 -> 4.2.3 pdns-recursor: 4.2.0 -> 4.2.2 (security) bind: 9.14.9 -> 9.14.12 (security, PR NixOS#88159) dovecot: v2.3.10 → v2.3.10.1 dovecot: 2.3.9.3 -> 2.3.10 chromium: Mark as insecure firefox: 76.0 -> 76.0.1 firefox: Add patch to fix AES GCM IV bit size monero: fix rcp.restricted option Merge NixOS#87066: thunderbird*: 68.7.0 -> 68.8.0 (security) ...
Motivation for this change
See e.g. https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)