[Pdns-users] Regarding CVE-2015-7547 & PowerDNS Recursor
Nick Douma
n.douma at nekoconeko.nl
Wed Feb 17 15:13:26 UTC 2016
Hi,
On 17-02-16 14:38, bert hubert wrote:
> On Wed, Feb 17, 2016 at 02:12:51PM +0100, Nick Douma wrote:
>> What about the static debian package on the website? I assume updating
>> the OS libc package is not enough?
>
> Check with ldd /usr/sbin/pdns_server or /usr/sbin/pdns_recursor to see if
> your version runs against the system libc. If it doesn't chances are you are
> running a version that needed to be updated anyhow!
Indeed it seems that both recursor and auth use the system libc:
ubuntu at dns:~$ ldd /usr/sbin/pdns_server
linux-vdso.so.1 => (0x00007ffd3cd46000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f4e844e8000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f4e842e4000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
(0x00007f4e840c6000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f4e83d01000)
/lib64/ld-linux-x86-64.so.2 (0x00007f4e847ee000)
ubuntu at dns:~$ ldd /usr/sbin/pdns_recursor
linux-vdso.so.1 => (0x00007ffdf7362000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f6ccf380000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6ccefbb000)
/lib64/ld-linux-x86-64.so.2 (0x00007f6ccf686000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f6ccedb7000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
(0x00007f6cceb99000)
> Secondly, as a nameserver, we try not to resolve names using the system
> library as this could create chicken/egg problems. We do use getaddrinfo()
> but not to resolve names, only to convert IPv6 addresses, and that only if
> inet_pton doesn't do the job. See
> http://blog.powerdns.com/2014/05/21/a-surprising-discovery-on-converting-ipv6-addresses-we-no-longer-prefer-getaddrinfo/
>
> If you connec to a MySQL or PostgreSQL database using a *named* database
> host, those libraries might try to resolve a name, but we recommend against
> that.
Clear answer, thanks.
Kind regards,
Nick Douma
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20160217/00b577a9/attachment.sig>
More information about the Pdns-users
mailing list