[Pdns-users] Regarding CVE-2015-7547 & PowerDNS Recursor

Nick Douma n.douma at nekoconeko.nl
Wed Feb 17 15:13:26 UTC 2016


On 17-02-16 14:38, bert hubert wrote:
> On Wed, Feb 17, 2016 at 02:12:51PM +0100, Nick Douma wrote:
>> What about the static debian package on the website? I assume updating
>> the OS libc package is not enough?
> Check with ldd /usr/sbin/pdns_server or /usr/sbin/pdns_recursor to see if
> your version runs against the system libc. If it doesn't, chances are you are
> running a version that needed to be updated anyhow!

Indeed it seems that both recursor and auth use the system libc:

ubuntu at dns:~$ ldd /usr/sbin/pdns_server
	linux-vdso.so.1 =>  (0x00007ffd3cd46000)
	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f4e844e8000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f4e842e4000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f4e83d01000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f4e847ee000)

ubuntu at dns:~$ ldd /usr/sbin/pdns_recursor
	linux-vdso.so.1 =>  (0x00007ffdf7362000)
	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f6ccf380000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6ccefbb000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f6ccf686000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f6ccedb7000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0

> Secondly, as a nameserver, we try not to resolve names using the system
> library as this could create chicken/egg problems. We do use getaddrinfo()
> but not to resolve names, only to convert IPv6 addresses, and that only if
> inet_pton doesn't do the job. See
> http://blog.powerdns.com/2014/05/21/a-surprising-discovery-on-converting-ipv6-addresses-we-no-longer-prefer-getaddrinfo/
> If you connect to a MySQL or PostgreSQL database using a *named* database
> host, those libraries might try to resolve a name, but we recommend against
> that.

Clear answer, thanks.

Kind regards,

Nick Douma
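
The address-conversion pattern mentioned in the quoted reply (inet_pton first, getaddrinfo() only as a fallback and never for name resolution), as an added example that is not part of the original thread and not PowerDNS code. The helper name parse_ipv6_literal and the sample addresses are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for getaddrinfo() under strict -std= modes */
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper (not PowerDNS code): convert a literal IPv6 address
 * without ever sending a DNS query through the system resolver.
 * Returns 0 on success, -1 if the text is not a numeric IPv6 literal. */
int parse_ipv6_literal(const char *text, struct sockaddr_in6 *out)
{
    struct addrinfo hints, *res = NULL;

    memset(out, 0, sizeof(*out));
    out->sin6_family = AF_INET6;

    /* Fast path: inet_pton() is a pure text parser, no resolver involved. */
    if (inet_pton(AF_INET6, text, &out->sin6_addr) == 1)
        return 0;

    /* Fallback for forms inet_pton() rejects, such as a scoped address
     * ("fe80::1%1"). AI_NUMERICHOST makes getaddrinfo() return an error
     * for a hostname instead of resolving it, so libc's DNS code path
     * is not exercised. */
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_INET6;
    hints.ai_socktype = SOCK_DGRAM;
    hints.ai_flags = AI_NUMERICHOST;

    if (getaddrinfo(text, NULL, &hints, &res) != 0)
        return -1;
    memcpy(out, res->ai_addr, sizeof(*out));
    freeaddrinfo(res);
    return 0;
}
```
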
