SoylentNews is people

posted by n1 on Thursday November 13 2014, @03:19AM
from the one-daemon-to-rule-them-all dept.

Whether you're running systemd happily or begrudgingly, it's best if you disable systemd-resolved as your DNS resolver for the time being. Reported today at seclists is a new DNS cache poisoning bug in systemd-resolved.

At its simplest, an attacker triggers a query to a domain he controls via SMTP or SSH-login. Upon receipt of the question, he can just add any answer he wants to have cached to the legit answer he provides for the query, e.g. providing two answer RR's: One for the question asked and one for a question that has never been asked - even if the DNS server is not authoritative for this domain.

Systemd-resolved accepts both answers and caches them. There are no reports as to the affected versions or how widespread the problem may be. Comments over at Hacker News suggest that it might not be widespread: most users would still be running the backported 208-stable, while the DNS resolver was committed in 213 and considered fairly complete in 216, but that is if they enabled systemd-resolved in /etc/nsswitch.conf.
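The check a caching resolver needs here, as an added example that is not part of the original story and is not systemd's code: cache only the answer RRs that belong to the question asked (following CNAMEs inside the same response) and set the rest aside. The `RR` model, the function names and the sample records are assumptions made for illustration.

```python
from collections import namedtuple

# Minimal resource-record model (hypothetical, for this example only).
RR = namedtuple("RR", "name rtype rdata")

def norm(name):
    """DNS names compare case-insensitively; ignore the trailing root dot."""
    return name.rstrip(".").lower()

def cacheable_answers(qname, qtype, answers):
    """Split answer RRs into (accepted, rejected) for the question asked.

    An RR is accepted when its owner name is the question name, or a name
    reached from it through CNAME records in the same response. Anything
    else is unsolicited: it should be logged and dropped, never cached.
    """
    by_owner = {}
    for rr in answers:
        by_owner.setdefault(norm(rr.name), []).append(rr)

    accepted, seen, current = [], set(), norm(qname)
    while current not in seen:          # 'seen' also stops CNAME loops
        seen.add(current)
        next_name = None
        for rr in by_owner.get(current, []):
            if rr.rtype == qtype:
                accepted.append(rr)
            elif rr.rtype == "CNAME":
                accepted.append(rr)
                next_name = norm(rr.rdata)
        if next_name is None:
            break
        current = next_name
    rejected = [rr for rr in answers if rr not in accepted]
    return accepted, rejected

# Constructed response: the client asked for A mail.attacker.example and the
# reply carries one matching record plus one for a name that was never asked.
SAMPLE = [
    RR("mail.attacker.example.", "A", "192.0.2.10"),
    RR("www.bank.example.", "A", "192.0.2.66"),
]
```

Calling `cacheable_answers("mail.attacker.example", "A", SAMPLE)` accepts only the first record; the second one is the kind of extra answer the story describes being cached.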

 
  • (Score: 2, Insightful) by Whoever on Thursday November 13 2014, @03:45AM

    by Whoever (4524) on Thursday November 13 2014, @03:45AM (#115400)

    Systemd hasn't had that many bugs, because it is still new

    FTFY.

    Seriously, come back in 5 years and then look at bug statistics.

    This is exactly why I am trying to stay away from systemd right now. So much new code, bound to be lots of bugs lurking there.

  • (Score: 3) by novak on Thursday November 13 2014, @03:54AM

    by novak (4683) on Thursday November 13 2014, @03:54AM (#115402)

    That is a big part of why there are so few bugs. But that's not why I'm staying away. I'm staying away because of the laughable design choices.

    This is a good example, a bug in a feature that should not even exist. It's not like systemd has to resolve domain names, there's any amount of other software which already does this. I prefer options, and one of those options is what DNS resolver/cache to run. I don't want RedHat or anyone else inventing the One True Software which has every subsystem tied together through a mystical API that changes whenever they want.

    --
    novak
  • (Score: 3, Insightful) by Anonymous Coward on Thursday November 13 2014, @03:58AM

    by Anonymous Coward on Thursday November 13 2014, @03:58AM (#115404)

    That's also what makes it totally unsuitable for use in Debian. Debian is all about stability, reliability and security. Systemd just hasn't been proven to be good enough yet. This bug shows that it's way too immature to be part of Debian.

    • (Score: 0) by Anonymous Coward on Thursday November 13 2014, @04:48AM

      by Anonymous Coward on Thursday November 13 2014, @04:48AM (#115415)

      "That's also what makes it totally unsuitable for use in Debian. Debian is all about stability, reliability and security. Systemd just hasn't been proven to be good enough yet. This bug shows that it's way too immature to be part of Debian."

      But, but, features!

    • (Score: 0) by Anonymous Coward on Thursday November 13 2014, @07:32AM

      by Anonymous Coward on Thursday November 13 2014, @07:32AM (#115457)

      And way too immature for RedHat. And SUSE, and ...

    • (Score: 0) by Anonymous Coward on Thursday November 13 2014, @07:43AM

      by Anonymous Coward on Thursday November 13 2014, @07:43AM (#115461)

      Debian all about being a social progressive and supporting feminists lesbians and trannies actually. And policing speech. Code of conduct etc.

      • (Score: 1, Insightful) by Anonymous Coward on Thursday November 13 2014, @01:54PM

        by Anonymous Coward on Thursday November 13 2014, @01:54PM (#115539)

        trannies

        Hey, don't throw us in with the feminists. There are plenty of us who are equally pissed off at them. Probably more so than you. Feminism is the systemd of gender equality. See the Michigan Womyn's Music Festival and wonderful people like Janice Raymond. Well, maybe Poettering might be worse than Raymond. At least you can ignore her.

        Oh, why the hell am I wasting my time. Voting Libertarian? Got 1% or 2% of the vote at best. Waste of time. Arguing with MRAs who are delusional enough to believe that feminists approve of transsexuals or that being a transsexual makes one a socialist or a feminist? Equally a waste of time. Hoping some MRA gets his head out of his ass to see that there are a lot of transsexuals who lean libertarian. Impossible. Get it through your head: TRANSSEXUALS ARE NOT WELCOME IN FEMINIST GROUPS. FEMINISTS REGULARLY ATTACK TRANSSEXUALS. FEMINISTS LOVE "DOX"ing (I guess that's the right word) TRANSSEXUALS IN DEEP STEALTH. *breathes*

        Why do you think anti-gamergate went after a group with a very inclusive policy for trans women? It doesn't matter that they used transphobia as a rallying cry. These people are con artists, and they'll say whatever they can to get support. Actions speak louder than words. Feminism continues to be about discrimination against trans women and the systematic privileging of the body part between the legs over the body part between the ears.

        Fuck. People like you make me question why I support the Libertarian party.

        What the hell is up with Soylent this morning?

        --Velex's Ghost

        • (Score: 0) by Anonymous Coward on Thursday November 13 2014, @09:24PM

          by Anonymous Coward on Thursday November 13 2014, @09:24PM (#115668)

          It was a flamebait troll comment anyway. Don't take it too seriously.

          Politically I am a libertarian, but I am sad that so few people seem to actually want liberty.

        • (Score: 0) by Anonymous Coward on Friday November 14 2014, @02:54AM

          by Anonymous Coward on Friday November 14 2014, @02:54AM (#115762)

          "FEMINISTS REGULARLY ATTACK TRANSSEXUALS" says the transsexual attacking feminists. Talk about sectarian conflict. You do realise that feminists have the concept of intersectionality, right? That feminists are by a large stripe LGBTQ* allies? That they don't believe that gender has ANYTHING to do with what's between your legs? I can't believe you are complaining about bigotry by being such a bigot.