SoylentNews is people

posted by n1 on Thursday November 13 2014, @03:19AM
from the one-daemon-to-rule-them-all dept.

Whether you're running systemd happily or begrudgingly, it's best if you disable systemd-resolved as your DNS resolver for the time being. Reported today at seclists is a new DNS cache poisoning bug in systemd-resolved.

At its simplest, an attacker triggers a query to a domain he controls via SMTP or SSH login. Upon receipt of the question, he can add any answer he wants cached to the legitimate answer he provides for the query, e.g. by providing two answer RRs: one for the question asked and one for a question that was never asked, even if the DNS server is not authoritative for that domain.

Systemd-resolved accepts both answers and caches them. There are no reports as to the affected versions or how widespread the problem may be. Comments over at Hacker News suggest that it might not be widespread: most users would still be running the backported 208-stable, while the DNS resolver was committed in 213 and considered fairly complete in 216, and even then only users who enabled systemd-resolved in /etc/nsswitch.conf would be exposed.
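The missing check described above, written out as an added example (not code from this story, the seclists report or systemd): a response's answer RRs are kept only when they belong to the question that was asked, and the cache is keyed by that question. The names `split_answers` and `QuestionKeyedCache`, the tuple record format and all sample records are assumptions made for illustration.

```python
# Added example: records are (owner, type, rdata) tuples; all names and
# addresses are constructed (.example domains, documentation IP ranges).

def norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()

def split_answers(qname, qtype, answers, max_chain=8):
    """Return (relevant, rejected) for one response.

    An RR is relevant only if its owner is the question name, or a name
    reached from it by following CNAMEs present in this same response.
    """
    wanted, current = {norm(qname)}, norm(qname)
    for _ in range(max_chain):          # bounded, so a CNAME loop terminates
        target = next((norm(rdata) for owner, rtype, rdata in answers
                       if rtype == "CNAME" and norm(owner) == current), None)
        if target is None or target in wanted:
            break
        wanted.add(target)
        current = target
    relevant, rejected = [], []
    for rr in answers:
        ok = norm(rr[0]) in wanted and rr[1] in (qtype, "CNAME")
        (relevant if ok else rejected).append(rr)
    return relevant, rejected

class QuestionKeyedCache:
    """Cache keyed by the question asked, never by an RR's owner name, so a
    CNAME target inside a response cannot seed lookups for that target."""
    def __init__(self):
        self._entries = {}

    def store(self, qname, qtype, answers):
        relevant, rejected = split_answers(qname, qtype, answers)
        if relevant:
            self._entries[(norm(qname), qtype)] = relevant
        return rejected                 # worth logging: unsolicited RRs

    def lookup(self, qname, qtype):
        return self._entries.get((norm(qname), qtype))

# Constructed response to the question "mail.attacker.example A": one
# matching RR plus one RR for a name that was never asked about.
SAMPLE = [("mail.attacker.example.", "A", "203.0.113.10"),
          ("www.bank.example.", "A", "198.51.100.66")]
```

Storing `SAMPLE` for the question `mail.attacker.example A` returns the `www.bank.example` record as rejected, and a later lookup for `www.bank.example` misses the cache.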

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Interesting) by Marand on Thursday November 13 2014, @07:37AM

    The 'philosophy' of Poettering is that everything that he (and his henchmen) didn't write is crap so let's throw everything in sight away and, being super geniuses (cue Wile E. Coyote in the explosives shack) they will knock out a superior replacement over pizza and Mountain Dew in an evening. How hard can a dns resolver, ntp client, terminal driver, logging system.... etc. be? And all that old crufty UNIX crap will be dead and buried forever!

    Yea, that will work.

    This has been going on a lot longer than just systemd. You just described Red Hat and GNOME's entire design process since sometime during the GNOME 2 days. One could even argue that GNOME 1 had some of that mindset too, considering its entire existence boils down to "we don't like Qt license so we'll make our own KDE", but at least GNOME 1 was willing to use outside projects. (Anybody else remember the early GNOME versions using Enlightenment as the window manager?)

    When another DE comes up with a solution to a desktop problem, GNOME refuses to support it, implements its own version, and then expects everyone else to implement that solution for better interoperability. I've seen rants from various KDE devs over the years about it, especially in the areas of the systray and notifications. Pulseaudio is another example; ALSA already did software mixing and JACK handled the more advanced needs, but Poettering/GNOME didn't invent those so of course the only solution was to create something else. Same goes for NetworkManager.

    Also, when users asked for Gtk and Qt apps to play nicely with each other's environments to create a more unified look, GNOME people declared that people shouldn't be using non-GNOME apps so it wasn't their problem. Anybody that uses a mix of Qt and Gtk apps, regardless of DE, has KDE devs to thank for the better integration, because they did more to help the GNOME users with that than GNOME did.

    Then with GNOME 3 they started aggressively pushing the "we don't care what you want, we know what you want even if you don't think you want it" crap, deciding that not only did they know better than other devs how to implement everything, they also knew what users wanted better than users did.

    The entire project's motto is "not invented here; we know better than you do" and systemd is just a continuation of that mindset.

    I liked the early GNOME, but even when it became something I didn't care to use during the GNOME 2 days, I still respected them for the work and didn't begrudge their successes. Then I started seeing their antisocial behaviour within the FOSS community and I lost that respect.

  • (Score: 2) by jcross on Thursday November 13 2014, @02:55PM

    Well said! I actually do use GNOME 3 as well as KDE, since it's a lucky accident that I happen to like a number of the choices they've made. But whenever I dig into the guts of the system to see if I can customize something, it looks more and more like the steaming pile of API goo I've always thought GTK to be. Sprawling, poorly organized, and poorly documented, with a culture that seems to assume you already know everything you need to know, and if you don't it's your fault for being an idiot. Also there seems to be a constant stream of breaking changes. I think there might be an emotional reality behind this, which is that knowledge is power and the /g*/ devs are enjoying having and exerting power over others. I suspect the source is a lot of childhoods spent being oppressed, and I really just feel sorry for them for that. On the other hand, with KDE and Qt, everything seems beautifully organized, the documentation is clear and abundant, the community is polite and helpful even to total noobs. Again, there is probably an emotional reality behind this. But the cool thing about open source is: choose your own adventure!

    • (Score: 0) by Anonymous Coward on Thursday November 13 2014, @11:50PM

      It's probably not just about bad experiences while a child.

      Many power-hungry adult men also have extraordinarily small genitalia. They try to cover up for this ultimate lack of power by trying to acquire large amounts of comparatively less-valuable organizational or political power.