posted by n1 on Thursday November 13 2014, @03:19AM   Printer-friendly
from the one-daemon-to-rule-them-all dept.

Whether you're running systemd happily or begrudgingly, it's best if you disable systemd-resolved as your DNS resolver for the time being. Reported today at seclists is a new DNS cache poisoning bug in systemd-resolved.

At its simplest, an attacker triggers a query to a domain he controls via SMTP or SSH login. Upon receipt of the question, he can simply add any answer he wants cached to the legitimate answer he provides for the query, e.g. by providing two answer RRs: one for the question asked and one for a question that has never been asked, even if the DNS server is not authoritative for that domain.

Systemd-resolved accepts both answers and caches them. There are no reports as to the affected versions or how widespread the problem may be. Comments over at Hacker News suggest that it might not be widespread: most users would still be running the backported 208-stable, while the DNS resolver was committed in 213 and considered fairly complete in 216, and it only matters if they enabled systemd-resolved in /etc/nsswitch.config.
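The defence against the poisoning described above is the classic "bailiwick" rule: a resolver must only cache answer records whose owner name lies inside the zone it actually queried, and must first confirm that the reply echoes its own transaction ID and question. The following is an added illustration written for this summary, not code from systemd or from the seclists report. It builds a constructed response in which the answering server piggybacks a record for an unrelated name, then shows the check that keeps the second record out of the cache. The domain names, IP addresses (from the 203.0.113.0/24 documentation range), the transaction ID and the function names are all assumptions made for the example.

```python
import struct

# --- wire-format helpers (RFC 1035 message layout) ------------------------

def encode_name(name: str) -> bytes:
    """Encode a dotted name such as "bank.example." into DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name at `off`; return (name, next_offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                       # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def build_response(qname: str, answers, txid: int = 0x1234) -> bytes:
    """Build a minimal A-record response (constructed sample, not real traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    rrs = b""
    for owner, ip, ttl in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        rrs += encode_name(owner) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + rrs

def parse_response(msg: bytes):
    """Return (txid, [(qname, qtype, qclass)], [answer RR dicts])."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        answers.append({"name": owner, "type": rtype, "class": rclass,
                        "ttl": ttl, "rdata": ".".join(str(b) for b in rdata)})
    return txid, questions, answers

# --- the check a resolver must apply before caching -----------------------

def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or a name below it."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)

def select_cacheable(asked_name: str, asked_txid: int, msg: bytes, server_zone: str = None):
    """Split answer RRs into (accepted, rejected).

    Nothing is accepted unless the reply carries our transaction ID and
    echoes our question; of the remaining RRs, only those whose owner is
    inside `server_zone` (the zone we queried a server for; defaults to
    the asked name itself) are eligible for the cache.
    """
    zone = server_zone or asked_name
    txid, questions, answers = parse_response(msg)
    if txid != asked_txid or [q[0].lower() for q in questions] != [asked_name.lower()]:
        return [], answers                      # not a reply to our question
    accepted = [rr for rr in answers if in_bailiwick(rr["name"], zone)]
    rejected = [rr for rr in answers if not in_bailiwick(rr["name"], zone)]
    return accepted, rejected

if __name__ == "__main__":
    # Constructed sample: the queried server answers the question it was asked
    # and appends an unrelated record it is not authoritative for.
    response = build_response("attacker.example.", [
        ("attacker.example.", "203.0.113.5", 60),
        ("bank.example.", "203.0.113.6", 86400),
    ])
    ok, dropped = select_cacheable("attacker.example.", 0x1234, response)
    print("cache:  ", [rr["name"] for rr in ok])       # ['attacker.example.']
    print("dropped:", [rr["name"] for rr in dropped])  # ['bank.example.']
```

A resolver that skips `select_cacheable` and caches every RR from `parse_response` exhibits exactly the behaviour the summary describes: the unrelated `bank.example.` record, with its long TTL, would be served to later clients. The `server_zone` parameter matters for recursive resolvers that query a parent zone's server for a delegation; for a stub resolver that only forwards, the asked name itself is the right bailiwick.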

  • (Score: 2) by Gaaark on Thursday November 13 2014, @02:41PM

    by Gaaark (41) on Thursday November 13 2014, @02:41PM (#115561) Journal

    Looks like a time to change....

    gotta go look, again, at linux from scratch i guess.

    Can my vague understanding of source code protect me from the NSA, etc. Gods almighty... what is the solution. Will Debian/gnu/hurd be okay?

    Come on Richard Stallman... speak up. Help me!

    It's getting redonkulous. Might have to start thinking about going off-line. Sad days are ahead, methinks.

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 1) by Whoever on Thursday November 13 2014, @03:46PM

    by Whoever (4524) on Thursday November 13 2014, @03:46PM (#115575) Journal

    Or Gentoo.

    I just built a VM using Gentoo with MATE and no systemd.

  • (Score: 2) by DECbot on Thursday November 13 2014, @04:57PM

    by DECbot (832) on Thursday November 13 2014, @04:57PM (#115599) Journal

    You can join me in my hermit cave. We can both ponder if the flint and steel uses systemd to start a fire.

    --
    cats~$ sudo chown -R us /home/base
    • (Score: 2) by Gaaark on Thursday November 13 2014, @07:34PM

      by Gaaark (41) on Thursday November 13 2014, @07:34PM (#115637) Journal

      Aw, crap.... i have to watch the NSA hasn't f*cked with my matches???

      Dang. :)

      --
      --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 1) by jmorris on Thursday November 13 2014, @09:26PM

    by jmorris (4844) on Thursday November 13 2014, @09:26PM (#115669)

    Will Debian/gnu/hurd be okay?

    Systemd can't coexist with non-Linux systems. Debian/FreeBSD has already gone under the bus for this reason; Debian/HURD will be joining it as soon as anyone cares enough to announce it. It isn't like it ever got to a point where anyone actually used it anyway who wasn't a developer.

    With the iron clamp RedHat now has on Linux it is clear that even attempting to flee to LFS or Slackware will only be a delaying action unless we get a much larger (fork strength) backlash soon. FreeBSD is still recovering from Apple poaching away most of their core devels and OpenBSD is great on a server but questionable on a desktop and pointless on most laptops.

    Dark times ahead.