
posted by n1 on Thursday November 13 2014, @03:19AM
from the one-daemon-to-rule-them-all dept.

Whether you're running systemd happily or begrudgingly, it's best to disable systemd-resolved as your DNS resolver for the time being. Reported today on seclists is a new DNS cache poisoning bug in systemd-resolved.

At its simplest, an attacker gets the victim host to look up a name in a domain he controls, for example by connecting to it over SMTP or SSH so that the server resolves his address or hostname. When the query arrives at his DNS server, he answers it legitimately and simply appends any other record he wants cached, e.g. two answer RRs: one for the question that was asked and one for a name that was never asked about, even though his server is not authoritative for that domain.

systemd-resolved accepts both answers and caches them. There are no reports yet as to the affected versions or how widespread the problem is. Comments over at Hacker News suggest it may not be widespread: most users are probably still running the backported 208-stable branch, while the DNS resolver was committed in 213 and considered fairly complete in 216, and even then it only matters if they enabled systemd-resolved in /etc/nsswitch.conf.
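To make the attack pattern concrete, here is an added illustration in Python. It is not code from the seclists report, from systemd, or from this post; it hand-encodes a DNS response with a constructed question for a name in a hypothetical attacker-controlled zone plus a second, unrequested A record for an unrelated bank domain, parses it back, and then applies the check a caching resolver should apply: only records that actually answer the question asked (same owner name, type and class) are eligible for the cache. All names and addresses are made up for the example.

```python
"""Cache-poisoning via extra ANSWER RRs, and the filter that blocks it.

A DNS response carries a QUESTION section (what was asked) and an ANSWER
section (what the server claims).  A resolver that caches every answer RR
without checking that it answers the question will accept attacker-supplied
records for unrelated names.  Wire-format encoding/decoding is done by hand
so the example has no dependencies; only A records and uncompressed names
are produced, but compression pointers are handled on the parse side.
"""
import struct

A, IN = 1, 1   # RR type A, class IN


def encode_name(name):
    """Encode 'www.example.com' as DNS labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(data, off):
    """Decode a (possibly compressed) name at off; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                   # continue after the pointer
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", (end if jumped else off)


def build_response(qname, answers, txid=0x1234):
    """Build a response: one A/IN question plus (owner, ttl, ipv4) A answers."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg = header + encode_name(qname) + struct.pack("!HH", A, IN)
    for owner, ttl, ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        msg += encode_name(owner) + struct.pack("!HHIH", A, IN, ttl, len(rdata)) + rdata
    return msg


def parse_response(data):
    """Return (question, [answer, ...]) as dicts with name/type/class/ttl/rdata."""
    _txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    qname, off = read_name(data, off)
    qtype, qclass = struct.unpack("!HH", data[off:off + 4]); off += 4
    question = {"name": qname, "type": qtype, "class": qclass}
    answers = []
    for _ in range(an):
        owner, off = read_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10]); off += 10
        rdata = data[off:off + rdlen]; off += rdlen
        if rtype == A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": owner, "type": rtype, "class": rclass,
                        "ttl": ttl, "rdata": rdata})
    return question, answers


def cacheable_answers(data):
    """Keep only answer RRs that answer the question actually asked.

    A caching resolver must not store records for names it never queried,
    whatever the responding server puts in the ANSWER section.  The owner
    name, type and class all have to match the question.
    """
    question, answers = parse_response(data)
    return [rr for rr in answers
            if rr["name"] == question["name"]
            and rr["type"] == question["type"]
            and rr["class"] == question["class"]]


# Constructed sample (hypothetical names and addresses): the victim looked up
# a name in the attacker's zone, e.g. because of an SMTP or SSH connection,
# and the attacker's server piggybacks an A record for an unrelated domain.
POISONED = build_response("lookup.attacker.example", [
    ("lookup.attacker.example", 60, "203.0.113.10"),
    ("www.bank.example", 86400, "203.0.113.66"),   # never asked for
])

if __name__ == "__main__":
    _, everything = parse_response(POISONED)
    print("server sent:  ", [(rr["name"], rr["rdata"]) for rr in everything])
    print("safe to cache:", [(rr["name"], rr["rdata"]) for rr in cacheable_answers(POISONED)])
```

Run stand-alone it shows both records arriving and only the one for the queried name surviving the filter. A recursive resolver would apply a slightly broader bailiwick rule (accepting glue within the zone it delegated to), but for a stub/forwarding resolver like systemd-resolved the strict "answers the question" match is the right bar.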

  • (Score: 2) by jcross (4009) on Thursday November 13 2014, @02:55PM (#115563)

    Well said! I actually do use GNOME 3 as well as KDE, since it's a lucky accident that I happen to like a number of the choices they've made. But whenever I dig into the guts of the system to see if I can customize something, it looks more and more like the steaming pile of API goo I've always thought GTK to be. Sprawling, poorly organized, and poorly documented, with a culture that seems to assume you already know everything you need to know, and if you don't it's your fault for being an idiot. Also there seems to be a constant stream of breaking changes. I think there might be an emotional reality behind this, which is that knowledge is power and the /g*/ devs are enjoying having and exerting power over others. I suspect the source is a lot of childhoods spent being oppressed, and I really just feel sorry for them for that. On the other hand, with KDE and Qt, everything seems beautifully organized, the documentation is clear and abundant, the community is polite and helpful even to total noobs. Again, there is probably an emotional reality behind this. But the cool thing about open source is: choose your own adventure!

  • (Score: 0) by Anonymous Coward on Thursday November 13 2014, @11:50PM (#115703)

    It's probably not just about bad experiences while a child.

    Many power-hungry adult men also have extraordinarily small genitalia. They try to cover up for this ultimate lack of power by trying to acquire large amounts of comparatively less-valuable organizational or political power.