Whether you're running systemd happily or begrudgingly, it's best if you disable systemd-resolved as your DNS resolver for the time being. Reported today at seclists is a new DNS cache poisoning bug in systemd-resolved.
At its simplest, an attacker triggers a query to a domain he controls via SMTP or SSH-login. Upon receipt of the question, he can just add any answer he wants to have cached to the legit answer he provides for the query, e.g. providing two answer RR's: One for the question asked and one for a question that has never been asked - even if the DNS server is not authoritative for this domain.
Systemd-resolved accepts both answers and caches them. There are no reports as to the affected versions or how widespread the problem may be. Comments over at Hacker News suggests that it might not be widespread, most users would still be running the backported 208-stable while the DNS resolver was committed in 213 and considered fairly complete in 216, but that is if they enabled systemd-resolved in /etc/nsswitch.config.
(Score: 1) by jmorris on Thursday November 13 2014, @09:26PM
Will Debian/gnu/hurd be okay?
Systemd can't coexist with non-Linux systems. Debian/FreeBSD has already went under the bus for this reason, Debian/HURD will be joining it as soon as anyone cares enough to announce it. It isn't like it ever got to a point where anyone actually used it anyway who wasn't a developer.
With the iron clamp RedHat now has on Linux it is clear that even attempting to flee to LFS or Slackware will only be a delaying action unless we get a much larger (fork strength) backlash soon. FreeBSD is still recovering from Apple poaching away most of their core devels and OpenBSD is great on a server but questionable on a desktop and pointless on most laptops.
Dark times ahead.