Bug 15855

Summary: dnsmasq new security issue CVE-2015-3294
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: julien.moragny, oe, sysadmin-bugs
Version: 4
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/643231/
Whiteboard: has_procedure advisory mga4-32-ok mga4-64-ok
Source RPM: dnsmasq-2.71-3.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2015-05-05 19:09:31 CEST
Ubuntu has issued an advisory on May 4:
http://www.ubuntu.com/usn/usn-2593-1/

The issue is apparently fixed in 2.73-rc4.

Ubuntu also linked to the upstream commit to fix the issue:
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3294.html

Mageia 4 and Mageia 5 are affected.

David Walser 2015-05-05 19:09:38 CEST

Blocks: (none) => 14674
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 Julien Moragny 2015-05-05 22:16:02 CEST
Hello,

thanks for the info.
I just sent a push request for a patched version for mga5.

I will cook an advisory and request for mga4 asap.

Status: NEW => ASSIGNED

Comment 2 Oden Eriksson 2015-05-06 08:52:28 CEST
fixed with dnsmasq-2.66-3.1.mga4

CC: (none) => oe

Comment 3 Julien Moragny 2015-05-06 13:07:43 CEST
Thank you Oden

Comment 4 David Walser 2015-05-06 14:04:47 CEST
Patched packages uploaded for Mageia 4 and Cauldron.  Thanks Julien and Oden!

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=7466#c9

Advisory:
========================

Updated dnsmasq packages fix security vulnerability:

Dnsmasq could be made to crash or expose sensitive information if it received
specially crafted network traffic (CVE-2015-3294).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3294
http://www.ubuntu.com/usn/usn-2593-1/
========================

Updated packages in core/updates_testing:
========================
dnsmasq-2.66-3.1.mga4
dnsmasq-base-2.66-3.1.mga4
dnsmasq-utils-2.66-3.1.mga4

from dnsmasq-2.66-3.1.mga4.src.rpm

CC: (none) => julien.moragny
Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: julien.moragny => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => has_procedure

Comment 5 claire robinson 2015-05-11 17:19:41 CEST
Testing complete mga4 32

Minimal testing during mga5 final release cycle but ensured dnsmasq service restarts without error.

Whiteboard: has_procedure => has_procedure mga4-32-ok

Comment 6 claire robinson 2015-05-11 17:46:43 CEST
Advisory uploaded.

Whiteboard: has_procedure mga4-32-ok => has_procedure advisory mga4-32-ok

Comment 7 claire robinson 2015-05-12 15:40:36 CEST
Testing complete mga4 64, as comment 5

Validating.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory mga4-32-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-05-12 21:38:30 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0214.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED