Bug 25854

Summary: dnsmasq new security issue CVE-2019-14834
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, geiger.david68210, mageia, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: dnsmasq-2.80-8.mga8.src.rpm CVE:
Status comment:

Description David Walser 2019-12-11 00:13:14 CET 
SUSE has issued an advisory on December 5:
http://lists.suse.com/pipermail/sle-security-updates/2019-December/006208.html

Mageia 7 is also affected.
David Walser 2019-12-11 00:13:28 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2019-12-11 11:20:58 CET 
Assigning to the registered maintainer; CC recent committers of the SRPM.

CC: (none) => geiger.david68210, tmb
Assignee: bugsquad => julien.moragny

Comment 2 Thomas Backlund 2019-12-11 12:39:55 CET 
Taking the bug as I'm already working on it

Assignee: julien.moragny => tmb

Comment 3 David Walser 2019-12-12 23:38:26 CET 
openSUSE has issued an advisory for this on December 11:
https://lists.opensuse.org/opensuse-updates/2019-12/msg00075.html
Comment 4 Thomas Backlund 2019-12-13 14:03:51 CET 
Fixed in Cauldron in dnsmasq-2.80-10.mga8


Package to test for Mga 7:

dnsmasq-2.80-5.2.mga7

Assignee: tmb => qa-bugs
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 5 PC LX 2019-12-13 23:23:46 CET 
Installed and tested without issues.


Tested DNS capabilities. No issues noticed after several hours of usage on the network.
Did NOT test DHCP capabilities.


System: Mageia 7, x86_64, Intel CPU.


$ uname -a
Linux marte 5.4.2-desktop-1.mga7 #1 SMP Thu Dec 5 17:40:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q dnsmasq
dnsmasq-2.80-5.2.mga7
$ systemctl status dnsmasq.service 
* dnsmasq.service - DNS caching server.
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-12-13 17:56:54 WET; 4h 23min ago
 Main PID: 13668 (dnsmasq)
   Memory: 1.3M
   CGroup: /system.slice/dnsmasq.service
           `-13668 /usr/sbin/dnsmasq -k

Dec 13 17:56:54 marte systemd[1]: Started DNS caching server..
Dec 13 17:56:54 marte dnsmasq[13668]: started, version 2.80 cachesize 150
Dec 13 17:56:54 marte dnsmasq[13668]: compile time options: IPv6 GNU-getopt DBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify dumpfile
Dec 13 17:56:54 marte dnsmasq[13668]: using nameserver 192.168.1.1#53
Dec 13 17:56:54 marte dnsmasq[13668]: read /etc/hosts - 9 addresses

CC: (none) => mageia

Comment 6 Thomas Backlund 2019-12-14 01:35:18 CET 
Advisory, added to svn:

type: security
subject: Updated dnsmasq packages fix security vulnerability
CVE:
 - CVE-2019-14834
src:
  7:
   core:
     - dnsmasq-2.80-5.2.mga7
description: |
  A vulnerability was found in dnsmsq through version 2.90, where the
  memory leak allows remote attackers to cause a denial of service
  (memory consumption) via vectors involving DHCP response creation.
  (CVE-2019-14834)
references:
 - https://bugs.mageia.org/show_bug.cgi?id=25854
 - http://lists.suse.com/pipermail/sle-security-updates/2019-December/006208.html

Keywords: (none) => advisory

Comment 7 Thomas Andrews 2019-12-15 18:07:31 CET 
Adding an OK and validating.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 Mageia Robot 2019-12-15 19:04:21 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0392.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED