| Summary: | dnsmasq new security issues CVE-2020-2568[1-7] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | davidwhodgins, julien.moragny, mageia, mageia, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | dnsmasq-2.82-2.mga8.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 2.83 | ||
Description
David Walser
2021-01-19 15:28:32 CET
David Walser
2021-01-19 15:28:43 CET
Whiteboard: (none) => MGA7TOO

Upstream announcement:
https://www.openwall.com/lists/oss-security/2021/01/19/1

New version 2.83 - Fixes CVE-2020-2568[1-7] (mga#28169)
Just committed in Cauldron by neoclust; which I imagine fixes M8.
Assigning to pkg maintainer Julien for Mageia 7.

Assignee: bugsquad => julien.moragny

Fixed in Cauldron in dnsmasq-2.83-1.mga8.

Version: Cauldron => 7

Ubuntu has issued an advisory for this on January 19:
https://ubuntu.com/security/notices/USN-4698-1

openSUSE has issued an advisory for this today (January 20):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GY5KV2WHBZG4XCWVKZOU4DFCHSMBT5KV/

Hello,

I just uploaded dnsmasq 2.83-1.mga7 to updates_testing to fix this issue.

Here is a tentative advisory:

=======================

Updated dnsmasq packages fix security vulnerability:

Multiple vulnerabilities have been discovered in dnsmasq up to version 2.82:
- subtle errors in dnsmasq's protections against cache-poisoning attacks (CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686)
- buffer overflow in dnsmasq's DNSSEC code (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687)

References:
https://bugs.mageia.org/show_bug.cgi?id=28169
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014599.html
https://www.openwall.com/lists/oss-security/2021/01/19/1

Updated packages in core/updates_testing:
========================
dnsmasq-2.83-1.mga7
dnsmasq-utils-2.83-1.mga7

from dnsmasq-2.83-1.mga7.src.rpm

regards
Julien

Hello QA,

can you please test this update of dnsmasq. You can find a procedure to test the update here (disregard the dnsmasq-base package which doesn't exist anymore):
https://bugs.mageia.org/show_bug.cgi?id=19528#c4

regards
Julien

Assignee: julien.moragny => qa-bugs

Installed and tested without issues.
I use dnsmasq to provide DNS for a LAN and VPN. Lots of stuff is blocked at the DNS level.
I don't use dnsmasq's DHCP so only the DNS part was tested.
System: Mageia 7, x86_64, Intel CPU.
$ uname -a
Linux marte 5.10.8-desktop-2.mga7 #1 SMP Mon Jan 18 01:49:12 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q dnsmasq
dnsmasq-2.83-1.mga7
$ lsof -n | grep IPv.*:domain
dnsmasq 2813 dnsmasq 4u IPv4 352310 0t0 UDP *:domain
dnsmasq 2813 dnsmasq 5u IPv4 352311 0t0 TCP *:domain (LISTEN)
dnsmasq 2813 dnsmasq 6u IPv6 352312 0t0 UDP *:domain
dnsmasq 2813 dnsmasq 7u IPv6 352313 0t0 TCP *:domain (LISTEN)
$ systemctl status dnsmasq.service
● dnsmasq.service - DNS caching server.
Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2021-01-20 22:18:08 WET; 8min ago
Main PID: 2813 (dnsmasq)
Tasks: 1 (limit: 4668)
Memory: 664.0K
CGroup: /system.slice/dnsmasq.service
└─2813 /usr/sbin/dnsmasq -k --local-service
jan 20 22:18:08 marte systemd[1]: Started DNS caching server..
jan 20 22:18:08 marte dnsmasq[2813]: started, version 2.83 cachesize 150
jan 20 22:18:08 marte dnsmasq[2813]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth nettlehash DNSSEC loop-detect inotify dumpfile
jan 20 22:18:08 marte dnsmasq[2813]: using nameserver 192.168.1.1#53
jan 20 22:18:08 marte dnsmasq[2813]: read /etc/hosts - 12 addresses

CC: (none) => mageia

Fedora has issued an advisory for this today (January 21):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WYW3IR6APUSKOYKL5FT3ACTIHWHGQY32/

This update has been working for over a week without issues (see comment 8).
The DNS part is working without issues. I've not used the DHCP features.
Will OK this for x86_64 to push this forward since it is a security update.
Please undo as needed.

Whiteboard: (none) => MGA7-64-OK

Advisory committed to svn.
Validating based on comment 10.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0059.html

Status: ASSIGNED => RESOLVED