Bug 15855 - dnsmasq new security issue CVE-2015-3294
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/643231/
Whiteboard: has_procedure advisory mga4-32-ok mga...
Keywords: validated_update
Reported: 2015-05-05 19:09 CEST by David Walser
Modified: 2015-05-12 21:38 CEST

Source RPM: dnsmasq-2.71-3.mga5.src.rpm

Description David Walser 2015-05-05 19:09:31 CEST
Ubuntu has issued an advisory on May 4:
http://www.ubuntu.com/usn/usn-2593-1/

The issue is apparently fixed in 2.73-rc4.

Ubuntu also linked to the upstream commit to fix the issue:
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3294.html

Mageia 4 and Mageia 5 are affected.

David Walser 2015-05-05 19:09:38 CEST

Blocks: (none) => 14674
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 Julien Moragny 2015-05-05 22:16:02 CEST
Hello,

thanks for the info.
I just sent a push request for a patched version for mga5.

I will cook an advisory and request for mga4 asap.

Status: NEW => ASSIGNED

Comment 2 Oden Eriksson 2015-05-06 08:52:28 CEST
fixed with dnsmasq-2.66-3.1.mga4

CC: (none) => oe

Comment 3 Julien Moragny 2015-05-06 13:07:43 CEST
Thank you Oden

Comment 4 David Walser 2015-05-06 14:04:47 CEST
Patched packages uploaded for Mageia 4 and Cauldron.  Thanks Julien and Oden!

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=7466#c9

Advisory:
========================

Updated dnsmasq packages fix security vulnerability:

Dnsmasq could be made to crash or expose sensitive information if it received
specially crafted network traffic (CVE-2015-3294).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3294
http://www.ubuntu.com/usn/usn-2593-1/
========================

Updated packages in core/updates_testing:
========================
dnsmasq-2.66-3.1.mga4
dnsmasq-base-2.66-3.1.mga4
dnsmasq-utils-2.66-3.1.mga4

from dnsmasq-2.66-3.1.mga4.src.rpm

CC: (none) => julien.moragny
Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: julien.moragny => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => has_procedure

Comment 5 claire robinson 2015-05-11 17:19:41 CEST
Testing complete mga4 32

Minimal testing during mga5 final release cycle but ensured dnsmasq service restarts without error.

Whiteboard: has_procedure => has_procedure mga4-32-ok

Comment 6 claire robinson 2015-05-11 17:46:43 CEST
Advisory uploaded.

Whiteboard: has_procedure mga4-32-ok => has_procedure advisory mga4-32-ok

Comment 7 claire robinson 2015-05-12 15:40:36 CEST
Testing complete mga4 64, as comment 5

Validating.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory mga4-32-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-05-12 21:38:30 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0214.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

