Fedora has issued an advisory today (September 30):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4TK6DWC53WSU6633EVZL7H4PCWBYHMHK/

Mageia 6 is also affected. Mageia 5 may be as well (see also Bug 19528).
Whiteboard: (none) => MGA6TOO
Hello QA,

I just pushed a fix for this CVE to cauldron and 6.

Here is a tentative advisory:
=======================

Updated dnsmasq packages fix security vulnerability:

Dnsmasq could be made to crash on a large DNS query. A DNS query received by UDP which exceeds 512 bytes (or the EDNS0 packet size, if different.) is enough to cause SIGSEGV. (CVE-2017-13704)

References:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q3/011692.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4TK6DWC53WSU6633EVZL7H4PCWBYHMHK/

Updated packages in core/updates_testing:
========================
dnsmasq-2.77-1.1.mga6
dnsmasq-base-2.77-1.1.mga6
dnsmasq-utils-2.77-1.1.mga6

from dnsmasq-2.77-1.1.mga6.src.rpm

regards
Julien

Whiteboard: MGA6TOO => (none)
Assignee: julien.moragny => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => julien.moragny
Version: Cauldron => 6
RedHat has issued an advisory today (October 2):
https://access.redhat.com/errata/RHSA-2017:2836

It fixes 6 more serious security issues.

Summary: dnsmasq new security issue CVE-2017-13704 => dnsmasq new security issues CVE-2017-13704 and CVE-2017-1449[1-6]
Severity: normal => critical
CC: (none) => qa-bugs
Assignee: qa-bugs => julien.moragny
Blocks: (none) => 19528
Hello,

I just pushed 2.78 to cauldron and 2.77-1.2 to 6/updates_testing. Discussion for mga5 will be on bug 19528.

Here is a tentative advisory:
=======================

Updated dnsmasq packages fix security vulnerabilities:

CVE-2017-13704: Dnsmasq could be made to crash on a large DNS query. A DNS query received by UDP which exceeds 512 bytes (or the EDNS0 packet size, if different.) is enough to cause SIGSEGV.

CVE-2017-14491: A heap buffer overflow was found in dnsmasq in the code responsible for building DNS replies. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash or, potentially, execute arbitrary code.

CVE-2017-14492: A heap buffer overflow was discovered in dnsmasq in the IPv6 router advertisement (RA) handling code. An attacker on the local network segment could send crafted RAs to dnsmasq which would cause it to crash or, potentially, execute arbitrary code. This issue only affected configurations using one of these options: enable-ra, ra-only, slaac, ra-names, ra-advrouter, or ra-stateless.

CVE-2017-14493: A stack buffer overflow was found in dnsmasq in the DHCPv6 code. An attacker on the local network could send a crafted DHCPv6 request to dnsmasq which would cause it to crash or, potentially, execute arbitrary code.

CVE-2017-14494: An information leak was found in dnsmasq in the DHCPv6 relay code. An attacker on the local network could send crafted DHCPv6 packets to dnsmasq causing it to forward the contents of process memory, potentially leaking sensitive data.

CVE-2017-14495: A memory exhaustion flaw was found in dnsmasq in the EDNS0 code. An attacker could send crafted DNS packets which would trigger memory allocations which would never be freed, leading to unbounded memory consumption and eventually a crash. This issue only affected configurations using one of the options: add-mac, add-cpe-id, or add-subnet.

CVE-2017-14496: An integer underflow flaw leading to a buffer over-read was found in dnsmasq in the EDNS0 code. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash. This issue only affected configurations using one of the options: add-mac, add-cpe-id, or add-subnet.

References:
https://bugs.mageia.org/show_bug.cgi?id=21793
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q3/011692.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4TK6DWC53WSU6633EVZL7H4PCWBYHMHK/
https://access.redhat.com/errata/RHSA-2017:2836
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

Updated packages in core/updates_testing:
========================
dnsmasq-2.77-1.2.mga6
dnsmasq-base-2.77-1.2.mga6
dnsmasq-utils-2.77-1.2.mga6

from dnsmasq-2.77-1.2.mga6.src.rpm
Assignee: julien.moragny => qa-bugs
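
As an added example (not part of this bug report and not dnsmasq project code), the Python sketch below checks a dnsmasq configuration for the options the advisory above names as preconditions for CVE-2017-14492 and for CVE-2017-14495/CVE-2017-14496. Assumptions: the sample configuration is constructed, comment handling is simplified to "everything after #", and the RA mode keywords are looked for as comma-separated fields of dhcp-range lines, which is where dnsmasq's configuration syntax places them.

```python
# Option groups as listed in the tentative advisory.
RA_MODES = {"ra-only", "slaac", "ra-names", "ra-advrouter", "ra-stateless"}
EDNS0_OPTS = {"add-mac", "add-cpe-id", "add-subnet"}
EXPOSURE = {
    "ra": ["CVE-2017-14492"],
    "edns0": ["CVE-2017-14495", "CVE-2017-14496"],
}

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = """\
# constructed sample
interface=eth0
dhcp-range=192.168.1.50,192.168.1.150,12h
dhcp-range=::,constructor:eth0,ra-stateless,ra-names
#enable-ra
add-subnet=24,64
"""


def audit(conf_text):
    """Return {CVE: [(line_no, directive), ...]} for option-gated issues."""
    hits = {}
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # simplified comment stripping
        if not line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        fields = {f.strip() for f in value.split(",")}
        group = None
        if key == "enable-ra" or (key == "dhcp-range" and fields & RA_MODES):
            group = "ra"      # router advertisement code is active
        elif key in EDNS0_OPTS:
            group = "edns0"   # EDNS0 option-adding code is active
        if group:
            for cve in EXPOSURE[group]:
                hits.setdefault(cve, []).append((line_no, line))
    return hits


if __name__ == "__main__":
    for cve, lines in sorted(audit(SAMPLE_CONF).items()):
        for line_no, directive in lines:
            print(f"{cve}: line {line_no}: {directive}")
```

An empty result only covers these three option-gated issues; the advisory lists no option restriction for the remaining CVEs, so the package update is still required.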
Hello,

I wrote a procedure to test the upgrade on bug 19528 (comment 4):
https://bugs.mageia.org/show_bug.cgi?id=19528#c4

thanks
regards
Julien

Thanks Julien.

[root@localhost brian]# uname -a
Linux localhost 4.9.50-desktop-1.mga6 #1 SMP Wed Sep 13 23:14:20 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

The following 3 packages are going to be installed:
- dnsmasq-2.77-1.2.mga6.x86_64
- dnsmasq-base-2.77-1.2.mga6.x86_64
- dnsmasq-utils-2.77-1.2.mga6.x86_64
901KB of additional disk space will be used.
392KB of packages will be retrieved.
Is it ok to continue?

[root@localhost brian]# systemctl start dnsmasq.service
[root@localhost brian]# ps -ef | grep dns
nobody 3195 1 0 21:21 ? 00:00:00 /usr/sbin/dnsmasq -k
root 3259 3159 0 21:22 pts/0 00:00:00 grep --color dns
[root@localhost brian]#
[root@localhost brian]# host arstechnica.com 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

arstechnica.com has address 50.31.169.131
arstechnica.com mail is handled by 5 alt2.aspmx.l.google.com.
arstechnica.com mail is handled by 10 alt4.aspmx.l.google.com.
arstechnica.com mail is handled by 10 alt3.aspmx.l.google.com.
arstechnica.com mail is handled by 1 aspmx.l.google.com.
arstechnica.com mail is handled by 5 alt1.aspmx.l.google.com.
[root@localhost brian]# dig arstechnica.com @localhost

; <<>> DiG 9.10.5-P2 <<>> arstechnica.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33358
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;arstechnica.com. IN A

;; ANSWER SECTION:
arstechnica.com. 190 IN A 50.31.169.131

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Oct 05 21:32:28 CDT 2017
;; MSG SIZE rcvd: 60

working as designed

CC: (none) => brtians1
Whiteboard: (none) => mga6-64-ok

[brian@localhost ~]$ uname -a
Linux localhost 4.9.50-desktop-1.mga6 #1 SMP Wed Sep 13 23:15:15 UTC 2017 i686 i686 i686 GNU/Linux

The following 3 packages are going to be installed:
- dnsmasq-2.77-1.2.mga6.i586
- dnsmasq-base-2.77-1.2.mga6.i586
- dnsmasq-utils-2.77-1.2.mga6.i586
911KB of additional disk space will be used.
396KB of packages will be retrieved.
Is it ok to continue?

[brian@localhost ~]$ ps -ef | grep dns
nobody 1257 1 0 11:28 ? 00:00:00 /usr/sbin/dnsmasq -k
brian 12767 12365 0 12:05 pts/0 00:00:00 grep --color dns
[brian@localhost ~]$
[brian@localhost ~]$ host mageia.org 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

mageia.org has address 217.70.188.116
mageia.org mail is handled by 20 krampouezh.mageia.org.
mageia.org mail is handled by 10 alamut.mageia.org.
[brian@localhost ~]$ host slashdot.org 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

slashdot.org has address 216.34.181.45
slashdot.org mail is handled by 10 mx.sourceforge.net.
[brian@localhost ~]$ dig mageia.org @localhost

; <<>> DiG 9.10.5-P2 <<>> mageia.org @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3148
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org. IN A

;; ANSWER SECTION:
mageia.org. 1739 IN A 217.70.188.116

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Oct 06 12:08:29 CDT 2017
;; MSG SIZE rcvd: 55

[brian@localhost ~]$

working as designed

Whiteboard: mga6-64-ok => mga6-64-ok mga6-32-ok
Thank you Brian for testing this. Advisory from comment 3; validating.
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0364.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED