Fedora issued an advisory on February 27: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5WAECSZDCDMVB4SBXYHDEHOH24P6UCHM/ They fixed it by adding a dnsmasq user and running as that. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => dnsmasq should run as its own system user
Hi, I just pushed dnsmasq-2.80-1, which runs as user dnsmasq. regards julien
OK, so that leaves Mageia 6 still to be fixed.
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
I want to wait a little to see if no problem arises on cauldron. I will update mga6 in a week or so. regards julien
Status: NEW => ASSIGNED
Hello,
I just pushed dnsmasq 2.77-1.3 to core/updates_testing for mga6, which uses a specific user for dnsmasq. I have used it for the last week on mga6 x86_64 without issue so far.
Tentative advisory:
===========================
Updated dnsmasq packages fix a security issue
Upstream dnsmasq runs as the nobody user, which could lead to a security issue if multiple services run as this same user. This update forces dnsmasq to run as its own user: dnsmasq.
References:
https://bugs.mageia.org/show_bug.cgi?id=22694
Updated packages in core/updates_testing:
=========================
dnsmasq-2.77-1.3.mga6
dnsmasq-base-2.77-1.3.mga6
dnsmasq-utils-2.77-1.3.mga6
Source RPM:
dnsmasq-2.77-1.3.mga6.src.rpm
=========================
regards
Julien
Assignee: julien.moragny => qa-bugs
CC: (none) => julien.moragny
Installed and tested without issues.
System: Mageia 6, x86_64, Intel CPU.
Tested DNS features (e.g. caching, local domains, block spam/ads/crap domains). DHCP was NOT tested.
$ uname -a
Linux marte 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep dnsmasq | sort
dnsmasq-2.77-1.3.mga6
dnsmasq-base-2.77-1.3.mga6
$ journalctl -b0 -u dnsmasq.service
-- Logs begin at Sáb 2018-10-27 12:40:38 WEST, end at Ter 2018-10-30 00:02:00 WET. --
<SNIP>
Out 29 23:56:16 marte systemd[1]: Started DNS caching server..
Out 29 23:56:16 marte dnsmasq[26493]: started, version 2.77 cachesize 150
Out 29 23:56:16 marte dnsmasq[26493]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth no-DNSSEC loop-detect inotify
Out 29 23:56:16 marte dnsmasq[26493]: using nameserver 192.168.1.1#53
Out 29 23:56:16 marte dnsmasq[26493]: read /etc/hosts - 16 addresses
CC: (none) => mageia
Advisory note, correct URL for references is in Comment 0. Thanks.
MGA6-32 MATE on IBM Thinkpad R50e
At installation required to remove bind: OK as this was only present because of a previous update test.
At CLI:
# systemctl start dnsmasq
# systemctl -l status dnsmasq
● dnsmasq.service - DNS caching server.
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
   Active: active (running) since wo 2018-10-31 17:19:56 CET; 7min ago
 Main PID: 18701 (dnsmasq)
   CGroup: /system.slice/dnsmasq.service
           └─18701 /usr/sbin/dnsmasq -k
okt 31 17:19:56 mach6.hviaene.thuis systemd[1]: Started DNS caching server..
okt 31 17:19:56 mach6.hviaene.thuis dnsmasq[18701]: started, version 2.77 cachesize 150
okt 31 17:19:56 mach6.hviaene.thuis dnsmasq[18701]: compile time options: IPv6 GNU-getopt DBus i18n ID
okt 31 17:19:56 mach6.hviaene.thuis dnsmasq[18701]: reading /etc/resolv.conf
okt 31 17:19:56 mach6.hviaene.thuis dnsmasq[18701]: using nameserver 192.168.2.1#53
okt 31 17:19:56 mach6.hviaene.thuis dnsmasq[18701]: using nameserver 212.71.0.33#53
okt 31 17:19:56 mach6.hviaene.thuis dnsmasq[18701]: read /etc/hosts - 2 addresses
and Looks OK
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
Have been using this update for a few days (see comment #5) without issues so I'm marking it as OK for x86_64.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Validating. Advisory information in Comments 4, 6, and 0.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0427.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
And this turned out to be a broken update :/ Adding of the dnsmasq user was done in the dnsmasq package, but it should have been done in dnsmasq-base. This broke Mageia infra, which only has the dnsmasq-base package installed as part of the libvirt setup.
I've fixed it in dnsmasq-2.77-1.5.mga6, tested it on infra and flushed it out to updates and it's syncing out... so hopefully not many users will get hit by it .... Advisory updated with the fixed srpm
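A check for the two states this thread is about (dnsmasq running as nobody, and the dnsmasq account missing on a host that only has dnsmasq-base), as an added example that is not part of the bug report or the Mageia packages. The function name, result strings and sample account data are constructed for illustration; on a real host the inputs would be /etc/passwd and the saved output of `ps -eo user=,comm=`.

```shell
#!/bin/sh
# Added example (not from the bug report): classify how dnsmasq runs.
#   $1  passwd-format file, e.g. /etc/passwd
#   $2  "USER COMMAND" listing, e.g. saved from: ps -eo user=,comm=
#   $3  expected service account (default: dnsmasq)
check_dnsmasq_user() {
    passwd_file=$1; ps_file=$2; want=${3:-dnsmasq}

    # The account has to exist at all. A host with only dnsmasq-base
    # installed did not get it from the first update.
    if ! awk -F: -v u="$want" '$1 == u { f = 1 } END { exit !f }' "$passwd_file"
    then
        echo "missing-account"; return 2
    fi

    # Every dnsmasq process must run as that account, not nobody or root.
    users=$(awk '$2 == "dnsmasq" { print $1 }' "$ps_file" | sort -u)
    [ -n "$users" ] || { echo "not-running"; return 3; }
    for u in $users; do
        [ "$u" = "$want" ] || { echo "wrong-user:$u"; return 1; }
    done
    echo "ok"
}

# Constructed sample data: three hosts, one result line per host.
demo() {
    d=$(mktemp -d) || return 1
    printf 'root:x:0:0::/root:/bin/sh\nnobody:x:65534:65534::/:/sbin/nologin\n' > "$d/pw_old"
    { cat "$d/pw_old"; echo 'dnsmasq:x:970:970::/var/lib/dnsmasq:/sbin/nologin'; } > "$d/pw_new"
    printf 'root systemd\nnobody dnsmasq\n'  > "$d/ps_nobody"
    printf 'root systemd\ndnsmasq dnsmasq\n' > "$d/ps_own"
    check_dnsmasq_user "$d/pw_old" "$d/ps_nobody" || true   # base-only host
    check_dnsmasq_user "$d/pw_new" "$d/ps_nobody" || true   # not restarted yet
    check_dnsmasq_user "$d/pw_new" "$d/ps_own"    || true   # fixed host
    rm -rf "$d"
}

demo
```

The return code distinguishes the cases (0 ok, 1 wrong user, 2 account missing, 3 not running), so the function can gate an update test.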