RedHat has issued an advisory today (January 19): https://access.redhat.com/errata/RHSA-2021:0150 The issues are fixed upstream in 2.83. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 2.83
Upstream announcement: https://www.openwall.com/lists/oss-security/2021/01/19/1
New version 2.83 - Fixes CVE-2020-2568[1-7] (mga#28169)
Just committed in Cauldron by neoclust, which I imagine fixes M8. Assigning to pkg maintainer Julien for Mageia 7.
Assignee: bugsquad => julien.moragny
Fixed in Cauldron in dnsmasq-2.83-1.mga8.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
CC: (none) => mageia
Ubuntu has issued an advisory for this on January 19: https://ubuntu.com/security/notices/USN-4698-1
openSUSE has issued an advisory for this today (January 20): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GY5KV2WHBZG4XCWVKZOU4DFCHSMBT5KV/
Hello,
I just uploaded dnsmasq 2.83-1.mga7 to updates_testing to fix this issue.
Here is a tentative advisory:
=======================
Updated dnsmasq packages fix security vulnerability:
Multiple vulnerabilities have been discovered in dnsmasq up to version 2.82:
- subtle errors in dnsmasq's protections against cache-poisoning attacks (CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686)
- buffer overflow in dnsmasq's DNSSEC code (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687)
References:
https://bugs.mageia.org/show_bug.cgi?id=28169
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014599.html
https://www.openwall.com/lists/oss-security/2021/01/19/1
Updated packages in core/updates_testing:
========================
dnsmasq-2.83-1.mga7
dnsmasq-utils-2.83-1.mga7
from dnsmasq-2.83-1.mga7.src.rpm
regards
Julien
Hello QA,
can you please test this update of dnsmasq?
You can find a procedure to test the update here (disregard the dnsmasq-base package which doesn't exist anymore): https://bugs.mageia.org/show_bug.cgi?id=19528#c4
regards
Julien
Assignee: julien.moragny => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => julien.moragny
Installed and tested without issues.
I use dnsmasq to provide DNS for a LAN and VPN. Lots of stuff is blocked at the DNS level. I don't use dnsmasq's DHCP so only the DNS part was tested.
System: Mageia 7, x86_64, Intel CPU.
$ uname -a
Linux marte 5.10.8-desktop-2.mga7 #1 SMP Mon Jan 18 01:49:12 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q dnsmasq
dnsmasq-2.83-1.mga7
$ lsof -n | grep IPv.*:domain
dnsmasq 2813 dnsmasq 4u IPv4 352310 0t0 UDP *:domain
dnsmasq 2813 dnsmasq 5u IPv4 352311 0t0 TCP *:domain (LISTEN)
dnsmasq 2813 dnsmasq 6u IPv6 352312 0t0 UDP *:domain
dnsmasq 2813 dnsmasq 7u IPv6 352313 0t0 TCP *:domain (LISTEN)
$ systemctl status dnsmasq.service
● dnsmasq.service - DNS caching server.
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-01-20 22:18:08 WET; 8min ago
 Main PID: 2813 (dnsmasq)
    Tasks: 1 (limit: 4668)
   Memory: 664.0K
   CGroup: /system.slice/dnsmasq.service
           └─2813 /usr/sbin/dnsmasq -k --local-service
jan 20 22:18:08 marte systemd[1]: Started DNS caching server..
jan 20 22:18:08 marte dnsmasq[2813]: started, version 2.83 cachesize 150
jan 20 22:18:08 marte dnsmasq[2813]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth nettlehash DNSSEC loop-detect inotify dumpfile
jan 20 22:18:08 marte dnsmasq[2813]: using nameserver 192.168.1.1#53
jan 20 22:18:08 marte dnsmasq[2813]: read /etc/hosts - 12 addresses
CC: (none) => mageia
Fedora has issued an advisory for this today (January 21): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WYW3IR6APUSKOYKL5FT3ACTIHWHGQY32/
This update has been working for over a week without issues (see comment 8). The DNS part is working without issues. I've not used the DHCP features. Will OK this for x86_64 to push this forward since it is a security update. Please undo as needed.
Whiteboard: (none) => MGA7-64-OK
Advisory committed to svn. Validating based on comment 10.
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0059.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED