Bug 28169 - dnsmasq new security issues CVE-2020-2568[1-7]
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2021-01-19 15:28 CET by David Walser
Modified: 2021-01-29 20:06 CET

See Also:
Source RPM: dnsmasq-2.82-2.mga8.src.rpm
Status comment: Fixed upstream in 2.83


Description David Walser 2021-01-19 15:28:32 CET
RedHat has issued an advisory today (January 19):

The issues are fixed upstream in 2.83.

Mageia 7 is also affected.
David Walser 2021-01-19 15:28:43 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 2.83

Comment 1 David Walser 2021-01-19 15:29:17 CET
Upstream announcement:
Comment 2 Lewis Smith 2021-01-19 19:28:33 CET
New version 2.83 - Fixes CVE-2020-2568[1-7] (mga#28169)
Just committed in Cauldron by neoclust, which I imagine fixes M8.

Assigning to pkg maintainer Julien for Mageia 7.

Assignee: bugsquad => julien.moragny

Comment 3 David Walser 2021-01-20 14:33:52 CET
Fixed in Cauldron in dnsmasq-2.83-1.mga8.

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
CC: (none) => mageia

Comment 4 David Walser 2021-01-20 15:34:58 CET
Ubuntu has issued an advisory for this on January 19:
Comment 5 David Walser 2021-01-20 15:45:42 CET
openSUSE has issued an advisory for this today (January 20):
Comment 6 Julien Moragny 2021-01-20 21:04:53 CET

I just uploaded dnsmasq 2.83-1.mga7 to updates_testing to fix this issue.

Here is a tentative advisory:


Updated dnsmasq packages fix security vulnerability:

Multiple vulnerabilities have been discovered in dnsmasq up to version 2.82:

 - subtle errors in dnsmasq's protections against cache-poisoning attacks
   (CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686)

 - buffer overflow in dnsmasq's DNSSEC code (CVE-2020-25681, 
   CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687)


Updated packages in core/updates_testing:

from dnsmasq-2.83-1.mga7.src.rpm

Comment 7 Julien Moragny 2021-01-20 21:11:02 CET
Hello QA,

can you please test this update of dnsmasq.

You can find a procedure to test the update here (disregard the dnsmasq-base package which doesn't exist anymore):


Assignee: julien.moragny => qa-bugs
CC: (none) => julien.moragny

Comment 8 PC LX 2021-01-20 23:36:39 CET
Installed and tested without issues.

I use dnsmasq to provide DNS for a LAN and VPN. Lots of stuff is blocked at the DNS level.
I don't use dnsmasq's DHCP so only the DNS part was tested.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.10.8-desktop-2.mga7 #1 SMP Mon Jan 18 01:49:12 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q dnsmasq
$ lsof -n | grep IPv.*:domain
dnsmasq    2813                          dnsmasq    4u     IPv4             352310      0t0        UDP *:domain 
dnsmasq    2813                          dnsmasq    5u     IPv4             352311      0t0        TCP *:domain (LISTEN)
dnsmasq    2813                          dnsmasq    6u     IPv6             352312      0t0        UDP *:domain 
dnsmasq    2813                          dnsmasq    7u     IPv6             352313      0t0        TCP *:domain (LISTEN)
$ systemctl status dnsmasq.service 
● dnsmasq.service - DNS caching server.
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-01-20 22:18:08 WET; 8min ago
 Main PID: 2813 (dnsmasq)
    Tasks: 1 (limit: 4668)
   Memory: 664.0K
   CGroup: /system.slice/dnsmasq.service
           └─2813 /usr/sbin/dnsmasq -k --local-service

jan 20 22:18:08 marte systemd[1]: Started DNS caching server..
jan 20 22:18:08 marte dnsmasq[2813]: started, version 2.83 cachesize 150
jan 20 22:18:08 marte dnsmasq[2813]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth nettlehash DNSSEC loop-detect inotify dumpfile
jan 20 22:18:08 marte dnsmasq[2813]: using nameserver
jan 20 22:18:08 marte dnsmasq[2813]: read /etc/hosts - 12 addresses

CC: (none) => mageia
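
Added example (not part of the bug report or of Mageia's QA procedure): a shell check over dnsmasq startup journal lines like those in comment 8, reporting whether the running version is at or above 2.83, where the status comment says the issues are fixed, and whether the DNSSEC code is compiled in. The sample log is constructed, the function names are hypothetical, and a plain version comparison does not account for distributions that backport fixes without changing the upstream version.

```shell
#!/bin/sh
# Added example: triage dnsmasq startup log lines against the fixed version.
FIXED_VERSION="2.83"   # from the bug's status comment: "Fixed upstream in 2.83"

# Constructed sample, modelled on the journal lines quoted in comment 8.
SAMPLE_LOG='jan 20 22:18:08 marte dnsmasq[2813]: started, version 2.83 cachesize 150
jan 20 22:18:08 marte dnsmasq[2813]: compile time options: IPv6 DHCP DNSSEC loop-detect'

# Print the version from the most recent "started, version X" line.
dnsmasq_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*dnsmasq\[[0-9]*]: started, version \([0-9][0-9.]*\).*/\1/p' |
        tail -n 1
}

# Succeed if dotted version $1 >= $2 (numeric comparison per field).
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Succeed if the latest "compile time options" line lists DNSSEC
# as a whole token (so "no-DNSSEC" does not match).
has_dnssec() {
    printf '%s\n' "$1" | grep 'compile time options:' | tail -n 1 |
        grep -Eq '(^|[[:space:]])DNSSEC([[:space:]]|$)'
}

# Print a one-line verdict for a block of log text.
triage() {
    ver=$(dnsmasq_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN: no dnsmasq startup line found"
    elif version_ge "$ver" "$FIXED_VERSION"; then
        echo "FIXED: $ver >= $FIXED_VERSION"
    elif has_dnssec "$1"; then
        echo "AFFECTED: $ver < $FIXED_VERSION, DNSSEC code compiled in"
    else
        echo "AFFECTED: $ver < $FIXED_VERSION, DNSSEC code not compiled in"
    fi
}

# On a live host: triage "$(journalctl -u dnsmasq.service --no-pager)"
triage "$SAMPLE_LOG"
```

The DNSSEC flag matters because the advisory in comment 6 places the buffer overflows (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687) in dnsmasq's DNSSEC code, while the cache-poisoning issues are listed separately.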

Comment 9 David Walser 2021-01-21 17:01:19 CET
Fedora has issued an advisory for this today (January 21):
Comment 10 PC LX 2021-01-28 17:36:21 CET
This update has been working for over a week without issues (see comment 8). The DNS part is working without issues. I've not used the DHCP features. Will OK this for x86_64 to push this forward since it is a security update. Please undo as needed.

Whiteboard: (none) => MGA7-64-OK

Comment 11 Dave Hodgins 2021-01-28 20:02:25 CET
Advisory committed to svn. Validating based on comment 10.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 12 Mageia Robot 2021-01-29 20:06:50 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED
