Fedora has issued an advisory on April 23: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GHURNEHHUBSW45KMIZ4FNBCSUPWPGV5V/ The issue is fixed upstream in 2.85. Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 2.85Whiteboard: (none) => MGA7TOO
Hello, I just pushed an update to 2.85 for both MGA7 & MGA8 in updates_testing, this version has been released two months ago (and was in cauldron not long after) and no major issue has since surfaced. Can you please test and (hopefully) validate these updates of dnsmasq. You can find a procedure to test the update here (disregard the dnsmasq-base package which doesn't exist anymore): https://bugs.mageia.org/show_bug.cgi?id=19528#c4 Tentatives advisories: Mageia 8 ======================= Updated dnsmasq packages fix security vulnerability: CVE-2021-3448: A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity. This kind of configuration is the default when network-manager use dnsmasq. References: https://bugs.mageia.org/show_bug.cgi?id=29030 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3448 https://bugzilla.redhat.com/show_bug.cgi?id=1939368 Updated packages in core/updates_testing: ======================== dnsmasq-2.85-1.mga8 dnsmasq-utils-2.85-1.mga8 from dnsmasq-2.85-1.mga8.src.rpm ======================== Mageia 7 ======================= Updated dnsmasq packages fix security vulnerability: CVE-2021-3448: A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity. This kind of configuration is the default when network-manager use dnsmasq. References: https://bugs.mageia.org/show_bug.cgi?id=29030 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3448 https://bugzilla.redhat.com/show_bug.cgi?id=1939368 Updated packages in core/updates_testing: ======================== dnsmasq-2.85-1.mga7 dnsmasq-utils-2.85-1.mga7 from dnsmasq-2.85-1.mga7.src.rpm ========================
CC: (none) => julien.moragnyAssignee: julien.moragny => qa-bugsStatus: NEW => ASSIGNED
mga8, x86 # dnsmasq --test dnsmasq: syntax check OK. # systemctl enable dnsmasq # systemctl start dnsmasq .... Updated the two pckages. $ rpm -q dnsmasq dnsmasq-2.85-1.mga8 Referring to earlier test bug 19258#c4 : # systemctl restart dnsmasq # dnsmasq --test dnsmasq: syntax check OK. # journalctl | grep dnsmasq .... May 30 17:46:50 canopus systemd[1]: dnsmasq.service: Succeeded. May 30 17:46:50 canopus dnsmasq[287894]: started, version 2.85 cachesize 150 May 30 17:46:50 canopus dnsmasq[287894]: DNS service limited to local subnets May 30 17:46:50 canopus dnsmasq[287894]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC loop-detect inotify dumpfile May 30 17:46:50 canopus dnsmasq[287894]: reading /etc/resolv.conf May 30 17:46:50 canopus dnsmasq[287894]: using nameserver 192.168.1.1#53 May 30 17:46:50 canopus dnsmasq[287894]: read /etc/hosts - 15 addresses # netstat -atun Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN udp 0 0 0.0.0.0:53 0.0.0.0:* udp6 0 0 :::53 :::* # host mageia.org 127.0.0.1 Using domain server: Name: 127.0.0.1 Address: 127.0.0.1#53 Aliases: mageia.org has address 163.172.148.228 mageia.org has IPv6 address 2001:bc8:628:1f00::1 mageia.org mail is handled by 10 sucuk.mageia.org. mageia.org mail is handled by 20 neru.mageia.org. Following Brian Rockwell: # dig mageia.org @localhost ;; ANSWER SECTION: mageia.org. 1604 IN A 163.172.148.228 $ urpmq -i dnsmasq-utils ...... Name : dnsmasq-utils Version : 2.83 [...] Summary : Utilities for manipulating DHCP server leases Description : Utilities that use the standard DHCP protocol to query/remove a DHCP server's leases. Could not find anything other than dnsmasq in /sbin. dnsmasq has a multitude of options and it may be that dnsmasq-utils provides support for those. Anyway it looks good so far.
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OKCC: (none) => tarazed25
mga7, x64 Updated to latest versions and followed the exact procedures outlined in comment 2 but ran into trouble starting the service. port 53 was already in use. Found the pids of the two processes using `ps aux` and deleted both. OK after that. dmasq service started successfully and checks returned the same data as in the previous comment. Giving this an OK for Mageia 7.
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Installed and tested without issues. I use dnsmasq to provide DNS for a LAN and VPN and block unwanted stuff at the DNS level. dnsmasq's DHCP is not used and thus not tested. Only the DNS part was tested. System: Mageia 7, x86_64, Intel CPU. $ uname -a Linux marte 5.10.41-desktop-1.mga7 #1 SMP Fri May 28 14:28:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ rpm -q dnsmasq dnsmasq-2.85-1.mga7 $ lsof -n | grep IPv.*:domain dnsmasq 1565 dnsmasq 4u IPv4 22465 0t0 UDP *:domain dnsmasq 1565 dnsmasq 5u IPv4 22466 0t0 TCP *:domain (LISTEN) dnsmasq 1565 dnsmasq 6u IPv6 22467 0t0 UDP *:domain dnsmasq 1565 dnsmasq 7u IPv6 22468 0t0 TCP *:domain (LISTEN) $ systemctl status dnsmasq.service ● dnsmasq.service - DNS caching server. Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled) Active: active (running) since Mon 2021-05-31 09:44:29 WEST; 17min ago Main PID: 1565 (dnsmasq) Tasks: 1 (limit: 4668) Memory: 1.5M CGroup: /system.slice/dnsmasq.service └─1565 /usr/sbin/dnsmasq -k --local-service mai 31 09:44:29 marte systemd[1]: Started DNS caching server.. mai 31 09:44:29 marte dnsmasq[1565]: started, version 2.85 cachesize 150 mai 31 09:44:29 marte dnsmasq[1565]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC loop-detect inotify dumpfile mai 31 09:44:29 marte dnsmasq[1565]: using nameserver 192.168.1.1#53 mai 31 09:44:29 marte dnsmasq[1565]: read /etc/hosts - 19 addresses
CC: (none) => mageia
Validating. Advisories in Comment 1.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => ouaurelienStatus comment: Fixed upstream in 2.85 => (none)CVE: (none) => CVE-2021-3448Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0231.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED