SUSE has issued an advisory today (April 21): https://lists.suse.com/pipermail/sle-security-updates/2022-April/010784.html Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Hello, I just pushed an update to fix this bug in cauldron (2.86-3) and update_testing/8 (2.85-2) Can you please test and validate this update. A basic test procedure is provided below the proposed advisory but in this specific case, I'm not sure it's very useful since the bug is in the DHCP part of dnsmasq and I don't know of a simple procedure to test it. Proposed advisory: Mageia 8 ======================= Updated dnsmasq packages fix security vulnerability: CVE-2022-0934: a write after free has been discovered in DHCPv6 code. A special request could be crafted to modify already freed memory. References: https://bugs.mageia.org/show_bug.cgi?id=30318 https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016272.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0934 Updated packages in core/updates_testing: ======================== dnsmasq-2.85-2.mga8 dnsmasq-utils-2.85-2.mga8 from dnsmasq-2.85-2.mga8.src.rpm +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Test procedure: to install: urpmi dnsmasq to start: systemctl start dnsmasq.service or reboot since dnsmasq.service is started automatically at boot. in journalctl, you should get something like that : localhost dnsmasq[1426]: demarré, version 2.85 (taille de cache 150) localhost dnsmasq[1426]: options à la compilation : IPv6 GNU-getopt DBus i18n ID localhost dnsmasq[1426]: Lecture de /etc/resolv.conf localhost dnsmasq[1426]: utilise le serveur de nom 10.0.2.2#53 localhost dnsmasq[1426]: lecture /etc/hosts - 1 adresses which tell you that without further configuration, dnsmasq use resolv.conf and /etc/hosts to know where to transmit dns request (here, it's 10.0.2.2). It also listen on all interface (you can see it with netstat -atun and look at the line on port 53). You can configure your resolver in /etc/dnsmasq.conf (options server= and no-resolv) To test if dnsmasq can resolv a name, you can use the program host from package bind-utils. In the example below, it asks the IP of mageia.org using the server on localhost (127.0.0.1 ; i.e. the dnsmasq we just started): host mageia.org 127.0.0.1 which should answer something like that : Using domain server: Name: 127.0.0.1 Address: 127.0.0.1#53 Aliases: mageia.org has address 217.70.188.116 mageia.org mail is handled by 10 alamut.mageia.org. mageia.org mail is handled by 20 krampouezh.mageia.org. I don't know how to test the dhcp part of dnsmasq without a complex configuration. regards Julien
Assignee: julien.moragny => qa-bugsCC: (none) => julien.moragnyStatus: NEW => ASSIGNED
Installing this update showed the following message: "Warning: The unit file, source configuration file or drop-ins of dnsmasq.service changed on disk. Run 'systemctl daemon-reload' to reload units." I'm not certain but I think I didn't see this message when installing a package. I have an override for the service but it should not make a difference. # cat /etc/systemd/system/dnsmasq.service.d/override.conf [Unit] Wants=network-online.target It is easy to resolve but shouldn't the package script restart the service automatically? System: Mageia 8, x86_64, Intel CPU. # uname -a Linux marte 5.15.32-desktop-1.mga8 #1 SMP Mon Mar 28 08:31:19 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux # rpm -q dnsmasq dnsmasq-2.85-2.mga8 # systemctl status dnsmasq.service ● dnsmasq.service - DNS caching server. Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled) Drop-In: /etc/systemd/system/dnsmasq.service.d └─override.conf Active: active (running) since Thu 2022-04-21 23:56:59 WEST; 7s ago Main PID: 52260 (dnsmasq) Tasks: 1 (limit: 4690) Memory: 1.9M CPU: 9ms CGroup: /system.slice/dnsmasq.service └─52260 /usr/sbin/dnsmasq -k --local-service abr 21 23:56:59 marte systemd[1]: Started DNS caching server.. abr 21 23:57:00 marte dnsmasq[52260]: started, version 2.85 cachesize 150 abr 21 23:57:00 marte dnsmasq[52260]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC loop-detect inotify dumpfile abr 21 23:57:00 marte dnsmasq[52260]: using nameserver 192.168.1.1#53 abr 21 23:57:00 marte dnsmasq[52260]: read /etc/hosts - 15 addresses
CC: (none) => mageia
The message: "Warning: The unit file, source configuration file or drop-ins of dnsmasq.service changed on disk. Run 'systemctl daemon-reload' to reload units." means exactly what it says...it's not that it needs restarted (although that should also happen here) it needs systemctl daemon-reload. That's something that should be handled automatically if the correct scriplets are used in the package: https://wiki.mageia.org/en/System_Service_policy
Version: Cauldron => 8Whiteboard: MGA8TOO => (none)
MGA8-64 Plasma on Lenovo B50 in Dutch No installation issues. Qouting Julien above "reboot since dnsmasq.service is started automatically at boot." So rebooted and then: # systemctl -l status dnsmasq * dnsmasq.service - DNS caching server. Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; vendor preset: disabled) Active: inactive (dead) But this is inline with behavior of previous updates. Anyway, continuing following tests of bugs 29030 and 26964: # systemctl start dnsmasq # systemctl -l status dnsmasq * dnsmasq.service - DNS caching server. Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; vendor preset: disabled) Active: active (running) since Wed 2022-05-11 11:40:23 CEST; 3s ago Main PID: 35366 (dnsmasq) Tasks: 1 (limit: 9395) Memory: 1.3M CPU: 6ms CGroup: /system.slice/dnsmasq.service `-35366 /usr/sbin/dnsmasq -k --local-service mei 11 11:40:23 mach5.hviaene.thuis systemd[1]: Started DNS caching server.. mei 11 11:40:23 mach5.hviaene.thuis dnsmasq[35366]: started, version 2.85 cachesize 150 mei 11 11:40:23 mach5.hviaene.thuis dnsmasq[35366]: DNS service limited to local subnets mei 11 11:40:23 mach5.hviaene.thuis dnsmasq[35366]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSS> mei 11 11:40:23 mach5.hviaene.thuis dnsmasq[35366]: reading /etc/resolv.conf mei 11 11:40:23 mach5.hviaene.thuis dnsmasq[35366]: using nameserver 192.168.2.1#53 mei 11 11:40:23 mach5.hviaene.thuis dnsmasq[35366]: using nameserver 212.71.0.33#53 mei 11 11:40:23 mach5.hviaene.thuis dnsmasq[35366]: read /etc/hosts - 2 addresses # lsof | grep dnsmasq.*IPv dnsmasq 35366 dnsmasq 4u IPv4 37722 0t0 UDP *:domain dnsmasq 35366 dnsmasq 5u IPv4 37723 0t0 TCP *:domain (LISTEN) dnsmasq 35366 dnsmasq 6u IPv6 37724 0t0 UDP *:domain dnsmasq 35366 dnsmasq 7u IPv6 37725 0t0 TCP *:domain (LISTEN) # dnsmasq --test dnsmasq: syntax check OK. # netstat -atun Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN tcp 0 0 192.168.2.5:43910 212.219.56.184:80 TIME_WAIT tcp 0 0 192.168.2.5:58484 35.81.71.18:443 ESTABLISHED tcp 0 0 192.168.2.5:41782 142.251.36.3:80 TIME_WAIT tcp 0 0 192.168.2.5:43912 212.219.56.184:80 TIME_WAIT tcp 0 0 192.168.2.5:43902 212.219.56.184:80 TIME_WAIT tcp 0 0 192.168.2.5:42010 212.85.158.151:443 TIME_WAIT tcp 0 0 192.168.2.5:43906 212.219.56.184:80 TIME_WAIT tcp 0 0 192.168.2.5:43898 212.219.56.184:80 TIME_WAIT tcp 0 0 192.168.2.5:43904 212.219.56.184:80 TIME_WAIT tcp 0 0 192.168.2.5:43894 212.219.56.184:80 TIME_WAIT tcp 0 0 192.168.2.5:43908 212.219.56.184:80 TIME_WAIT tcp 0 0 192.168.2.5:43900 212.219.56.184:80 TIME_WAIT tcp6 0 0 ::1:25 :::* LISTEN tcp6 0 0 :::53 :::* LISTEN tcp6 0 0 :::631 :::* LISTEN udp 0 0 0.0.0.0:36861 0.0.0.0:* udp 0 0 0.0.0.0:53 0.0.0.0:* udp 0 0 127.0.0.1:323 0.0.0.0:* udp 0 0 0.0.0.0:5353 0.0.0.0:* udp6 0 0 :::53 :::* udp6 0 0 ::1:323 :::* udp6 0 0 :::5353 :::* udp6 0 0 :::59078 :::* # host mageia.org 127.0.0.1 Using domain server: Name: 127.0.0.1 Address: 127.0.0.1#53 Aliases: mageia.org has address 163.172.148.228 mageia.org has IPv6 address 2001:bc8:628:1f00::1 mageia.org mail is handled by 20 neru.mageia.org. mageia.org mail is handled by 10 sucuk.mageia.org. # dig mageia.org @localhost ; <<>> DiG 9.11.37Mageia-1.mga8 <<>> mageia.org @localhost ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31833 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;mageia.org. IN A ;; ANSWER SECTION: mageia.org. 1751 IN A 163.172.148.228 ;; Query time: 0 msec ;; SERVER: ::1#53(::1) ;; WHEN: wo mei 11 11:43:56 CEST 2022 ;; MSG SIZE rcvd: 55 This all looks OK.
Whiteboard: (none) => MGA8-64-OKCC: (none) => herman.viaene
So it seems to work OK, but should the "correct scriplets" issue from Comment 3 be addressed before validating?
CC: (none) => andrewsfarm
Yes, Julien should look at this.
Keywords: (none) => feedback
I must admit that I'm a bit puzzled by this message (that I can't reproduce at the moment) since daemon-reload is invoked at the end of the transaction when using the systemd pre|post macros like the spec is doing (see (1) & (2)) for about 5~6 years now. You can see it in the journal with the line: systemd[1]: Reloading. (1) https://fedoraproject.org/wiki/Changes/systemd_file_triggers (2) https://github.com/systemd/systemd/pull/1909/commits/873e413323dfff4023604849c70944674ae5cd29
I just looked at the spec, and it's using Fedora macros for the service and not ours. See the link in Comment 3.
Which doesn't change the fact that it has worked for 5 years and that this message is bogus since daemon-reload is executed at the end of the transaction. Anyway, xkcd#386 and all that, dnsmasq-2.85-3.mga8 is building at the moment which revert to standard mageia macros. regards julien
Thanks. You missed the postun that's not needed with our macros. Fixed in -4. Updated packages in core/updates_testing: ======================== dnsmasq-2.85-4.mga8 dnsmasq-utils-2.85-4.mga8 from dnsmasq-2.85-4.mga8.src.rpm
Keywords: feedback => (none)Whiteboard: MGA8-64-OK => (none)
Installed the new version I didn't see a message like mentioned in Comment 2 and 3, but the remark I made in Comment 4 still stands: the service does not run automatically after a reboot, I had to start it manually. So, all my results at the CLI are the same as in Comment 4.
Herman, I'm guessing you have the service masked. Try systemctl unmask dnsmasq.service, or removing /etc/systemd/system/dnsmasq.service
Gave as root the command systemctl unmask dnsmasq.service ans rebooted. Still the same, service is inactive. As far as /etc/systemd/system/dnsmasq.service is concerned, this file is simply not there.
Installed dnsmasq in a vb guest. As root ran "systemctl enable dnsmasq.service", and started it. Confirmed it's running. Rebooted. [root@x8v ~]# systemctl status dnsmasq.service ● dnsmasq.service - DNS caching server. Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2022-06-17 13:50:13 EDT; 29s ago Main PID: 1220 (dnsmasq) Tasks: 1 (limit: 4695) Memory: 2.2M CPU: 9ms CGroup: /system.slice/dnsmasq.service └─1220 /usr/sbin/dnsmasq -k --local-service Jun 17 13:50:13 x8v.hodgins.homeip.net systemd[1]: Started DNS caching server.. Jun 17 13:50:13 x8v.hodgins.homeip.net dnsmasq[1220]: started, version 2.85 cachesize 150 Jun 17 13:50:13 x8v.hodgins.homeip.net dnsmasq[1220]: DNS service limited to local subnets Jun 17 13:50:13 x8v.hodgins.homeip.net dnsmasq[1220]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC loop-detect inotify dumpfile Jun 17 13:50:13 x8v.hodgins.homeip.net dnsmasq[1220]: reading /etc/resolv.conf Jun 17 13:50:13 x8v.hodgins.homeip.net dnsmasq[1220]: using nameserver 192.168.10.2#53 Jun 17 13:50:13 x8v.hodgins.homeip.net dnsmasq[1220]: using nameserver 192.168.10.101#53 Jun 17 13:50:13 x8v.hodgins.homeip.net dnsmasq[1220]: read /etc/hosts - 2 addresses [root@x8v ~]# nslookup mageia.org localhost Server: localhost Address: ::1#53 Non-authoritative answer: Name: mageia.org Address: 163.172.148.228 Name: mageia.org Address: 2001:bc8:628:1f00::1 Herman, I suspect you forgot to enable the service. Validating the update.
Keywords: (none) => validated_updateWhiteboard: (none) => MGA8-64-OKCC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0233.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED