Bug 31770 - dnsmasq new security issue CVE-2023-28450
Summary: dnsmasq new security issue CVE-2023-28450
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2023-04-06 19:26 CEST by David Walser
Modified: 2023-04-24 02:21 CEST
4 users

See Also:
Source RPM: dnsmasq-2.89-1.mga9.src.rpm
Status comment:


Description David Walser 2023-04-06 19:26:15 CEST
Fedora has issued an advisory today (April 6):

The issue is fixed upstream in 2.90.

Mageia 8 is also affected.
David Walser 2023-04-06 19:26:25 CEST

Status comment: (none) => Fixed upstream in 2.90
Whiteboard: (none) => MGA8TOO

Comment 1 Julien Moragny 2023-04-19 18:14:43 CEST

An update has been pushed for Cauldron last week, and for 8 some minutes ago.

Here is the tentative advisory:

Mageia 8

Updated dnsmasq packages fix security vulnerability:

CVE-2023-28450: A flaw was found in Dnsmasq. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020.


Updated packages in core/updates_testing:

from dnsmasq-2.85-6.mga8.src.rpm


I don't expect any problems with this update; other resolvers have used this configuration for years.

Test procedure:

To install: urpmi dnsmasq

To start: systemctl start dnsmasq.service
or reboot, since dnsmasq.service is started automatically at boot.

In journalctl, you should get something like this:
localhost dnsmasq[1426]: demarré, version 2.85 (taille de cache 150)
localhost dnsmasq[1426]: options à la compilation : IPv6 GNU-getopt DBus i18n ID
localhost dnsmasq[1426]: Lecture de /etc/resolv.conf
localhost dnsmasq[1426]: utilise le serveur de nom
localhost dnsmasq[1426]: lecture /etc/hosts - 1 adresses

which tells you that, without further configuration, dnsmasq uses resolv.conf and /etc/hosts to know where to forward DNS requests (here, it's ). It also listens on all interfaces (you can see it with netstat -atun; look at the lines on port 53).

You can configure your resolver in /etc/dnsmasq.conf (options server= and no-resolv).

To test if dnsmasq can resolve a name, you can use the program host from the package bind-utils. In the example below, it asks for the IP of mageia.org using the server on localhost ( ; i.e. the dnsmasq we just started):

host mageia.org

which should answer something like this:

Using domain server:

mageia.org has address
mageia.org mail is handled by 10 alamut.mageia.org.
mageia.org mail is handled by 20 krampouezh.mageia.org.

I don't know how to test the DHCP part of dnsmasq without a complex configuration.


Assignee: julien.moragny => qa-bugs
CC: (none) => julien.moragny
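The advisory above describes the flaw as a default EDNS0 buffer of 4096 bytes where DNS Flag Day 2020 calls for 1232, and comment 2's dig run confirms the fixed package with the `udp: 1232` line. The Python below is an added example (not part of the bug report, the advisory or dnsmasq itself) that performs the same check without dig: it builds an EDNS0 query, parses the OPT record in the reply and reports the advertised size. `probe()`, the resolver address 127.0.0.1 and the sample response bytes are assumptions constructed for offline testing.

```python
import socket
import struct
OPT_TYPE = 41  # EDNS0 OPT pseudo-RR (RFC 6891); its CLASS field carries the sender's UDP buffer size

def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\x00"

def opt_record(advertised: int) -> bytes:
    """OPT RR with root name and no options, advertising the given UDP payload size."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, advertised, 0, 0)
def build_edns_query(name: str, qid: int = 0x1234, advertised: int = 1232) -> bytes:
    """A query with RD set, one question (type A, class IN) and one OPT record in the additional section."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    return header + encode_name(name) + struct.pack("!HH", 1, 1) + opt_record(advertised)

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a domain name (a compression pointer ends it in two bytes)."""
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + 2 if msg[off] & 0xC0 == 0xC0 else off + 1

def edns_udp_size(msg: bytes):
    """UDP payload size advertised by the OPT record in a DNS message, or None if there is none."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return None

def build_sample_response(advertised: int) -> bytes:
    """Constructed reply (not a capture): one A answer for mageia.org (TEST-NET-1 address) plus an OPT RR."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 1745, 4) + bytes([192, 0, 2, 1])
    return header + encode_name("mageia.org") + struct.pack("!HH", 1, 1) + answer + opt_record(advertised)

def probe(server: str = "127.0.0.1", name: str = "mageia.org", timeout: float = 3.0):
    """Query a live resolver (assumed: the local dnsmasq on UDP 53) and return the size it advertises."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return edns_udp_size(data)  # 1232 from the fixed package; 4096 means the pre-2.90 default is still in use
```

On a dnsmasq older than 2.90, setting `edns-packet-max=1232` in /etc/dnsmasq.conf gives the same result as the update.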

David Walser 2023-04-19 20:21:01 CEST

Status comment: Fixed upstream in 2.90 => (none)

Thomas Backlund 2023-04-19 22:41:42 CEST

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 2 Thomas Andrews 2023-04-23 17:11:22 CEST
MGA8-64 Plasma system. Installed dnsmasq, then immediately updated using qarepo.

Not entirely sure what I am doing here, so I followed Herman's lead from Bug 30318:

[root@localhost ~]# systemctl enable dnsmasq
Created symlink /etc/systemd/system/multi-user.target.wants/dnsmasq.service → /usr/lib/systemd/system/dnsmasq.service.
[root@localhost ~]# systemctl start dnsmasq
[root@localhost ~]# systemctl -l status dnsmasq
● dnsmasq.service - DNS caching server.
     Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
     Active: active (running) since Sun 2023-04-23 10:36:22 EDT; 3min 18s ago
   Main PID: 35402 (dnsmasq)
      Tasks: 1 (limit: 9446)
     Memory: 900.0K
        CPU: 10ms
     CGroup: /system.slice/dnsmasq.service
             └─35402 /usr/sbin/dnsmasq -k --local-service

Apr 23 10:36:22 localhost.localdomain systemd[1]: Started DNS caching server..

[root@localhost ~]# lsof | grep dnsmasq.*IPv
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
lsof: WARNING: can't stat() fuse.portal file system /run/user/1000/doc
      Output information may be incomplete.
dnsmasq   35402                    dnsmasq    4u     IPv4              40543       0t0        UDP *:domain 
dnsmasq   35402                    dnsmasq    5u     IPv4              40544       0t0        TCP *:domain (LISTEN)
dnsmasq   35402                    dnsmasq    6u     IPv6              40545       0t0        UDP *:domain 
dnsmasq   35402                    dnsmasq    7u     IPv6              40546       0t0        TCP *:domain (LISTEN)

[root@localhost ~]# dnsmasq --test
dnsmasq: syntax check OK.

[root@localhost ~]# netstat -atun
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0    *               LISTEN     
tcp        0      0   *               LISTEN     
tcp        0      0        ESTABLISHED
tcp6       0      0 :::1716                 :::*                    LISTEN     
tcp6       0      0 :::53                   :::*                    LISTEN     
tcp6       0      0 :::631                  :::*                    LISTEN     
tcp6       0      0 2603:7080:7a00:9d:40922 2606:4700::6810:f9f:443 ESTABLISHED
tcp6       0      0 2603:7080:7a00:9d:44824 2606:4700::6810:f8f:443 ESTABLISHED
udp        0      0 *                          
udp        0      0    *                          
udp        0      0          ESTABLISHED
udp        0      0 *                          
udp        0      0  *                          
udp6       0      0 :::53                   :::*                               
udp6       0      0 ::1:323                 :::*                               
udp6       0      0 :::5353                 :::*                               
udp6       0      0 :::34048                :::*                               
udp6       0      0 :::1716                 :::*  

[root@localhost ~]# host mageia.org
Using domain server:

mageia.org has address
mageia.org has IPv6 address 2001:bc8:628:1f00::1
mageia.org mail is handled by 20 neru.mageia.org.
mageia.org mail is handled by 10 sucuk.mageia.org.

[root@localhost ~]# dig mageia.org @localhost

; <<>> DiG 9.11.37Mageia-1.1.mga8 <<>> mageia.org @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64873
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 1232
;mageia.org.                    IN      A

mageia.org.             1745    IN      A

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Apr 23 10:47:14 EDT 2023
;; MSG SIZE  rcvd: 55

This appears to be consistent with Herman's results, allowing for differences in our networks.

I rebooted, and the dnsmasq service was started automatically.

CC: (none) => andrewsfarm

Comment 3 Thomas Andrews 2023-04-23 17:12:14 CEST
Giving this an OK, and validating. Advisory in comment 1.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2023-04-23 23:55:22 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2023-04-24 02:21:55 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED
