Fedora has issued an advisory today (April 6): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OU2ZT4ITSEOOR2CFBAHK4Z67KXJIEWQA/ The issue is fixed upstream in 2.90. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 2.90
Whiteboard: (none) => MGA8TOO
Hello,

An update was pushed for cauldron last week, and for 8 some minutes ago.

Here is the tentative advisory:

Mageia 8
=======================

Updated dnsmasq packages fix security vulnerability:

CVE-2023-28450: A flaw was found in Dnsmasq. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020.

References:
https://bugs.mageia.org/show_bug.cgi?id=31770
http://www.dnsflagday.net/2020/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28450

Updated packages in core/updates_testing:
========================
dnsmasq-2.85-6.mga8
dnsmasq-utils-2.85-6.mga8

from dnsmasq-2.85-6.mga8.src.rpm

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I don't expect any problem with this update; other resolvers have used this configuration for years.

Test procedure:

To install:

    urpmi dnsmasq

To start:

    systemctl start dnsmasq.service

or reboot, since dnsmasq.service is started automatically at boot.

In journalctl, you should get something like this:

    localhost dnsmasq[1426]: demarré, version 2.85 (taille de cache 150)
    localhost dnsmasq[1426]: options à la compilation : IPv6 GNU-getopt DBus i18n ID
    localhost dnsmasq[1426]: Lecture de /etc/resolv.conf
    localhost dnsmasq[1426]: utilise le serveur de nom 10.0.2.2#53
    localhost dnsmasq[1426]: lecture /etc/hosts - 1 adresses

which tells you that, without further configuration, dnsmasq uses resolv.conf and /etc/hosts to know where to transmit DNS requests (here, it's 10.0.2.2). It also listens on all interfaces (you can see it with netstat -atun and look at the lines on port 53).

You can configure your resolver in /etc/dnsmasq.conf (options server= and no-resolv).

To test if dnsmasq can resolve a name, you can use the program host from package bind-utils. In the example below, it asks for the IP of mageia.org using the server on localhost (127.0.0.1; i.e. the dnsmasq we just started):

    host mageia.org 127.0.0.1

which should answer something like this:

    Using domain server:
    Name: 127.0.0.1
    Address: 127.0.0.1#53
    Aliases:

    mageia.org has address 217.70.188.116
    mageia.org mail is handled by 10 alamut.mageia.org.
    mageia.org mail is handled by 20 krampouezh.mageia.org.

I don't know how to test the DHCP part of dnsmasq without a complex configuration.

Regards,
Julien
Assignee: julien.moragny => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => julien.moragny
Status comment: Fixed upstream in 2.90 => (none)
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
MGA8-64 Plasma system. Installed dnsmasq, then immediately updated using qarepo.

Not entirely sure what I am doing here, so I followed Herman's lead from Bug 30318:

    [root@localhost ~]# systemctl enable dnsmasq
    Created symlink /etc/systemd/system/multi-user.target.wants/dnsmasq.service → /usr/lib/systemd/system/dnsmasq.service.
    [root@localhost ~]# systemctl start dnsmasq
    [root@localhost ~]# systemctl -l status dnsmasq
    ● dnsmasq.service - DNS caching server.
         Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
         Active: active (running) since Sun 2023-04-23 10:36:22 EDT; 3min 18s ago
       Main PID: 35402 (dnsmasq)
          Tasks: 1 (limit: 9446)
         Memory: 900.0K
            CPU: 10ms
         CGroup: /system.slice/dnsmasq.service
                 └─35402 /usr/sbin/dnsmasq -k --local-service

    Apr 23 10:36:22 localhost.localdomain systemd[1]: Started DNS caching server..

    [root@localhost ~]# lsof | grep dnsmasq.*IPv
    lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
          Output information may be incomplete.
    lsof: WARNING: can't stat() fuse.portal file system /run/user/1000/doc
          Output information may be incomplete.
    dnsmasq 35402 dnsmasq 4u IPv4 40543 0t0 UDP *:domain
    dnsmasq 35402 dnsmasq 5u IPv4 40544 0t0 TCP *:domain (LISTEN)
    dnsmasq 35402 dnsmasq 6u IPv6 40545 0t0 UDP *:domain
    dnsmasq 35402 dnsmasq 7u IPv6 40546 0t0 TCP *:domain (LISTEN)

    [root@localhost ~]# dnsmasq --test
    dnsmasq: syntax check OK.

    [root@localhost ~]# netstat -atun
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address            Foreign Address          State
    tcp        0      0 0.0.0.0:53               0.0.0.0:*                LISTEN
    tcp        0      0 0.0.0.0:631              0.0.0.0:*                LISTEN
    tcp        0      0 192.168.1.116:34982      34.117.65.55:443         ESTABLISHED
    tcp6       0      0 :::1716                  :::*                     LISTEN
    tcp6       0      0 :::53                    :::*                     LISTEN
    tcp6       0      0 :::631                   :::*                     LISTEN
    tcp6       0      0 2603:7080:7a00:9d:40922  2606:4700::6810:f9f:443  ESTABLISHED
    tcp6       0      0 2603:7080:7a00:9d:44824  2606:4700::6810:f8f:443  ESTABLISHED
    udp        0      0 0.0.0.0:36151            0.0.0.0:*
    udp        0      0 0.0.0.0:53               0.0.0.0:*
    udp        0      0 192.168.1.116:68         192.168.1.1:67           ESTABLISHED
    udp        0      0 127.0.0.1:323            0.0.0.0:*
    udp        0      0 0.0.0.0:5353             0.0.0.0:*
    udp6       0      0 :::53                    :::*
    udp6       0      0 ::1:323                  :::*
    udp6       0      0 :::5353                  :::*
    udp6       0      0 :::34048                 :::*
    udp6       0      0 :::1716                  :::*

    [root@localhost ~]# host mageia.org 127.0.0.1
    Using domain server:
    Name: 127.0.0.1
    Address: 127.0.0.1#53
    Aliases:

    mageia.org has address 163.172.148.228
    mageia.org has IPv6 address 2001:bc8:628:1f00::1
    mageia.org mail is handled by 20 neru.mageia.org.
    mageia.org mail is handled by 10 sucuk.mageia.org.

    [root@localhost ~]# dig mageia.org @localhost

    ; <<>> DiG 9.11.37Mageia-1.1.mga8 <<>> mageia.org @localhost
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64873
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;mageia.org.                    IN      A

    ;; ANSWER SECTION:
    mageia.org.             1745    IN      A       163.172.148.228

    ;; Query time: 0 msec
    ;; SERVER: ::1#53(::1)
    ;; WHEN: Sun Apr 23 10:47:14 EDT 2023
    ;; MSG SIZE rcvd: 55

This appears to be consistent with Herman's results, allowing for differences in our networks.

I rebooted, and the dnsmasq service was started automatically.
CC: (none) => andrewsfarm
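A scripted form of the check that the dig output above shows as `udp: 1232`, as an added example that is not part of the original bug report: it reads the UDP payload size from the OPT record of a DNS reply and compares it with the 1232 bytes named in the advisory. The function names, the 4096-byte size advertised in the query, UDP port 53 and the sample reply are assumptions constructed for illustration.

```python
import socket
import struct

OPT = 41           # EDNS(0) pseudo-RR type (RFC 6891)
FLAG_DAY = 1232    # size named in the advisory (DNS Flag Day 2020)

def build_query(name, advertised=4096, qid=0x1234):
    """A-record query for `name` with an OPT record advertising `advertised` bytes."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", OPT, advertised, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1) + opt

def skip_name(msg, off):
    """Offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def edns_udp_size(msg):
    """UDP payload size advertised in the message's OPT record, or None if absent."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == OPT:
            return rclass                        # in OPT, CLASS carries the UDP size
        off += 10 + rdlen
    return None

def resolver_is_fixed(server="127.0.0.1", name="mageia.org", timeout=3.0):
    """Ask a live resolver (assumed on UDP port 53) and compare against 1232."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        size = edns_udp_size(s.recv(4096))
    return size is not None and size <= FLAG_DAY

def sample_response(size):
    """Constructed 55-byte reply: question, one A record, OPT advertising `size`."""
    question = build_query("mageia.org")[12:-11]
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 1745, 4) + socket.inet_aton("163.172.148.228")
    return header + question + answer + b"\x00" + struct.pack("!HHIH", OPT, size, 0, 0)
```

`edns_udp_size(sample_response(1232))` parses the constructed reply offline; `resolver_is_fixed()` sends the same query to a running dnsmasq on 127.0.0.1.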
Giving this an OK, and validating. Advisory in comment 1.
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0153.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED