Hello, I just updated dnsmasq in mga9 to v2.90 in order to fix CVE-2023-50387 and CVE-2023-50868 along with others bugfixes (including a potential segfault). It landed in cauldron yesterday. QA, can you please test and validate this update. Here is a tentative advisory: =================== This updated dnsmasq package fix security issues CVE-2023-50387 and CVE-2023-50868: Certain DNSSEC aspects of the DNS protocol allow a remote attacker to trigger a denial of service via extreme consumption of resource caused by DNSSEC query or response: KeyTrap - Extreme CPU consumption in DNSSEC validator. (CVE-2023-50387) Preparing an NSEC3 closest encloser proof can exhaust CPU resources.(CVE-2023-50868) this update also fix issues with udp packet size (fix already present in mageia package for 2.89), possible segfault and caching. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387 https://thekelleys.org.uk/dnsmasq/CHANGELOG ======================== Updated packages in core/updates_testing: ======================== dnsmasq-2.90-1.mga9 dnsmasq-utils-2.90-1.mga9 Source RPMs: dnsmasq-2.90-1.mga9 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Test procedure: to install: urpmi dnsmasq to start: systemctl start dnsmasq.service or reboot since dnsmasq.service is started automatically at boot. in journalctl, you should get something like that : localhost dnsmasq[1426]: demarré, version 2.85 (taille de cache 150) localhost dnsmasq[1426]: options à la compilation : IPv6 GNU-getopt DBus i18n ID localhost dnsmasq[1426]: Lecture de /etc/resolv.conf localhost dnsmasq[1426]: utilise le serveur de nom 10.0.2.2#53 localhost dnsmasq[1426]: lecture /etc/hosts - 1 adresses which tell you that without further configuration, dnsmasq use resolv.conf and /etc/hosts to know where to transmit dns request (here, it's 10.0.2.2). It also listen on all interface (you can see it with netstat -atun and look at the line on port 53). You can configure your resolver in /etc/dnsmasq.conf (options server= and no-resolv) To test if dnsmasq can resolv a name, you can use the program host from package bind-utils. In the example below, it asks the IP of mageia.org using the server on localhost (127.0.0.1 ; i.e. the dnsmasq we just started): host mageia.org 127.0.0.1 which should answer something like that : Using domain server: Name: 127.0.0.1 Address: 127.0.0.1#53 Aliases: mageia.org has address 217.70.188.116 mageia.org mail is handled by 10 alamut.mageia.org. mageia.org mail is handled by 20 krampouezh.mageia.org. I don't know how to test the dhcp part of dnsmasq without a complex configuration. thanks regards julien
CC: (none) => julien.moragny
QA Contact: (none) => security
Component: RPM Packages => Security
Summary: Update Dnsmasq to fix CVE CVE-2023-50387 & CVE-2023-50868 => Update Dnsmasq to fix CVE-2023-50387 and CVE-2023-50868
CVE: (none) => CVE-2023-50387 CVE-2023-50868CC: (none) => marja11URL: (none) => https://thekelleys.org.uk/dnsmasq/CHANGELOG
Keywords: (none) => advisory
CC: (none) => mageia
Thank you for the test procedure, Julien. It's very helpful. MGA9-64 Plasma in VirtualBox. I installed dnsmasq and dnsmasq-utils, then used qarepo to get the update candidates. There were no installation issues. This particular VM had not been used in a couple of weeks, and there was a pending systemd update waiting, so a reboot was necessary. Contrary to the above procedure, dnsmasq did not start automatically - status of the service claimed it was disabled and "dead." Afte enabling and starting it, I got this: [root@localhost ~]# systemctl status dnsmasq ● dnsmasq.service - DNS caching server. Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; preset: disabled) Active: active (running) since Sat 2024-02-17 19:16:50 EST; 1min 15s ago Main PID: 55292 (dnsmasq) Tasks: 1 (limit: 4690) Memory: 1.2M CPU: 4ms CGroup: /system.slice/dnsmasq.service └─55292 /usr/sbin/dnsmasq -k --local-service Feb 17 19:16:50 localhost.localdomain systemd[1]: Started dnsmasq.service. Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: started, version 2.90 cachesize 150 Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: DNS service limited to local subnets Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset no-nftset au> Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: reading /etc/resolv.conf Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: using nameserver 192.168.1.1#53 Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: read /etc/hosts - 8 names Those last messages look like those in the procedure, but following up anyway: [root@localhost ~]# journalctl -ab | grep dnsmasq Feb 17 19:16:50 localhost.localdomain systemd[1]: Started dnsmasq.service. Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: started, version 2.90 cachesize 150 Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: DNS service limited to local subnets Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset no-nftset auth cryptohash DNSSEC loop-detect inotify dumpfile Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: reading /etc/resolv.conf Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: using nameserver 192.168.1.1#53 Feb 17 19:16:50 localhost.localdomain dnsmasq[55292]: read /etc/hosts - 8 names Continuing: [root@localhost ~]# host mageia.org 127.0.0.1 Using domain server: Name: 127.0.0.1 Address: 127.0.0.1#53 Aliases: mageia.org has address 163.172.148.228 mageia.org has IPv6 address 2001:bc8:710:175f:dc00:ff:fe2d:c0ff mageia.org mail is handled by 10 sucuk.mageia.org. mageia.org mail is handled by 20 neru.mageia.org. Not sure why I get a different result for the mageia.org mail handlers, but it doesn't look like an error. Looks good to me otherwise. Validating the update.
Whiteboard: (none) => MGA9-64-OKKeywords: (none) => has_procedure, validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0041.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED