The Openwall ref includes:
> Details and patches are available on the website at
> https://thekelleys.org.uk/dnsmasq/CVE/
whence they are linked CVE by CVE.
> and I have made "2.92rel2" release of the current 2.92 dnsmasq stable 
> release which is downloadable from the usual place and has had these 
> patches applied.

DavidG has already put version: 2.92re2 in Cauldron. I suspect this should do for M9, whose current version 2.90-1 is close.

Where to assign for M9? CC'ing DavidG; & Julien who routinely updates this.

Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
CC: (none) => geiger.david68210, julien.moragny
Assignee: bugsquad => pkg-bugs

Fixed for Cauldron with dnsmasq-2.92rel2-1.mga10!

Hello,

Since dnsmasq is really stable, I updated it in mga9 to v2.92rel2 in order to fix the multiples CVE. We also get others bugfixes (notably regarding DNSSEC validation and a buffer overflow). At this moment, packages are uploading.

QA, can you please test and validate this update.


Here is a tentative advisory:

===================
dnsmasq 2.92rel2

This updated dnsmasq package fix multiples security issues :

	CVE-2026-2291: dnsmasqs extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups to redirect to an attacker-controlled IP address, or to cause a DoS.
	CVE-2026-4890: A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet. 
	CVE-2026-4891: A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet. 
	CVE-2026-4892: A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet. 
	CVE-2026-4893: An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subnet information. 
	CVE-2026-5172: A buffer overflow in dnsmasq’s extract_addresses() function allows an attacker to trigger a heap out-of-bounds read and crash by exploiting a malformed DNS response, enabling extract_name() to advance the pointer past the record’s end. 


References:
https://app.opencve.io/cve/CVE-2026-2291
https://app.opencve.io/cve/CVE-2026-4890
https://app.opencve.io/cve/CVE-2026-4891
https://app.opencve.io/cve/CVE-2026-4892
https://app.opencve.io/cve/CVE-2026-4893
https://app.opencve.io/cve/CVE-2026-5172

https://thekelleys.org.uk/dnsmasq/CHANGELOG

========================


Updated packages in core/updates_testing:
========================
dnsmasq-2.92rel2-1.mga9
dnsmasq-utils-2.92rel2-1.mga9

Source RPMs:
dnsmasq-2.92rel2-1.mga9


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Test procedure:

to install: urpmi dnsmasq

to start: systemctl start dnsmasq.service 
or reboot since dnsmasq.service is started automatically at boot.


with journalctl -u dnsmasq.service, you should get something like that :

 systemd[1]: Started DNS caching server..
 dnsmasq[24364]: demarré, version 2.92rel2 (taille de cache 150)
 dnsmasq[24364]: DNS service limited to local subnets
 dnsmasq[24364]: options à la compilation : IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset no-nftset auth DNSSEC loop-detect inotify dumpfile
 dnsmasq[24364]: Lecture de /etc/resolv.conf
 dnsmasq[24364]: utilise le serveur de nom 192.168.1.1#53


which tell you that without further configuration, dnsmasq use resolv.conf to know where to transmit dns request (here, it's 192.168.1.1). It also listen on all interface (you can see it with netstat -atun and look at the line on port 53).

You can configure your resolver in /etc/dnsmasq.conf (options server= and no-resolv)

To test if dnsmasq can resolv a name, you can use the program host from package bind-utils. In the example below, it asks the IP of mageia.org using the server on localhost (127.0.0.1 (ipv4) or ::1 (ipv6); i.e. the dnsmasq we just started):

host mageia.org 127.0.0.1  

(or host mageia.org ::1 )

which should answer something like that :

Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 

mageia.org has address 163.172.148.228
mageia.org has IPv6 address 2001:bc8:710:175f:dc00:ff:fe2d:c0ff
mageia.org mail is handled by 10 sucuk.mageia.org.
mageia.org mail is handled by 20 neru.mageia.org.


I don't know how to test the dhcp part of dnsmasq without a complex configuration.

thanks

regards
julien

Assignee: pkg-bugs => qa-bugs

Installed and tested without issues.

Tested:
- systemd hardened;
- DNS;
- DHCP;
- DNS and DHCP for libvirtd's isolated and NAT networks.
All OK. No issues noticed.



System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz



$ uname -a
Linux marte 6.6.138-server-1.mga9 #1 SMP PREEMPT_DYNAMIC Fri May  8 16:15:17 UTC 2026 x86_64 GNU/Linux
$ rpm -q dnsmasq
dnsmasq-2.92rel2-1.mga9
$ systemctl status dnsmasq.service
● dnsmasq.service - DNS caching server.
     Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; preset: disabled)
    Drop-In: /etc/systemd/system/dnsmasq.service.d
             └─override.conf
     Active: active (running) since Tue 2026-05-12 22:59:35 WEST; 11h ago
   Main PID: 918832 (dnsmasq)
      Tasks: 1 (limit: 18732)
     Memory: 5.7M
        CPU: 36.287s
     CGroup: /system.slice/dnsmasq.service
             └─918832 /usr/sbin/dnsmasq -k --local-service

<SNIP>
$ cat /etc/systemd/system/dnsmasq.service.d/override.conf
[Service]
Restart=on-failure

User=dnsmasq
Group=dnsmasq

PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed

UMask=0077
NoNewPrivileges=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RemoveIPC=yes

RestrictRealtime=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET AF_INET6

SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

ProtectProc=invisible
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict

AmbientCapabilities=CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_NET_ADMIN

StateDirectory=dnsmasq

Comment 4 looks like a valid test to me. Validating the update.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0135.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED