Fedora issued an advisory on August 23: http://lists.fedoraproject.org/pipermail/package-announce/2012-September/086158.html Mageia 1 and Mageia 2 are also affected. It is fixed upstream in 2.63. This one sounds pretty nasty. Details at the RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=838528
CC: (none) => gouessej
Whiteboard: (none) => MGA2TOO, MGA1TOO
Severity: normal => major
Sorry, here's the correct RH bug link: https://bugzilla.redhat.com/show_bug.cgi?id=833033
CC: (none) => julien.moragny
Assignee: bugsquad => julien.moragny
CC: gouessej => (none)
Cauldron is not affected; we are already at version 2.63. I will prepare an update to mga1 and mga2.
Status: NEW => ASSIGNED
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Hmm, in fact, it's a bit more complicated than I initially thought. Dnsmasq used in conjunction with libvirt in certain configurations can receive and process packets from prohibited networks. In 2.63, there is a new option --bind-dynamic which fixes the behavior in these cases. It doesn't fix the problem with other bind-something. CVE-2012-3411
I have uploaded an updated package for Mageia 2. Sadly, I don't have any idea on how to properly test this.

Suggested advisory:
========================
Updated dnsmasq packages fix security vulnerabilities:

When dnsmasq before 2.63 is used in conjunction with certain configurations of libvirtd, network packets from prohibited networks (e.g. packets that should not be passed in) may be sent to the dnsmasq application and processed. This can result in DNS amplification attacks for example. (CVE-2012-3411).

This update adds a new option --bind-dynamic which is immune to this problem.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3411
http://thekelleys.org.uk/dnsmasq/CHANGELOG
========================

Updated packages in core/updates_testing:
========================
dnsmasq-2.63-1.mga2
dnsmasq-base-2.63-1.mga2

Source RPM:
dnsmasq-2.63-1.mga2.src.rpm
I have uploaded an updated package for Mageia 1. Sadly, I don't have any idea on how to properly test this.

Suggested advisory:
========================
Updated dnsmasq packages fix security vulnerabilities:

When dnsmasq before 2.63 is used in conjunction with certain configurations of libvirtd, network packets from prohibited networks (e.g. packets that should not be passed in) may be sent to the dnsmasq application and processed. This can result in DNS amplification attacks for example. (CVE-2012-3411).

This update adds a new option --bind-dynamic which is immune to this problem.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3411
http://thekelleys.org.uk/dnsmasq/CHANGELOG
========================

Updated packages in core/updates_testing:
========================
dnsmasq-2.63-1.mga1
dnsmasq-base-2.63-1.mga1

Source RPM:
dnsmasq-2.63-1.mga1.src.rpm
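A check for the condition the advisory describes, as an added example that is not part of the bug thread or of dnsmasq or libvirt: it classifies an instance by version and bind option, following the advisory (before 2.63 is affected, --bind-dynamic is the option described as immune) and the earlier comment that the other bind options are not fixed. The sample configs, the virbr0 interface name, the verdict labels and treating 2.63rc6 as 2.63 are assumptions.

```shell
#!/bin/sh
# Added example: classify a dnsmasq instance against the CVE-2012-3411 advisory.

# "2.63rc6" or "2.62-1.mga2" -> 2063 / 2062.
# Assumption: a release candidate is treated as its release.
ver_num() {
    printf '%s\n' "$1" | awk -F'[^0-9]+' '{ print $1 * 1000 + $2 }'
}

# Report which bind option a dnsmasq config file enables.
# Comments are stripped first, so "#bind-dynamic" does not count.
bind_mode() {
    opts=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1")
    # Conservative: if both options appear, report bind-interfaces.
    if printf '%s\n' "$opts" | grep -qx 'bind-interfaces'; then
        echo bind-interfaces
    elif printf '%s\n' "$opts" | grep -qx 'bind-dynamic'; then
        echo bind-dynamic
    else
        echo wildcard    # neither option set: dnsmasq's default binding
    fi
}

# usage: assess VERSION CONF_FILE  (verdict labels are this example's own)
assess() {
    mode=$(bind_mode "$2")
    if [ "$(ver_num "$1")" -lt "$(ver_num 2.63)" ]; then
        echo "AFFECTED version=$1 mode=$mode"   # predates the fix
    elif [ "$mode" = bind-dynamic ]; then
        echo "OK version=$1 mode=$mode"         # option the advisory calls immune
    else
        echo "REVIEW version=$1 mode=$mode"     # fixed version, other bind mode
    fi
}

# Constructed sample configs (not taken from the thread).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/old.conf" <<'EOF'
# instance meant to serve the virtual bridge only
interface=virbr0
bind-interfaces
dhcp-range=192.168.122.2,192.168.122.254
EOF
sed 's/^bind-interfaces$/bind-dynamic/' "$tmp/old.conf" > "$tmp/new.conf"

assess 2.62    "$tmp/old.conf"
assess 2.63rc6 "$tmp/old.conf"
assess 2.63    "$tmp/new.conf"
```

A REVIEW verdict means the package carries the fix but the instance is not using the option the advisory names, which is the case the functional dhcp/tftp/dns tests cannot reveal.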
Hi QA,

this is a security bug for dnsmasq. As I wasn't able to patch the current release with the fix (a lot of conflicts and a lack of competence for me), I have updated to 2.63 for both mga1 and mga2.

I didn't include the advisory of ubuntu nor the BR of RedHat in our advisory, maybe it would be better to do it.
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-3411.html

In relation to testing the update, I don't know how to do it, sorry. I can just tell you I'm using the new version on MGA2 64bits without noticing anything different (but I didn't test all the conf).

regards and thank you
Julien
Assignee: julien.moragny => qa-bugs
Nice job, thanks Julien. The advisories you posted are just fine as they are.
Testing complete mga2 64

Tested dhcp, tftp and dns. I'll write the procedure in another comment.
Hardware: i586 => All
Whiteboard: MGA1TOO => MGA1TOO has_procedure mga2-64-OK
Used mga2 64 as the host and a VM as client, you could use another computer or even the same one, although dhcping I think has problems then.

I disabled DHCP in my router.

In /etc/dnsmasq.conf edited the following lines. I had /var/ftp/pub/welcome.msg from a previous proftpd installation, but configure tftp-root somewhere that exists or create something in that path to download.

# This is an example of a DHCP range where the netmask is given. This
# is needed for networks we reach the dnsmasq DHCP server via a relay
# agent. If you don't know what a DHCP relay agent is, you probably
# don't need to worry about this.
dhcp-range=192.168.2.230,192.168.2.237,255.255.255.0,12h

# Enable dnsmasq's built-in TFTP server
enable-tftp

# Set the root directory for files available via FTP.
tftp-root=/var/ftp

# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
# whether it has a record of the lease or not. This avoids long timeouts
# when a machine wakes up on a new network. DO NOT enable this if there's
# the slightest chance that you might end up accidentally configuring a DHCP
# server for your campus/company accidentally. The ISC server uses
# the same option, and this URL provides more information:
# http://www.isc.org/files/auth.html
dhcp-authoritative

Started the server with systemctl. On mga1 it would be 'service dnsmasq start' instead.

# systemctl start dnsmasq.service
# tail /var/log/syslog
dnsmasq[10105]: started, version 2.63rc6 cachesize 150
dnsmasq[10105]: compile time options: IPv6 GNU-getopt DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack
dnsmasq-dhcp[10105]: DHCP, IP range 192.168.2.230 -- 192.168.2.237, lease time 12h
dnsmasq-tftp[10105]: TFTP root is /var/ftp
dnsmasq[10105]: reading /etc/resolv.conf
dnsmasq[10105]: using nameserver 208.67.200.200#53
dnsmasq[10105]: using nameserver 208.67.220.220#53
dnsmasq[10105]: read /etc/hosts - 6 addresses
dnsmasq[10094]: Starting dnsmasq: [ OK ]

On the VM then I installed dhcping. From there I ran the commands below, substitute your own <Host IP> and <Local computer name>.

# dhcping -s <Host IP> -t1
Got answer from: <Host IP>

# nslookup <Local computer name> <Host IP>
Server: <Host IP>
Address: <Host IP>#53

Name: Local computer name
Address: <The correct IP>

# nslookup bbc.co.uk <Host IP>
Server: <Host IP>
Address: <Host IP>#53

Non-authoritative answer:
Name: bbc.co.uk
Address: 212.58.241.131

# tftp <Host IP> -c get pub/welcome.msg
# cat welcome.msg
Welcome, archive user %U@%R !

The local time is: %T

This is an experimental FTP server. If have any unusual problems,
please report them via e-mail to <root@%L>.

Updated to the update candidate and restarted the service then repeated the tests.
Testing complete mga1 32
Whiteboard: MGA1TOO has_procedure mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga2-64-OK
Testing complete mga1 64
Whiteboard: MGA1TOO has_procedure mga1-32-OK mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK
Testing mga2 32
Testing complete Mga2 32

Validated

See comment 4 and comment 5 for srpms and advisories for mga1 & 2

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-32-OK mga2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0273
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED