
[SECURITY] [DLA 3974-1] dnsmasq security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

From: Lee Garrett <debian@rocketjump.eu>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3974-1] dnsmasq security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3974-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Lee Garrett
November 29, 2024                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : dnsmasq
Version        : 2.85-1+deb11u1
CVE ID         : CVE-2022-0934 CVE-2023-28450 CVE-2023-50387 CVE-2023-50868
Debian Bug     : 

Multiple vulnerabilities have been fixed in dnsmasq, a small caching DNS
proxy and DHCP/TFTP server.

CVE-2022-0934

    A single-byte, non-arbitrary write/use-after-free flaw was found in the
    DHCPv6 server code of dnsmasq. An attacker who can send a crafted DHCPv6
    packet that dnsmasq processes can potentially cause a denial of service
    (crash of the daemon).

CVE-2023-28450

    An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS0
    UDP payload size that dnsmasq advertises (edns-packet-max) was 4096 bytes,
    but should be 1232 bytes as recommended by DNS Flag Day 2020: 1232 is the
    largest payload that fits in a single unfragmented packet at the IPv6
    minimum MTU of 1280 bytes, and avoiding IP fragmentation closes off a class
    of fragmentation-based cache poisoning attacks. Until the update is
    installed, the same limit can be set explicitly with edns-packet-max=1232
    in /etc/dnsmasq.conf.
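    The following parser is an added example, not code from this advisory or
    from dnsmasq itself. It builds a sample query carrying an EDNS0 OPT record
    (the payload-size field is the one that edns-packet-max controls for the
    queries dnsmasq forwards upstream) and then reads that advertised size back
    out of an arbitrary DNS message, so a captured packet can be checked against
    the Flag Day limit. The function names, the 1232-byte constant's derivation,
    and the sample query are the example's own assumptions; the wire layout is
    RFC 1035/RFC 6891.

```python
import struct
from typing import Optional

FLAG_DAY_2020_BUFSIZE = 1232   # 1280 (IPv6 minimum MTU) - 40 (IPv6 header) - 8 (UDP header)
OPT_TYPE = 41                  # RFC 6891 OPT pseudo-RR type


def wire_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format: length-prefixed labels, root terminator."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, bufsize: Optional[int] = None, qid: int = 0x1234) -> bytes:
    """Constructed sample: a recursive A query, optionally with an OPT RR advertising
    `bufsize` as the UDP payload size (the value dnsmasq's edns-packet-max sets)."""
    arcount = 0 if bufsize is None else 1
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD=1, one question
    question = wire_name(qname) + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN
    opt = b""
    if bufsize is not None:
        # OPT RR: root owner, TYPE=41, CLASS=UDP payload size, TTL=ext-RCODE/version/flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, 0, 0)
    return header + question + opt


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a wire-format name, honouring RFC 1035 compression pointers."""
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length & 0xC0 == 0xC0:   # two-byte pointer terminates the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def edns_udp_size(pkt: bytes) -> Optional[int]:
    """UDP payload size advertised in the message's OPT RR, or None if there is no EDNS0."""
    if len(pkt) < 12:
        raise ValueError("truncated header")
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4                    # QTYPE + QCLASS
    for _ in range(ancount + nscount):                    # skip answer and authority RRs
        off = _skip_name(pkt, off)
        (rdlen,) = struct.unpack("!H", pkt[off + 8:off + 10])
        off += 10 + rdlen
    for _ in range(arcount):                              # OPT lives in the additional section
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass                                 # the CLASS field carries the size
        off += 10 + rdlen
    return None


def exceeds_flag_day_limit(pkt: bytes, limit: int = FLAG_DAY_2020_BUFSIZE) -> bool:
    """True when the message advertises a larger buffer than Flag Day 2020 recommends."""
    size = edns_udp_size(pkt)
    return size is not None and size > limit


if __name__ == "__main__":
    for size in (None, 1232, 4096):
        q = build_query("example.com.", size)
        print(size, edns_udp_size(q), exceeds_flag_day_limit(q))
```

    Pointing the parser at traffic captured between dnsmasq and its upstream
    resolvers shows directly whether the running build still advertises 4096.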

CVE-2023-50387

    Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840,
    and related RFCs) allow remote attackers to cause a denial of service (CPU
    consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One
    of the concerns is that, when there is a zone with many DNSKEY and RRSIG
    records, the protocol specification implies that an algorithm must evaluate
    all combinations of DNSKEY and RRSIG records. Only dnsmasq instances that
    validate DNSSEC themselves (the dnssec option) perform this work; a
    non-validating forwarder is not affected by this issue or by
    CVE-2023-50868.
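    The model below is an added example, not code from this advisory or from
    dnsmasq, and it shows the colliding-key-tag variant of KeyTrap only. It uses
    the real RFC 4034 key tag algorithm to forge many DNSKEYs that share one
    tag, so a validator following the specification must try every RRSIG against
    every key. Signature verification is replaced by a constructed sha256
    stand-in (what matters is the count of verifications, not the algorithm),
    and the 16-verification budget of the hardened validator is an assumed
    value, illustrating the shape of the fixes rather than dnsmasq's exact
    limit.

```python
import hashlib

MAX_VERIFICATIONS_PER_RRSET = 16   # assumed work budget for the hardened validator


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def forge_dnskey(seed: bytes, target_tag: int) -> bytes:
    """DNSKEY RDATA (flags=256, protocol=3, algorithm=13) with a chosen key tag.
    The tag is a 16-bit checksum, so the last two bytes of the key field can be
    picked to hit any value; that is why an attacker can ship many DNSKEYs that
    all share one tag. The key material is constructed, not a real public key."""
    header = b"\x01\x00\x03\x0d"
    for salt in range(256):
        body = header + hashlib.sha256(seed + bytes([salt])).digest()[:28] + bytes([salt, 0])
        partial = sum((body[i] << 8) + body[i + 1] for i in range(0, len(body), 2))
        for w in range(0x10000):
            ac = partial + w
            if ((ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF) == target_tag:
                rdata = body + w.to_bytes(2, "big")
                assert key_tag(rdata) == target_tag
                return rdata
    raise ValueError("no key tag collision found")


def toy_sign(dnskey: bytes, rrset: bytes) -> bytes:
    """Constructed stand-in for a DNSSEC signature; not a real signing algorithm."""
    return hashlib.sha256(dnskey + rrset).digest()


def toy_verify(dnskey: bytes, rrset: bytes, signature: bytes) -> bool:
    return toy_sign(dnskey, rrset) == signature


def validate_naive(rrset, rrsigs, dnskeys):
    """Validator as the RFCs describe it: every RRSIG against every DNSKEY whose key tag
    matches, stopping at the first signature that verifies. Returns (status, verifications)."""
    attempts = 0
    for tag, sig in rrsigs:
        for key in dnskeys:
            if key_tag(key) != tag:
                continue
            attempts += 1
            if toy_verify(key, rrset, sig):
                return "secure", attempts
    return "bogus", attempts


def validate_budgeted(rrset, rrsigs, dnskeys, budget=MAX_VERIFICATIONS_PER_RRSET):
    """Same loop with a cap on cryptographic work per RRset: once the budget is spent the
    RRset is treated as bogus instead of burning more CPU. A legitimate zone never needs
    this many verifications, so the cap costs nothing in the benign case."""
    attempts = 0
    for tag, sig in rrsigs:
        for key in dnskeys:
            if key_tag(key) != tag:
                continue
            if attempts >= budget:
                return "bogus", attempts
            attempts += 1
            if toy_verify(key, rrset, sig):
                return "secure", attempts
    return "bogus", attempts


def keytrap_response(n_keys=16, n_bogus_sigs=16, tag=0x1234):
    """Constructed attacker response: n_keys DNSKEYs sharing one key tag (the last one
    is the genuine key) and n_bogus_sigs garbage RRSIGs placed ahead of the valid one."""
    rrset = b"www.example. 300 IN A 192.0.2.1"   # constructed RRset bytes
    keys = [forge_dnskey(b"key%d" % i, tag) for i in range(n_keys)]
    rrsigs = [(tag, hashlib.sha256(b"bogus%d" % i).digest()) for i in range(n_bogus_sigs)]
    rrsigs.append((tag, toy_sign(keys[-1], rrset)))
    return rrset, rrsigs, keys


if __name__ == "__main__":
    rrset, rrsigs, keys = keytrap_response()
    print("naive   :", validate_naive(rrset, rrsigs, keys))      # 16*16 + 16 verifications
    print("budgeted:", validate_budgeted(rrset, rrsigs, keys))   # stops after 16
```

    With 16 keys and 16 decoy signatures the naive loop performs 272
    verifications before it finds the one valid pair, and each extra key or
    signature the attacker adds grows the product; the budgeted loop stops at
    16 and rejects the RRset.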

CVE-2023-50868

    The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC
    9276 guidance is skipped) allows remote attackers to cause a denial of
    service (CPU consumption for SHA-1 computations) via DNSSEC responses in a
    random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification
    implies that an algorithm must perform thousands of iterations of a hash
    function in certain situations.
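    The code below is an added example, not code from this advisory or from
    dnsmasq. It implements the RFC 5155 iterated SHA-1 owner-name hash, counts
    the hash invocations a validator spends on one closest encloser proof for a
    random subdomain (the QNAME and every ancestor up to the zone apex, each
    hashed iterations+1 times), and shows the RFC 9276 style cut-off of
    refusing to hash at all above a configured iteration count. The 100
    iteration limit is the example's assumed threshold; the function names and
    sample names are likewise the example's own.

```python
import hashlib

MAX_ITERATIONS = 100   # assumed cut-off, in the spirit of RFC 9276 section 3.2
B32HEX = "0123456789abcdefghijklmnopqrstuv"


def base32hex(data: bytes) -> str:
    """RFC 4648 base32hex without padding, lowercase, as used for NSEC3 owner names."""
    nbits = len(data) * 8
    nchars = -(-nbits // 5)
    v = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(B32HEX[(v >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def wire_name(name: str) -> bytes:
    """Canonical (lowercased) wire-format name: length-prefixed labels, root terminator."""
    labels = [l.lower() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int):
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt), IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    Returns (base32hex owner label, number of SHA-1 invocations)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest), iterations + 1


def closest_encloser_candidates(qname: str, zone: str):
    """Names a validator has to hash for a closest encloser proof: the QNAME and each
    ancestor up to and including the zone apex."""
    q = qname.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    if q[-len(z):] != z:
        raise ValueError("qname is not inside zone")
    return [".".join(q[i:]) for i in range(len(q) - len(z) + 1)]


def closest_encloser_cost(qname: str, zone: str, iterations: int) -> int:
    """SHA-1 invocations a naive validator spends on one NXDOMAIN proof for qname.
    The attacker picks both the iteration count (in the NSEC3 records it sends)
    and the label depth of the random name it makes the resolver look up."""
    return len(closest_encloser_candidates(qname, zone)) * (iterations + 1)


def hashed_candidates(qname, zone, salt, iterations, max_iterations=MAX_ITERATIONS):
    """Hardened validator step: above the iteration limit do no hashing at all and
    return None, meaning 'treat the response as insecure'; otherwise hash every
    candidate name once (a real validator caches these across NSEC3 records)."""
    if iterations > max_iterations:
        return None
    return {n: nsec3_hash(n, salt, iterations)[0]
            for n in closest_encloser_candidates(qname, zone)}


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")
    print(nsec3_hash("example", salt, 12))                        # RFC 5155 Appendix A apex hash
    for iters in (0, 150, 2500):
        print(iters, closest_encloser_cost("k7q2z.w.example", "example", iters),
              hashed_candidates("k7q2z.w.example", "example", salt, iters) is not None)
```

    The first value printed reproduces the owner name of the apex NSEC3 record
    in the RFC 5155 Appendix A example zone (salt aabbccdd, 12 iterations),
    which is the quickest way to confirm an implementation hashes correctly
    before trusting its cost figures.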

For Debian 11 bullseye, these problems have been fixed in version
2.85-1+deb11u1.

We recommend that you upgrade your dnsmasq packages.

For the detailed security status of dnsmasq please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dnsmasq

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

