[SECURITY] [DLA 3974-1] dnsmasq security update
From: Lee Garrett <debian@rocketjump.eu>
To: debian-lts-announce@lists.debian.org
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3974-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Lee Garrett
November 29, 2024                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package        : dnsmasq
Version        : 2.85-1+deb11u1
CVE ID         : CVE-2022-0934 CVE-2023-28450 CVE-2023-50387 CVE-2023-50868
Debian Bug     :
Brief introduction
CVE-2022-0934
A single-byte, non-arbitrary write/use-after-free flaw was found in dnsmasq.
This flaw allows an attacker who sends a crafted packet processed by
dnsmasq to potentially cause a denial of service.
CVE-2023-28450
An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0
UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day
2020.
CVE-2023-50387
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840,
and related RFCs) allow remote attackers to cause a denial of service (CPU
consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One
of the concerns is that, when there is a zone with many DNSKEY and RRSIG
records, the protocol specification implies that an algorithm must evaluate
all combinations of DNSKEY and RRSIG records.
CVE-2023-50868
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC
9276 guidance is skipped) allows remote attackers to cause a denial of
service (CPU consumption for SHA-1 computations) via DNSSEC responses in a
random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification
implies that an algorithm must perform thousands of iterations of a hash
function in certain situations.
For Debian 11 bullseye, these problems have been fixed in version
2.85-1+deb11u1.
We recommend that you upgrade your dnsmasq packages.
For the detailed security status of dnsmasq please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dnsmasq
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
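
A configuration check related to CVE-2023-28450 and the two DNSSEC issues above, added here as an example that is not part of the advisory or of dnsmasq itself. It scans dnsmasq configuration text for the edns-packet-max and dnssec options; the function name, the sample configuration and the simplified parsing (no conf-file/conf-dir includes, a later setting wins) are assumptions.

```python
SAFE_EDNS_MAX = 1232  # value CVE-2023-28450 says the default should be

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
# local resolver
port=53
edns-packet-max=4096
dnssec
#edns-packet-max=1232
"""

def audit_dnsmasq_conf(text):
    """Return (edns_max or None, dnssec_enabled, findings) for config text."""
    edns_max, dnssec, findings = None, False, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Simplification: everything after '#' is treated as a comment.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "edns-packet-max":
            if value.isdigit():
                edns_max = int(value)  # assumption: a later setting wins
            else:
                findings.append(f"line {lineno}: edns-packet-max value {value!r} is not a number")
        elif key == "dnssec":
            dnssec = True
    if edns_max is None:
        findings.append("edns-packet-max not set: the built-in default applies, "
                        "which is 4096 in versions affected by CVE-2023-28450")
    elif edns_max > SAFE_EDNS_MAX:
        findings.append(f"edns-packet-max={edns_max} exceeds {SAFE_EDNS_MAX}")
    if dnssec:
        findings.append("dnssec is enabled: DNSSEC validation is the code path "
                        "CVE-2023-50387 and CVE-2023-50868 concern")
    return edns_max, dnssec, findings

if __name__ == "__main__":
    edns_max, dnssec, findings = audit_dnsmasq_conf(SAMPLE_CONF)
    print(f"edns-packet-max={edns_max} dnssec={dnssec}")
    for finding in findings:
        print(" -", finding)
```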