Bug#1079941: bookworm-pu: package dnsmasq/2.90-4~deb12u1

To: 1079941@bugs.debian.org
Subject: Bug#1079941: bookworm-pu: package dnsmasq/2.90-4~deb12u1
From: Lee Garrett <debian@rocketjump.eu>
Date: Sun, 1 Dec 2024 22:14:16 +0100
Message-id: <[🔎] 4cf5688a-f9bd-456d-a0f2-35ac98d094da@rocketjump.eu>
Reply-to: Lee Garrett <debian@rocketjump.eu>, 1079941@bugs.debian.org
In-reply-to: <172487374488.547560.3600278299957860897.reportbug@batou.fritz.box>
References: <172487374488.547560.3600278299957860897.reportbug@batou.fritz.box> <172487374488.547560.3600278299957860897.reportbug@batou.fritz.box> <172487374488.547560.3600278299957860897.reportbug@batou.fritz.box>

Hi,

these three CVEs are now fixed in buster and bullseye. This means users whoupgrade to bookworm will be vulnerable to those issues again. Can we get adecision from the release team on this bug? Is there any information missing tomake a decision?


Kind regards,
Lee



On Wed, 28 Aug 2024 21:35:44 +0200 Lee Garrett <debian@rocketjump.eu> wrote:

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: dnsmasq@packages.debian.org, Simon Kelley <simon@thekelleys.org.uk>, Sven Geuer <debmaint@g-e-u-e-r.de>, debian@rocketjump.eu
Control: affects -1 + src:dnsmasq

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
I'm filing a bookwork-pu for dnsmasq after discussion with the maintainers
(CCed) to fix the following CVEs:
    - CVE-2023-28450 - Reduce default maximum EDNS.0 UDP packet size due to DNS
      Flag Day 2020
    - CVE-2023-50387, CVE-2023-50868 - DNSSEC validation CPU exhaustion
      ("Keytrap")

This is a backport of 2.90-4 from trixie, as the code changes for the two
keytrap CVEs are rather extensive, and backporting them are risky. There are no
behavioural changes of the package to existing config/parameters, so upgrading
does not require users to update their config.

The upstream maintainer (Simon Kelley) has publicly recommended to refrain from
backporting when possible:

"The security fixes are conceptually complex, but they ended up touchinga lot of code, so backporting them is going to be difficult. I'dencourage anyone who can to upgrade rather than backporting."


Source: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html

[ Impact ]
Users will be affected by the three CVEs mentioned above. CVE-2023-28450 allows
for DoS in certain situations, and the keytrap issues allow for DoS via
resource exhaustion, when the attacker convinces the dnsmasq user to resolve a
specially crafted RR that is secured via DNSSEC.

[ Tests ]
The autopkgtests run through fine, and I have done some minor manual tests.


[ Risks ]
This is a backport of a newer version. The risk of regression is a bit higher
than a targeted fix, I believe however that the risks of backporting an
extensive set of patches is higher.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
This is a no-changes backport of 2.90-4 from trixie, fixing the above three
CVEs.

The upstream changelog for 2.90 is here: https://thekelleys.org.uk/dnsmasq/CHANGELOG

Reply to:

Follow-Ups:
- Bug#1079941: bookworm-pu: package dnsmasq/2.90-4~deb12u1
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Bug#1088797: transition: libfm-qt
Next by Date: Bug#1088819: marked as done (RM: kio-gdrive/22.12.3-1)
Previous by thread: Bug#1088820: marked as done (RM: koko/23.08.5+ds.1-2+b1)
Next by thread: Bug#1079941: bookworm-pu: package dnsmasq/2.90-4~deb12u1
Index(es):
- Date
- Thread