Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: dnsmasq@packages.debian.org, Simon Kelley <simon@thekelleys.org.uk>, Sven Geuer <debmaint@g-e-u-e-r.de>, debian@rocketjump.eu
Control: affects -1 + src:dnsmasq
(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)
[ Reason ]
I'm filing a bookworm-pu for dnsmasq after discussion with the maintainers
(CCed) to fix the following CVEs:
- CVE-2023-28450 - Reduce default maximum EDNS.0 UDP packet size due to DNS
Flag Day 2020
- CVE-2023-50387, CVE-2023-50868 - DNSSEC validation CPU exhaustion
("Keytrap")
This is a backport of 2.90-4 from trixie, as the code changes for the two
Keytrap CVEs are rather extensive and backporting them is risky. Existing
configuration files and command-line parameters keep working unchanged, so
upgrading does not require users to update their config.
The upstream maintainer (Simon Kelley) has publicly recommended upgrading rather
than backporting wherever possible:
"The security fixes are conceptually complex, but they ended up touching
a lot of code, so backporting them is going to be difficult. I'd
encourage anyone who can to upgrade rather than backporting."
Source: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
[ Impact ]
Users will be affected by the three CVEs mentioned above. CVE-2023-28450 (a
default EDNS.0 UDP buffer of 4096 bytes, above the 1232 bytes recommended by DNS
Flag Day 2020) allows for DoS in certain situations, and the Keytrap issues allow
for DoS via CPU exhaustion on an instance that performs DNSSEC validation (the
dnssec option), when an attacker gets a client of dnsmasq to resolve a name
whose specially crafted records are DNSSEC-signed.
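For anyone who wants to check what an installed dnsmasq actually advertises
upstream for CVE-2023-28450, the following is an added example (not part of
this request, of the Debian package, or of dnsmasq): it builds a minimal DNS
query carrying an EDNS0 OPT pseudo-RR (RFC 6891) and parses the advertised UDP
payload size back out of the additional section, so that a query captured from
a resolver can be compared against the 1232-byte DNS Flag Day 2020 limit. The
query names, transaction id and sample sizes are constructed for the example.

```python
"""Build and inspect the EDNS0 UDP payload size in a DNS query (RFC 6891).

Added example; not code from dnsmasq or from the Debian package. The
queries below are constructed inline so the script runs offline; the same
parser can be pointed at raw bytes captured from a resolver's upstream port.
"""
import struct

FLAG_DAY_MAX = 1232          # DNS Flag Day 2020 recommended maximum
OLD_DNSMASQ_DEFAULT = 4096   # default before dnsmasq 2.90 (CVE-2023-28450)
TYPE_OPT = 41                # OPT pseudo-RR type


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, udp_size=None, txid=0x1234, dnssec_ok=False):
    """Return a recursive query; add an OPT RR if udp_size is given."""
    flags = 0x0100                           # RD set, everything else clear
    arcount = 1 if udp_size is not None else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b""
    if udp_size is not None:
        # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size,
        # the TTL field holds extended RCODE/version/flags (DO bit = 0x8000),
        # and RDLENGTH 0 because no options follow.
        ttl = 0x8000 if dnssec_ok else 0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return header + question + opt


def skip_name(buf, off):
    """Advance past a wire-format name (handles compression pointers)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:            # compression pointer: 2 bytes
            return off + 2
        off += 1 + length


def advertised_udp_size(msg):
    """Return the EDNS0 UDP payload size from the OPT RR, or None if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):                      # question: name + type + class
        off = skip_name(msg, off) + 4
    for _ in range(an + ns):                 # answer/authority: skip RRs
        off = skip_name(msg, off)
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlen
    for _ in range(ar):                      # additional: look for OPT
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return None


def exceeds_flag_day(msg):
    """True if the query advertises more than the Flag Day 2020 limit."""
    size = advertised_udp_size(msg)
    return size is not None and size > FLAG_DAY_MAX


if __name__ == "__main__":
    # Constructed samples: the pre-2.90 default and the fixed default.
    for size in (OLD_DNSMASQ_DEFAULT, FLAG_DAY_MAX):
        q = build_query("example.com", udp_size=size, dnssec_ok=True)
        print(size, "advertised ->", advertised_udp_size(q),
              "exceeds Flag Day limit:", exceeds_flag_day(q))
```

To apply it to a live instance, capture the first UDP query dnsmasq sends to its
upstream server (for example with tcpdump on the upstream interface) and feed
the raw payload bytes to advertised_udp_size(); a fixed 2.90 package should not
report a value above 1232 unless edns-packet-max has been raised in the config.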
[ Tests ]
The autopkgtests pass, and I have done some minor manual tests.
[ Risks ]
This is a backport of a newer version. The risk of regression is a bit higher
than with a targeted fix; I believe, however, that the risk of backporting an
extensive set of patches is higher.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
This is a no-changes backport of 2.90-4 from trixie, fixing the above three
CVEs.
The upstream changelog for 2.90 is here: https://thekelleys.org.uk/dnsmasq/CHANGELOG