MGASA-2020-0310 - Updated dnsmasq packages fix security vulnerability

Publication date: 31 Jul 2020
URL: https://advisories.mageia.org/MGASA-2020-0310.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-14312

The updated dnsmasq package fixes an insecure default configuration that
could potentially make it an open resolver (CVE-2020-14312).

In its default configuration, dnsmasq listens for and answers queries from
any address, even one outside the local subnet. Thus, it may inadvertently
become an open resolver which might be used in Distributed Denial of
Service attacks.

This update adds the option --local-service at startup, which limits
dnsmasq to listening only to machines on the same local network.

This option only takes effect if none of the following options are present
on the command line or in dnsmasq.conf (where they are written without the
double dash):
--interface
--except-interface
--listen-address
--auth-server
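
A way to check whether --local-service actually takes effect on a given host, as an added example that is not part of the advisory or the dnsmasq package. The function names and sample inputs are constructed for illustration; the check assumes long option names only and does not follow files pulled in through other configuration directives.

```python
import shlex

# Options that, per the advisory, stop --local-service from taking effect.
OVERRIDING = {"interface", "except-interface", "listen-address", "auth-server"}

def conf_options(conf_text):
    """Yield option names from dnsmasq.conf text (written without dashes)."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if line:
            yield line.split("=", 1)[0].strip()

def cmdline_options(cmdline):
    """Yield long option names (--name or --name=value) from a command line."""
    for tok in shlex.split(cmdline):
        if tok.startswith("--"):
            yield tok[2:].split("=", 1)[0]

def check_local_service(conf_text, cmdline):
    """Return (effective, overriding options found, sorted)."""
    seen = set(conf_options(conf_text)) | set(cmdline_options(cmdline))
    overrides = sorted(seen & OVERRIDING)
    # Effective only if the option is set and nothing on the list is present.
    return ("local-service" in seen and not overrides), overrides

# Constructed sample inputs (not taken from a real system).
SAMPLE_CMDLINE = "/usr/sbin/dnsmasq --local-service"
SAMPLE_CONF_DEFAULT = """\
domain-needed
bogus-priv
cache-size=1000
"""
SAMPLE_CONF_OVERRIDE = """\
#interface=eth1
listen-address=192.0.2.10   # constructed address
except-interface=lo
"""

if __name__ == "__main__":
    for name, conf in (("default", SAMPLE_CONF_DEFAULT),
                       ("override", SAMPLE_CONF_OVERRIDE)):
        effective, overrides = check_local_service(conf, SAMPLE_CMDLINE)
        print(f"{name}: local-service effective={effective} overrides={overrides}")
```

When the check reports overriding options, the listener restriction comes from those options instead, so they need to be reviewed on their own.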

References:
- https://bugs.mageia.org/show_bug.cgi?id=26964
- https://bugzilla.redhat.com/show_bug.cgi?id=1851342
- https://bugzilla.redhat.com/show_bug.cgi?id=1852373
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14312

SRPMS:
- 7/core/dnsmasq-2.80-5.3.mga7
