Hash: SHA1

[slackware-security]  dnsmasq (SSA:2021-040-01)

New dnsmasq packages are available for Slackware 14.0, 14.1, 14.2, and -current
to fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:
patches/packages/dnsmasq-2.84-i586-1_slack14.2.txz:  Upgraded.
  This update fixes bugs and remotely exploitable security issues:
    Use the values of --min-port and --max-port in outgoing
    TCP connections to upstream DNS servers.
    Fix a remote buffer overflow problem in the DNSSEC code. Any
    dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
    referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683
    Be sure to only accept UDP DNS query replies at the address
    from which the query was originated. This keeps as much entropy
    in the {query-ID, random-port} tuple as possible, to help defeat
    cache poisoning attacks. Refer: CVE-2020-25684.
    Use the SHA-256 hash function to verify that DNS answers
    received are for the questions originally asked. This replaces
    the slightly insecure SHA-1 (when compiled with DNSSEC) or
    the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
    Handle multiple identical near simultaneous DNS queries better.
    Previously, such queries would all be forwarded
    independently. This is, in theory, inefficent but in practise
    not a problem, _except_ that is means that an answer for any
    of the forwarded queries will be accepted and cached.
    An attacker can send a query multiple times, and for each repeat,
    another {port, ID} becomes capable of accepting the answer he is
    sending in the blind, to random IDs and ports. The chance of a
    succesful attack is therefore multiplied by the number of repeats
    of the query. The new behaviour detects repeated queries and
    merely stores the clients sending repeats so that when the
    first query completes, the answer can be sent to all the
    clients who asked. Refer: CVE-2020-25686.
  For more information, see:
  (* Security fix *)

Where to find the new packages:

Thanks to the friendly folks at the OSU Open Source Lab
(https://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on https://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.0:

Updated package for Slackware x86_64 14.0:

Updated package for Slackware 14.1:

Updated package for Slackware x86_64 14.1:

Updated package for Slackware 14.2:

Updated package for Slackware x86_64 14.2:

Updated package for Slackware -current:

Updated package for Slackware x86_64 -current:

MD5 signatures:

Slackware 14.0 package:
21656a83c165a785f6fadab6a1af1719  dnsmasq-2.84-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
90cd9eda688df52f01a984506b1248b1  dnsmasq-2.84-x86_64-1_slack14.0.txz

Slackware 14.1 package:
2bde4367a591308ecde01f438cd1c01e  dnsmasq-2.84-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
b926b57679a8c420259c72fab90c73b6  dnsmasq-2.84-x86_64-1_slack14.1.txz

Slackware 14.2 package:
433bd15bc94f577ac2235d246ec222c0  dnsmasq-2.84-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
76081b1d11ac9b9ec3f8580163713163  dnsmasq-2.84-x86_64-1_slack14.2.txz

Slackware -current package:
5dab2510f2d679a10b2b9881f8578053  n/dnsmasq-2.84-i586-1.txz

Slackware x86_64 -current package:
d1fca4e7b70ebdb7136288a3f1707813  n/dnsmasq-2.84-x86_64-1.txz

Installation instructions:

Upgrade the package as root:
# upgradepkg dnsmasq-2.84-i586-1_slack14.2.txz

Then restart dnsmasq if you are using it:
# sh /etc/rc.d/rc.dnsmasq restart