Linux Security

    Slackware: 2021-040-01: dnsmasq Security Update

    Date 09 Feb 2021
    Posted By LinuxSecurity Advisories
    New dnsmasq packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    [slackware-security]  dnsmasq (SSA:2021-040-01)
    
    New dnsmasq packages are available for Slackware 14.0, 14.1, 14.2, and -current
    to fix security issues.
    
    
    Here are the details from the Slackware 14.2 ChangeLog:
    +--------------------------+
    patches/packages/dnsmasq-2.84-i586-1_slack14.2.txz:  Upgraded.
      This update fixes bugs and remotely exploitable security issues:
        Use the values of --min-port and --max-port in outgoing
        TCP connections to upstream DNS servers.
        Fix a remote buffer overflow problem in the DNSSEC code. Any
        dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
        referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683,
        CVE-2020-25687.
        Be sure to only accept UDP DNS query replies at the address
        from which the query was originated. This keeps as much entropy
        in the {query-ID, random-port} tuple as possible, to help defeat
        cache poisoning attacks. Refer: CVE-2020-25684.
        Use the SHA-256 hash function to verify that DNS answers
        received are for the questions originally asked. This replaces
        the slightly insecure SHA-1 (when compiled with DNSSEC) or
        the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
        Handle multiple identical near simultaneous DNS queries better.
        Previously, such queries would all be forwarded
        independently. This is, in theory, inefficient but in practice
        not a problem, _except_ that it means that an answer for any
        of the forwarded queries will be accepted and cached.
        An attacker can send a query multiple times, and for each repeat,
        another {port, ID} becomes capable of accepting the answer he is
        sending in the blind, to random IDs and ports. The chance of a
        successful attack is therefore multiplied by the number of repeats
        of the query. The new behaviour detects repeated queries and
        merely stores the clients sending repeats so that when the
        first query completes, the answer can be sent to all the
        clients who asked. Refer: CVE-2020-25686.
      For more information, see:
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25681
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25682
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25683
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25684
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25685
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25686
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25687
      (* Security fix *)
    +--------------------------+
    
    
    Where to find the new packages:
    +-----------------------------+
    
    Thanks to the friendly folks at the OSU Open Source Lab
    (https://osuosl.org) for donating FTP and rsync hosting
    to the Slackware project!  :-)
    
    Also see the "Get Slack" section on https://slackware.com for
    additional mirror sites near you.
    
    Updated package for Slackware 14.0:
    ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/dnsmasq-2.84-i486-1_slack14.0.txz
    
    Updated package for Slackware x86_64 14.0:
    ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/dnsmasq-2.84-x86_64-1_slack14.0.txz
    
    Updated package for Slackware 14.1:
    ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/dnsmasq-2.84-i486-1_slack14.1.txz
    
    Updated package for Slackware x86_64 14.1:
    ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/dnsmasq-2.84-x86_64-1_slack14.1.txz
    
    Updated package for Slackware 14.2:
    ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/dnsmasq-2.84-i586-1_slack14.2.txz
    
    Updated package for Slackware x86_64 14.2:
    ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/dnsmasq-2.84-x86_64-1_slack14.2.txz
    
    Updated package for Slackware -current:
    ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/dnsmasq-2.84-i586-1.txz
    
    Updated package for Slackware x86_64 -current:
    ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/dnsmasq-2.84-x86_64-1.txz
    
    
    MD5 signatures:
    +-------------+
    
    Slackware 14.0 package:
    21656a83c165a785f6fadab6a1af1719  dnsmasq-2.84-i486-1_slack14.0.txz
    
    Slackware x86_64 14.0 package:
    90cd9eda688df52f01a984506b1248b1  dnsmasq-2.84-x86_64-1_slack14.0.txz
    
    Slackware 14.1 package:
    2bde4367a591308ecde01f438cd1c01e  dnsmasq-2.84-i486-1_slack14.1.txz
    
    Slackware x86_64 14.1 package:
    b926b57679a8c420259c72fab90c73b6  dnsmasq-2.84-x86_64-1_slack14.1.txz
    
    Slackware 14.2 package:
    433bd15bc94f577ac2235d246ec222c0  dnsmasq-2.84-i586-1_slack14.2.txz
    
    Slackware x86_64 14.2 package:
    76081b1d11ac9b9ec3f8580163713163  dnsmasq-2.84-x86_64-1_slack14.2.txz
    
    Slackware -current package:
    5dab2510f2d679a10b2b9881f8578053  n/dnsmasq-2.84-i586-1.txz
    
    Slackware x86_64 -current package:
    d1fca4e7b70ebdb7136288a3f1707813  n/dnsmasq-2.84-x86_64-1.txz
    
    
    Installation instructions:
    +------------------------+
    
    Upgrade the package as root:
    # upgradepkg dnsmasq-2.84-i586-1_slack14.2.txz
    
    Then restart dnsmasq if you are using it:
    # sh /etc/rc.d/rc.dnsmasq restart
    
    
    +-----+
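
An added triage check for the fixes listed above (not part of the Slackware advisory): it reads `dnsmasq --version` output and the configuration text, reports whether the build predates 2.84, and whether the DNSSEC overflow condition (compiled in and enabled) also applies. The function names, the sample output and the `/etc/dnsmasq.conf` path are assumptions; `dnssec` set through `conf-file`, `conf-dir` or the command line is not detected.

```shell
#!/bin/sh
# Added example, not from the advisory: triage a host against SSA:2021-040-01.
FIXED=2.84   # version shipped by the updated packages

# version_lt A B: succeed when dotted version A is older than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# assess VERSION_TEXT CONFIG_TEXT: print a one-line verdict.
#   VERSION_TEXT is the output of `dnsmasq --version`,
#   CONFIG_TEXT the contents of dnsmasq.conf (path assumed: /etc/dnsmasq.conf).
assess() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^Dnsmasq version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo "unknown: no version found"; return 0; }
    version_lt "$ver" "$FIXED" || { echo "fixed: $ver"; return 0; }
    # Builds older than 2.84 lack the cache-poisoning fixes regardless of options.
    # The overflow needs DNSSEC compiled in ("DNSSEC" as its own token, while
    # "no-DNSSEC" means it is absent) and a bare "dnssec" line in the config.
    if printf '%s\n' "$1" | grep '^Compile time options:' |
           grep -Eq '(^|[[:space:]])DNSSEC([[:space:]]|$)' &&
       printf '%s\n' "$2" |
           grep -Eq '^[[:space:]]*dnssec[[:space:]]*(#.*)?$'; then
        echo "vulnerable: $ver, cache poisoning and DNSSEC overflow"
    else
        echo "vulnerable: $ver, cache poisoning"
    fi
}

# Constructed sample of `dnsmasq --version` output from an unpatched build.
SAMPLE='Dnsmasq version 2.78  Copyright (c) 2000-2017 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus DHCP DHCPv6 auth DNSSEC inotify'

assess "$SAMPLE" 'dnssec'
# On a real host:
#   assess "$(dnsmasq --version)" "$(cat /etc/dnsmasq.conf)"
```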
    
