-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  dnsmasq (SSA:2021-040-01)

New dnsmasq packages are available for Slackware 14.0, 14.1, 14.2, and -current
to fix security issues.


Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/dnsmasq-2.84-i586-1_slack14.2.txz:  Upgraded.
  This update fixes bugs and remotely exploitable security issues:
    Use the values of --min-port and --max-port in outgoing
    TCP connections to upstream DNS servers.
    Fix a remote buffer overflow problem in the DNSSEC code. Any
    dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
    referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683
    CVE-2020-25687.
    Be sure to only accept UDP DNS query replies at the address
    from which the query was originated. This keeps as much entropy
    in the {query-ID, random-port} tuple as possible, to help defeat
    cache poisoning attacks. Refer: CVE-2020-25684.
    Use the SHA-256 hash function to verify that DNS answers    received are for the questions originally asked. This replaces
    the slightly insecure SHA-1 (when compiled with DNSSEC) or
    the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
    Handle multiple identical near simultaneous DNS queries better.
    Previously, such queries would all be forwarded
    independently. This is, in theory, inefficent but in practise
    not a problem, _except_ that is means that an answer for any
    of the forwarded queries will be accepted and cached.
    An attacker can send a query multiple times, and for each repeat,
    another {port, ID} becomes capable of accepting the answer he is
    sending in the blind, to random IDs and ports. The chance of a
    succesful attack is therefore multiplied by the number of repeats
    of the query. The new behaviour detects repeated queries and
    merely stores the clients sending repeats so that when the
    first query completes, the answer can be sent to all the
    clients who asked. Refer: CVE-2020-25686.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25681
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25682
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25683
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25684
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25685
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25686
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25687
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(https://osuosl.org/) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://www.slackware.com/ for
additional mirror sites near you.

Updated package for Slackware 14.0:

Updated package for Slackware x86_64 14.0:

Updated package for Slackware 14.1:

Updated package for Slackware x86_64 14.1:

Updated package for Slackware 14.2:

Updated package for Slackware x86_64 14.2:

Updated package for Slackware -current:

Updated package for Slackware x86_64 -current:


MD5 signatures:
+-------------+

Slackware 14.0 package:
21656a83c165a785f6fadab6a1af1719  dnsmasq-2.84-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
90cd9eda688df52f01a984506b1248b1  dnsmasq-2.84-x86_64-1_slack14.0.txz

Slackware 14.1 package:
2bde4367a591308ecde01f438cd1c01e  dnsmasq-2.84-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
b926b57679a8c420259c72fab90c73b6  dnsmasq-2.84-x86_64-1_slack14.1.txz

Slackware 14.2 package:
433bd15bc94f577ac2235d246ec222c0  dnsmasq-2.84-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
76081b1d11ac9b9ec3f8580163713163  dnsmasq-2.84-x86_64-1_slack14.2.txz

Slackware -current package:
5dab2510f2d679a10b2b9881f8578053  n/dnsmasq-2.84-i586-1.txz

Slackware x86_64 -current package:
d1fca4e7b70ebdb7136288a3f1707813  n/dnsmasq-2.84-x86_64-1.txz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg dnsmasq-2.84-i586-1_slack14.2.txz

Then restart dnsmasq if you are using it:
# sh /etc/rc.d/rc.dnsmasq restart


+-----+

Slackware: 2021-040-01: dnsmasq Security Update

February 9, 2021
New dnsmasq packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues

Summary

Here are the details from the Slackware 14.2 ChangeLog: patches/packages/dnsmasq-2.84-i586-1_slack14.2.txz: Upgraded. This update fixes bugs and remotely exploitable security issues: Use the values of --min-port and --max-port in outgoing TCP connections to upstream DNS servers. Fix a remote buffer overflow problem in the DNSSEC code. Any dnsmasq with DNSSEC compiled in and enabled is vulnerable to this, referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 CVE-2020-25687. Be sure to only accept UDP DNS query replies at the address from which the query was originated. This keeps as much entropy in the {query-ID, random-port} tuple as possible, to help defeat cache poisoning attacks. Refer: CVE-2020-25684. Use the SHA-256 hash function to verify that DNS answers received are for the questions originally asked. This replaces the slightly insecure SHA-1 (when compiled with DNSSEC) or the very insecure CRC32 (otherwise). Refer: CVE-2020-25685. Handle multiple identical near simultaneous DNS queries better. Previously, such queries would all be forwarded independently. This is, in theory, inefficent but in practise not a problem, _except_ that is means that an answer for any of the forwarded queries will be accepted and cached. An attacker can send a query multiple times, and for each repeat, another {port, ID} becomes capable of accepting the answer he is sending in the blind, to random IDs and ports. The chance of a succesful attack is therefore multiplied by the number of repeats of the query. The new behaviour detects repeated queries and merely stores the clients sending repeats so that when the first query completes, the answer can be sent to all the clients who asked. Refer: CVE-2020-25686. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25681 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25682 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25683 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25684 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25685 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25686 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25687 (* Security fix *)

Where Find New Packages

Thanks to the friendly folks at the OSU Open Source Lab (https://osuosl.org/) for donating FTP and rsync hosting to the Slackware project! :-)
Also see the "Get Slack" section on http://www.slackware.com/ for additional mirror sites near you.
Updated package for Slackware 14.0:
Updated package for Slackware x86_64 14.0:
Updated package for Slackware 14.1:
Updated package for Slackware x86_64 14.1:
Updated package for Slackware 14.2:
Updated package for Slackware x86_64 14.2:
Updated package for Slackware -current:
Updated package for Slackware x86_64 -current:

MD5 Signatures

Slackware 14.0 package: 21656a83c165a785f6fadab6a1af1719 dnsmasq-2.84-i486-1_slack14.0.txz
Slackware x86_64 14.0 package: 90cd9eda688df52f01a984506b1248b1 dnsmasq-2.84-x86_64-1_slack14.0.txz
Slackware 14.1 package: 2bde4367a591308ecde01f438cd1c01e dnsmasq-2.84-i486-1_slack14.1.txz
Slackware x86_64 14.1 package: b926b57679a8c420259c72fab90c73b6 dnsmasq-2.84-x86_64-1_slack14.1.txz
Slackware 14.2 package: 433bd15bc94f577ac2235d246ec222c0 dnsmasq-2.84-i586-1_slack14.2.txz
Slackware x86_64 14.2 package: 76081b1d11ac9b9ec3f8580163713163 dnsmasq-2.84-x86_64-1_slack14.2.txz
Slackware -current package: 5dab2510f2d679a10b2b9881f8578053 n/dnsmasq-2.84-i586-1.txz
Slackware x86_64 -current package: d1fca4e7b70ebdb7136288a3f1707813 n/dnsmasq-2.84-x86_64-1.txz

Severity
[slackware-security] dnsmasq (SSA:2021-040-01)
New dnsmasq packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.

Installation Instructions

Installation instructions: Upgrade the package as root: # upgradepkg dnsmasq-2.84-i586-1_slack14.2.txz Then restart dnsmasq if you are using it: # sh /etc/rc.d/rc.dnsmasq restart

Related News

11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
2.Motherboard Esm H320
2 - 3 min read
The recently uncovered "Native Branch History Injection (BHI)" exploit against the Linux kernel marks a significant milestone in the ongoing battle
1.Penguin Landscape Esm H320
1 - 2 min read
There are compelling arguments in favor of Linux over Windows for desktop usage. Let's explore some advantages of choosing Linux over Windows for

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved