- Update to 2.83:
* bsc#1177077: Fixed DNSpooq vulnerabilities * Use the values of --min-port and --max-port in outgoing TCP connections to upstream DNS servers. * Fix a remote buffer overflow problem in the DNSSEC code. Any dnsmasq with DNSSEC compiled in and enabled is vulnerable to this, referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 CVE-2020-25687. * Be sure to only accept UDP DNS query replies at the address from which the query was originated. This keeps as much entropy in the {query-ID, random-port} tuple as possible, to help defeat cache poisoning attacks. Refer: CVE-2020-25684. * Use the SHA-256 hash function to verify that DNS answers received are for the questions originally asked. This replaces the slightly insecure SHA-1 (when compiled with DNSSEC) or the very insecure CRC32 (otherwise). Refer: CVE-2020-25685 * Handle multiple identical near simultaneous DNS queries better. Previously, such queries would all be forwarded independently. This is, in theory, inefficent but in practise not a problem, _except_ that is means that an answer for any of the forwarded queries will be accepted and cached. An attacker can send a query multiple times, and for each repeat, another {port, ID} becomes capable of accepting the answer he is sending in the blind, to random IDs and ports. The chance of a succesful attack is therefore multiplied by the number of repeats of the query. The new behaviour detects repeated queries and merely stores the clients sending repeats so that when the first query completes, the answer can be sent to all the clients who asked. Refer: CVE-2020-25686. OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=126
This commit is contained in:
parent
be2d2498af
commit
f38fa3d41b
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:84523646f3116bb5e1151efb66e645030f6e6a8256f29aab444777a343ebc132
|
||||
size 509904
|
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAl8UwTUACgkQFc3aauGR
|
||||
NaLN9A/7BwXyk9I50Xgct/25lzXBU8E3apZXNfsHS3NBIRudNzVEKU6pqdqXIWmF
|
||||
Neiq7zzgSF4n6azP8tIfoLrMtmblK+6qetd/zyLLqMCp/xwuriX9IGrYdXfYSn8F
|
||||
mqBrCsppww+mBhbV+trbjBdpfqG+5Vf2o9Crx41bdNMeYVq8ZeZbD+SDRZCU8OtF
|
||||
PvoKYEtJicycWrHdSObpl1ky/huB9zuawPRsMIQZ2pDaFkC1CzBGaBmd6i/B1kcP
|
||||
oDN+c6pBCCi2FKingiUiNNxSGuvhfT6eiAQaVdL0hHpSzSR+POezn7UulJg2c1OM
|
||||
sR+mL8dReIjUItLjJCknovoGBxGpchNfSSLuj1UxfeetZUf5uVs8ZRec1+n9+tVw
|
||||
gweFpE3k7Xwy8IGMT1TAFpP2HhMahkUg1MO1VXOgu4yoIq6g7q1i6O/kFPXyRFz/
|
||||
N6V/laJz1oLFtrVW+zQtvLpXJIIc473+Xkpf4DoD2BRmnqr2Ufg2Dk19sdktBbw+
|
||||
Xz8YqIUDR781uMy3+N/EQRlQ3+NDjGgA/qJEzpSsUa5E0BHTyfRPLV9kOkJ+IdU5
|
||||
SVFgSRek7LBW9zp113xt4dWWoccaWGf5Cdt30Dycknc3PTLgBRRbrJKRz7N2/3by
|
||||
c6HvcQYkEdEl9QgUQ7nxFlpK+y9zn8AGRb1lt91Qwj4BI2JGgBA=
|
||||
=umZ9
|
||||
-----END PGP SIGNATURE-----
|
3
dnsmasq-2.83.tar.xz
Normal file
3
dnsmasq-2.83.tar.xz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:ffc1f7e8b05e22d910b9a71d09f1128197292766dc7c54cb7018a1b2c3af4aea
|
||||
size 513880
|
16
dnsmasq-2.83.tar.xz.asc
Normal file
16
dnsmasq-2.83.tar.xz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAmAGqrMACgkQFc3aauGR
|
||||
NaK0YBAAph9k8oDA8MnTrDXmGkWWtWks8cEn+DBrE0tSekdehQlPl9jyUwZUUKXI
|
||||
3j6qhCVgd9VpwlS810lhU+YTiQoB13f7FR6Bnaps6nYMoi0hUgQrmSyvaQEJ3xmZ
|
||||
Vaypvf7DiIQM4Rb95QbWNA684iTE77vwjTiyV+RWFxUyeAXJwH4Dh6AdB74byM+Y
|
||||
0WMZqGm6FZQWGI7bCPtW6rLbSZ/5c8szrQxeo6oKo7mCtMaM/nIL5xrTBGwgHK84
|
||||
jCKs86ReFeC0dGJZOcEiYWCr6e33CXSD/wl1aw76FefmBVBt1ducAMthURHNiknh
|
||||
C7+saiLsgL4UmEPj5xn9gUNx3siz+YSTHjq+9KQNaBACXLCb82UQaH7Os8+0A0Na
|
||||
Hhzetyj1LxEbujr4CQrWLU0TwatmJ8jGsGJHdR+IXuBGy+s4NpWxu+SSzBUHe3Je
|
||||
DLnIec4XVlj3Hq6zjV1YGWuBMzBCPPp09mmuv4kBLR81+6oGJFQC7T6fK4Vh2qCB
|
||||
1vsual+TIHiVWVjRQ/gbGr3SN4XwWC7rlmjXHPEuz47dguf8/2EnU7ADFWI6fGZG
|
||||
fmDUXC6Is9U0GH8rZIcoLOZ7CBJuRjzZRCuUjL4wAZ44TaGCHyDiUL4IZ94eNLg+
|
||||
kJQtPdgZmpo4EZaaZ8HaXB5zoqp6SK3F3lQB4+w1jUIOkZgQS2A=
|
||||
=YQ56
|
||||
-----END PGP SIGNATURE-----
|
@ -1,3 +1,36 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 19 12:24:02 UTC 2021 - Reinhard Max <max@suse.com>
|
||||
|
||||
- Update to 2.83:
|
||||
* bsc#1177077: Fixed DNSpooq vulnerabilities
|
||||
* Use the values of --min-port and --max-port in outgoing
|
||||
TCP connections to upstream DNS servers.
|
||||
* Fix a remote buffer overflow problem in the DNSSEC code.
|
||||
Any dnsmasq with DNSSEC compiled in and enabled is vulnerable
|
||||
to this, referenced by CVE-2020-25681, CVE-2020-25682,
|
||||
CVE-2020-25683 CVE-2020-25687.
|
||||
* Be sure to only accept UDP DNS query replies at the address
|
||||
from which the query was originated. This keeps as much
|
||||
entropy in the {query-ID, random-port} tuple as possible, to
|
||||
help defeat cache poisoning attacks. Refer: CVE-2020-25684.
|
||||
* Use the SHA-256 hash function to verify that DNS answers
|
||||
received are for the questions originally asked. This replaces
|
||||
the slightly insecure SHA-1 (when compiled with DNSSEC) or
|
||||
the very insecure CRC32 (otherwise). Refer: CVE-2020-25685
|
||||
* Handle multiple identical near simultaneous DNS queries better.
|
||||
Previously, such queries would all be forwarded independently.
|
||||
This is, in theory, inefficent but in practise not a problem,
|
||||
_except_ that is means that an answer for any of the forwarded
|
||||
queries will be accepted and cached.
|
||||
An attacker can send a query multiple times, and for each
|
||||
repeat, another {port, ID} becomes capable of accepting the
|
||||
answer he is sending in the blind, to random IDs and ports.
|
||||
The chance of a succesful attack is therefore multiplied by the
|
||||
number of repeats of the query. The new behaviour detects
|
||||
repeated queries and merely stores the clients sending repeats
|
||||
so that when the first query completes, the answer can be sent
|
||||
to all the clients who asked. Refer: CVE-2020-25686.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 28 08:00:51 UTC 2020 - Martin Rey <mrey@suse.com>
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package dnsmasq
|
||||
#
|
||||
# Copyright (c) 2020 SUSE LLC
|
||||
# Copyright (c) 2021 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -22,7 +22,7 @@
|
||||
%bcond_without tftp_user_package
|
||||
%endif
|
||||
Name: dnsmasq
|
||||
Version: 2.82
|
||||
Version: 2.83
|
||||
Release: 0
|
||||
Summary: DNS Forwarder and DHCP Server
|
||||
License: GPL-2.0-only OR GPL-3.0-only
|
||||
|
Loading…
Reference in New Issue
Block a user