GNU bug report logs -
#47674
dnsmasq is vulnerable to CVE-2021-3448
Previous Next
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 47674 in the body.
You can then email your comments to 47674 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org
:
bug#47674
; Package
guix
.
(Fri, 09 Apr 2021 15:11:01 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Nicolò Balzarotti <anothersms <at> gmail.com>
:
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org
.
(Fri, 09 Apr 2021 15:11:01 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
CVE-2021-3448
A flaw was found in dnsmasq in versions before 2.85. When configured to
use a specific server for a given network interface, dnsmasq uses a
fixed port while forwarding queries. An attacker on the network, able to
find the outgoing port used by dnsmasq, only needs to guess the random
transmission ID to forge a reply and get it accepted by dnsmasq. This
flaw makes a DNS Cache Poisoning attack much easier. The highest threat
from this vulnerability is to data integrity.
guix ships dnsmasq <at> 2.84. guix refresh shows version 2.85 is available,
and there are 43 dependent packages so this can go directly to master.
All dependent packages (refresh -l) build fine except for
python2-libvirt <at> 7.2.0, which is failing also on master
(libvirt-python requires Python >= 3.5 to build). Since it's a python2
package and no other packages depends on it, can we just drop it?
Thanks, Nicolò
[0001-gnu-dnsmasq-Update-to-2.85.patch (text/x-patch, attachment)]
Added tag(s) security.
Request was from
Nicolò Balzarotti <anothersms <at> gmail.com>
to
control <at> debbugs.gnu.org
.
(Fri, 09 Apr 2021 15:13:01 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-guix <at> gnu.org
:
bug#47674
; Package
guix
.
(Fri, 09 Apr 2021 19:34:01 GMT)
Full text and
rfc822 format available.
Message #10 received at 47674 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> CVE-2021-3448
>
> A flaw was found in dnsmasq in versions before 2.85. When configured to
> use a specific server for a given network interface, dnsmasq uses a
> fixed port while forwarding queries. An attacker on the network, able to
> find the outgoing port used by dnsmasq, only needs to guess the random
> transmission ID to forge a reply and get it accepted by dnsmasq. This
> flaw makes a DNS Cache Poisoning attack much easier. The highest threat
> from this vulnerability is to data integrity.
>
> guix ships dnsmasq <at> 2.84. guix refresh shows version 2.85 is available,
> and there are 43 dependent packages so this can go directly to master.
>
> All dependent packages (refresh -l) build fine except for
> python2-libvirt <at> 7.2.0, which is failing also on master
> (libvirt-python requires Python >= 3.5 to build). Since it's a python2
> package and no other packages depends on it, can we just drop it?
Yes, sounds good.
[signature.asc (application/pgp-signature, inline)]
Reply sent
to
Leo Famulari <leo <at> famulari.name>
:
You have taken responsibility.
(Fri, 09 Apr 2021 19:35:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Nicolò Balzarotti <anothersms <at> gmail.com>
:
bug acknowledged by developer.
(Fri, 09 Apr 2021 19:35:02 GMT)
Full text and
rfc822 format available.
Message #15 received at 47674-done <at> debbugs.gnu.org (full text, mbox):
On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> From a0932442c6c72d1e1a2a0f400f8afa487251189d Mon Sep 17 00:00:00 2001
> From: nixo <nicolo <at> nixo.xyz>
> Date: Fri, 9 Apr 2021 16:19:03 +0200
> Subject: [PATCH] gnu: dnsmasq: Update to 2.85.
>
> * gnu/packages/dns.scm (dnsmasq): Update to 2.85.
Looks like this change was already done with commit
c8d809f9a49c2b4ec5500c2685e96168dcd9afa9
Information forwarded
to
bug-guix <at> gnu.org
:
bug#47674
; Package
guix
.
(Fri, 09 Apr 2021 19:39:02 GMT)
Full text and
rfc822 format available.
Message #18 received at 47674 <at> debbugs.gnu.org (full text, mbox):
On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> All dependent packages (refresh -l) build fine except for
> python2-libvirt <at> 7.2.0, which is failing also on master
> (libvirt-python requires Python >= 3.5 to build). Since it's a python2
> package and no other packages depends on it, can we just drop it?
I notice that python2-libvirt builds okay on staging:
https://ci.guix.gnu.org/search?query=python2-libvirt&border-high-id=134835
Information forwarded
to
bug-guix <at> gnu.org
:
bug#47674
; Package
guix
.
(Fri, 09 Apr 2021 19:48:01 GMT)
Full text and
rfc822 format available.
Message #21 received at 47674 <at> debbugs.gnu.org (full text, mbox):
Leo Famulari <leo <at> famulari.name> writes:
> On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
>> All dependent packages (refresh -l) build fine except for
>> python2-libvirt <at> 7.2.0, which is failing also on master
>> (libvirt-python requires Python >= 3.5 to build). Since it's a python2
>> package and no other packages depends on it, can we just drop it?
>
> I notice that python2-libvirt builds okay on staging:
>
> https://ci.guix.gnu.org/search?query=python2-libvirt&border-high-id=134835
Staging has an older version (5.8 vs 7.2, which has been released in
november 2019 [fn:1] though), and it got updated a few days ago
(28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
fail on staging too. Am I wrong?
[fn:1] https://pypi.org/project/libvirt-python/#history
Information forwarded
to
bug-guix <at> gnu.org
:
bug#47674
; Package
guix
.
(Fri, 09 Apr 2021 20:08:01 GMT)
Full text and
rfc822 format available.
Message #24 received at 47674 <at> debbugs.gnu.org (full text, mbox):
On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
> Staging has an older version (5.8 vs 7.2, which has been released in
> november 2019 [fn:1] though), and it got updated a few days ago
> (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
> fail on staging too. Am I wrong?
Ah, could be. The new staging builds haven't been performed yet.
Information forwarded
to
bug-guix <at> gnu.org
:
bug#47674
; Package
guix
.
(Sat, 10 Apr 2021 21:40:01 GMT)
Full text and
rfc822 format available.
Message #27 received at 47674 <at> debbugs.gnu.org (full text, mbox):
Leo Famulari <leo <at> famulari.name> writes:
> On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
>> Staging has an older version (5.8 vs 7.2, which has been released in
>> november 2019 [fn:1] though), and it got updated a few days ago
>> (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
>> fail on staging too. Am I wrong?
>
> Ah, could be. The new staging builds haven't been performed yet.
Failed both i686 and x86_64 on staging
Information forwarded
to
bug-guix <at> gnu.org
:
bug#47674
; Package
guix
.
(Sat, 10 Apr 2021 22:06:01 GMT)
Full text and
rfc822 format available.
Message #30 received at 47674 <at> debbugs.gnu.org (full text, mbox):
On Fri, Apr 09, 2021 at 04:07:07PM -0400, Leo Famulari wrote:
> On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
> > Staging has an older version (5.8 vs 7.2, which has been released in
> > november 2019 [fn:1] though), and it got updated a few days ago
> > (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
> > fail on staging too. Am I wrong?
>
> Ah, could be. The new staging builds haven't been performed yet.
Thanks for following up. Sure, I think it's fine to remove a package
if it does not build and has no dependents.
Information forwarded
to
bug-guix <at> gnu.org
:
bug#47674
; Package
guix
.
(Sat, 10 Apr 2021 22:28:01 GMT)
Full text and
rfc822 format available.
Message #33 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Nicolò,
Nicolò Balzarotti writes:
> gnu/packages/dns.scm (dnsmasq): Update to 2.85.
I see you managed to aim this beautifully between me searching the
issue tracker for ‘dnsmasq’ and me actually pushing an update, so
well done I guess.
(Also: sorry for the duplicated effort, and thanks for keeping an
eye on the securities. :-)
Kind regards,
T G-R
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org
:
bug#47674
; Package
guix
.
(Sat, 10 Apr 2021 22:28:02 GMT)
Full text and
rfc822 format available.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org
.
(Sun, 09 May 2021 11:24:08 GMT)
Full text and
rfc822 format available.
This bug report was last modified 2 years and 324 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.