Acknowledgement sent
to Nicolò Balzarotti <anothersms@gmail.com>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org.
(Fri, 09 Apr 2021 15:11:01 GMT) (full text, mbox, link).
CVE-2021-3448
A flaw was found in dnsmasq in versions before 2.85. When configured to
use a specific server for a given network interface, dnsmasq uses a
fixed port while forwarding queries. An attacker on the network, able to
find the outgoing port used by dnsmasq, only needs to guess the random
transmission ID to forge a reply and get it accepted by dnsmasq. This
flaw makes a DNS Cache Poisoning attack much easier. The highest threat
from this vulnerability is to data integrity.
guix ships dnsmasq@2.84. guix refresh shows version 2.85 is available,
and there are 43 dependent packages so this can go directly to master.
All dependent packages (refresh -l) build fine except for
python2-libvirt@7.2.0, which is failing also on master
(libvirt-python requires Python >= 3.5 to build). Since it's a python2
package and no other packages depends on it, can we just drop it?
Thanks, Nicolò
On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> CVE-2021-3448
>
> A flaw was found in dnsmasq in versions before 2.85. When configured to
> use a specific server for a given network interface, dnsmasq uses a
> fixed port while forwarding queries. An attacker on the network, able to
> find the outgoing port used by dnsmasq, only needs to guess the random
> transmission ID to forge a reply and get it accepted by dnsmasq. This
> flaw makes a DNS Cache Poisoning attack much easier. The highest threat
> from this vulnerability is to data integrity.
>
> guix ships dnsmasq@2.84. guix refresh shows version 2.85 is available,
> and there are 43 dependent packages so this can go directly to master.
>
> All dependent packages (refresh -l) build fine except for
> python2-libvirt@7.2.0, which is failing also on master
> (libvirt-python requires Python >= 3.5 to build). Since it's a python2
> package and no other packages depends on it, can we just drop it?
Yes, sounds good.
Subject: Re: bug#47674: dnsmasq is vulnerable to CVE-2021-3448
Date: Fri, 9 Apr 2021 15:38:05 -0400
On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> All dependent packages (refresh -l) build fine except for
> python2-libvirt@7.2.0, which is failing also on master
> (libvirt-python requires Python >= 3.5 to build). Since it's a python2
> package and no other packages depends on it, can we just drop it?
I notice that python2-libvirt builds okay on staging:
https://ci.guix.gnu.org/search?query=python2-libvirt&border-high-id=134835
Information forwarded
to bug-guix@gnu.org: bug#47674; Package guix.
(Fri, 09 Apr 2021 19:48:01 GMT) (full text, mbox, link).
Subject: Re: bug#47674: dnsmasq is vulnerable to CVE-2021-3448
Date: Fri, 09 Apr 2021 21:47:13 +0200
Leo Famulari <leo@famulari.name> writes:
> On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
>> All dependent packages (refresh -l) build fine except for
>> python2-libvirt@7.2.0, which is failing also on master
>> (libvirt-python requires Python >= 3.5 to build). Since it's a python2
>> package and no other packages depends on it, can we just drop it?
>
> I notice that python2-libvirt builds okay on staging:
>
> https://ci.guix.gnu.org/search?query=python2-libvirt&border-high-id=134835
Staging has an older version (5.8 vs 7.2, which has been released in
november 2019 [fn:1] though), and it got updated a few days ago
(28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
fail on staging too. Am I wrong?
[fn:1] https://pypi.org/project/libvirt-python/#history
Information forwarded
to bug-guix@gnu.org: bug#47674; Package guix.
(Fri, 09 Apr 2021 20:08:01 GMT) (full text, mbox, link).
Subject: Re: bug#47674: dnsmasq is vulnerable to CVE-2021-3448
Date: Fri, 9 Apr 2021 16:07:07 -0400
On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
> Staging has an older version (5.8 vs 7.2, which has been released in
> november 2019 [fn:1] though), and it got updated a few days ago
> (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
> fail on staging too. Am I wrong?
Ah, could be. The new staging builds haven't been performed yet.
Information forwarded
to bug-guix@gnu.org: bug#47674; Package guix.
(Sat, 10 Apr 2021 21:40:01 GMT) (full text, mbox, link).
Subject: Re: bug#47674: dnsmasq is vulnerable to CVE-2021-3448
Date: Sat, 10 Apr 2021 23:39:37 +0200
Leo Famulari <leo@famulari.name> writes:
> On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
>> Staging has an older version (5.8 vs 7.2, which has been released in
>> november 2019 [fn:1] though), and it got updated a few days ago
>> (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
>> fail on staging too. Am I wrong?
>
> Ah, could be. The new staging builds haven't been performed yet.
Failed both i686 and x86_64 on staging
Information forwarded
to bug-guix@gnu.org: bug#47674; Package guix.
(Sat, 10 Apr 2021 22:06:01 GMT) (full text, mbox, link).
Subject: Re: bug#47674: dnsmasq is vulnerable to CVE-2021-3448
Date: Sat, 10 Apr 2021 18:05:06 -0400
On Fri, Apr 09, 2021 at 04:07:07PM -0400, Leo Famulari wrote:
> On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
> > Staging has an older version (5.8 vs 7.2, which has been released in
> > november 2019 [fn:1] though), and it got updated a few days ago
> > (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
> > fail on staging too. Am I wrong?
>
> Ah, could be. The new staging builds haven't been performed yet.
Thanks for following up. Sure, I think it's fine to remove a package
if it does not build and has no dependents.
Information forwarded
to bug-guix@gnu.org: bug#47674; Package guix.
(Sat, 10 Apr 2021 22:28:01 GMT) (full text, mbox, link).
Nicolò,
Nicolò Balzarotti writes:
> gnu/packages/dns.scm (dnsmasq): Update to 2.85.
I see you managed to aim this beautifully between me searching the
issue tracker for ‘dnsmasq’ and me actually pushing an update, so
well done I guess.
(Also: sorry for the duplicated effort, and thanks for keeping an
eye on the securities. :-)
Kind regards,
T G-R
Debbugs is free software and licensed under the terms of the
GNU Public License version 2. The current version can be
obtained from https://bugs.debian.org/debbugs-source/.