GNU bug report logs

#47674 dnsmasq is vulnerable to CVE-2021-3448

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #10 received at 47674@debbugs.gnu.org (full text, mbox, reply):

Received: (at 47674) by debbugs.gnu.org; 9 Apr 2021 19:33:33 +0000
From debbugs-submit-bounces@debbugs.gnu.org Fri Apr 09 15:33:33 2021
Received: from localhost ([127.0.0.1]:50954 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1lUwsm-0007Un-Tn
	for submit@debbugs.gnu.org; Fri, 09 Apr 2021 15:33:33 -0400
Received: from out5-smtp.messagingengine.com ([66.111.4.29]:44785)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1lUwsl-0007UY-1E
 for 47674@debbugs.gnu.org; Fri, 09 Apr 2021 15:33:31 -0400
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
 by mailout.nyi.internal (Postfix) with ESMTP id 8144E5C010B;
 Fri,  9 Apr 2021 15:33:25 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162])
 by compute3.internal (MEProxy); Fri, 09 Apr 2021 15:33:25 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=date:from:to:cc:subject:message-id:references:mime-version
 :content-type:in-reply-to; s=mesmtp; bh=ha7bEO3W5mQ2cS4HlTvJx2/K
 BrFqzzMDkY1vkT4a03g=; b=x7stZ5U69WAPAN+QmJGCRO7EicdP5i2xni5Gdy0X
 A0AWIqa2/7VR1YIfMEyzCFZScJE+ObIbYc1UxEGuDqcgotCxpInqhfsUF4+2aekE
 /P8qL/4sEK7ZQOr0VfutNzajDd9g3tT3GaN6ZGzLwow4fkBcJGYNlD6Rvu16KVaU
 QGI=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-proxy
 :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=ha7bEO
 3W5mQ2cS4HlTvJx2/KBrFqzzMDkY1vkT4a03g=; b=S4Ob5/r+LeSDH7NqT0fbEQ
 MNlcmVvkhpyHeCTJrktkRG79rx7+BuJbeV8aBogrPdkY2JbBpiwMBklN576wasGY
 xHrb6U4JLK8Ho510cdGJawOwAcRktBmdhz5OmrY/nkjyaJbI7FbZXg+3uk8JkHKG
 Okoqmg2CVbK6U80X1KNIuZKFOdYYJniuSmXUD0AW6yCEOm8P5p8aF0KAn2SbHhP8
 jXAbuOVtnM9kcqYuIYyYiPw40AkN80O9zsymvhdfaWEu1cpW/89CWQoz7LW+VR4l
 fXh+6nYLAQb+PX/1HlnAh2Mv/osKADwMudSpJJ95OjXzwxIJe5BDz2Jz/g+TeKYQ
 ==
X-ME-Sender: <xms:BaxwYMDD1a6e_y6Zq_gSZhuHxAWUtaBWF4QFRoF8c317mOxMmnUqIw>
 <xme:BaxwYOj02Ls3SC--Pps8v7tVi0o2LpSTt92CJr3aEf9thuzMUkTN0ErZdfeScdPsJ
 T7-FBh5wxe7Rr9UTg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrudekuddgudegvdcutefuodetggdotefrod
 ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh
 necuuegrihhlohhuthemuceftddtnecunecujfgurhepfffhvffukfhfgggtuggjsehgtd
 erredttddunecuhfhrohhmpefnvghoucfhrghmuhhlrghrihcuoehlvghosehfrghmuhhl
 rghrihdrnhgrmhgvqeenucggtffrrghtthgvrhhnpeduhfffveehtdfgjeevleefueekhf
 dtvdffteegueeigfevvdekfeeijeffgfffleenucfkphepuddttddruddurdduieelrddu
 udeknecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheplh
 gvohesfhgrmhhulhgrrhhirdhnrghmvg
X-ME-Proxy: <xmx:BaxwYPkOqdRV1BqjcCl_NurJZlPbK69r1r34GHbCdOe_fIYlCJ4Tvg>
 <xmx:BaxwYCyC3m9p188wY5RI00UMAYirHSocBTtpPl589lYamh5-_tl_UQ>
 <xmx:BaxwYBS5hO8OXns8qBGS0tL6azddX1t72gihopYwvI3dsH3ZB1nEhg>
 <xmx:BaxwYMPcX-SRroUCzYsG5hRMizK3OnZFDvQ1IvVTJyRV6hgtoi4WQA>
Received: from localhost (pool-100-11-169-118.phlapa.fios.verizon.net
 [100.11.169.118])
 by mail.messagingengine.com (Postfix) with ESMTPA id 36592240054;
 Fri,  9 Apr 2021 15:33:25 -0400 (EDT)
Date: Fri, 9 Apr 2021 15:33:22 -0400
From: Leo Famulari <leo@famulari.name>
To: Nicolò Balzarotti <anothersms@gmail.com>
Subject: Re: bug#47674: dnsmasq is vulnerable to CVE-2021-3448
Message-ID: <YHCsAioNoPoTh5EH@jasmine.lan>
References: <87pmz3mr2k.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="z4P2ohRx+psNzaCQ"
Content-Disposition: inline
In-Reply-To: <87pmz3mr2k.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me>
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 47674
Cc: 47674@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

[Message part 1 (text/plain, inline)]
On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> CVE-2021-3448
> 
> A flaw was found in dnsmasq in versions before 2.85. When configured to
> use a specific server for a given network interface, dnsmasq uses a
> fixed port while forwarding queries. An attacker on the network, able to
> find the outgoing port used by dnsmasq, only needs to guess the random
> transmission ID to forge a reply and get it accepted by dnsmasq. This
> flaw makes a DNS Cache Poisoning attack much easier. The highest threat
> from this vulnerability is to data integrity.
> 
> guix ships dnsmasq@2.84. guix refresh shows version 2.85 is available,
> and there are 43 dependent packages so this can go directly to master.
> 
> All dependent packages (refresh -l) build fine except for
> python2-libvirt@7.2.0, which is failing also on master
> (libvirt-python requires Python >= 3.5 to build).  Since it's a python2
> package and no other packages depends on it, can we just drop it?

Yes, sounds good.

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 18:33:07 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.