drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mehrere Probleme in dnsmasq
Name: |
Mehrere Probleme in dnsmasq |
|
ID: |
SSA:2021-040-01 |
|
Distribution: |
Slackware |
|
Plattformen: |
Slackware -current, Slackware x86_64 -current, Slackware 14.0, Slackware x86_64 14.0, Slackware 14.1, Slackware x86_64 14.1, Slackware 14.2, Slackware x86_64 14.2 |
|
Datum: |
Di, 9. Februar 2021, 23:48 |
|
Referenzen: |
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25683
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25682
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25687
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25684
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25686
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25685
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25681 |
|
Applikationen: |
Dnsmasq |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
[slackware-security] dnsmasq (SSA:2021-040-01)
New dnsmasq packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/packages/dnsmasq-2.84-i586-1_slack14.2.txz: Upgraded. This update fixes bugs and remotely exploitable security issues: Use the values of --min-port and --max-port in outgoing TCP connections to upstream DNS servers. Fix a remote buffer overflow problem in the DNSSEC code. Any dnsmasq with DNSSEC compiled in and enabled is vulnerable to this, referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 CVE-2020-25687. Be sure to only accept UDP DNS query replies at the address from which the query was originated. This keeps as much entropy in the {query-ID, random-port} tuple as possible, to help defeat cache poisoning attacks. Refer: CVE-2020-25684. Use the SHA-256 hash function to verify that DNS answers received are for the questions originally asked. This replaces the slightly insecure SHA-1 (when compiled with DNSSEC) or the very insecure CRC32 (otherwise). Refer: CVE-2020-25685. Handle multiple identical near simultaneous DNS queries better. Previously, such queries would all be forwarded independently. This is, in theory, inefficent but in practise not a problem, _except_ that is means that an answer for any of the forwarded queries will be accepted and cached. An attacker can send a query multiple times, and for each repeat, another {port, ID} becomes capable of accepting the answer he is sending in the blind, to random IDs and ports. The chance of a succesful attack is therefore multiplied by the number of repeats of the query. The new behaviour detects repeated queries and merely stores the clients sending repeats so that when the first query completes, the answer can be sent to all the clients who asked. Refer: CVE-2020-25686. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25681 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25682 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25683 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25684 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25685 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25686 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25687 (* Security fix *) +--------------------------+
Where to find the new packages: +-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you.
Updated package for Slackware 14.0: dnsmasq-2.84-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0: dnsmasq-2.84-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1: dnsmasq-2.84-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1: dnsmasq-2.84-x86_64-1_slack14.1.txz
Updated package for Slackware 14.2: dnsmasq-2.84-i586-1_slack14.2.txz
Updated package for Slackware x86_64 14.2: dnsmasq-2.84-x86_64-1_slack14.2.txz
Updated package for Slackware -current: dnsmasq-2.84-i586-1.txz
Updated package for Slackware x86_64 -current: dnsmasq-2.84-x86_64-1.txz
MD5 signatures: +-------------+
Slackware 14.0 package: 21656a83c165a785f6fadab6a1af1719 dnsmasq-2.84-i486-1_slack14.0.txz
Slackware x86_64 14.0 package: 90cd9eda688df52f01a984506b1248b1 dnsmasq-2.84-x86_64-1_slack14.0.txz
Slackware 14.1 package: 2bde4367a591308ecde01f438cd1c01e dnsmasq-2.84-i486-1_slack14.1.txz
Slackware x86_64 14.1 package: b926b57679a8c420259c72fab90c73b6 dnsmasq-2.84-x86_64-1_slack14.1.txz
Slackware 14.2 package: 433bd15bc94f577ac2235d246ec222c0 dnsmasq-2.84-i586-1_slack14.2.txz
Slackware x86_64 14.2 package: 76081b1d11ac9b9ec3f8580163713163 dnsmasq-2.84-x86_64-1_slack14.2.txz
Slackware -current package: 5dab2510f2d679a10b2b9881f8578053 n/dnsmasq-2.84-i586-1.txz
Slackware x86_64 -current package: d1fca4e7b70ebdb7136288a3f1707813 n/dnsmasq-2.84-x86_64-1.txz
Installation instructions: +------------------------+
Upgrade the package as root: # upgradepkg dnsmasq-2.84-i586-1_slack14.2.txz
Then restart dnsmasq if you are using it: # sh /etc/rc.d/rc.dnsmasq restart
+-----+
Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com
+------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. | +------------------------------------------------------------------------+ -----BEGIN PGP SIGNATURE-----
iEYEARECAAYFAmAi9AIACgkQakRjwEAQIjOq4wCfQoFBzdm9XpPTZMCx+8OcJBUV pucAn0gUNcGVyeCadJHrcm/mjJCxnSQX =fsum -----END PGP SIGNATURE-----
|
|
|
|