Описание
Security update for dnsmasq
This update for dnsmasq fixes the following issues:
Update to version 2.86
- CVE-2021-3448: fixed outgoing port used when --server is used with an interface name. (bsc#1183709)
- CVE-2020-14312: Set --local-service by default (bsc#1173646).
- Open inotify socket only when used (bsc#1180914).
This update was imported from the SUSE:SLE-15-SP1:Update update project.
Список пакетов
openSUSE Leap 15.2
Ссылки
- E-Mail link for openSUSE-SU-2021:1426-1
- SUSE Security Ratings
- SUSE Bug 1173646
- SUSE Bug 1180914
- SUSE Bug 1183709
- SUSE CVE CVE-2020-14312 page
- SUSE CVE CVE-2021-3448 page
Описание
A flaw was found in the default configuration of dnsmasq, as shipped with Fedora versions prior to 31 and in all versions Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled. Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems.
Затронутые продукты
Ссылки
- CVE-2020-14312
- SUSE Bug 1173646
Описание
A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity.
Затронутые продукты
Ссылки
- CVE-2021-3448
- SUSE Bug 1183709