Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 436894 (CVE-2012-3411) - <net-dns/dnsmasq-2.63, <app-emulation/libvirt-1.0.1: dns amplification attack (CVE-2012-3411)
Summary: <net-dns/dnsmasq-2.63, <app-emulation/libvirt-1.0.1: dns amplification attack...
Status: RESOLVED FIXED
Alias: CVE-2012-3411
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugs.mageia.org/show_bug.cgi?...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-10-01 23:40 UTC by Michael Klapproth
Modified: 2014-06-25 21:59 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Klapproth 2012-10-01 23:40:07 UTC
Please bump dnsmasq to 2.63

Coyp & Paste from: https://bugs.mageia.org/show_bug.cgi?id=7466#c4

Updated dnsmasq packages fix security vulnerabilities:

When dnsmasq before 2.63 is used in conjunctions with certain configurations of
libvirtd, network packets from prohibited networks (e.g. packets that
should not be passed in) may be sent to the dnsmasq application and
processed. This can result in DNS amplification attacks for example.
 (CVE-2012-3411).

Reproducible: Always
Comment 1 Patrick McLean gentoo-dev 2012-10-02 02:38:24 UTC
net-dns/dnsmasq-2.63 is already in the tree, we can go ahead and stabilize it.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2012-10-02 14:13:08 UTC
Stable for HPPA.
Comment 3 Agostino Sarubbo gentoo-dev 2012-10-03 11:47:43 UTC
amd64 stable
Comment 4 Anthony Basile gentoo-dev 2012-10-04 11:32:41 UTC
stable ppc ppc64
Comment 5 Anthony Basile gentoo-dev 2012-10-04 11:48:49 UTC
stable arm
Comment 6 Markus Meier gentoo-dev 2012-10-06 08:44:31 UTC
arm stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2012-10-07 14:13:49 UTC
alpha/ia64/s390/sh/sparc/x86 stable
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-09 00:49:13 UTC
Thanks, everyone.

GLSA vote: yes.
Comment 9 Doug Goldstein (RETIRED) gentoo-dev 2012-11-22 06:19:19 UTC
It's worth noting this issue is libvirt + dnsmasq so you need a fixed libvirt to call this done. All versions in the tree are vulnerable, we haven't released an official fix yet. I'm also on dev away starting tomorrow until Dec 3rd.
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-26 12:40:21 UTC
(In reply to comment #9)
> It's worth noting this issue is libvirt + dnsmasq so you need a fixed
> libvirt to call this done. All versions in the tree are vulnerable, we
> haven't released an official fix yet. I'm also on dev away starting tomorrow
> until Dec 3rd.

Thanks for the info, Doug.

Resetting to ebuild status to take care of libvirt.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-03-07 00:39:35 UTC
CVE-2012-3411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3411):
  Dnsmasq before 2.63test1, when used with certain libvirt configurations,
  replies to requests from prohibited interfaces, which allows remote
  attackers to cause a denial of service (traffic amplification) via a spoofed
  DNS query.
Comment 12 Sergey Popov gentoo-dev 2013-10-02 09:26:26 UTC
Vulnerable versions are gone from tree, let's vote

GLSA vote: no
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-02-05 11:16:43 UTC
GLSA vote: no.

Closing as [noglsa].
Comment 14 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-21 15:19:04 UTC
re-opening for glsa together with bug 453170 (incomplete fix of this bug)
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-06-25 21:59:31 UTC
This issue was resolved and addressed in
 GLSA 201406-24 at http://security.gentoo.org/glsa/glsa-201406-24.xml
by GLSA coordinator Mikle Kolyada (Zlogene).