Please bump dnsmasq to 2.63
Copy & Paste from: https://bugs.mageia.org/show_bug.cgi?id=7466#c4
Updated dnsmasq packages fix security vulnerabilities: When dnsmasq before 2.63 is used in conjunction with certain configurations of libvirtd, network packets from prohibited networks (e.g. packets that should not be passed in) may be sent to the dnsmasq application and processed. This can result in DNS amplification attacks for example. (CVE-2012-3411).
Reproducible: Always
net-dns/dnsmasq-2.63 is already in the tree, we can go ahead and stabilize it.
Stable for HPPA.
amd64 stable
stable ppc ppc64
stable arm
arm stable
alpha/ia64/s390/sh/sparc/x86 stable
Thanks, everyone. GLSA vote: yes.
It's worth noting this issue is libvirt + dnsmasq so you need a fixed libvirt to call this done. All versions in the tree are vulnerable, we haven't released an official fix yet. I'm also on dev away starting tomorrow until Dec 3rd.
(In reply to comment #9)
> It's worth noting this issue is libvirt + dnsmasq so you need a fixed
> libvirt to call this done. All versions in the tree are vulnerable, we
> haven't released an official fix yet. I'm also on dev away starting tomorrow
> until Dec 3rd.
Thanks for the info, Doug. Resetting to ebuild status to take care of libvirt.
CVE-2012-3411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3411): Dnsmasq before 2.63test1, when used with certain libvirt configurations, replies to requests from prohibited interfaces, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed DNS query.
Vulnerable versions are gone from tree, let's vote.
GLSA vote: no
GLSA vote: no. Closing as [noglsa].
re-opening for glsa together with bug 453170 (incomplete fix of this bug)
This issue was resolved and addressed in GLSA 201406-24 at http://security.gentoo.org/glsa/glsa-201406-24.xml by GLSA coordinator Mikle Kolyada (Zlogene).