There is an unpatched memory leak CVE in dnsmasq. Here are some references:
https://nvd.nist.gov/vuln/detail/CVE-2019-14834
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14834
Here is the upstream fix:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=69bc94779c2f035a9fffdb5327a54c3aeca73ed5
The fix looks low risk to me.
Thanks for reporting a security bug. Make sure you put it in the Gentoo Security component next time so that the security team can pick up on it.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d2cde891f94eed8019bde4deb0612af08cb0d30
commit 5d2cde891f94eed8019bde4deb0612af08cb0d30
Author: Allen-Webb <allenwebb@google.com>
AuthorDate: 2020-04-01 14:44:02 +0000
Commit: Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-04-01 17:19:21 +0000
net-dns/dnsmasq-2.80-r2: Revbump, fix CVE-2019-14834
Bug: https://bugs.gentoo.org/715764
Signed-off-by: Allen-Webb <allenwebb@google.com>
Closes: https://github.com/gentoo/gentoo/pull/15197
Signed-off-by: Patrick McLean <chutzpah@gentoo.org>
 ...smasq-2.80-r1.ebuild => dnsmasq-2.80-r2.ebuild} | 1 +
 .../files/dnsmasq-2.80-cve-2019-14834.patch | 39 ++++++++++++++++++++++
 2 files changed, 40 insertions(+)
security: we should be fine to stabilize this
(In reply to Patrick McLean from comment #3)
> security: we should be fine to stabilize this
Great, thanks for the quick merge!
Didn't catch it was already stable on those arches. Tree is clean. Thanks again. Changing to glsa?
Resetting sanity check; package list is empty or all packages are done.
GLSA Vote: No
Thank you all for your work. Closing as [noglsa].