|Summary:||<net-dns/dnsmasq-2.63, <app-emulation/libvirt-1.0.1: dns amplification attack (CVE-2012-3411)|
|Product:||Gentoo Security||Reporter:||Michael Klapproth <gentoo>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
Description Michael Klapproth 2012-10-01 23:40:07 UTC
Please bump dnsmasq to 2.63 Coyp & Paste from: https://bugs.mageia.org/show_bug.cgi?id=7466#c4 Updated dnsmasq packages fix security vulnerabilities: When dnsmasq before 2.63 is used in conjunctions with certain configurations of libvirtd, network packets from prohibited networks (e.g. packets that should not be passed in) may be sent to the dnsmasq application and processed. This can result in DNS amplification attacks for example. (CVE-2012-3411). Reproducible: Always
Comment 1 Patrick McLean 2012-10-02 02:38:24 UTC
net-dns/dnsmasq-2.63 is already in the tree, we can go ahead and stabilize it.
Comment 2 Jeroen Roovers 2012-10-02 14:13:08 UTC
Stable for HPPA.
Comment 3 Agostino Sarubbo 2012-10-03 11:47:43 UTC
Comment 4 Anthony Basile 2012-10-04 11:32:41 UTC
stable ppc ppc64
Comment 5 Anthony Basile 2012-10-04 11:48:49 UTC
Comment 6 Markus Meier 2012-10-06 08:44:31 UTC
Comment 7 Raúl Porcel (RETIRED) 2012-10-07 14:13:49 UTC
Comment 8 Sean Amoss 2012-10-09 00:49:13 UTC
Thanks, everyone. GLSA vote: yes.
Comment 9 Doug Goldstein 2012-11-22 06:19:19 UTC
It's worth noting this issue is libvirt + dnsmasq so you need a fixed libvirt to call this done. All versions in the tree are vulnerable, we haven't released an official fix yet. I'm also on dev away starting tomorrow until Dec 3rd.
Comment 10 Sean Amoss 2012-11-26 12:40:21 UTC
(In reply to comment #9) > It's worth noting this issue is libvirt + dnsmasq so you need a fixed > libvirt to call this done. All versions in the tree are vulnerable, we > haven't released an official fix yet. I'm also on dev away starting tomorrow > until Dec 3rd. Thanks for the info, Doug. Resetting to ebuild status to take care of libvirt.
Comment 11 GLSAMaker/CVETool Bot 2013-03-07 00:39:35 UTC
CVE-2012-3411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3411): Dnsmasq before 2.63test1, when used with certain libvirt configurations, replies to requests from prohibited interfaces, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed DNS query.
Comment 12 Sergey Popov 2013-10-02 09:26:26 UTC
Vulnerable versions are gone from tree, let's vote GLSA vote: no
Comment 13 Mikle Kolyada 2014-02-05 11:16:43 UTC
GLSA vote: no. Closing as [noglsa].
Comment 14 Kristian Fiskerstrand 2014-06-21 15:19:04 UTC
re-opening for glsa together with bug 453170 (incomplete fix of this bug)
Comment 15 GLSAMaker/CVETool Bot 2014-06-25 21:59:31 UTC
This issue was resolved and addressed in GLSA 201406-24 at http://security.gentoo.org/glsa/glsa-201406-24.xml by GLSA coordinator Mikle Kolyada (Zlogene).