Summary: | <net-dns/dnsmasq-2.63, <app-emulation/libvirt-1.0.1: dns amplification attack (CVE-2012-3411) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Michael Klapproth <gentoo> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | chutzpah |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugs.mageia.org/show_bug.cgi?id=7466#c4 | ||
See Also: | https://bugs.mageia.org/show_bug.cgi?id=7466, https://bugzilla.redhat.com/show_bug.cgi?id=833033 | ||
Whiteboard: | B3 [glsa] | ||
Package list: | | Runtime testing required: | --- |
Description
Michael Klapproth
2012-10-01 23:40:07 UTC
net-dns/dnsmasq-2.63 is already in the tree, we can go ahead and stabilize it.

Stable for HPPA.

amd64 stable stable ppc ppc64 stable arm arm stable alpha/ia64/s390/sh/sparc/x86 stable

Thanks, everyone. GLSA vote: yes.

It's worth noting this issue is libvirt + dnsmasq so you need a fixed libvirt to call this done. All versions in the tree are vulnerable, we haven't released an official fix yet. I'm also on dev away starting tomorrow until Dec 3rd.

(In reply to comment #9)
> It's worth noting this issue is libvirt + dnsmasq so you need a fixed
> libvirt to call this done. All versions in the tree are vulnerable, we
> haven't released an official fix yet. I'm also on dev away starting tomorrow
> until Dec 3rd.

Thanks for the info, Doug. Resetting to ebuild status to take care of libvirt.

CVE-2012-3411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3411): Dnsmasq before 2.63test1, when used with certain libvirt configurations, replies to requests from prohibited interfaces, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed DNS query.

Vulnerable versions are gone from tree, let's vote. GLSA vote: no

GLSA vote: no. Closing as [noglsa].

re-opening for glsa together with bug 453170 (incomplete fix of this bug)

This issue was resolved and addressed in GLSA 201406-24 at http://security.gentoo.org/glsa/glsa-201406-24.xml by GLSA coordinator Mikle Kolyada (Zlogene).