Summary: | <net-dns/dnsmasq-2.72-r2: unchecked return value of the setup_reply() function (CVE-2015-3294) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | chutzpah |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1215747 | ||
Whiteboard: | B2 [glsa cleanup cve] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2015-04-28 07:01:45 UTC
Pulled in fix from git to dnsmasq-2.72-r1, it is ready for stabilization. CVE-2015-3294 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3294): The tcp_request function in Dnsmasq before 2.73rc4 does not properly handle the return value of the setup_reply function, which allows remote attackers to read process memory and cause a denial of service (out-of-bounds read and crash) via a malformed DNS request. (In reply to Patrick McLean from comment #1) > Pulled in fix from git to dnsmasq-2.72-r1, it is ready for stabilization. This was missed, do you still want to stable dnsmasq-2.72-r1 or later version as there are two later in tree. Use 2.72-r2 since 2.73 is too new to be stabilized yet, and the only change from -r1 to -r2 is a lua dependency tweak. Arches, please stabilize: =net-dns/dnsmasq-2.72-r1 Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 (In reply to Kristian Fiskerstrand from comment #5) > Arches, please stabilize: > =net-dns/dnsmasq-2.72-r1 > Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 Sorry, misread, that should be =net-dns/dnsmasq-2.72-r2 Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 amd64 stable x86 stable sparc stable arm stable Stable for HPPA. Stable for PPC64. ppc stable alpha stable ia64 stable Arches, Thank you for your work. Maintainer(s), please drop the vulnerable version(s). New GLSA Request filed. It has been 30 days+ since cleanup requested. Maintainer(s), please drop the vulnerable version(s). This issue was resolved and addressed in GLSA 201512-01 at https://security.gentoo.org/glsa/201512-01 by GLSA coordinator Yury German (BlueKnight). Re-Openning for Cleanup Maintainer(s), please drop the vulnerable version(s). Can we please clean up version =net-dns/dnsmasq-2.66 please. Vulnerable since last year. |