Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 632692 (CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496)

Summary: <net-dns/dnsmasq-2.78: Multiple vulnerabilities
Product: Gentoo Security Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: critical CC: arthur, chutzpah, luke
Priority: High Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
Whiteboard: A1 [glsa cve]
Package list:
=net-dns/dnsmasq-2.78
 Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-10-02 14:16:18 UTC 
@maintainers: c.f previous communication, the following issue is now public:

"""
Dnsmasq git repo is now up-to-date, and the 2.78 release it in the
website download directory.
"""
Comment 1 Larry the Git Cow gentoo-dev 2017-10-02 16:38:00 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5383e3fce7a501407d7a2e8c41efa766d3df2d67

commit 5383e3fce7a501407d7a2e8c41efa766d3df2d67
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2017-10-02 16:37:09 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2017-10-02 16:37:48 +0000

    net-dns/dnsmasq: Version bump for #632692
    
    Security version bump for these CVEs:
    CVE-2017-14491
    CVE-2017-14492
    CVE-2017-14493
    CVE-2017-14494
    CVE-2017-14495
    CVE-2017-14496
    
    Also make the relad action use start-stop-daemon.
    
    Bug: https://bugs.gentoo.org/632692
    Closes: https://bugs.gentoo.org/629284
    Package-Manager: Portage-2.3.10, Repoman-2.3.3

 net-dns/dnsmasq/Manifest                   |   1 +
 net-dns/dnsmasq/dnsmasq-2.78.ebuild        | 198 +++++++++++++++++++++++++++++
 net-dns/dnsmasq/files/dnsmasq-init-dhcp-r2 |  29 +++++
 net-dns/dnsmasq/files/dnsmasq-init-r3      |  23 ++++
 4 files changed, 251 insertions(+)}
Comment 2 Patrick McLean gentoo-dev 2017-10-02 16:38:29 UTC 
net-dns/dnsmasq-2.78 is now in the tree, we should be good to stabilize.
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-02 16:54:53 UTC 
(In reply to Patrick McLean from comment #2)
> net-dns/dnsmasq-2.78 is now in the tree, we should be good to stabilize.

Thank you.

@Arches please test and mark stable.

Gentoo Security Padawan
ChrisADR
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-02 23:45:58 UTC 
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-10-03 10:53:40 UTC 
amd64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-03 15:26:32 UTC 
ia64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-04 08:53:32 UTC 
ppc64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-05 08:43:07 UTC 
ppc stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-05 09:48:17 UTC 
hppa/sparc stable (thanks to Rolf Eike Beer)
Comment 10 Markus Meier gentoo-dev 2017-10-16 18:14:49 UTC 
arm stable
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2017-10-22 21:49:08 UTC 
Stable on alpha.
Comment 12 Aleksandr Wagner (Kivak) 2017-10-22 22:05:41 UTC 
Stabilization is complete, thank you arches.

@ Maintainer(s): Please clean the vulnerable versions from the tree.

@ Security: Please vote on whether a glsa is needed or not.

Gentoo Security Padawan
Kivak
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-10-23 01:47:22 UTC 
This issue was resolved and addressed in
 GLSA 201710-27 at https://security.gentoo.org/glsa/201710-27
by GLSA coordinator Aaron Bauman (b-man).
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2017-10-23 01:48:46 UTC 
re-opened for cleanup.
Comment 15 Pacho Ramos gentoo-dev 2017-12-04 13:00:30 UTC 
*** Bug 630296 has been marked as a duplicate of this bug. ***
Comment 16 Pacho Ramos gentoo-dev 2017-12-04 13:00:34 UTC 
*** Bug 624510 has been marked as a duplicate of this bug. ***