Please bump dnsmasq to 2.63
Copy & Paste from: https://bugs.mageia.org/show_bug.cgi?id=7466#c4
Updated dnsmasq packages fix security vulnerabilities:
When dnsmasq before 2.63 is used in conjunction with certain configurations of
libvirtd, network packets from prohibited networks (e.g. packets that
should not be passed in) may be sent to the dnsmasq application and
processed. This can result in DNS amplification attacks, for example.
net-dns/dnsmasq-2.63 is already in the tree, we can go ahead and stabilize it.
Stable for HPPA.
stable ppc ppc64
GLSA vote: yes.
It's worth noting this issue is libvirt + dnsmasq so you need a fixed libvirt to call this done. All versions in the tree are vulnerable, we haven't released an official fix yet. I'm also on dev away starting tomorrow until Dec 3rd.
(In reply to comment #9)
> It's worth noting this issue is libvirt + dnsmasq so you need a fixed
> libvirt to call this done. All versions in the tree are vulnerable, we
> haven't released an official fix yet. I'm also on dev away starting tomorrow
> until Dec 3rd.
Thanks for the info, Doug.
Resetting to ebuild status to take care of libvirt.
Dnsmasq before 2.63test1, when used with certain libvirt configurations,
replies to requests from prohibited interfaces, which allows remote
attackers to cause a denial of service (traffic amplification) via a spoofed
Vulnerable versions are gone from tree, let's vote
GLSA vote: no
GLSA vote: no.
Closing as [noglsa].
re-opening for glsa together with bug 453170 (incomplete fix of this bug)
This issue was resolved and addressed in
GLSA 201406-24 at http://security.gentoo.org/glsa/glsa-201406-24.xml
by GLSA coordinator Mikle Kolyada (Zlogene).