Bugzilla – Bug 983273
VUL-1: CVE-2015-8899: dnsmasq: denial of service between local and remote dns entries
Last modified: 2017-06-20 12:45:19 UTC
CVE-2015-8899 via oss-sec Fix crash when an A or AAAA record is defined locally, in a hosts file, and an upstream server sends a reply that the same name is empty. http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=41a8d9e99be9f2cc8b02051dd322cb45e0faac87 https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1581181 References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8899 http://seclists.org/oss-sec/2016/q2/470
sle11 sp2 and older do not seem to have the code. we introduce the buggy? code in our 2.71 versions by a local patch dnsmasq-local-cache.patch
so sle11 sp3, sp4, sle12 ga anbd sp1 codestreams affected
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html has some form of reproducer.
(so far not considering an update, as this is largely a local issue)
bugbot adjusting priority
Upstream version 2.75 was affected as well, and I've just upgraded Factory to 2.76, which already contains the fix. (In reply to Marcus Meissner from comment #4) > (so far not considering an update, as this is largely a local issue) So, can we close this, or how shall we proceed?
This is an autogenerated message for OBS integration: This bug (983273) was mentioned in https://build.opensuse.org/request/show/416775 Factory / dnsmasq
please submit if you want to gt it off your list, we will stage it for further updates.
Done.
*** Bug 1012019 has been marked as a duplicate of this bug. ***
Maybe we should release this, given that customers actually hit the crash.
I will queue the incidents for QA now.
SUSE-SU-2016:3199-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 983273 CVE References: CVE-2015-8899 Sources used: SUSE Linux Enterprise Server 11-SP4 (src): dnsmasq-2.71-0.16.3 SUSE Linux Enterprise Debuginfo 11-SP4 (src): dnsmasq-2.71-0.16.3
SUSE-SU-2016:3257-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 983273 CVE References: CVE-2015-8899 Sources used: SUSE OpenStack Cloud Compute 5 (src): dnsmasq-2.71-6.3.1
SUSE-SU-2016:3269-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 983273 CVE References: CVE-2015-8899 Sources used: SUSE OpenStack Cloud 6 (src): dnsmasq-2.71-13.1 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): dnsmasq-2.71-13.1 SUSE Linux Enterprise Server 12-SP2 (src): dnsmasq-2.71-13.1 SUSE Linux Enterprise Server 12-SP1 (src): dnsmasq-2.71-13.1 SUSE Linux Enterprise Desktop 12-SP2 (src): dnsmasq-2.71-13.1 SUSE Linux Enterprise Desktop 12-SP1 (src): dnsmasq-2.71-13.1
openSUSE-SU-2017:0016-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 983273 CVE References: CVE-2015-8899 Sources used: openSUSE Leap 42.2 (src): dnsmasq-2.71-8.1 openSUSE Leap 42.1 (src): dnsmasq-2.71-9.1
released