A vulnerability was found in dmsmasq. A Denial-of-service will occur when an A or AAAA record is defined locally, in a hosts file, and an upstream server sends a reply that the same name is empty. Upstream bug: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010479.html Upstream fix: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=41a8d9e99be9f2cc8b02051dd322cb45e0faac87
Created dnsmasq tracking bugs for this issue: Affects: fedora-all [bug 1343073]
Low impact as the worst this can cause is a denial of service. Vulnerable code was introduced in v2.73: all RHEL versions ship earlier versions of dnsmasq which are not affected by this issue.
Created attachment 1166437 [details] Patch for version2.75 http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=41a8d9e99be9f2cc8b02051dd322cb45e0faac87
Same as RHEL (see comment #2). All RHOSP versions ship earlier dnsmasq versions (either 2.48 or 2.66), and are not affected by this issue.