Bug 1525876 - Google Security Blog found vulnerabilities former to version 2.78.
Summary: Google Security Blog found vulnerabilities former to version 2.78.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: dnsmasq
Version: 27
Hardware: All
OS: All
unspecified
high
Target Milestone: ---
Assignee: Petr Menšík
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-12-14 09:53 UTC by ricky.tigg
Modified: 2017-12-19 19:51 UTC (History)
10 users (show)

Fixed In Version: dnsmasq-2.78-1.fc27
Clone Of:
Environment:
Last Closed: 2017-12-19 19:51:15 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description ricky.tigg 2017-12-14 09:53:56 UTC 
Description of problem:
It is noticeable that regarding DNS vulnerabilities found (CVE-2017-{14491-14496} specifically categorized as security issues, and CVE-2017-13704) and publicized on October 2, 2017 on the Google Security Blog (https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html), respective patches have been committed as illustrated on http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=summary, and are implemented in the version 2.78 as the statement suggests: «Users who have deployed the latest version of Dnsmasq (2.78) will be protected from the attacks discovered here.»

Version-Release number of selected component (if applicable):
dnsmasq-2.77-9.fc27.x86_64

Actual results:
Fedora makes available tu public a component not up to date on its Updates repository, and consequently using any version former to 2.78 is unsafe.

Expected results:
At least version 2.78 to be made available on repository.

Additional info:
Regarding issue CVE-2017-14491, no less than two security fixes have been committed in a short laps time, which may be interpreted generally as some of the committed patches may not have a persistent effect against the vulnerabilities they tended to fix along with the releases of the firsts security patches, and suggests that despite security fixes have been committed, in the cases they are unique to a specific issue, they may not have accomplished entirely their goals.
Comment 1 Petr Menšík 2017-12-15 16:50:14 UTC 
It is not true we offer vulnerable version of dnsmasq. If you check change log, all security vulnerabilities are fixed by downstream patches. These fixes are there, current version is NOT vulnerable. New version is already offered in rawhide, but both should be equally secure.

Tough the same build as rawhide can be use for F27 as well. It offers no greater security, just higher version.
Comment 2 Fedora Update System 2017-12-15 16:55:31 UTC 
dnsmasq-2.78-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f77158a69
Comment 3 Fedora Update System 2017-12-16 14:38:52 UTC 
dnsmasq-2.78-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4f77158a69
Comment 4 ricky.tigg 2017-12-16 19:12:03 UTC 
Following the instructions mentioned in document from the link provided in  Comment 3, the output from the command 
$ sudo dnf install -y dnsmasq --enablerepo=updates-testing
is:
Package dnsmasq-2.77-9.fc27.x86_64 is already installed, skipping.
As a result the component installed remains the one from the Fedora 27 updates repository.
Comment 5 Fedora Update System 2017-12-19 19:51:15 UTC 
dnsmasq-2.78-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.