* bug#47674: dnsmasq is vulnerable to CVE-2021-3448
@ 2021-04-09 15:10 Nicolò Balzarotti
2021-04-09 19:33 ` Leo Famulari
` (3 more replies)
0 siblings, 4 replies; 9+ messages in thread
From: Nicolò Balzarotti @ 2021-04-09 15:10 UTC (permalink / raw)
To: 47674
[-- Attachment #1: Type: text/plain, Size: 920 bytes --]
CVE-2021-3448
A flaw was found in dnsmasq in versions before 2.85. When configured to
use a specific server for a given network interface, dnsmasq uses a
fixed port while forwarding queries. An attacker on the network, able to
find the outgoing port used by dnsmasq, only needs to guess the random
transmission ID to forge a reply and get it accepted by dnsmasq. This
flaw makes a DNS Cache Poisoning attack much easier. The highest threat
from this vulnerability is to data integrity.
guix ships dnsmasq@2.84. guix refresh shows version 2.85 is available,
and there are 43 dependent packages so this can go directly to master.
All dependent packages (refresh -l) build fine except for
python2-libvirt@7.2.0, which is failing also on master
(libvirt-python requires Python >= 3.5 to build). Since it's a python2
package and no other packages depends on it, can we just drop it?
Thanks, Nicolò
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-gnu-dnsmasq-Update-to-2.85.patch --]
[-- Type: text/x-patch, Size: 1173 bytes --]
From a0932442c6c72d1e1a2a0f400f8afa487251189d Mon Sep 17 00:00:00 2001
From: nixo <nicolo@nixo.xyz>
Date: Fri, 9 Apr 2021 16:19:03 +0200
Subject: [PATCH] gnu: dnsmasq: Update to 2.85.
* gnu/packages/dns.scm (dnsmasq): Update to 2.85.
---
gnu/packages/dns.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index c940657ce9..3cf88febae 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -278,7 +278,7 @@ prompt the user with the option to go with insecure DNS only.")
(define-public dnsmasq
(package
(name "dnsmasq")
- (version "2.84")
+ (version "2.85")
(source (origin
(method url-fetch)
(uri (string-append
@@ -286,7 +286,7 @@ prompt the user with the option to go with insecure DNS only.")
version ".tar.xz"))
(sha256
(base32
- "0305a0c3snwqcv77sipyynr55xip1fp2843yn04pc4vk9g39acb0"))))
+ "1yhjwgz8g5qrqvxh6bbmg3443zi8qqjks3q872wyb1zn7n0d765d"))))
(build-system gnu-build-system)
(native-inputs
`(("pkg-config" ,pkg-config)))
--
2.31.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* bug#47674: dnsmasq is vulnerable to CVE-2021-3448
2021-04-09 15:10 bug#47674: dnsmasq is vulnerable to CVE-2021-3448 Nicolò Balzarotti
@ 2021-04-09 19:33 ` Leo Famulari
2021-04-09 19:34 ` Leo Famulari
` (2 subsequent siblings)
3 siblings, 0 replies; 9+ messages in thread
From: Leo Famulari @ 2021-04-09 19:33 UTC (permalink / raw)
To: Nicolò Balzarotti; +Cc: 47674
[-- Attachment #1: Type: text/plain, Size: 1022 bytes --]
On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> CVE-2021-3448
>
> A flaw was found in dnsmasq in versions before 2.85. When configured to
> use a specific server for a given network interface, dnsmasq uses a
> fixed port while forwarding queries. An attacker on the network, able to
> find the outgoing port used by dnsmasq, only needs to guess the random
> transmission ID to forge a reply and get it accepted by dnsmasq. This
> flaw makes a DNS Cache Poisoning attack much easier. The highest threat
> from this vulnerability is to data integrity.
>
> guix ships dnsmasq@2.84. guix refresh shows version 2.85 is available,
> and there are 43 dependent packages so this can go directly to master.
>
> All dependent packages (refresh -l) build fine except for
> python2-libvirt@7.2.0, which is failing also on master
> (libvirt-python requires Python >= 3.5 to build). Since it's a python2
> package and no other packages depends on it, can we just drop it?
Yes, sounds good.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#47674: dnsmasq is vulnerable to CVE-2021-3448
2021-04-09 15:10 bug#47674: dnsmasq is vulnerable to CVE-2021-3448 Nicolò Balzarotti
2021-04-09 19:33 ` Leo Famulari
@ 2021-04-09 19:34 ` Leo Famulari
2021-04-09 19:38 ` Leo Famulari
2021-04-10 22:27 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
3 siblings, 0 replies; 9+ messages in thread
From: Leo Famulari @ 2021-04-09 19:34 UTC (permalink / raw)
To: Nicolò Balzarotti; +Cc: 47674-done
On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> From a0932442c6c72d1e1a2a0f400f8afa487251189d Mon Sep 17 00:00:00 2001
> From: nixo <nicolo@nixo.xyz>
> Date: Fri, 9 Apr 2021 16:19:03 +0200
> Subject: [PATCH] gnu: dnsmasq: Update to 2.85.
>
> * gnu/packages/dns.scm (dnsmasq): Update to 2.85.
Looks like this change was already done with commit
c8d809f9a49c2b4ec5500c2685e96168dcd9afa9
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#47674: dnsmasq is vulnerable to CVE-2021-3448
2021-04-09 15:10 bug#47674: dnsmasq is vulnerable to CVE-2021-3448 Nicolò Balzarotti
2021-04-09 19:33 ` Leo Famulari
2021-04-09 19:34 ` Leo Famulari
@ 2021-04-09 19:38 ` Leo Famulari
2021-04-09 19:47 ` Nicolò Balzarotti
2021-04-10 22:27 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
3 siblings, 1 reply; 9+ messages in thread
From: Leo Famulari @ 2021-04-09 19:38 UTC (permalink / raw)
To: Nicolò Balzarotti; +Cc: 47674
On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
> All dependent packages (refresh -l) build fine except for
> python2-libvirt@7.2.0, which is failing also on master
> (libvirt-python requires Python >= 3.5 to build). Since it's a python2
> package and no other packages depends on it, can we just drop it?
I notice that python2-libvirt builds okay on staging:
https://ci.guix.gnu.org/search?query=python2-libvirt&border-high-id=134835
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#47674: dnsmasq is vulnerable to CVE-2021-3448
2021-04-09 19:38 ` Leo Famulari
@ 2021-04-09 19:47 ` Nicolò Balzarotti
2021-04-09 20:07 ` Leo Famulari
0 siblings, 1 reply; 9+ messages in thread
From: Nicolò Balzarotti @ 2021-04-09 19:47 UTC (permalink / raw)
To: Leo Famulari; +Cc: 47674
Leo Famulari <leo@famulari.name> writes:
> On Fri, Apr 09, 2021 at 05:10:43PM +0200, Nicolò Balzarotti wrote:
>> All dependent packages (refresh -l) build fine except for
>> python2-libvirt@7.2.0, which is failing also on master
>> (libvirt-python requires Python >= 3.5 to build). Since it's a python2
>> package and no other packages depends on it, can we just drop it?
>
> I notice that python2-libvirt builds okay on staging:
>
> https://ci.guix.gnu.org/search?query=python2-libvirt&border-high-id=134835
Staging has an older version (5.8 vs 7.2, which has been released in
november 2019 [fn:1] though), and it got updated a few days ago
(28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
fail on staging too. Am I wrong?
[fn:1] https://pypi.org/project/libvirt-python/#history
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#47674: dnsmasq is vulnerable to CVE-2021-3448
2021-04-09 19:47 ` Nicolò Balzarotti
@ 2021-04-09 20:07 ` Leo Famulari
2021-04-10 21:39 ` Nicolò Balzarotti
2021-04-10 22:05 ` Leo Famulari
0 siblings, 2 replies; 9+ messages in thread
From: Leo Famulari @ 2021-04-09 20:07 UTC (permalink / raw)
To: Nicolò Balzarotti; +Cc: 47674
On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
> Staging has an older version (5.8 vs 7.2, which has been released in
> november 2019 [fn:1] though), and it got updated a few days ago
> (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
> fail on staging too. Am I wrong?
Ah, could be. The new staging builds haven't been performed yet.
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#47674: dnsmasq is vulnerable to CVE-2021-3448
2021-04-09 20:07 ` Leo Famulari
@ 2021-04-10 21:39 ` Nicolò Balzarotti
2021-04-10 22:05 ` Leo Famulari
1 sibling, 0 replies; 9+ messages in thread
From: Nicolò Balzarotti @ 2021-04-10 21:39 UTC (permalink / raw)
To: Leo Famulari; +Cc: 47674
Leo Famulari <leo@famulari.name> writes:
> On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
>> Staging has an older version (5.8 vs 7.2, which has been released in
>> november 2019 [fn:1] though), and it got updated a few days ago
>> (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
>> fail on staging too. Am I wrong?
>
> Ah, could be. The new staging builds haven't been performed yet.
Failed both i686 and x86_64 on staging
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#47674: dnsmasq is vulnerable to CVE-2021-3448
2021-04-09 20:07 ` Leo Famulari
2021-04-10 21:39 ` Nicolò Balzarotti
@ 2021-04-10 22:05 ` Leo Famulari
1 sibling, 0 replies; 9+ messages in thread
From: Leo Famulari @ 2021-04-10 22:05 UTC (permalink / raw)
To: Nicolò Balzarotti; +Cc: 47674
On Fri, Apr 09, 2021 at 04:07:07PM -0400, Leo Famulari wrote:
> On Fri, Apr 09, 2021 at 09:47:13PM +0200, Nicolò Balzarotti wrote:
> > Staging has an older version (5.8 vs 7.2, which has been released in
> > november 2019 [fn:1] though), and it got updated a few days ago
> > (28cc447fc5bd0a219ad54836a343826cc34d9bd7) if I'm not wrong, so it should
> > fail on staging too. Am I wrong?
>
> Ah, could be. The new staging builds haven't been performed yet.
Thanks for following up. Sure, I think it's fine to remove a package
if it does not build and has no dependents.
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#47674: dnsmasq is vulnerable to CVE-2021-3448
2021-04-09 15:10 bug#47674: dnsmasq is vulnerable to CVE-2021-3448 Nicolò Balzarotti
` (2 preceding siblings ...)
2021-04-09 19:38 ` Leo Famulari
@ 2021-04-10 22:27 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
3 siblings, 0 replies; 9+ messages in thread
From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2021-04-10 22:27 UTC (permalink / raw)
To: Nicolò Balzarotti; +Cc: 47674
[-- Attachment #1: Type: text/plain, Size: 378 bytes --]
Nicolò,
Nicolò Balzarotti writes:
> gnu/packages/dns.scm (dnsmasq): Update to 2.85.
I see you managed to aim this beautifully between me searching the
issue tracker for ‘dnsmasq’ and me actually pushing an update, so
well done I guess.
(Also: sorry for the duplicated effort, and thanks for keeping an
eye on the securities. :-)
Kind regards,
T G-R
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 247 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2021-04-10 22:28 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-04-09 15:10 bug#47674: dnsmasq is vulnerable to CVE-2021-3448 Nicolò Balzarotti
2021-04-09 19:33 ` Leo Famulari
2021-04-09 19:34 ` Leo Famulari
2021-04-09 19:38 ` Leo Famulari
2021-04-09 19:47 ` Nicolò Balzarotti
2021-04-09 20:07 ` Leo Famulari
2021-04-10 21:39 ` Nicolò Balzarotti
2021-04-10 22:05 ` Leo Famulari
2021-04-10 22:27 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).