Debian Package Tracker
Register | Log in
Subscribe

dnsmasq

Small caching DNS proxy and DHCP/TFTP server - system daemon

Choose email to subscribe with

general
  • source: dnsmasq (main)
  • version: 2.91-1
  • maintainer: Simon Kelley (DMD)
  • uploaders: Sven Geuer [DMD]
  • arch: all any
  • std-ver: 4.7.2
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2.80-1+deb10u1
  • o-o-sec: 2.80-1+deb10u3
  • oldstable: 2.85-1
  • old-sec: 2.85-1+deb11u1
  • stable: 2.90-4~deb12u1
  • testing: 2.91-1
  • unstable: 2.91-1
versioned links
  • 2.80-1+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.80-1+deb10u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.85-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.85-1+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.90-4~deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.91-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • dnsmasq (35 bugs: 0, 27, 8, 0)
  • dnsmasq-base (3 bugs: 0, 1, 2, 0)
  • dnsmasq-base-lua
  • dnsmasq-utils (1 bugs: 0, 1, 0, 0)
action needed
6 security issues in buster high

There are 6 open security issues in buster.

2 important issues:
  • CVE-2023-50387: Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
  • CVE-2023-50868: The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
4 issues postponed or untriaged:
  • CVE-2021-3448: (postponed; to be fixed through a stable update) A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity.
  • CVE-2022-0934: (needs triaging) A single-byte, non-arbitrary write/use-after-free flaw was found in dnsmasq. This flaw allows an attacker who sends a crafted packet processed by dnsmasq, potentially causing a denial of service.
  • CVE-2019-14834: (needs triaging) A vulnerability was found in dnsmasq before version 2.81, where the memory leak allows remote attackers to cause a denial of service (memory consumption) via vectors involving DHCP response creation.
  • CVE-2023-28450: (needs triaging) An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020.
Created: 2024-02-13 Last update: 2024-06-29 13:15
2 bugs tagged patch in the BTS normal
The BTS contains patches fixing 2 bugs, consider including or untagging them.
Created: 2025-01-06 Last update: 2025-05-22 20:00
lintian reports 3 warnings normal
Lintian reports 3 warnings about this package. You should make the package lintian clean getting rid of them.
Created: 2025-03-21 Last update: 2025-04-11 08:00
news
[rss feed]
  • [2025-03-23] dnsmasq 2.91-1 MIGRATED to testing (Debian testing watch)
  • [2025-03-20] Accepted dnsmasq 2.91-1 (source) into unstable (Sven Geuer)
  • [2025-01-29] dnsmasq 2.91~test9-1 MIGRATED to testing (Debian testing watch)
  • [2025-01-23] Accepted dnsmasq 2.91~test9-1 (source) into unstable (Sven Geuer)
  • [2025-01-15] dnsmasq 2.91~test6-1 MIGRATED to testing (Debian testing watch)
  • [2025-01-13] Accepted dnsmasq 2.91~test6-1 (source) into unstable (Sven Geuer)
  • [2025-01-04] Accepted dnsmasq 2.90-4~deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Mark Lee Garrett)
  • [2024-12-20] dnsmasq 2.90-7 MIGRATED to testing (Debian testing watch)
  • [2024-12-17] Accepted dnsmasq 2.90-7 (source) into unstable (Sven Geuer)
  • [2024-12-13] dnsmasq 2.90-6 MIGRATED to testing (Debian testing watch)
  • [2024-12-10] Accepted dnsmasq 2.90-6 (source) into unstable (Sven Geuer)
  • [2024-11-30] Accepted dnsmasq 2.80-1+deb10u3 (source) into oldoldstable (Lee Garrett) (signed by: Mark Lee Garrett)
  • [2024-11-29] Accepted dnsmasq 2.85-1+deb11u1 (source) into oldstable-security (Lee Garrett) (signed by: Mark Lee Garrett)
  • [2024-11-26] dnsmasq 2.90-5 MIGRATED to testing (Debian testing watch)
  • [2024-11-23] Accepted dnsmasq 2.90-5 (source) into unstable (Sven Geuer)
  • [2024-05-20] dnsmasq 2.90-4 MIGRATED to testing (Debian testing watch)
  • [2024-05-17] Accepted dnsmasq 2.90-4 (source) into unstable (Sven Geuer)
  • [2024-05-03] dnsmasq 2.90-3 MIGRATED to testing (Debian testing watch)
  • [2024-03-10] Accepted dnsmasq 2.90-3 (source) into unstable (Sven Geuer)
  • [2024-02-17] dnsmasq 2.90-2 MIGRATED to testing (Debian testing watch)
  • [2024-02-17] dnsmasq 2.90-2 MIGRATED to testing (Debian testing watch)
  • [2024-02-15] Accepted dnsmasq 2.90-2 (source) into unstable (Simon Kelley)
  • [2024-02-13] Accepted dnsmasq 2.90-1 (source) into unstable (Simon Kelley)
  • [2023-02-15] dnsmasq 2.89-1 MIGRATED to testing (Debian testing watch)
  • [2023-02-05] Accepted dnsmasq 2.89-1 (source) into unstable (Simon Kelley)
  • [2022-12-15] dnsmasq 2.88-1 MIGRATED to testing (Debian testing watch)
  • [2022-12-04] Accepted dnsmasq 2.88-1 (source) into unstable (Simon Kelley)
  • [2022-10-20] dnsmasq 2.87-1.1 MIGRATED to testing (Debian testing watch)
  • [2022-10-15] Accepted dnsmasq 2.87-1.1 (source) into unstable (Michael Biebl)
  • [2022-10-06] dnsmasq 2.87-1 MIGRATED to testing (Debian testing watch)
  • 1
  • 2
bugs [bug history graph]
  • all: 37 40
  • RC: 0
  • I&N: 27 30
  • M&W: 10
  • F&P: 0
  • patch: 2
links
  • homepage
  • lintian (0, 3)
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • l10n (-, 39)
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 2.91-1
  • 33 bugs

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing