Register | Log in

dnsmasq

Small caching DNS proxy and DHCP/TFTP server - system daemon

Choose email to subscribe with

general

source: dnsmasq (main)
version: 2.90-4
maintainer: Simon Kelley (DMD)
uploaders: Sven Geuer [DMD]
arch: all any
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.80-1+deb10u1
o-o-sec: 2.80-1+deb10u1
oldstable: 2.85-1
stable: 2.89-1
testing: 2.90-4
unstable: 2.90-4

versioned links

2.80-1+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.85-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.89-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.90-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

dnsmasq (47 bugs: 0, 35, 12, 0)
dnsmasq-base (4 bugs: 0, 2, 2, 0)
dnsmasq-base-lua
dnsmasq-utils (1 bugs: 0, 1, 0, 0)

action needed

4 security issues in bullseye high

There are 4 open security issues in bullseye.

2 important issues:

CVE-2023-50387: Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
CVE-2023-50868: The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

2 issues postponed or untriaged:

CVE-2022-0934: (needs triaging) A single-byte, non-arbitrary write/use-after-free flaw was found in dnsmasq. This flaw allows an attacker who sends a crafted packet processed by dnsmasq, potentially causing a denial of service.
CVE-2023-28450: (needs triaging) An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020.

Created: 2022-07-04 Last update: 2024-09-23 23:03

6 security issues in buster high

There are 6 open security issues in buster.

2 important issues:

CVE-2023-50387: Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
CVE-2023-50868: The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

4 issues postponed or untriaged:

CVE-2021-3448: (postponed; to be fixed through a stable update) A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity.
CVE-2022-0934: (needs triaging) A single-byte, non-arbitrary write/use-after-free flaw was found in dnsmasq. This flaw allows an attacker who sends a crafted packet processed by dnsmasq, potentially causing a denial of service.
CVE-2019-14834: (needs triaging) A vulnerability was found in dnsmasq before version 2.81, where the memory leak allows remote attackers to cause a denial of service (memory consumption) via vectors involving DHCP response creation.
CVE-2023-28450: (needs triaging) An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020.

Created: 2024-02-13 Last update: 2024-06-29 13:15

4 bugs tagged patch in the BTS normal

The BTS contains patches fixing 4 bugs, consider including or untagging them.

Created: 2024-02-25 Last update: 2024-11-15 21:31

lintian reports 3 warnings normal

Lintian reports 3 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2024-05-18 Last update: 2024-07-30 18:02

news

[2024-05-20] dnsmasq 2.90-4 MIGRATED to testing (Debian testing watch)
[2024-05-17] Accepted dnsmasq 2.90-4 (source) into unstable (Sven Geuer)
[2024-05-03] dnsmasq 2.90-3 MIGRATED to testing (Debian testing watch)
[2024-03-10] Accepted dnsmasq 2.90-3 (source) into unstable (Sven Geuer)
[2024-02-17] dnsmasq 2.90-2 MIGRATED to testing (Debian testing watch)
[2024-02-17] dnsmasq 2.90-2 MIGRATED to testing (Debian testing watch)
[2024-02-15] Accepted dnsmasq 2.90-2 (source) into unstable (Simon Kelley)
[2024-02-13] Accepted dnsmasq 2.90-1 (source) into unstable (Simon Kelley)
[2023-02-15] dnsmasq 2.89-1 MIGRATED to testing (Debian testing watch)
[2023-02-05] Accepted dnsmasq 2.89-1 (source) into unstable (Simon Kelley)
[2022-12-15] dnsmasq 2.88-1 MIGRATED to testing (Debian testing watch)
[2022-12-04] Accepted dnsmasq 2.88-1 (source) into unstable (Simon Kelley)
[2022-10-20] dnsmasq 2.87-1.1 MIGRATED to testing (Debian testing watch)
[2022-10-15] Accepted dnsmasq 2.87-1.1 (source) into unstable (Michael Biebl)
[2022-10-06] dnsmasq 2.87-1 MIGRATED to testing (Debian testing watch)
[2022-09-25] Accepted dnsmasq 2.87-1 (source) into unstable (Simon Kelley)
[2021-11-20] dnsmasq 2.86-1.1 MIGRATED to testing (Debian testing watch)
[2021-11-12] Accepted dnsmasq 2.86-1.1 (source) into unstable (Michael Biebl)
[2021-09-08] Accepted dnsmasq 2.86-1 (source) into unstable (Simon Kelley)
[2021-04-17] dnsmasq 2.85-1 MIGRATED to testing (Debian testing watch)
[2021-04-07] Accepted dnsmasq 2.85-1 (source) into unstable (Simon Kelley)
[2021-04-01] Accepted dnsmasq 2.84-1.2 (source) into unstable (Andreas Beckmann)
[2021-03-30] Accepted dnsmasq 2.84-1.1 (source) into unstable (Sébastien Villemot)
[2021-03-22] Accepted dnsmasq 2.76-5+deb9u3 (source) into oldstable (Sylvain Beucler)
[2021-02-06] Accepted dnsmasq 2.80-1+deb10u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Sebastien Delafond)
[2021-02-05] dnsmasq 2.84-1 MIGRATED to testing (Debian testing watch)
[2021-02-02] Accepted dnsmasq 2.80-1+deb10u1 (source) into stable->embargoed, stable (Debian FTP Masters) (signed by: Sebastien Delafond)
[2021-01-25] Accepted dnsmasq 2.84-1 (source) into unstable (Simon Kelley)
[2021-01-23] dnsmasq 2.83-1 MIGRATED to testing (Debian testing watch)
[2021-01-19] Accepted dnsmasq 2.83-1 (source) into unstable (Simon Kelley)

1
2

bugs [bug history graph]

all: 51 54
RC: 0
I&N: 37 40
M&W: 14
F&P: 0
patch: 4

links

homepage
lintian (0, 3)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (-, 39)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.90-4
35 bugs

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing