Debian Package Tracker

dnsmasq

Small caching DNS proxy and DHCP/TFTP server - system daemon

general
  • source: dnsmasq (main)
  • version: 2.92-4
  • maintainer: Simon Kelley (DMD)
  • uploaders: Sven Geuer [DMD]
  • arch: all any
  • std-ver: 4.7.3
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2.85-1
  • o-o-sec: 2.85-1+deb11u1
  • oldstable: 2.90-4~deb12u1
  • old-sec: 2.90-4~deb12u2
  • stable: 2.91-1
  • stable-sec: 2.91-1+deb13u1
  • testing: 2.92-4
  • unstable: 2.92-4
versioned links
  • 2.85-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.85-1+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.90-4~deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.90-4~deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.91-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.91-1+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.92-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.92-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • dnsmasq (35 bugs: 0, 27, 8, 0)
  • dnsmasq-base (3 bugs: 0, 1, 2, 0)
  • dnsmasq-base-lua
  • dnsmasq-utils (1 bugs: 0, 1, 0, 0)
action needed
Debci reports failed tests high
  • unstable: pass (log)
    The tests ran in 0:03:51
    Last run: 2026-04-20T18:14:31.000Z
    Previous status: unknown

  • testing: fail (log)
    The tests ran in 0:03:22
    Last run: 2026-02-22T21:49:46.000Z
    Previous status: unknown

  • stable: pass (log)
    The tests ran in 0:02:24
    Last run: 2026-04-13T08:28:32.000Z
    Previous status: unknown

Created: 2026-02-18 Last update: 2026-05-12 06:48
6 security issues in sid high

There are 6 open security issues in sid.

6 important issues:
  • CVE-2026-2291: dnsmasq's extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups to redirect to an attacker-controlled IP address, or to cause a DoS.
  • CVE-2026-4890: A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
  • CVE-2026-4891: A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
  • CVE-2026-4892: A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet.
  • CVE-2026-4893: An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subnet information.
  • CVE-2026-5172: A buffer overflow in dnsmasq’s extract_addresses() function allows an attacker to trigger a heap out-of-bounds read and crash by exploiting a malformed DNS response, enabling extract_name() to advance the pointer past the record’s end.
Created: 2026-05-11 Last update: 2026-05-12 06:03
6 security issues in forky high

There are 6 open security issues in forky.

6 important issues:
  • CVE-2026-2291: dnsmasq's extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups to redirect to an attacker-controlled IP address, or to cause a DoS.
  • CVE-2026-4890: A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
  • CVE-2026-4891: A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
  • CVE-2026-4892: A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet.
  • CVE-2026-4893: An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subnet information.
  • CVE-2026-5172: A buffer overflow in dnsmasq’s extract_addresses() function allows an attacker to trigger a heap out-of-bounds read and crash by exploiting a malformed DNS response, enabling extract_name() to advance the pointer past the record’s end.
Created: 2026-05-11 Last update: 2026-05-12 06:03
6 security issues in bullseye high

There are 6 open security issues in bullseye.

6 important issues:
  • CVE-2026-2291: dnsmasq's extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups to redirect to an attacker-controlled IP address, or to cause a DoS.
  • CVE-2026-4890: A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
  • CVE-2026-4891: A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
  • CVE-2026-4892: A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet.
  • CVE-2026-4893: An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subnet information.
  • CVE-2026-5172: A buffer overflow in dnsmasq’s extract_addresses() function allows an attacker to trigger a heap out-of-bounds read and crash by exploiting a malformed DNS response, enabling extract_name() to advance the pointer past the record’s end.
Created: 2026-05-11 Last update: 2026-05-12 06:03
The VCS repository is not up to date, push the missing commits. high
vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS is out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (the remote HEAD branch, which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively, the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate which branch is used for the Debian packaging.
Created: 2026-05-12 Last update: 2026-05-12 03:30
6 security issues in buster high

There are 6 open security issues in buster.

2 important issues:
  • CVE-2023-50387: Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
  • CVE-2023-50868: The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
4 issues postponed or untriaged:
  • CVE-2021-3448: (postponed; to be fixed through a stable update) A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity.
  • CVE-2022-0934: (needs triaging) A single-byte, non-arbitrary write/use-after-free flaw was found in dnsmasq. This flaw allows an attacker to send a crafted packet processed by dnsmasq, potentially causing a denial of service.
  • CVE-2019-14834: (needs triaging) A vulnerability was found in dnsmasq before version 2.81, where the memory leak allows remote attackers to cause a denial of service (memory consumption) via vectors involving DHCP response creation.
  • CVE-2023-28450: (needs triaging) An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020.
Created: 2024-02-13 Last update: 2024-06-29 13:15
2 bugs tagged patch in the BTS normal
The BTS contains patches fixing 2 bugs, consider including or untagging them.
Created: 2026-04-06 Last update: 2026-05-12 07:30
Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2026-02-24 Last update: 2026-02-24 13:30
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.3).
Created: 2026-03-31 Last update: 2026-05-12 07:33
testing migrations
  • excuses:
    • Migration status for dnsmasq (2.92-4 to 2.92-5): Waiting for test results or another package, or too young (no action required now - check later)
    • Issues preventing migration:
      • Autopkgtest for aardvark-dns: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
      • Autopkgtest for autopkgtest: amd64: Test triggered (will not be considered a regression), arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
      • Autopkgtest for comitup: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
      • Autopkgtest for dbab: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
      • Autopkgtest for debci: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
      • Autopkgtest for dhcpcd: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
      • Autopkgtest for dnsmasq: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
      • Autopkgtest for dracut: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered (failure will be ignored), s390x: Test triggered
      • Autopkgtest for golang-github-containers-dnsname: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
      • Autopkgtest for initramfs-tools: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
      • Autopkgtest for libvirt: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
      • Autopkgtest for lxc: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
      • Autopkgtest for netplan.io: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered (failure will be ignored), s390x: Test triggered
      • Autopkgtest for network-manager: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
      • Autopkgtest for postfix-mta-sts-resolver: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
      • Autopkgtest for prometheus-dnsmasq-exporter: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
      • Autopkgtest for systemd: amd64: Test triggered, arm64: Test triggered, i386: Test triggered, ppc64el: Test triggered, riscv64: Test triggered, s390x: Test triggered
      • Lintian check waiting for test results - info
      • Reproducibility check waiting for results on arm64 - info
      • Too young, only 0 of 5 days old
    • Additional info (not blocking):
      • Piuparts tested OK - https://piuparts.debian.org/sid/source/d/dnsmasq.html
      • Reproduced on amd64 - info
      • Reproduced on armhf - info
      • Reproduced on i386 - info
    • Not considered
news
  • [2026-05-11] Accepted dnsmasq 2.92-5 (source) into unstable (Sven Geuer)
  • [2026-05-11] Accepted dnsmasq 2.90-4~deb12u2 (source amd64 all) into oldstable-security (Debian FTP Masters) (signed by: Sven Geuer)
  • [2026-05-11] Accepted dnsmasq 2.91-1+deb13u1 (source amd64 all) into stable-security (Debian FTP Masters) (signed by: Sven Geuer)
  • [2026-04-21] dnsmasq 2.92-4 MIGRATED to testing (Debian testing watch)
  • [2026-04-19] Accepted dnsmasq 2.92-4 (source) into unstable (Sven Geuer)
  • [2026-02-28] dnsmasq 2.92-3 MIGRATED to testing (Debian testing watch)
  • [2026-02-24] Accepted dnsmasq 2.92-3 (source) into unstable (Sven Geuer)
  • [2026-02-23] Accepted dnsmasq 2.92-2 (source) into unstable (Sven Geuer)
  • [2026-02-23] Accepted dnsmasq 2.92-1+exp1 (source) into unstable (Sven Geuer)
  • [2026-01-21] dnsmasq 2.92-1 MIGRATED to testing (Debian testing watch)
  • [2026-01-18] Accepted dnsmasq 2.92-1 (source) into unstable (Sven Geuer)
  • [2026-01-16] Accepted dnsmasq 2.92-1~exp1 (source) into experimental (Sven Geuer)
  • [2025-12-12] dnsmasq 2.92~rc3-1 MIGRATED to testing (Debian testing watch)
  • [2025-12-07] Accepted dnsmasq 2.92~rc3-1 (source) into unstable (Sven Geuer)
  • [2025-12-04] Accepted dnsmasq 2.92~rc1-1 (source) into unstable (Sven Geuer)
  • [2025-03-23] dnsmasq 2.91-1 MIGRATED to testing (Debian testing watch)
  • [2025-03-20] Accepted dnsmasq 2.91-1 (source) into unstable (Sven Geuer)
  • [2025-01-29] dnsmasq 2.91~test9-1 MIGRATED to testing (Debian testing watch)
  • [2025-01-23] Accepted dnsmasq 2.91~test9-1 (source) into unstable (Sven Geuer)
  • [2025-01-15] dnsmasq 2.91~test6-1 MIGRATED to testing (Debian testing watch)
  • [2025-01-13] Accepted dnsmasq 2.91~test6-1 (source) into unstable (Sven Geuer)
  • [2025-01-04] Accepted dnsmasq 2.90-4~deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Mark Lee Garrett)
  • [2024-12-20] dnsmasq 2.90-7 MIGRATED to testing (Debian testing watch)
  • [2024-12-17] Accepted dnsmasq 2.90-7 (source) into unstable (Sven Geuer)
  • [2024-12-13] dnsmasq 2.90-6 MIGRATED to testing (Debian testing watch)
  • [2024-12-10] Accepted dnsmasq 2.90-6 (source) into unstable (Sven Geuer)
  • [2024-11-30] Accepted dnsmasq 2.80-1+deb10u3 (source) into oldoldstable (Lee Garrett) (signed by: Mark Lee Garrett)
  • [2024-11-29] Accepted dnsmasq 2.85-1+deb11u1 (source) into oldstable-security (Lee Garrett) (signed by: Mark Lee Garrett)
  • [2024-11-26] dnsmasq 2.90-5 MIGRATED to testing (Debian testing watch)
  • [2024-11-23] Accepted dnsmasq 2.90-5 (source) into unstable (Sven Geuer)
bugs [bug history graph]
  • all: 37 40
  • RC: 0
  • I&N: 27 30
  • M&W: 10
  • F&P: 0
  • patch: 2
links
  • homepage
  • lintian
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • l10n (-, 42)
  • debian patches
  • debci
ubuntu
  • version: 2.92-1
  • 32 bugs
