[Dnsmasq-discuss] Announce: security and release of dnsmasq-2.83.

Simon Kelley simon at thekelleys.org.uk
Tue Jan 19 11:50:46 UTC 2021


Dnsmasq 2.83 is now available from

https://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.83.tar.gz

The main focus in this release is security fixes for some newly
announced flaws. See

https://www.jsof-tech.com/disclosures/dnspooq

for the details.

There are broadly two sets of problems. The first is subtle errors in
dnsmasq's protections against the chronic weakness of the DNS protocol
to cache-poisoning attacks; the Birthday attack, Kaminsky, etc. The
code is now as secure as it can be, given that the real solution to
this is DNSSEC, both endpoint validation and domains actually signing.
This is covered by CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686.

Unfortunately, given the above, the second set of errors is a good old
fashioned buffer overflow in dnsmasq's DNSSEC code. If DNSSEC validation
is enabled, an installation is at risk. This is covered by
CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687.

Many, many people have worked over a considerable period to find these
problems, fix them, and co-ordinate the security response. They are
named in JSOF's disclosure, but special mention should go to
Shlomi Oberman, Vijay Sarvepilli, Petr Menšík, and Dan Schaper.


Cheers,

Simon.
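
The following triage check is an added example, not part of the original announcement or of dnsmasq itself. It maps a `dnsmasq --version` banner and the text of a configuration file onto the two CVE groups named above. Assumptions: a plain version comparison against 2.83 (distribution packages with backported fixes will be over-reported), and DNSSEC validation detected only through a `dnssec` line in the supplied text, not through command-line options or included files.

```python
import re

FIXED = (2, 83)  # release the announcement says carries the fixes
POISONING = ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"]
DNSSEC_OVERFLOW = ["CVE-2020-25681", "CVE-2020-25682",
                   "CVE-2020-25683", "CVE-2020-25687"]

def parse_version(banner):
    """Extract (major, minor) from `dnsmasq --version` output."""
    m = re.search(r"Dnsmasq version (\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no dnsmasq version found in banner")
    return int(m.group(1)), int(m.group(2))

def dnssec_enabled(conf_text):
    """True if a non-comment line sets the `dnssec` option."""
    for line in conf_text.splitlines():
        # '#' starts a comment in dnsmasq.conf; ignore it and what follows.
        if line.split("#", 1)[0].strip() == "dnssec":
            return True
    return False

def triage(banner, conf_text):
    """Return the CVE ids from the announcement that may apply."""
    if parse_version(banner) >= FIXED:
        return []
    cves = list(POISONING)          # cache-poisoning protections
    if dnssec_enabled(conf_text):   # overflow is in the DNSSEC code path
        cves += DNSSEC_OVERFLOW
    return cves

# Constructed sample inputs, not taken from a real host.
SAMPLE_BANNER = "Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley\n"
SAMPLE_CONF = """\
# upstream resolver
server=9.9.9.9
cache-size=1000
#dnssec
dnssec
dnssec-check-unsigned
"""

if __name__ == "__main__":
    for cve in triage(SAMPLE_BANNER, SAMPLE_CONF):
        print(cve)
```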



