
Thread: Dnsmasq bug < v2.78, & Leap *newer* than TW.

  1. #1
    Join Date
    Jun 2017
    Location
    Australia
    Posts
    582

    Dnsmasq bug < v2.78, & Leap *newer* than TW.

    Hello

    I just read this https://arstechnica.com/information-...nd-other-oses/ , which outlines that apparently versions of Dnsmasq before 2.78 have several security vulnerabilities. However:
    they worked with the maintainer of Dnsmasq to patch the vulnerabilities in version 2.78
    In my 20170928 TW, I found this:
    Code:
    gooeygirl@linux-Tower:~> sudo zypper refresh
    [sudo] password for root: 
    Repository 'My_openSUSE_Repo' is up to date.                                                                                                                     
    Repository 'Vivaldi' is up to date.                                                                                                                              
    Repository 'Main Repository (NON-OSS)' is up to date.                                                                                                            
    Retrieving repository 'Main Repository (OSS)' metadata ....................................................................................................[done]
    Building repository 'Main Repository (OSS)' cache .........................................................................................................[done]
    Repository 'Main Update Repository' is up to date.                                                                                                               
    Retrieving repository 'Packman Repository' metadata .......................................................................................................[done]
    Building repository 'Packman Repository' cache ............................................................................................................[done]
    All repositories have been refreshed.
    
    gooeygirl@linux-Tower:~> zypper if Dnsmasq
    Loading repository data...
    Reading installed packages...
    
    Information for package dnsmasq:
    --------------------------------
    Repository     : Main Repository (OSS)                                       
    Name           : dnsmasq                                                     
    Version        : 2.76-2.3                                                    
    Arch           : x86_64                                                      
    Vendor         : openSUSE                                                    
    Installed Size : 1.2 MiB                                                     
    Installed      : Yes                                                         
    Status         : up-to-date                                                  
    Source package : dnsmasq-2.76-2.3.src                                        
    Summary        : Lightweight, Easy-to-Configure DNS Forwarder and DHCP Server
    Description    :                                                             
        Dnsmasq is a lightweight, easy-to-configure DNS forwarder and DHCP
        server. It is designed to provide DNS and, optionally, DHCP, to a small
        network. It can serve the names of local machines that are not in the
        global DNS. The DHCP server integrates with the DNS server and allows
        machines with DHCP-allocated addresses to appear in DNS with names
        configured either in each host or in a central configuration file.
        Dnsmasq supports static and dynamic DHCP leases and BOOTP for network
        booting of diskless machines.
    
    gooeygirl@linux-Tower:~>
    Curious then about Leap's status, in one of my standard Leap VMs I found this:
    Code:
    gooeygirl@linux-i4ba:~> sudo zypper refresh
    [sudo] password for root: 
    Repository 'Vivaldi' is up to date.                                                                                                                                                          
    Repository 'openSUSE-Leap-42.3-0' is up to date.                                                                                                                                             
    Retrieving repository 'Packman Repository' metadata ...................................................................................................................................[done]
    Building repository 'Packman Repository' cache ........................................................................................................................................[done]
    Repository 'openSUSE-Leap-42.3-Non-Oss' is up to date.                                                                                                                                       
    Retrieving repository 'openSUSE-Leap-42.3-Update' metadata ............................................................................................................................[done]
    Building repository 'openSUSE-Leap-42.3-Update' cache .................................................................................................................................[done]
    Repository 'openSUSE-Leap-42.3-Update-Non-Oss' is up to date.                                                                                                                                
    All repositories have been refreshed.
    
    gooeygirl@linux-i4ba:~> zypper if Dnsmasq
    Loading repository data...
    Reading installed packages...
    
    Information for package dnsmasq:
    --------------------------------
    Repository     : openSUSE-Leap-42.3-Update                                   
    Name           : dnsmasq                                                     
    Version        : 2.78-13.1                                                   
    Arch           : x86_64                                                      
    Vendor         : openSUSE                                                    
    Installed Size : 1.2 MiB                                                     
    Installed      : Yes (automatically)                                         
    Status         : up-to-date                                                  
    Source package : dnsmasq-2.78-13.1.src                                       
    Summary        : Lightweight, Easy-to-Configure DNS Forwarder and DHCP Server
    Description    :                                                             
        Dnsmasq is a lightweight, easy-to-configure DNS forwarder and DHCP
        server. It is designed to provide DNS and, optionally, DHCP, to a small
        network. It can serve the names of local machines that are not in the
        global DNS. The DHCP server integrates with the DNS server and allows
        machines with DHCP-allocated addresses to appear in DNS with names
        configured either in each host or in a central configuration file.
        Dnsmasq supports static and dynamic DHCP leases and BOOTP for network
        booting of diskless machines.
    
    gooeygirl@linux-i4ba:~>
    Thus, two [obvious] questions arise from these observations:
    1. How can Leap have newer packages [of anything] than TW?
    2. Will TW receive the patched Dnsmasq very soon?


    Thanks.

  2. #2
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    27,254
    Blog Entries
    15

    Re: Dnsmasq bug < v2.78, & Leap *newer* than TW.

    Hi
    Maintenance path (SUSE and openSUSE driven) rather than development path (openSUSE driven)...

    If you compare the changelogs:

    openSUSE Leap (I also see on SLES 12 SP3 and SLED 12 SP3);
    Code:
    * Wed Sep 27 2017 max@suse.com
    - Security update to version 2.78:
      * bsc#1060354, CVE-2017-14491: 2 byte heap based overflow.
      * bsc#1060355, CVE-2017-14492: heap based overflow.
      * bsc#1060360, CVE-2017-14493: stack based overflow.
      * bsc#1060361, CVE-2017-14494: DHCP - info leak.
      * bsc#1060362, CVE-2017-14495: DNS - OOM DoS.
      * bsc#1060364, CVE-2017-14496: DNS - DoS Integer underflow.
      * Fix DHCP relaying, broken in 2.76 and 2.77.
      * For other changes, see
        http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
    
    * Thu Mar 02 2017 max@suse.com
    - Update to version 2.76 (fate#321175, fate#322030, bsc#1035227):
      * Fix PXE booting for UEFI architectures (fate#322030).
      * Prevent a man-in-the-middle attack (bsc#972164, fate#321175).
      * For other changes, see
        http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
    - This update brings a (small) potential incompatibility in the
    Tumbleweed;
    Code:
    * Wed Jan 04 2017 martin.wilck@suse.com
    - Handle binding upstream servers to an interface if interface
      is destroyed and recreated (boo#1018160)
      Added two patches from upstream:
      * added Handle-binding-upstream-servers-to-an-interface.patch
      * added Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch
    
    * Wed Aug 03 2016 max@suse.com
    - Update to 2.76:
    Now, an update (1 day ago) is sitting at the development repo https://build.opensuse.org/package/v...anges?expand=1

    There is still an outstanding review waiting before this one (21 days);
    https://build.opensuse.org/request/show/525886

    Hopefully this one will get through as well as the update....

    You can see everything that is happening and in the queue at;
    https://build.opensuse.org/project/r...enSUSE:Factory
    Last edited by malcolmlewis; 03-Oct-2017 at 19:24.
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  3. #3
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    27,254
    Blog Entries
    15

    Re: Dnsmasq bug < v2.78, & Leap *newer* than TW.

    Hi
    Another comment is also not to rely on version numbers, since some fixes are backported so the version number won't change (look at the Nessus and other audit tool fails because of this); always check the changelog first.

    Things only synchronize when the Tumbleweed snapshot is pulled for the next release (which is already done for Leap/SLE 15 as a starting point in the development cycle) so you wind up with three paths;

    - Current Release(s)
    - Test (Leap/SLE 15)
    - Tumbleweed

    Then it's up to the package maintainers to backport security fixes if deemed necessary or just roll into Tumbleweed as a new release and/or push/pull to the Test one...

  4. #4
    Join Date
    Jun 2017
    Location
    Australia
    Posts
    582

    Re: Dnsmasq bug < v2.78, & Leap *newer* than TW.

    Comprehensive & fast reply, thanks Malcolm. I can't pretend that I fully understand all the nitty-gritty you supplied, but I'll comfort myself in the belief that "it's all under control".

  5. #5
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    27,254
    Blog Entries
    15

    Re: Dnsmasq bug < v2.78, & Leap *newer* than TW.

    Quote: Originally posted by GooeyGirl
    Comprehensive & fast reply, thanks Malcolm. I can't pretend that I fully understand all the nitty-gritty you supplied, but I'll comfort myself in the belief that "it's all under control".

    Hi
    Well, there is nothing stopping you making a comment on OBS whether it be the development repo, factory etc, raising a bug to highlight this...

    But if you look at the last comment on the open request it was accepted into staging for processing, some things are automatic, some things need reviewer action... all takes time.

    On another note, this is why in Tumbleweed there is an 'update' repo so something like this can skip all the staging/review process and get direct into the release via this repo, maybe that will happen...?
