Dnsmasq bug < v2.78, & Leap *newer* than TW.

Hello

I just read this: "Code-execution flaws threaten users of routers, Linux, and other OSes" (Ars Technica), which outlines that apparently versions of Dnsmasq before 2.78 have several security vulnerabilities. However:

they worked with the maintainer of Dnsmasq to patch the vulnerabilities in version 2.78

In my 20170928 TW, I found this:

gooeygirl@linux-Tower:~> sudo zypper refresh
[sudo] password for root:
Repository 'My_openSUSE_Repo' is up to date.                                                                                                                     
Repository 'Vivaldi' is up to date.                                                                                                                              
Repository 'Main Repository (NON-OSS)' is up to date.                                                                                                            
Retrieving repository 'Main Repository (OSS)' metadata ....................................................................................................[done]
Building repository 'Main Repository (OSS)' cache .........................................................................................................[done]
Repository 'Main Update Repository' is up to date.                                                                                                               
Retrieving repository 'Packman Repository' metadata .......................................................................................................[done]
Building repository 'Packman Repository' cache ............................................................................................................[done]
All repositories have been refreshed.

gooeygirl@linux-Tower:~> zypper if Dnsmasq
Loading repository data...
Reading installed packages...

Information for package dnsmasq:
--------------------------------
Repository     : Main Repository (OSS)                                       
Name           : dnsmasq                                                     
Version        : 2.76-2.3
Arch           : x86_64                                                      
Vendor         : openSUSE                                                    
Installed Size : 1.2 MiB                                                     
Installed      : Yes                                                         
Status         : up-to-date
Source package : dnsmasq-2.76-2.3.src                                        
Summary        : Lightweight, Easy-to-Configure DNS Forwarder and DHCP Server
Description    :                                                             
    Dnsmasq is a lightweight, easy-to-configure DNS forwarder and DHCP
    server. It is designed to provide DNS and, optionally, DHCP, to a small
    network. It can serve the names of local machines that are not in the
    global DNS. The DHCP server integrates with the DNS server and allows
    machines with DHCP-allocated addresses to appear in DNS with names
    configured either in each host or in a central configuration file.
    Dnsmasq supports static and dynamic DHCP leases and BOOTP for network
    booting of diskless machines.

gooeygirl@linux-Tower:~> 

Curious then about Leap’s status, in one of my standard Leap VMs I found this:

gooeygirl@linux-i4ba:~> sudo zypper refresh
[sudo] password for root:
Repository 'Vivaldi' is up to date.                                                                                                                                                          
Repository 'openSUSE-Leap-42.3-0' is up to date.                                                                                                                                             
Retrieving repository 'Packman Repository' metadata ...................................................................................................................................[done]
Building repository 'Packman Repository' cache ........................................................................................................................................[done]
Repository 'openSUSE-Leap-42.3-Non-Oss' is up to date.                                                                                                                                       
Retrieving repository 'openSUSE-Leap-42.3-Update' metadata ............................................................................................................................[done]
Building repository 'openSUSE-Leap-42.3-Update' cache .................................................................................................................................[done]
Repository 'openSUSE-Leap-42.3-Update-Non-Oss' is up to date.                                                                                                                                
All repositories have been refreshed.

gooeygirl@linux-i4ba:~> zypper if Dnsmasq
Loading repository data...
Reading installed packages...

Information for package dnsmasq:
--------------------------------
Repository     : openSUSE-Leap-42.3-Update                                   
Name           : dnsmasq                                                     
Version        : 2.78-13.1
Arch           : x86_64                                                      
Vendor         : openSUSE                                                    
Installed Size : 1.2 MiB                                                     
Installed      : Yes (automatically)                                         
Status         : up-to-date
Source package : dnsmasq-2.78-13.1.src                                       
Summary        : Lightweight, Easy-to-Configure DNS Forwarder and DHCP Server
Description    :                                                             
    Dnsmasq is a lightweight, easy-to-configure DNS forwarder and DHCP
    server. It is designed to provide DNS and, optionally, DHCP, to a small
    network. It can serve the names of local machines that are not in the
    global DNS. The DHCP server integrates with the DNS server and allows
    machines with DHCP-allocated addresses to appear in DNS with names
    configured either in each host or in a central configuration file.
    Dnsmasq supports static and dynamic DHCP leases and BOOTP for network
    booting of diskless machines.

gooeygirl@linux-i4ba:~> 

Thus, two [obvious] questions arise from these observations:

1. How can Leap have newer packages [of anything] than TW?
2. Will TW receive the patched Dnsmasq very soon?

Thanks.

Hi
Maintenance path (SUSE and openSUSE driven) rather than development path (openSUSE driven)…

If you compare the changelogs:

openSUSE Leap (I also see on SLES 12 SP3 and SLED 12 SP3);


* Wed Sep 27 2017 max@suse.com
- Security update to version 2.78:
  * bsc#1060354, CVE-2017-14491: 2 byte heap based overflow.
  * bsc#1060355, CVE-2017-14492: heap based overflow.
  * bsc#1060360, CVE-2017-14493: stack based overflow.
  * bsc#1060361, CVE-2017-14494: DHCP - info leak.
  * bsc#1060362, CVE-2017-14495: DNS - OOM DoS.
  * bsc#1060364, CVE-2017-14496: DNS - DoS Integer underflow.
  * Fix DHCP relaying, broken in 2.76 and 2.77.
  * For other changes, see
    http://www.thekelleys.org.uk/dnsmasq/CHANGELOG

* Thu Mar 02 2017 max@suse.com
- Update to version 2.76 (fate#321175, fate#322030, bsc#1035227):
  * Fix PXE booting for UEFI architectures (fate#322030).
  * Prevent a man-in-the-middle attack (bsc#972164, fate#321175).
  * For other changes, see
    http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
- This update brings a (small) potential incompatibility in the

Tumbleweed;


* Wed Jan 04 2017 martin.wilck@suse.com
- Handle binding upstream servers to an interface if interface
  is destroyed and recreated (boo#1018160)
  Added two patches from upstream:
  * added Handle-binding-upstream-servers-to-an-interface.patch
  * added Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch

* Wed Aug 03 2016 max@suse.com
- Update to 2.76:

Now, an update (1 day ago) is sitting at the development repo https://build.opensuse.org/package/view_file/network/dnsmasq/dnsmasq.changes?expand=1

There is still an outstanding review waiting before this one (21 days);
https://build.opensuse.org/request/show/525886

Hopefully this one will get through as well as the update…

You can see everything that is happening and in the queue at;
https://build.opensuse.org/project/requests/openSUSE:Factory

Hi
Another comment is also not to rely on version numbers, since some fixes are backported so the version number won’t change (look at the Nessus and other audit tool fails because of this); always check the changelog first ;)

Things only synchronize when the Tumbleweed snapshot is pulled for the next release (which is already done for Leap/SLE 15 as a starting point in the development cycle) so you wind up with three paths;

  • Current Release(s)
  • Test (Leap/SLE 15)
  • Tumbleweed

Then it’s up to the package maintainers to backport security fixes if deemed necessary or just roll into Tumbleweed as a new release and/or push/pull to the Test one…
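
Added example (not part of any post in this thread): one way to follow the "check the changelog, not the version number" advice above is to test changelog text for the six CVE IDs quoted earlier. The function name `missing_cves` and the backport sample are assumptions made for illustration; the Leap and Tumbleweed excerpts are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: judge patch status from changelog text, not the version string.
# CVE IDs are the six listed in the Leap changelog quoted in this thread.
REQUIRED_CVES="CVE-2017-14491 CVE-2017-14492 CVE-2017-14493 CVE-2017-14494 CVE-2017-14495 CVE-2017-14496"

# missing_cves: read changelog text on stdin and print every required CVE
# the changelog never mentions (space separated; empty output means none).
missing_cves() {
    log=$(cat)
    missing=""
    for cve in $REQUIRED_CVES; do
        # -F fixed string, -w whole word, so a longer ID cannot match by prefix
        if ! printf '%s\n' "$log" | grep -qwF -- "$cve"; then
            missing="${missing:+$missing }$cve"
        fi
    done
    printf '%s' "$missing"
}

# Changelog excerpts copied from the thread (Leap 42.3 and Tumbleweed).
LEAP_LOG='* Wed Sep 27 2017 max@suse.com
- Security update to version 2.78:
  * bsc#1060354, CVE-2017-14491: 2 byte heap based overflow.
  * bsc#1060355, CVE-2017-14492: heap based overflow.
  * bsc#1060360, CVE-2017-14493: stack based overflow.
  * bsc#1060361, CVE-2017-14494: DHCP - info leak.
  * bsc#1060362, CVE-2017-14495: DNS - OOM DoS.
  * bsc#1060364, CVE-2017-14496: DNS - DoS Integer underflow.'
TW_LOG='* Wed Jan 04 2017 martin.wilck@suse.com
- Handle binding upstream servers to an interface if interface
  is destroyed and recreated (boo#1018160)
* Wed Aug 03 2016 max@suse.com
- Update to 2.76:'
# Constructed sample (not from the thread): a backport that keeps version 2.76.
BACKPORT_LOG='* Mon Oct 02 2017 packager@example.org
- Backport fixes for CVE-2017-14491, CVE-2017-14492, CVE-2017-14493,
  CVE-2017-14494, CVE-2017-14495 (version stays 2.76)'

for name in LEAP_LOG TW_LOG BACKPORT_LOG; do
    eval "text=\$$name"
    gaps=$(printf '%s\n' "$text" | missing_cves)
    echo "$name: ${gaps:-all six CVEs referenced}"
done
# On a real system: rpm -q --changelog dnsmasq | missing_cves
```

The constructed backport entry leaves one ID out, so the check reports a gap that the version string alone would never show in either direction.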

Comprehensive & fast reply, thanks Malcolm. I can’t pretend that I fully understand all the nitty-gritty you supplied, but I’ll comfort myself in the belief that “it’s all under control”.

Hi
Well, there is nothing stopping you making a comment on OBS whether it be the development repo, factory etc, raising a bug to highlight this… ;)

But if you look at the last comment on the open request it was accepted into staging for processing, some things are automatic, some things need reviewer action… all takes time.

On another note, this is why in Tumbleweed there is an ‘update’ repo so something like this can skip all the staging/review process and get direct into the release via this repo, maybe that will happen…?