Security update for dnsmasq SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:3530-1 Final 1 1 2021-10-27T07:24:50Z current 2021-10-27T07:24:50Z 2021-10-27T07:24:50Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for dnsmasq This update for dnsmasq fixes the following issues: Update to version 2.86 - CVE-2021-3448: fixed outgoing port used when --server is used with an interface name. (bsc#1183709) - CVE-2020-14312: Set --local-service by default (bsc#1173646). - Open inotify socket only when used (bsc#1180914). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-SLE-15.3-2021-3530 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2DP73HQCB6UNPUB54KPOZEMBUQDVN6M6/ E-Mail link for openSUSE-SU-2021:3530-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1173646 SUSE Bug 1173646 https://bugzilla.suse.com/1180914 SUSE Bug 1180914 https://bugzilla.suse.com/1183709 SUSE Bug 1183709 https://www.suse.com/security/cve/CVE-2020-14312/ SUSE CVE CVE-2020-14312 page https://www.suse.com/security/cve/CVE-2021-3448/ SUSE CVE CVE-2021-3448 page openSUSE Leap 15.3 dnsmasq-2.86-7.14.1 dnsmasq-utils-2.86-7.14.1 dnsmasq-2.86-7.14.1 as a component of openSUSE Leap 15.3 dnsmasq-utils-2.86-7.14.1 as a component of openSUSE Leap 15.3 A flaw was found in the default configuration of dnsmasq, as shipped with Fedora versions prior to 31 and in all versions Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled. Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems. CVE-2020-14312 openSUSE Leap 15.3:dnsmasq-2.86-7.14.1 openSUSE Leap 15.3:dnsmasq-utils-2.86-7.14.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2DP73HQCB6UNPUB54KPOZEMBUQDVN6M6/ https://www.suse.com/security/cve/CVE-2020-14312.html CVE-2020-14312 https://bugzilla.suse.com/1173646 SUSE Bug 1173646 A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity. CVE-2021-3448 openSUSE Leap 15.3:dnsmasq-2.86-7.14.1 openSUSE Leap 15.3:dnsmasq-utils-2.86-7.14.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2DP73HQCB6UNPUB54KPOZEMBUQDVN6M6/ https://www.suse.com/security/cve/CVE-2021-3448.html CVE-2021-3448 https://bugzilla.suse.com/1183709 SUSE Bug 1183709