Hi,
these three CVEs are now fixed in buster and bullseye. This means users who
upgrade to bookworm will be vulnerable to those issues again. Can we get a
decision from the release team on this bug? Is there any information missing to
make a decision?
Kind regards,
Lee
On Wed, 28 Aug 2024 21:35:44 +0200 Lee Garrett <deb...@rocketjump.eu> wrote:
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: dnsm...@packages.debian.org, Simon Kelley <si...@thekelleys.org.uk>,
Sven Geuer <debma...@g-e-u-e-r.de>, deb...@rocketjump.eu
Control: affects -1 + src:dnsmasq
(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)
[ Reason ]
I'm filing a bookworm-pu for dnsmasq after discussion with the maintainers
(CCed) to fix the following CVEs:
- CVE-2023-28450 - Reduce default maximum EDNS.0 UDP packet size due to DNS
Flag Day 2020
- CVE-2023-50387, CVE-2023-50868 - DNSSEC validation CPU exhaustion
("Keytrap")
This is a backport of 2.90-4 from trixie, as the code changes for the two
keytrap CVEs are rather extensive, and backporting them is risky. There are no
behavioural changes of the package to existing config/parameters, so upgrading
does not require users to update their config.
The upstream maintainer (Simon Kelley) has publicly recommended refraining from
backporting when possible:
"The security fixes are conceptually complex, but they ended up touching
a lot of code, so backporting them is going to be difficult. I'd
encourage anyone who can to upgrade rather than backporting."
Source:
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
[ Impact ]
Users will be affected by the three CVEs mentioned above. CVE-2023-28450 allows
for DoS in certain situations, and the keytrap issues allow for DoS via
resource exhaustion, when the attacker convinces the dnsmasq user to resolve a
specially crafted RR that is secured via DNSSEC.
[ Tests ]
The autopkgtests run through fine, and I have done some minor manual tests.
[ Risks ]
This is a backport of a newer version. The risk of regression is a bit higher
than with a targeted fix; I believe, however, that the risk of backporting an
extensive set of patches is higher.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
This is a no-changes backport of 2.90-4 from trixie, fixing the above three
CVEs.
The upstream changelog for 2.90 is here:
https://thekelleys.org.uk/dnsmasq/CHANGELOG
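The "Keytrap" resource-exhaustion mechanism the request refers to, as an added illustration that is not part of the bug report and not dnsmasq's code: a validator that, for every RRSIG over an RRset, tries every DNSKEY whose key tag matches performs keys x signatures signature checks, and an attacker controls both numbers. Key tags are only 16 bits and are computed with the RFC 4034 Appendix B checksum, so forging many distinct keys with the same tag is cheap. The `bogus_verify` stand-in, the 12x12 sizes and the work budget of 16 are assumptions chosen for the illustration; they do not describe the limits dnsmasq 2.90 actually applies.

```python
"""KeyTrap-style DNSSEC validation blow-up, illustrated (added example, not dnsmasq code)."""
import random


def _word_sum(rdata: bytes) -> int:
    """Sum of the 16-bit big-endian words of the RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    return ac


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags, protocol, algorithm, key)."""
    ac = _word_sum(rdata)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def forge_key_with_tag(target: int, rng: random.Random, key_len: int = 64) -> bytes:
    """Build DNSKEY RDATA (ZSK+SEP flags, protocol 3, algorithm 13, random key bytes)
    whose key tag equals `target`, by choosing the last 16-bit word of the key.
    The checksum is linear in that word, so at most one residue per prefix is
    unreachable; on that rare miss a fresh random prefix is tried."""
    while True:
        prefix = b"\x01\x01\x03\x0d" + bytes(rng.getrandbits(8) for _ in range(key_len - 2))
        partial = _word_sum(prefix)  # prefix has even length, suffix is one whole word
        for w in range(0x10000):
            ac = partial + w
            if ((ac + (ac >> 16)) & 0xFFFF) == target:
                rdata = prefix + w.to_bytes(2, "big")
                assert key_tag(rdata) == target
                return rdata


def bogus_verify(_rdata: bytes, _sig_tag: int) -> bool:
    """Stand-in for an RRSIG check: the attacker's signatures never validate."""
    return False


def count_verify_attempts(keys, sig_tags, budget=None) -> int:
    """Naive RFC 4035 matching: for each RRSIG, try every DNSKEY whose tag matches.
    Returns how many signature verifications were attempted. With `budget` set,
    the validator stops (fails closed) once that many attempts have been made."""
    attempts = 0
    for sig_tag in sig_tags:
        for rdata in keys:
            if key_tag(rdata) != sig_tag:
                continue
            attempts += 1
            if bogus_verify(rdata, sig_tag):
                return attempts
            if budget is not None and attempts >= budget:
                return attempts  # would SERVFAIL here instead of grinding on
    return attempts


def run_demo(seed: int = 7) -> dict:
    """Constructed scenario: 12 colliding keys and 12 bogus RRSIGs for the same tag,
    versus an honest zone with one key and one signature."""
    rng = random.Random(seed)
    tag = 0x1234
    evil_keys = [forge_key_with_tag(tag, rng) for _ in range(12)]
    evil_sigs = [tag] * 12
    honest_a = forge_key_with_tag(0x4242, rng)
    honest_b = forge_key_with_tag(0x4243, rng)  # a second key, deliberately different tag
    return {
        "colliding_unbounded": count_verify_attempts(evil_keys, evil_sigs),
        "colliding_bounded": count_verify_attempts(evil_keys, evil_sigs, budget=16),
        "honest": count_verify_attempts([honest_a, honest_b], [0x4242]),
    }


if __name__ == "__main__":
    for name, attempts in run_demo().items():
        print(f"{name}: {attempts} signature verification(s)")
```

The unbounded run does 144 public-key operations for a single response, and the attacker scales that as keys x signatures within packet-size limits, which is why a per-query work bound (or an equivalent limit on validation failures) is the shape of the fix rather than a tweak to the key matching rule.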