CVE-2021-3448 A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity.
guix ships [email protected]. guix refresh shows version 2.85 is available, and there are 43 dependent packages so this can go directly to master. All dependent packages (refresh -l) build fine except for [email protected], which is failing also on master (libvirt-python requires Python >= 3.5 to build). Since it's a python2 package and no other packages depends on it, can we just drop it? Thanks, Nicolò
>From a0932442c6c72d1e1a2a0f400f8afa487251189d Mon Sep 17 00:00:00 2001 From: nixo <[email protected]> Date: Fri, 9 Apr 2021 16:19:03 +0200 Subject: [PATCH] gnu: dnsmasq: Update to 2.85. * gnu/packages/dns.scm (dnsmasq): Update to 2.85. --- gnu/packages/dns.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm index c940657ce9..3cf88febae 100644 --- a/gnu/packages/dns.scm +++ b/gnu/packages/dns.scm @@ -278,7 +278,7 @@ prompt the user with the option to go with insecure DNS only.") (define-public dnsmasq (package (name "dnsmasq") - (version "2.84") + (version "2.85") (source (origin (method url-fetch) (uri (string-append @@ -286,7 +286,7 @@ prompt the user with the option to go with insecure DNS only.") version ".tar.xz")) (sha256 (base32 - "0305a0c3snwqcv77sipyynr55xip1fp2843yn04pc4vk9g39acb0")))) + "1yhjwgz8g5qrqvxh6bbmg3443zi8qqjks3q872wyb1zn7n0d765d")))) (build-system gnu-build-system) (native-inputs `(("pkg-config" ,pkg-config))) -- 2.31.1
