On Tue, Jan 19, 2021 at 11:50:46AM +0000, Simon Kelley wrote: > Dnsmasq 2.83 is now available from > > https://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.83.tar.gz > > The main focus in this release is security fixes for a some newly > announced flaws. See > > https://www.jsof-tech.com/disclosures/dnspooq > for the details. Qouting that URL:
The origin of the name DNSpooq is a merge of 3 elements: DNS spoofing, the idea of a spook spying on Internet traffic, and the ‘q’ at the end of dnsmasq, replacing the ‘k’ of spook with a ‘q’. The spy or spook graphic illustrates the effects of an effective DNS spoofing on the ability to spy on internet traffic. > There are broadly two sets of problems. The first is subtle errors in > dnsmasq's protections against the chronic weakness of the DNS protocol > to cache-poisoning attacks; the Birthday attack, Kaminsky, etc. The > code is now as secure as it can be, given that the real solution to > this is DNSSEC, both endpoint validation and domains actually signing. > This is covered by CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686. > > Unfortunately, given the above, the second set of errors is a good old > fashioned buffer overflow in dnsmasq's DNSSEC code. If DNSSEC validation > is enabled, an installation is at risk. This is covered by > CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687. > > Many, many people have worked over a considerable period to find these > problems, fix them, and co-ordinate the security response. They are > named in JSOF's disclosure, but special mention should go to > Shlomi Oberman, Vijay Sarvepilli, Petr Menšík, and Dan Schaper. > > > Cheers, > Simon. > Thanks Regards Geert Stappers -- Silence is hard to parse _______________________________________________ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
