ESB-2017.2473 - [Debian] dnsmasq: Multiple vulnerabilities 2017-10-03

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2473
                          dnsmasq security update
                              3 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           dnsmasq
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-14496 CVE-2017-14495 CVE-2017-14494
                   CVE-2017-14493 CVE-2017-14492 CVE-2017-14491

Reference:         ESB-2017.2471
                   ESB-2017.2470

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-3989

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3989-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 02, 2017                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : dnsmasq
CVE ID         : CVE-2017-14491 CVE-2017-14492 CVE-2017-14493 CVE-2017-14494
                 CVE-2017-14495 CVE-2017-14496

Felix Wilhelm, Fermin J. Serna, Gabriel Campana, Kevin Hamacher, Ron
Bowes and Gynvael Coldwind of the Google Security Team discovered
several vulnerabilities in dnsmasq, a small caching DNS proxy and
DHCP/TFTP server, which may result in denial of service, information
leak or the execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed
in version 2.72-3+deb8u2.

For the stable distribution (stretch), these problems have been fixed in
version 2.76-5+deb9u1.

We recommend that you upgrade your dnsmasq packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
