USN-4698-2

See a problem?
Source
https://ubuntu.com/security/notices/USN-4698-2
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/USN-4698-2.json
JSON Data
https://api.osv.dev/v1/vulns/USN-4698-2
Published
2021-02-24T13:43:44.306698Z
Modified
2021-02-24T13:43:44.306698Z
Summary
dnsmasq regression
Details

USN-4698-1 fixed vulnerabilities in Dnsmasq. The updates introduced regressions in certain environments related to issues with multiple queries, and issues with retries. This update fixes the problem.

Original advisory details:

Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled memory when sorting RRsets. A remote attacker could use this issue to cause Dnsmasq to hang, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-25681, CVE-2020-25687)

Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled extracting certain names. A remote attacker could use this issue to cause Dnsmasq to hang, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-25682, CVE-2020-25683)

Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly implemented address/port checks. A remote attacker could use this issue to perform a cache poisoning attack. (CVE-2020-25684)

Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly implemented query resource name checks. A remote attacker could use this issue to perform a cache poisoning attack. (CVE-2020-25685)

Moshe Kol and Shlomi Oberman discovered that Dnsmasq incorrectly handled multiple query requests for the same resource name. A remote attacker could use this issue to perform a cache poisoning attack. (CVE-2020-25686)

It was discovered that Dnsmasq incorrectly handled memory during DHCP response creation. A remote attacker could possibly use this issue to cause Dnsmasq to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2019-14834)

References

Affected packages

Ubuntu:20.04:LTS / dnsmasq

Package

Name
dnsmasq

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.80-1.1ubuntu1.3

Ecosystem specific

{
    "availability": "No subscription needed",
    "binaries": [
        {
            "dnsmasq": "2.80-1.1ubuntu1.3",
            "dnsmasq-base-lua": "2.80-1.1ubuntu1.3",
            "dnsmasq-utils": "2.80-1.1ubuntu1.3",
            "dnsmasq-base": "2.80-1.1ubuntu1.3"
        }
    ]
}

Ubuntu:18.04:LTS / dnsmasq

Package

Name
dnsmasq

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.79-1ubuntu0.3

Ecosystem specific

{
    "availability": "No subscription needed",
    "binaries": [
        {
            "dnsmasq": "2.79-1ubuntu0.3",
            "dnsmasq-base-lua": "2.79-1ubuntu0.3",
            "dnsmasq-utils": "2.79-1ubuntu0.3",
            "dnsmasq-base": "2.79-1ubuntu0.3"
        }
    ]
}

Ubuntu:16.04:LTS / dnsmasq

Package

Name
dnsmasq

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.75-1ubuntu0.16.04.8

Ecosystem specific

{
    "availability": "No subscription needed",
    "binaries": [
        {
            "dnsmasq": "2.75-1ubuntu0.16.04.8",
            "dnsmasq-utils": "2.75-1ubuntu0.16.04.8",
            "dnsmasq-base": "2.75-1ubuntu0.16.04.8"
        }
    ]
}