CVE-2012-3411: libvirt-controlled dnsmasq replies to DNS queries from non-virtual networks

Related Vulnerabilities: CVE-2012-3411   CVE-2015-3294   CVE-2013-0198  

Debian Bug report logs - #683372

Package: dnsmasq; Maintainer for dnsmasq is Simon Kelley <simon@thekelleys.org.uk>; Source for dnsmasq is src:dnsmasq.

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Tue, 31 Jul 2012 08:39:01 UTC

Severity: important

Tags: security



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Simon Kelley <simon@thekelleys.org.uk>:
Bug#683372; Package dnsmasq. (Tue, 31 Jul 2012 08:39:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Simon Kelley <simon@thekelleys.org.uk>. (Tue, 31 Jul 2012 08:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-3411
Date: Tue, 31 Jul 2012 10:35:50 +0200
Package: dnsmasq
Severity: important
Tags: security

Hi,
I know you're aware of this bug since you commented it already, but I'm
filing a Debian bug to keep track of this for Wheezy:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3411

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#683372; Package dnsmasq. (Wed, 01 Aug 2012 16:33:08 GMT)


Acknowledgement sent to Simon Kelley <simon@thekelleys.org.uk>:
Extra info received and forwarded to list. (Wed, 01 Aug 2012 16:33:08 GMT)


Message #10 received at 683372@bugs.debian.org:

From: Simon Kelley <simon@thekelleys.org.uk>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 683372@bugs.debian.org
Subject: Re: Bug#683372: CVE-2012-3411
Date: Wed, 01 Aug 2012 17:30:47 +0100

On 31/07/12 09:35, Moritz Muehlenhoff wrote:
> Package: dnsmasq
> Severity: important
> Tags: security
>
> Hi,
> I know you're aware of this bug since you commented it already, but I'm
> filing a Debian bug to keep track of this for Wheezy:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3411
>
> Cheers,
>          Moritz
>

OK. I think what's needed to fix this is

1) dnsmasq 2.63 release and into Wheezy.
2) Alter libvirt to pass the new --bind-dynamic flag instead of 
--bind-interfaces

Cheers,

Simon.




Information forwarded to debian-bugs-dist@lists.debian.org, Simon Kelley <simon@thekelleys.org.uk>:
Bug#683372; Package dnsmasq. (Wed, 05 Sep 2012 16:03:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Simon Kelley <simon@thekelleys.org.uk>. (Wed, 05 Sep 2012 16:03:03 GMT)


Message #15 received at 683372@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Simon Kelley <simon@thekelleys.org.uk>
Cc: Moritz Muehlenhoff <muehlenhoff@univention.de>, 683372@bugs.debian.org
Subject: Re: Bug#683372: CVE-2012-3411
Date: Wed, 5 Sep 2012 17:57:46 +0200

On Wed, Aug 01, 2012 at 05:30:47PM +0100, Simon Kelley wrote:
> On 31/07/12 09:35, Moritz Muehlenhoff wrote:
>> Package: dnsmasq
>> Severity: important
>> Tags: security
>>
>> Hi,
>> I know you're aware of this bug since you commented it already, but I'm
>> filing a Debian bug to keep track of this for Wheezy:
>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3411
>>
>> Cheers,
>>          Moritz
>>
>
> OK. I think what's needed to fix this is
>
> 1) dnsmasq 2.63 release and into Wheezy.
> 2) Alter libvirt to pass the new --bind-dynamic flag instead of  
> --bind-interfaces

This bug can be closed with 2.63-1? Or is there anything missing?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#683372; Package dnsmasq. (Thu, 06 Sep 2012 08:54:03 GMT)


Acknowledgement sent to Simon Kelley <simon@thekelleys.org.uk>:
Extra info received and forwarded to list. (Thu, 06 Sep 2012 08:54:03 GMT)


Message #20 received at 683372@bugs.debian.org:

From: Simon Kelley <simon@thekelleys.org.uk>
To: Moritz Muehlenhoff <jmm@inutil.org>, 683372@bugs.debian.org
Subject: Re: Bug#683372: CVE-2012-3411
Date: Thu, 06 Sep 2012 09:51:04 +0100

On 05/09/12 16:57, Moritz Muehlenhoff wrote:
> On Wed, Aug 01, 2012 at 05:30:47PM +0100, Simon Kelley wrote:
>> On 31/07/12 09:35, Moritz Muehlenhoff wrote:
>>> Package: dnsmasq
>>> Severity: important
>>> Tags: security
>>>
>>> Hi,
>>> I know you're aware of this bug since you commented it already, but I'm
>>> filing a Debian bug to keep track of this for Wheezy:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3411
>>>
>>> Cheers,
>>>          Moritz
>>>
>>
>> OK. I think what's needed to fix this is
>>
>> 1) dnsmasq 2.63 release and into Wheezy.
>> 2) Alter libvirt to pass the new --bind-dynamic flag instead of  
>> --bind-interfaces
> 
> This bug can be closed with 2.63-1? Or is there anything missing?
> 
> Cheers,
>         Moritz
> 

We're up to 2.63-3 now, due to various irritating packaging regressions.
That needs to be forced into wheezy, and then the torch needs to be
passed to libvirt.


Simon.




Information forwarded to debian-bugs-dist@lists.debian.org, Simon Kelley <simon@thekelleys.org.uk>:
Bug#683372; Package dnsmasq. (Fri, 14 Sep 2012 15:27:10 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Simon Kelley <simon@thekelleys.org.uk>. (Fri, 14 Sep 2012 15:27:10 GMT)


Message #25 received at 683372@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Simon Kelley <simon@thekelleys.org.uk>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 683372@bugs.debian.org
Subject: Re: Bug#683372: CVE-2012-3411
Date: Thu, 13 Sep 2012 23:32:08 +0200

On Thu, Sep 06, 2012 at 09:51:04AM +0100, Simon Kelley wrote:
> On 05/09/12 16:57, Moritz Muehlenhoff wrote:
> > On Wed, Aug 01, 2012 at 05:30:47PM +0100, Simon Kelley wrote:
> >> On 31/07/12 09:35, Moritz Muehlenhoff wrote:
> >>> Package: dnsmasq
> >>> Severity: important
> >>> Tags: security
> >>>
> >>> Hi,
> >>> I know you're aware of this bug since you commented it already, but I'm
> >>> filing a Debian bug to keep track of this for Wheezy:
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3411
> >>>
> >>> Cheers,
> >>>          Moritz
> >>>
> >>
> >> OK. I think what's needed to fix this is
> >>
> >> 1) dnsmasq 2.63 release and into Wheezy.
> >> 2) Alter libvirt to pass the new --bind-dynamic flag instead of  
> >> --bind-interfaces
> > 
> > This bug can be closed with 2.63-1? Or is there anything missing?
> > 
> > Cheers,
> >         Moritz
> > 
> 
> We're up to 2.63-3 now, due to various irritating packaging regressions.
> That needs to be forced into wheezy, and then the torch needs to be
> passed to libvirt.

It looks like you still need to file an unblock request, though.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Simon Kelley <simon@thekelleys.org.uk>:
Bug#683372; Package dnsmasq. (Tue, 02 Jul 2013 17:03:04 GMT)


Acknowledgement sent to Alex <alex@bennee.com>:
Extra info received and forwarded to list. Copy sent to Simon Kelley <simon@thekelleys.org.uk>. (Tue, 02 Jul 2013 17:03:04 GMT)


Message #30 received at 683372@bugs.debian.org:

From: Alex <alex@bennee.com>
To: 683372@bugs.debian.org
Subject: Now being exploited in the wild
Date: Tue, 2 Jul 2013 18:15:57 +0200

One of the machines I'm responsible for is a 6.0.7 (squeeze) VM host
and we have just had an abuse report from our hosting company with
this being exploited. We were planning to upgrade to wheezy in the
near term although at the moment it seems that is also vulnerable to
this exploit.

I'll post our firewall work around once we have it in place. If there
is any help we can offer in testing then please let me know.

-- 
Alex, homepage: http://www.bennee.com/~alex/
Meekness:  Uncommon patience in planning a revenge that is worth while.
		-- Ambrose Bierce

Information forwarded to debian-bugs-dist@lists.debian.org, Simon Kelley <simon@thekelleys.org.uk>:
Bug#683372; Package dnsmasq. (Wed, 03 Jul 2013 09:33:04 GMT)


Acknowledgement sent to Alex <alex@bennee.com>:
Extra info received and forwarded to list. Copy sent to Simon Kelley <simon@thekelleys.org.uk>. (Wed, 03 Jul 2013 09:33:04 GMT)


Message #35 received at 683372@bugs.debian.org:

From: Alex <alex@bennee.com>
To: 683372@bugs.debian.org
Subject: Current workaround
Date: Wed, 3 Jul 2013 11:31:36 +0200

This is the current work-around we have installed into
/etc/network/if-pre-up.d/iptables:

/sbin/iptables-restore <<EOF
# Generated by iptables-save v1.4.8
*filter
:INPUT ACCEPT [318:33352]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [466:71238]
-A INPUT -s ${VM_NET}/28 -d ${VM_HOST}/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s ${VM_NET}/28 -d ${VM_HOST}/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d ${VM_HOST}/32 -p udp -m udp --dport 53 -j DROP
-A INPUT -d ${VM_HOST}/32 -p tcp -m tcp --dport 53 -j DROP
COMMIT
EOF

${VM_NET}/28 - is our subnet of IPs used by hosted VMs
${VM_HOST}/32 - is the public IP of the host


-- 
Alex, homepage: http://www.bennee.com/~alex/
An alcoholic is someone you don't like who drinks as much as you do.
		-- Dylan Thomas
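
The first-match behaviour of the four rules in the workaround above, as an added example that is not part of the original message: it parses the same ruleset and reports the verdict for a few constructed packets. The addresses substituted for ${VM_NET} and ${VM_HOST}, the packets, and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed stand-ins for ${VM_NET} and ${VM_HOST} (RFC 5737 documentation
# addresses); the message does not give the real values.
VM_NET, VM_HOST = "203.0.113.16", "203.0.113.5"
RULESET = f"""\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s {VM_NET}/28 -d {VM_HOST}/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s {VM_NET}/28 -d {VM_HOST}/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d {VM_HOST}/32 -p udp -m udp --dport 53 -j DROP
-A INPUT -d {VM_HOST}/32 -p tcp -m tcp --dport 53 -j DROP
COMMIT
"""

def parse(text):
    """Return (INPUT policy, ordered INPUT rules); handles only the options used above."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == [":INPUT"]:
            policy = tok[1]
        elif tok[:2] == ["-A", "INPUT"]:
            rules.append(dict(zip(tok[2::2], tok[3::2])))
    return policy, rules

def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def verdict(policy, rules, src, dst, proto, dport):
    """First matching rule decides, as in iptables; otherwise the chain policy."""
    for r in rules:
        if ("-s" in r and not in_net(src, r["-s"])) or \
           ("-d" in r and not in_net(dst, r["-d"])) or \
           ("-p" in r and r["-p"] != proto) or \
           ("--dport" in r and int(r["--dport"]) != dport):
            continue
        return r["-j"]
    return policy

# Constructed packets: (label, source, destination, protocol, destination port)
PACKETS = [
    ("guest DNS/udp", "203.0.113.20", VM_HOST, "udp", 53),
    ("outside DNS/udp", "198.51.100.77", VM_HOST, "udp", 53),
    ("outside DNS/tcp", "198.51.100.77", VM_HOST, "tcp", 53),
    ("outside DNS, other local address", "198.51.100.77", "203.0.113.6", "udp", 53),
]

def audit(ruleset=RULESET, packets=PACKETS):
    policy, rules = parse(ruleset)
    return {label: verdict(policy, rules, *pkt) for label, *pkt in packets}

if __name__ == "__main__":
    print(audit())
```

The last constructed packet is accepted because every rule pins -d to the single host address, so a DNS query addressed to any other address on the host is decided by the INPUT policy, which the ruleset leaves at ACCEPT.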

Changed Bug title to 'CVE-2012-3411: libvirt-controlled dnsmasq replies to DNS queries from non-virtual networks' from 'CVE-2012-3411' Request was from Thomas Hood <jdthood@gmail.com> to control@bugs.debian.org. (Fri, 19 Jul 2013 17:36:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Simon Kelley <simon@thekelleys.org.uk>:
Bug#683372; Package dnsmasq. (Sat, 16 May 2015 10:30:05 GMT)


Acknowledgement sent to Santiago Ruano Rincón <santiagorr@riseup.net>:
Extra info received and forwarded to list. Copy sent to Simon Kelley <simon@thekelleys.org.uk>. (Sat, 16 May 2015 10:30:05 GMT)


Message #42 received at 683372@bugs.debian.org:

From: Santiago Ruano Rincón <santiagorr@riseup.net>
To: Simon Kelley <simon@thekelleys.org.uk>
Cc: debian-lts@lists.debian.org, 683372@bugs.debian.org
Subject: Re: squeeze update of dnsmasq?
Date: Sat, 16 May 2015 12:26:51 +0200

Hi Simon,

On Fri, May 15, 2015 at 04:24:30PM +0200, Santiago Ruano Rincón wrote:
...
> I'm attaching the clean patch to fix CVE-2015-3294.

These other CVEs are related to each other and still affect dnsmasq in
squeeze and wheezy:
https://security-tracker.debian.org/tracker/CVE-2012-3411
https://security-tracker.debian.org/tracker/CVE-2013-0198

As far as I understand, your fix to those bugs introduces the new
--bind-dynamic option in dnsmasq. This fix also depends on libvirt, which
needs to be modified to pass --bind-dynamic instead of
--bind-interfaces. Please correct me if I'm wrong.

Given that in Debian they have been classified as low priority, do you
think it's worth adapting those changes into squeeze and wheezy?

Best regards,

Santiago

Information forwarded to debian-bugs-dist@lists.debian.org, Simon Kelley <simon@thekelleys.org.uk>:
Bug#683372; Package dnsmasq. (Sat, 16 May 2015 10:57:05 GMT)


Acknowledgement sent to Santiago Ruano Rincón <santiagorr@riseup.net>:
Extra info received and forwarded to list. Copy sent to Simon Kelley <simon@thekelleys.org.uk>. (Sat, 16 May 2015 10:57:05 GMT)


Message #47 received at 683372@bugs.debian.org:

From: Santiago Ruano Rincón <santiagorr@riseup.net>
To: Simon Kelley <simon@thekelleys.org.uk>
Cc: debian-lts@lists.debian.org, 683372@bugs.debian.org
Subject: Re: squeeze update of dnsmasq?
Date: Sat, 16 May 2015 12:54:00 +0200

On Sat, May 16, 2015 at 12:26:51PM +0200, Santiago Ruano Rincón wrote:
> Hi Simon,
> 
> On Fri, May 15, 2015 at 04:24:30PM +0200, Santiago Ruano Rincón wrote:
> ...
> > I'm attaching the clean patch to fix CVE-2015-3294.
> 
> These other CVEs are related to each other and still affect dnsmasq in
> squeeze and wheezy:
> https://security-tracker.debian.org/tracker/CVE-2012-3411
> https://security-tracker.debian.org/tracker/CVE-2013-0198
> 
> As far as I understand, your fix to those bugs introduces the new
> --bind-dynamic option in dnsmasq. This fix also depends on libvirt, which
> needs to be modified to pass --bind-dynamic instead of
> --bind-interfaces. Please correct me if I'm wrong.
> 
> Given that in Debian they have been classified as low priority, do you
> think it's worth adapting those changes into squeeze and wheezy?

Note: libvirt is not supported by Squeeze LTS

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#683372; Package dnsmasq. (Sat, 16 May 2015 17:45:05 GMT)


Acknowledgement sent to Simon Kelley <simon@thekelleys.org.uk>:
Extra info received and forwarded to list. (Sat, 16 May 2015 17:45:05 GMT)


Message #52 received at 683372@bugs.debian.org:

From: Simon Kelley <simon@thekelleys.org.uk>
To: Santiago Ruano Rincón <santiagorr@riseup.net>
Cc: debian-lts@lists.debian.org, 683372@bugs.debian.org
Subject: Re: squeeze update of dnsmasq?
Date: Sat, 16 May 2015 18:18:30 +0100

On 16/05/15 11:26, Santiago Ruano Rincón wrote:
> Hi Simon,
> 
> On Fri, May 15, 2015 at 04:24:30PM +0200, Santiago Ruano Rincón
> wrote: ...
>> I'm attaching the clean patch to fix CVE-2015-3294.
> 
> These other CVEs are related to each other and still affect dnsmasq
> in squeeze and wheezy:
> https://security-tracker.debian.org/tracker/CVE-2012-3411
> https://security-tracker.debian.org/tracker/CVE-2013-0198
> 
> As far as I understand, your fix to those bugs introduces the new
> --bind-dynamic option in dnsmasq. This fix also depends on libvirt,
> which needs to be modified to pass --bind-dynamic instead of
> --bind-interfaces. Please correct me if I'm wrong.
> 
> Given that in Debian they have been classified as low priority, do
> you think it's worth adapting those changes into squeeze and
> wheezy?
> 

Your analysis is correct, and I think it's really not worth the
(large) amount of effort required.

Cheers,

Simon.


> Best regards,
> 
> Santiago
> 



Information forwarded to debian-bugs-dist@lists.debian.org, Simon Kelley <simon@thekelleys.org.uk>:
Bug#683372; Package dnsmasq. (Sun, 17 May 2015 08:09:05 GMT)


Acknowledgement sent to Santiago Ruano Rincón <santiagorr@riseup.net>:
Extra info received and forwarded to list. Copy sent to Simon Kelley <simon@thekelleys.org.uk>. (Sun, 17 May 2015 08:09:05 GMT)


Message #57 received at 683372@bugs.debian.org:

From: Santiago Ruano Rincón <santiagorr@riseup.net>
To: Simon Kelley <simon@thekelleys.org.uk>
Cc: debian-lts@lists.debian.org, 683372@bugs.debian.org
Subject: Re: squeeze update of dnsmasq?
Date: Sun, 17 May 2015 10:06:13 +0200

> On 16/05/15 11:26, Santiago Ruano Rincón wrote:
> > Hi Simon,
> > 
> > On Fri, May 15, 2015 at 04:24:30PM +0200, Santiago Ruano Rincón
> > wrote: ...
> >> I'm attaching the clean patch to fix CVE-2015-3294.
> > 
> > These other CVEs are related to each other and still affect dnsmasq
> > in squeeze and wheezy:
> > https://security-tracker.debian.org/tracker/CVE-2012-3411
> > https://security-tracker.debian.org/tracker/CVE-2013-0198
> > 
> > As far as I understand, your fix to those bugs introduces the new
> > --bind-dynamic option in dnsmasq. This fix also depends on libvirt,
> > which needs to be modified to pass --bind-dynamic instead of
> > --bind-interfaces. Please correct me if I'm wrong.
> > 
> > Given that in Debian they have been classified as low priority, do
> > you think it's worth adapting those changes into squeeze and
> > wheezy?
> > 
> 
> Your analysis is correct, and I think it's really not worth the
> (large) amount of effort required.
> 

Ok. Thanks for your answer!

Santiago



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:16:15 2019; Machine Name: buxtehude
