network-manager: CVE-2018-1000135: Full-tunnel VPN misconfigures DNS servers, leaks private information

Debian Bug report logs - #895658
network-manager: CVE-2018-1000135: Full-tunnel VPN misconfigures DNS servers, leaks private information

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: submit@bugs.debian.org

Subject: network-manager: CVE-2018-1000135: Full-tunnel VPN misconfigures DNS servers, leaks private information

Date: Sat, 14 Apr 2018 09:37:05 +0200

Source: network-manager
Version: 1.10.6-2
Severity: normal
Tags: security
Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=746422

Hi,

The following vulnerability was published for network-manager.

CVE-2018-1000135[0]:
| GNOME NetworkManager version 1.10.2 and earlier contains a Information
| Exposure (CWE-200) vulnerability in DNS resolver that can result in
| Private DNS queries leaked to local network's DNS servers, while on
| VPN. This vulnerability appears to have been fixed in Some Ubuntu
| 16.04 packages were fixed, but later updates removed the fix. cf.
| https://bugs.launchpad.net/ubuntu/+bug/1754671 an upstream fix does
| not appear to be available at this time.

There is work in progress in [1], [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000135
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000135
[1] https://bugzilla.gnome.org/process_bug.cgi
[2] https://cgit.freedesktop.org/NetworkManager/NetworkManager/log/?h=bg/dns-bgo746422

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Send a report that this bug log contains spam.