Advisories » MGASA-2024-0041

Updated dnsmasq packages fix security vulnerabilities

Publication date: 18 Feb 2024
Modification date: 18 Feb 2024
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-50387, CVE-2023-50868

Description

This updated dnsmasq package fixes the following security issues:
Certain DNSSEC aspects of the DNS protocol allow a remote attacker to
trigger a denial of service via extreme resource consumption caused
by a DNSSEC query or response:
- KeyTrap - Extreme CPU consumption in DNSSEC validator.
  (CVE-2023-50387)
- Preparing an NSEC3 closest encloser proof can exhaust CPU resources.
  (CVE-2023-50868)

This update also fixes issues with UDP packet size (fix already present
in the Mageia package for 2.89), a possible segfault, and caching.

References

SRPMS

9/core