What's new

CVE 2023-50868 and CVE 2023-50387 in dnsmasq when DNSSEC is enabled

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Is there an option in unbound to do this?
 
For those of you using Pi-Hole, there is a new release, Pi-hole FTL v5.25, which updates the embedded version of dnsmasq to v2.90
5.25.1 released a couple of days ago to address the "resource limit exceeded" messages...

 
Two new CVEs were revealed related to DNSSEC support in dnsmasq. A specially crafted record can generate a DoS against dnsmasq, causing it to exhaust its resources.

Should note that this is not just DNSMASQ, most of the other resolvers that support DNSSEC have the same issue...

Anyways, here's the relevant links to the disclosures/CVE's...


 
I did option 3 by commenting that line in the config file. Is that the right thing to do?

#module-config: "respip validator iterator" # v1.08 add 'respip' for rpz feature @juched
 
3004.388.6_2 and 386.12_6 have been released, including the fixed dnsmasq version.
 
OpenWRT has merged in their fixes with an updated dnsmasq to v2.90 to Master - I suspect the next point release should include it.

Code:
commit 838a27f64f56e75aae98a3ab2556856224d48d8b
Author: Nathaniel Wesley Filardo <nwfilardo@gmail.com>
Date:   Sun Feb 18 13:12:10 2024 +0000

    dnsmasq: version 2.90
    
    Bump to 2.90 to get upstream's fix for DNSSEC KeyTrap (CVE-2023-50387,
    CVE-2023-50868) among many other goodies and fixes (notably, upstream
    568fb024... fixes a UAF in cache_remove_uid that was routinely crashing
    dnsmasq in my deployment).
    
    Catch up our 200-ubus_dns.patch, too.
    
    Signed-off-by: Nathaniel Wesley Filardo <nwfilardo@gmail.com>
 
OpenWRT has merged in their fixes with an updated dnsmasq to v2.90 to Master - I suspect the next point release should include it.

OpenWRT is important as both Mediatek and Qualcomm base their SDK's on OpenWRT.

The public Master has the fix checked in, and this, as I mentioned should be available on the Release Branch on their next release...

Remember that OpenWRT has to support a panoply of chipsets/SoC's and Architectures, so sometimes things might be delayed due to testing across those architectures...
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top