Security
Headlines
HeadlinesLatestCVEs

Headline

Ubuntu Security Notice USN-5408-1

Ubuntu Security Notice 5408-1 - Petr Menšík and Richard Johnson discovered that Dnsmasq incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code or expose sensitive information.

Packet Storm
#vulnerability#ubuntu

==========================================================================
Ubuntu Security Notice USN-5408-1
May 10, 2022

dnsmasq vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 22.04 LTS
  • Ubuntu 21.10
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 ESM
  • Ubuntu 14.04 ESM

Summary:

Dnsmasq could be made to execute arbitrary code or expose
sensitive information if it received a specially crafted input.

Software Description:

  • dnsmasq: Small caching DNS proxy and DHCP/TFTP server

Details:

Petr Menšík and Richard Johnson discovered that Dnsmasq incorrectly handled
certain inputs. An attacker could possibly use this issue to execute
arbitrary code or expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
dnsmasq 2.86-1.1ubuntu0.1
dnsmasq-base 2.86-1.1ubuntu0.1
dnsmasq-utils 2.86-1.1ubuntu0.1

Ubuntu 21.10:
dnsmasq 2.85-1ubuntu2.1
dnsmasq-base 2.85-1ubuntu2.1
dnsmasq-utils 2.85-1ubuntu2.1

Ubuntu 20.04 LTS:
dnsmasq 2.80-1.1ubuntu1.5
dnsmasq-base 2.80-1.1ubuntu1.5
dnsmasq-utils 2.80-1.1ubuntu1.5

Ubuntu 18.04 LTS:
dnsmasq 2.79-1ubuntu0.6
dnsmasq-base 2.79-1ubuntu0.6
dnsmasq-utils 2.79-1ubuntu0.6

Ubuntu 16.04 ESM:
dnsmasq 2.75-1ubuntu0.16.04.10+esm1
dnsmasq-base 2.75-1ubuntu0.16.04.10+esm1
dnsmasq-utils 2.75-1ubuntu0.16.04.10+esm1

Ubuntu 14.04 ESM:
dnsmasq 2.68-1ubuntu0.2+esm1
dnsmasq-base 2.68-1ubuntu0.2+esm1
dnsmasq-utils 2.68-1ubuntu0.2+esm1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5408-1
CVE-2022-0934

Package Information:
https://launchpad.net/ubuntu/+source/dnsmasq/2.86-1.1ubuntu0.1
https://launchpad.net/ubuntu/+source/dnsmasq/2.85-1ubuntu2.1
https://launchpad.net/ubuntu/+source/dnsmasq/2.80-1.1ubuntu1.5
https://launchpad.net/ubuntu/+source/dnsmasq/2.79-1ubuntu0.6

Related news

Red Hat Security Advisory 2024-1545-03

Red Hat Security Advisory 2024-1545-03 - An update for dnsmasq is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a use-after-free vulnerability.

CVE-2023-43074: DSA-2023-141: Dell Unity, Unity VSA and Unity XT Security Update for Multiple Vulnerability

Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server.

Red Hat Security Advisory 2023-0408-01

Red Hat Security Advisory 2023-0408-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. Issues addressed include denial of service and out of bounds read vulnerabilities.

RHSA-2023:0408: Red Hat Security Advisory: OpenShift Virtualization 4.12.0 Images security update

Red Hat OpenShift Virtualization release 4.12 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2021-44716: golang: net/http: limit growth of header canonicalization cache * CVE-2021-44717: golang: syscall: don't close fd 0 on ForkExec error * CVE-2022-1705: golang: net/http: improper sanitizat...

CVE-2023-21850: Oracle Critical Patch Update Advisory - January 2023

Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

Red Hat Security Advisory 2022-8750-01

Red Hat Security Advisory 2022-8750-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. Issues addressed include denial of service and out of bounds read vulnerabilities.

RHSA-2022:8750: Red Hat Security Advisory: OpenShift Virtualization 4.11.1 security and bug fix update

Red Hat OpenShift Virtualization release 4.11.1 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-24921: golang: regexp: stack exhaustion via a deeply nested expression * CVE-2022-28327: golang: crypto/elliptic: panic caus...

RHSA-2022:8070: Red Hat Security Advisory: dnsmasq security and bug fix update

An update for dnsmasq is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-0934: dnsmasq: Heap use after free in dhcp6_no_relay

RHSA-2022:7633: Red Hat Security Advisory: dnsmasq security and bug fix update

An update for dnsmasq is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-0934: dnsmasq: Heap use after free in dhcp6_no_relay

CVE-2022-0934: Invalid Bug ID

A single-byte, non-arbitrary write/use-after-free flaw was found in dnsmasq. This flaw allows an attacker who sends a crafted packet processed by dnsmasq, potentially causing a denial of service.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution