Security update for dnsmasq SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:2633-1 Final 1 1 2017-10-02T19:31:12Z current 2017-10-02T19:31:12Z 2017-10-02T19:31:12Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for dnsmasq This update for dnsmasq fixes the following security issues: - CVE-2017-14491: 2 byte heap based overflow. [bsc#1060354] - CVE-2017-14492: heap based overflow. [bsc#1060355] - CVE-2017-14493: stack based overflow. [bsc#1060360] - CVE-2017-14494: DHCP - info leak. [bsc#1060361] - CVE-2017-14495: DNS - OOM DoS. [bsc#1060362] - CVE-2017-14496: DNS - DoS Integer underflow. [bsc#1060364] This update was imported from the SUSE:SLE-12-SP1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2017-10/msg00006.html E-Mail link for openSUSE-SU-2017:2633-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 dnsmasq-2.78-13.1 dnsmasq-utils-2.78-13.1 dnsmasq-2.78-13.1 as a component of openSUSE Leap 42.2 dnsmasq-utils-2.78-13.1 as a component of openSUSE Leap 42.2 dnsmasq-2.78-13.1 as a component of openSUSE Leap 42.3 dnsmasq-utils-2.78-13.1 as a component of openSUSE Leap 42.3 Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response. CVE-2017-14491 openSUSE Leap 42.2:dnsmasq-2.78-13.1 openSUSE Leap 42.2:dnsmasq-utils-2.78-13.1 openSUSE Leap 42.3:dnsmasq-2.78-13.1 openSUSE Leap 42.3:dnsmasq-utils-2.78-13.1 moderate 6.4 AV:N/AC:L/Au:N/C:N/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-10/msg00006.html https://www.suse.com/security/cve/CVE-2017-14491.html CVE-2017-14491 https://bugzilla.suse.com/1060354 SUSE Bug 1060354 https://bugzilla.suse.com/1060360 SUSE Bug 1060360 https://bugzilla.suse.com/1060361 SUSE Bug 1060361 https://bugzilla.suse.com/1060362 SUSE Bug 1060362 https://bugzilla.suse.com/1060364 SUSE Bug 1060364 https://bugzilla.suse.com/1063832 SUSE Bug 1063832 https://bugzilla.suse.com/1143944 SUSE Bug 1143944 Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted IPv6 router advertisement request. CVE-2017-14492 openSUSE Leap 42.2:dnsmasq-2.78-13.1 openSUSE Leap 42.2:dnsmasq-utils-2.78-13.1 openSUSE Leap 42.3:dnsmasq-2.78-13.1 openSUSE Leap 42.3:dnsmasq-utils-2.78-13.1 moderate 4.8 AV:A/AC:L/Au:N/C:N/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-10/msg00006.html https://www.suse.com/security/cve/CVE-2017-14492.html CVE-2017-14492 https://bugzilla.suse.com/1060355 SUSE Bug 1060355 https://bugzilla.suse.com/1060360 SUSE Bug 1060360 https://bugzilla.suse.com/1060361 SUSE Bug 1060361 https://bugzilla.suse.com/1060362 SUSE Bug 1060362 https://bugzilla.suse.com/1060364 SUSE Bug 1060364 https://bugzilla.suse.com/1063832 SUSE Bug 1063832 Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DHCPv6 request. CVE-2017-14493 openSUSE Leap 42.2:dnsmasq-2.78-13.1 openSUSE Leap 42.2:dnsmasq-utils-2.78-13.1 openSUSE Leap 42.3:dnsmasq-2.78-13.1 openSUSE Leap 42.3:dnsmasq-utils-2.78-13.1 moderate 4.8 AV:A/AC:L/Au:N/C:N/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-10/msg00006.html https://www.suse.com/security/cve/CVE-2017-14493.html CVE-2017-14493 https://bugzilla.suse.com/1060360 SUSE Bug 1060360 https://bugzilla.suse.com/1060361 SUSE Bug 1060361 https://bugzilla.suse.com/1060362 SUSE Bug 1060362 https://bugzilla.suse.com/1060364 SUSE Bug 1060364 https://bugzilla.suse.com/1063832 SUSE Bug 1063832 dnsmasq before 2.78, when configured as a relay, allows remote attackers to obtain sensitive memory information via vectors involving handling DHCPv6 forwarded requests. CVE-2017-14494 openSUSE Leap 42.2:dnsmasq-2.78-13.1 openSUSE Leap 42.2:dnsmasq-utils-2.78-13.1 openSUSE Leap 42.3:dnsmasq-2.78-13.1 openSUSE Leap 42.3:dnsmasq-utils-2.78-13.1 moderate 3.3 AV:A/AC:L/Au:N/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-10/msg00006.html https://www.suse.com/security/cve/CVE-2017-14494.html CVE-2017-14494 https://bugzilla.suse.com/1060360 SUSE Bug 1060360 https://bugzilla.suse.com/1060361 SUSE Bug 1060361 https://bugzilla.suse.com/1060362 SUSE Bug 1060362 https://bugzilla.suse.com/1060364 SUSE Bug 1060364 Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service (memory consumption) via vectors involving DNS response creation. CVE-2017-14495 openSUSE Leap 42.2:dnsmasq-2.78-13.1 openSUSE Leap 42.2:dnsmasq-utils-2.78-13.1 openSUSE Leap 42.3:dnsmasq-2.78-13.1 openSUSE Leap 42.3:dnsmasq-utils-2.78-13.1 important 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-10/msg00006.html https://www.suse.com/security/cve/CVE-2017-14495.html CVE-2017-14495 https://bugzilla.suse.com/1060360 SUSE Bug 1060360 https://bugzilla.suse.com/1060361 SUSE Bug 1060361 https://bugzilla.suse.com/1060362 SUSE Bug 1060362 https://bugzilla.suse.com/1060364 SUSE Bug 1060364 Integer underflow in the add_pseudoheader function in dnsmasq before 2.78 , when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service via a crafted DNS request. CVE-2017-14496 openSUSE Leap 42.2:dnsmasq-2.78-13.1 openSUSE Leap 42.2:dnsmasq-utils-2.78-13.1 openSUSE Leap 42.3:dnsmasq-2.78-13.1 openSUSE Leap 42.3:dnsmasq-utils-2.78-13.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-10/msg00006.html https://www.suse.com/security/cve/CVE-2017-14496.html CVE-2017-14496 https://bugzilla.suse.com/1060360 SUSE Bug 1060360 https://bugzilla.suse.com/1060361 SUSE Bug 1060361 https://bugzilla.suse.com/1060362 SUSE Bug 1060362 https://bugzilla.suse.com/1060364 SUSE Bug 1060364