Date: Thu, 18 Mar 2021 00:09:51 +0000 (UTC) From: Matthias Andree <mandree@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r568701 - head/security/vuxml Message-ID: <202103180009.12I09p8l050187@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: mandree Date: Thu Mar 18 00:09:50 2021 New Revision: 568701 URL: https://svnweb.freebsd.org/changeset/ports/568701 Log: vuxml: Add dnsmasq < 2.85 cache poisoning vulnerability. This affects only certain dnsmasq configurations, and use of dnsmasq with NetworkManager. Security: CVE-2021-3448 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Wed Mar 17 23:47:53 2021 (r568700) +++ head/security/vuxml/vuln.xml Thu Mar 18 00:09:50 2021 (r568701) @@ -78,6 +78,47 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="5b72b1ff-877c-11eb-bd4f-2f1d57dafe46"> + <topic>dnsmasq -- cache poisoning vulnerability in certain configurations</topic> + <affects> + <package> + <name>dnsmasq</name> + <range><lt>2.85r1,1</lt></range> + </package> + <package> + <name>dnsmasq-devel</name> + <range><lt>2.85r1,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Simon Kelley reports:</p> + <blockquote cite="https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014835.html">; + <p> + [In configurations where the forwarding server address contains an @ + character for specifying a sending interface or source address, the] + random source port behavior was disabled, making cache poisoning + attacks possible. + </p> + </blockquote> + <p> + This only affects configurations of the form server=1.1.1.1@em0 or + server=1.1.1.1@192.0.2.1, i. e. those that specify an interface to + send through, or an IP address to send from, or use together with + NetworkManager. + </p> + </body> + </description> + <references> + <url>https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014835.html</url>; + <cvename>CVE-2021-3448</cvename> + </references> + <dates> + <discovery>2021-03-17</discovery> + <entry>2021-03-18</entry> + </dates> + </vuln> + <vuln vid="b073677f-253a-41f9-bf2b-2d16072a25f6"> <topic>minio -- MITM attack</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202103180009.12I09p8l050187>