path: root/package/network/services/dnsmasq/patches/0112-Add-CVE-numbers-to-security-update-descriptions-in-C.patch
blob: 1d7d3a7dae801016c0d398a671e493d50c9d120b (plain)
From e01e09c7125b40646aff4a582672e711a18a69a4 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 8 Jan 2021 22:50:03 +0000
Subject: Add CVE numbers to security update descriptions in CHANGELOG

---
 CHANGELOG | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,16 +1,17 @@
 	Fix a remote buffer overflow problem in the DNSSEC code. Any
 	dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
-	referenced by CERT VU#434904.
+	referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683
+	CVE-2020-25687.
 
 	Be sure to only accept UDP DNS query replies at the address
 	from which the query was originated. This keeps as much entropy
 	in the {query-ID, random-port} tuple as possible, to help defeat
-	cache poisoning attacks. Refer: CERT VU#434904.
+	cache poisoning attacks. Refer: CVE-2020-25684.
 
 	Use the SHA-256 hash function to verify that DNS answers
 	received are for the questions originally asked. This replaces
 	the slightly insecure SHA-1 (when compiled with DNSSEC) or
-	the very insecure CRC32 (otherwise). Refer: CERT VU#434904.
+	the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
 
 	Handle multiple identical near simultaneous DNS queries better.
 	Previously, such queries would all be forwarded
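Review bot: The CVE list added to the first entry is missing a separator between its last two items: the line ends "CVE-2020-25683" and the next line starts "CVE-2020-25687." with no comma or "and" between them. The four identifiers should read as one list, for example "CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687.", so that the last one is not taken for a separate reference.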
@@ -24,7 +25,7 @@
 	of the query. The new behaviour detects repeated queries and
 	merely stores the clients sending repeats so that when the
 	first query completes, the answer can be sent to all the
-	clients who asked. Refer: CERT VU#434904.
+	clients who asked. Refer: CVE-2020-25686.
 	
 
 version 2.81
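Review bot: The "Refer: CERT VU#434904." text in the repeated-queries entry is replaced outright by "Refer: CVE-2020-25686.", as it is in the three entries of the first hunk, so the CHANGELOG no longer mentions the CERT note at all. Consider keeping both identifiers, for example "Refer: CVE-2020-25686 (CERT VU#434904).", so a reader who has only the VU number can still find these entries. The whitespace-only context line that follows the changed line could also be cleaned up while this paragraph is being edited.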