Dnsmasq CVEs - please provide updates

root@turris:~# opkg install dnsmasq
Package dnsmasq (2.73-5) installed in root is up to date.

2.78 is the fixed version

4 Likes

FWIW, the LEDE folks are working on a 17.01.3 release for tomorrow on this, apparently (from #lede-dev on IRC). Hopefully this will get fixed here soon, as it’s a pretty critical security issue!

The test repository has the update already, so I guess it’s just a matter of time.

This is now fixed, from what I can tell here:

It didn’t make it to 3.8.2.
Proof:
http://repo.turris.cz/omnia/packages/base/ and also as you can see it was pushed to test branch (not to stable branch), so as @einar said it’s just a matter of time.

I think there will be 3.8.3 very soon. Anyway, if you would like to try the dnsmasq package from the test repository (http://repo.turris.cz/omnia-test/packages/base/), you can try to download it and install it, or you can wait for 3.8.3.

Dear awesome users,
we’re working on these issues, updates are in the testing process and will be part of 3.8.3, which is planned to be in RC tomorrow and in production on Friday.

5 Likes

Friday is the best day for new patches and letting people spend the weekend without internet access :)

1 Like

Yes, you’re right. Deploying on Friday…

There is a dilemma… leave our users to live with the CVE all weekend or take the risk of deploying on Friday. As there is an easy solution of going back to a working snapshot in case of a problem, we are taking the risk.

2 Likes

I would have liked the security update. Pity you decided to not deploy.

Synology routers have had the patch since 4. 10., see https://www.synology.com/en-global/releaseNote/RT2600ac

Please don’t forget to build the dnsmasq-full. Only the smaller version is in the test repository from what I can see.

Don’t panic. Half of those CVEs are in DNS, which we don’t use. The rest is the ability to crash dnsmasq from your local network or to obtain internal variables (which probably don’t contain anything interesting unless you are using dnsmasq as an authoritative DNS server) if and only if you configured dnsmasq as a DHCPv6 relay. So the impact on our users is not as big as it sounds. And we are working on an updated version; unfortunately, we had a critical issue with our oldest routers that we had to resolve first, so we had to delay this update to be able to test a little bit. Apart from that, what you see in the test repository is a minimal build containing only a subset of the packages we ship, as we need something fast to build to run tests on before we build everything, so don’t worry, we are not going to drop most of our packages in our next release.

2 Likes

Understood. I am personally using the default kresd on Omnia. But I disagree a little bit. You offer dnsmasq (full) in your own repository, so I understand that’s in the “Turris package”.

And I can use any “official” package and, as I see it, they all should be “known-CVE-free”… So I think that bumping packages which maybe aren’t enabled in the default configuration, but are available to use from the official repository, should also be handled quickly… I mean in the case of that kind of CVE, of course.

The other side is testing. And I agree it has the same priority as bumping security fixes ASAP… So, thank you for letting us know!

It was already on our radar before the forum post, don’t worry. And we try to update everything that is possible, but due to limited resources, we have to prioritize based on what affects our users most and how.

2 Likes