Date: Wed, 2 Jul 2008 11:23:51 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request for dnsmasq DoS

Hi Steven,
* Steven M. Christey <coley@...us.mitre.org> [2008-07-02 00:05]:
> On Mon, 30 Jun 2008, Jamie Strandboge wrote:
> > There is a remote DoS in dnsmasq 2.25 (and presumably earlier) that is
> > fixed in 2.26. Details can be found at . Can we get a CVE assigned
> > for this?
>
> I'm not sure I fully understand Thierry Carrez' comment about the security
> implications of this issue. It seems like an exploit would require a
> malicious DHCP server, in which case isn't DHCP service already
> compromised? If so, then a crash of dnsmasq (null dereference?) doesn't
> seem to be any worse than the loss of DHCP itself.

Why is a malicious DHCP server needed? As far as I understood the bug,
a client that doesn't already have a lease would just need to send a
DHCPREQUEST to refresh its non-existent lease.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.