Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 24 Jul 2008 03:23:33 +0200
From: Robert Buchholz <rbu@...too.org>
To: oss-security@...ts.openwall.com
Cc: Josh Bressers <bressers@...hat.com>,
 Jamie Strandboge <jamie@...onical.com>,
 "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request for dnsmasq DoS

On Wednesday 23 July 2008, Josh Bressers wrote:
> On 8 July 2008, Jamie Strandboge wrote:
> > I finally had time to develop a PoC and confirm this on my own. A
> > client need only send a DHCPREQUEST for an IP address not on the
> > same network as dnsmasq. Eg:
> >
> > 1. dnsmasq listening on and giving IP addresses for
> > 192.168.122.0/24 2. client requests IP address on another network,
> > such as 192.168.0.1 3. dnsmasq 2.25 (and presumably earlier)
> > crashes
>
> It seems there is also a problem with newer dnsmasq that is very
> similar to this:
> http://bugs.gentoo.org/show_bug.cgi?id=232523
>
> That problem appears to be pretty much the same thing, but affecting
> versions 2.43 - 2.45

I also had to think of this <2.26 issue when I saw the bug, but I did 
not get to request a CVE yet, so thank you.

> Did this ever get a CVE id?

Yes, the <2.26 one is CVE-2008-3214.

Robert

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ