Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 09 Jul 2012 14:04:35 +0200
From: Jan Lieskovsky <>
To: "Steven M. Christey" <>
CC:, David Woodhouse <>,
        Daniel Berrange <>,
        Daniel Veillard <>
Subject: CVE Request -- dnsmasq: When being run by libvirt open DNS proxy
 (reachable out-of the virtual network set for the particular guest domain
 too) is created

Hello Kurt, Steve, vendors,

   David Woodhouse reported a deficiency in the way dnsmasq,
a lightweight, easy to configure DNS forwarder and DHCP server,
when being run under libvirt, a library providing simple
virtualization API, performed processing of packets coming
outside of virtual network set for the particular guest domain.

   When libvirt was configured to provide a range of public
IP addresses to its guest domains and dnsmasq was instructed
to discard packets originating from other interfaces, than
specified on the command line via the --bind-interface option,
those packets (coming from 'prohibited' interfaces) were not
dropped properly and subsequently processed.

   A remote attacker could use this flaw to cause a distributed
denial of service, as demonstrated in the report [1] via "stream
of spoofed DNS queries producing large results".


Could you allocate a CVE id for this?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ