lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20090901215156.GA32579@severus.strandboge.com>
Date: Tue, 1 Sep 2009 16:51:56 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-827-1] Dnsmasq vulnerabilities

===========================================================
Ubuntu Security Notice USN-827-1         September 01, 2009
dnsmasq vulnerabilities
CVE-2009-2957, CVE-2009-2958
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  dnsmasq-base                    2.41-2ubuntu2.2

Ubuntu 8.10:
  dnsmasq-base                    2.45-1ubuntu1.1

Ubuntu 9.04:
  dnsmasq-base                    2.47-3ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

IvAin Arce, Pablo HernAin Jorge, Alejandro Pablo Rodriguez, MartA­n Coco,
Alberto SoliAto Testa and Pablo Annetta discovered that Dnsmasq did not
properly validate its input when processing TFTP requests for files with
long names. A remote attacker could cause a denial of service or execute
arbitrary code with user privileges. Dnsmasq runs as the 'dnsmasq' user by
default on Ubuntu. (CVE-2009-2957)

Steve Grubb discovered that Dnsmasq could be made to dereference a NULL
pointer when processing certain TFTP requests. A remote attacker could
cause a denial of service by sending a crafted TFTP request.
(CVE-2009-2958)


Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dnsmasq/dnsmasq_2.41-2ubuntu2.2.diff.gz
      Size/MD5:    22736 b0b1196898ba0a1d49dd3d767c1d685c
    http://security.ubuntu.com/ubuntu/pool/main/d/dnsmasq/dnsmasq_2.41-2ubuntu2.2.dsc
      Size/MD5:      706 ecf4c36193d5063039a63f33712df6e2
    http://security.ubuntu.com/ubuntu/pool/main/d/dnsmasq/dnsmasq_2.41.orig.tar.gz
      Size/MD5:   357997 8d0acd6656299a800c4d1be5a1193e39

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/d/dnsmasq/dnsmasq_2.41-2ubuntu2.2_all.deb
      Size/MD5:    11964 e5fa2630695acfe9caa62d0d30a89b01

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/d/dnsmasq/dnsmasq-base_2.41-2ubuntu2.2_amd64.deb
      Size/MD5:   210274 aab9865b6ad46104e28e5db9e98f6c74

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/d/dnsmasq/dnsmasq-base_2.41-2ubuntu2.2_i386.deb
      Size/MD5:   202712 36d3885ee58bdb59ae323c9ea9528f3c

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/d/dnsmasq/dnsmasq-base_2.41-2ubuntu2.2_lpia.deb
      Size/MD5:   203286 0c2f1dbfefdbc27905284d323be2023d

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/d/dnsmasq/dnsmasq-base_2.41-2ubuntu2.2_powerpc.deb
      Size/MD5:   210564 53e28b512b863f41a605979c2ae4d51e

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/d/dnsmasq/dnsmasq-base_2.41-2ubuntu2.2_sparc.deb
      Size/MD5:   204218 2c03e7df659884baeac446d0a87c8e9e

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dnsmasq/dnsmasq_2.45-1ubuntu1.1.diff.gz
      Size/MD5:    15256 100f87ac7b49fd2ad56a1baccd1aeae5
    http://security.ubuntu.com/ubuntu/pool/main/d/dnsmasq/dnsmasq_2.45-1ubuntu1.1.dsc
      Size/MD5:     1098 74863177e20c0340d7cf225fb60ac182
    http://security.ubuntu.com/ubuntu/pool/main/d/dnsmasq/dnsmasq_2.45.orig.tar.gz
      Size/MD5:   377466 59106495260bb2d0f184f0d4ae88d740

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/d/dnsmasq/dnsmasq_2.45-1ubuntu1.1_all.deb
      Size/MD5:    12164 c78f9591778ad9fdea8744553cfe21d0

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/d/dnsmasq/dnsmasq-base_2.45-1ubuntu1.1_amd64.deb
      Size/MD5:   219310 7d5435aeb7bd3b1c8c12c8e830f6e167

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/d/dnsmasq/dnsmasq-base_2.45-1ubuntu1.1_i386.deb
      Size/MD5:   212322 c3053944a71e5be108251e1eadcb206c

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/d/dnsmasq/dnsmasq-base_2.45-1ubuntu1.1_lpia.deb
      Size/MD5:   211744 976e638797537eac32e3fd96ec0a78b9

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/d/dnsmasq/dnsmasq-base_2.45-1ubuntu1.1_powerpc.deb
      Size/MD5:   217828 78d5925bd54239598042b81230341f95

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/d/dnsmasq/dnsmasq-base_2.45-1ubuntu1.1_sparc.deb
      Size/MD5:   213498 b43f01c34f8471173bd8177b0300f292

Updated packages for Ubuntu 9.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/d/dnsmasq/dnsmasq_2.47-3ubuntu0.1.diff.gz
      Size/MD5:    15599 54f4b48ec1ec03b06a5fa8b2706c0611
    http://security.ubuntu.com/ubuntu/pool/main/d/dnsmasq/dnsmasq_2.47-3ubuntu0.1.dsc
      Size/MD5:     1098 786c3dc587ceb870ea724d66ff0085dc
    http://security.ubuntu.com/ubuntu/pool/main/d/dnsmasq/dnsmasq_2.47.orig.tar.gz
      Size/MD5:   393306 8bf2bd2dcbd5b3e7a689611d20b51126

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/d/dnsmasq/dnsmasq_2.47-3ubuntu0.1_all.deb
      Size/MD5:    13004 11219fb5f0ecd525a1bfb7ce95fd5e81

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/d/dnsmasq/dnsmasq-base_2.47-3ubuntu0.1_amd64.deb
      Size/MD5:   229344 9c43a00001bb1feef5e3340225fc4704

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/d/dnsmasq/dnsmasq-base_2.47-3ubuntu0.1_i386.deb
      Size/MD5:   221568 e28309342282e463efdf10694046b96c

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/d/dnsmasq/dnsmasq-base_2.47-3ubuntu0.1_lpia.deb
      Size/MD5:   221032 19755ca579fa44543f3658d20abbcaac

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/d/dnsmasq/dnsmasq-base_2.47-3ubuntu0.1_powerpc.deb
      Size/MD5:   227238 a30b637a127aa09a0425550be64c5b49

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/d/dnsmasq/dnsmasq-base_2.47-3ubuntu0.1_sparc.deb
      Size/MD5:   222732 0f7dd8d1aabcad788a50b147fd1cb6ba



Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ