Date: Wed, 20 Jan 2021 19:11:52 +0000 (UTC) From: Matthias Andree <mandree@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r562153 - head/security/vuxml Message-ID: <202101201911.10KJBqUl097787@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: mandree Date: Wed Jan 20 19:11:51 2021 New Revision: 562153 URL: https://svnweb.freebsd.org/changeset/ports/562153 Log: dns/dnsmasq < 2.83 vulnerabilities (buffer overflow, DNS cache poisoning) Security: 5b5cf6e5-5b51-11eb-95ac-7f9491278677 Security: CVE-2020-25684 Security: CVE-2020-25685 Security: CVE-2020-25686 Security: CVE-2020-25681 Security: CVE-2020-25682 Security: CVE-2020-25683 Security: CVE-2020-25687 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Wed Jan 20 17:37:45 2021 (r562152) +++ head/security/vuxml/vuln.xml Wed Jan 20 19:11:51 2021 (r562153) @@ -58,6 +58,49 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="5b5cf6e5-5b51-11eb-95ac-7f9491278677"> + <topic>dnsmasq -- DNS cache poisoning, and DNSSEC buffer overflow, vulnerabilities</topic> + <affects> + <package> + <name>dnsmasq</name> + <range><lt>2.83</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Simon Kelley reports:</p> + <blockquote cite="http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014599.html"> + <p> + There are broadly two sets of problems. The first is subtle errors + in dnsmasq's protections against the chronic weakness of the DNS + protocol to cache-poisoning attacks; the Birthday attack, Kaminsky, + etc.[...] + </p> + <p> + the second set of errors is a good old fashioned buffer overflow in + dnsmasq's DNSSEC code. If DNSSEC validation is enabled, an + installation is at risk. + </p> + </blockquote> + </body> + </description> + <references> + <url>https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014599.html</url> + <url>https://www.jsof-tech.com/disclosures/dnspooq/</url> + <cvename>CVE-2020-25684</cvename> + <cvename>CVE-2020-25685</cvename> + <cvename>CVE-2020-25686</cvename> + <cvename>CVE-2020-25681</cvename> + <cvename>CVE-2020-25682</cvename> + <cvename>CVE-2020-25683</cvename> + <cvename>CVE-2020-25687</cvename> + </references> + <dates> + <discovery>2020-09-16</discovery> <!-- CVE creation date, vuln apparently known since August to JSOF? --> + <entry>2021-01-20</entry> + </dates> + </vuln> + <vuln vid="6a4805d5-5aaf-11eb-a21d-79f5bc5ef6a9"> <topic>go -- cmd/go: packages using cgo can cause arbitrary code execution at build time; crypto/elliptic: incorrect operations on the P-224 curve</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202101201911.10KJBqUl097787>