Todo #11278

Update dnsmasq to >=2.8.3

Added by Logan Marchione about 1 month ago. Updated 29 days ago.

Status: Resolved
Priority: Normal
Category: DNS Forwarder
Target version:
Start date: 01/21/2021
Due date:
% Done: 0%
Estimated time:
Description

Not really a bug, but are you aware of DNSpooq?
https://www.jsof-tech.com/disclosures/dnspooq/

AFAIK, it was just announced today. I'm assuming FreeBSD has it patched (I don't see an advisory yet). Are there plans to patch pfSense?

Cache Poisoning Vulnerabilities
CVE-2020-25686, CVE-2020-25684, CVE-2020-25685

Buffer Overflow Vulnerabilities
CVE-2020-25687, CVE-2020-25683, CVE-2020-25682, CVE-2020-25681

History

#1 Updated by Jim Pingle about 1 month ago

  • Tracker changed from Bug to Todo
  • Subject changed from DNSpooq (not a bug, but is this planned to be patched?) to Update dnsmasq to >=2.8.3
  • Assignee set to Renato Botelho
  • Target version set to 2.5.0

We are aware, but for the most part it wouldn't impact us. These are all issues in dnsmasq, which while included in pfSense software, has not been the default in many years. Most of them require using DNSSEC with dnsmasq, which is not supported in pfSense, so there is no way to exploit them.

If someone is concerned they could switch to using the DNS Resolver (unbound) instead.

That said, the FreeBSD ports tree now has dnsmasq 2.83 so we can pull that in to 2.5.0 before release.

#2 Updated by Renato Botelho about 1 month ago

  • Status changed from New to Feedback

2.84 is now imported to 2.5.0 repo

#3 Updated by Renato Botelho 29 days ago

  • Status changed from Feedback to Resolved
