root, posted November 5, 2017:

You may have read about the recent (one month ago, but hey, what's a month between friends?) security vulnerabilities discovered in dnsmasq. They have been patched in version 2.78 and, quoting the author: "This is a bugfix release, and, amongst other things, addresses a set of serious security vulnerabilities. Update should be mandatory." The dnsmasq shipped with Armbian is a rather old 2.75 and it is enabled by default, so I see this as a rather significant risk. I have compiled the latest version and installed it by hand, following the instructions located here (obviously, with 2.78 instead of 2.76). Is there any chance of getting this package updated in the repository for Xenial Xerus (16.04.3 LTS)? My particular Armbian install version is 5.34.171105 (nightly, that is). The same stands for OpenVPN, which comes as an outdated ancient 2.3.10 (current being 2.4.4).
tkaiser, posted November 5, 2017:

7 minutes ago, root said: "The dnsmasq shipped with Armbian"

...does not exist. You use Xenial, so it's Ubuntu's dnsmasq package that you're using. Armbian only provides a few own packages (bootloader/kernel and 'board support package'). http://changelogs.ubuntu.com/changelogs/pool/main/d/dnsmasq/dnsmasq_2.75-1ubuntu0.16.04.3/changelog
root (author), posted November 5, 2017:

Fair point. For most users, however, this is a philosophic rather than practical distinction. Perhaps a more recent package in the beta.armbian.com stretch repository would help? In the meanwhile, I have updated the package myself; it took the best part of 5 minutes.
tkaiser, posted November 5, 2017:

2 minutes ago, root said: "For most users, however, this is a philosophic rather than practical distinction. Perhaps a more recent package in the beta.armbian.com stretch repository would help?"

Why/how? Armbian enables unattended-upgrades, and all the vulnerabilities that were disclosed on 2nd Oct had been backported to Xenial's 2.75-1ubuntu0.16.04.3 package, so please check when the fixed dnsmasq version has been installed on your Armbian installation automagically:

    zgrep '2.75-1ubuntu0.16.04.3' /var/log/dpkg.log*
root (author), posted November 5, 2017:

Oct 28th, says the dpkg logfile. CVE-2017-13704 doesn't show in the changelog for the package though (but that's not an Armbian thing at all, purely Ubuntu - and I'm not being ironic).
tkaiser, posted November 5, 2017:

9 minutes ago, root said: "Oct 28th, says dpkg logfile."

Hmm... I only checked one installation where I found it installed prior to posting:

    2017-10-02 16:52:36 upgrade dnsmasq-base:armhf 2.75-1ubuntu0.16.04.2 2.75-1ubuntu0.16.04.3

Since

    root@lime2:~# dpkg -l | grep unattended-upgrades
    ii  unattended-upgrades  0.90ubuntu0.8  all  automatic installation of security upgrades

my understanding is that it should've been updated automagically that day, but I might be wrong here. Anyway: other than fixing a potential configuration error with unattended-upgrades we can't do much here anyway, since for obvious reasons we rely on upstream distro security fixes. The only exceptions are kernel related vulnerabilities, but here we managed to provide fixes on average within less than 24 hours over the last 2 years (for ALL those +20 kernels we currently maintain since we're crazy/stupid/whatever).
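The dpkg.log check tkaiser describes above, as an added example that is neither from the thread nor Armbian or Ubuntu code: a small Python script that re-implements dpkg's version ordering (so "reached the fixed version" is answered correctly even when the installed version is newer than the one you grep for) and reads dpkg.log lines to report when a package was last installed or upgraded. The sample log is constructed around the one upgrade line quoted in the thread; compare_versions and fix_status are names of my own.

```python
# Added example, not Armbian or Ubuntu code: dpkg-style version ordering plus a
# minimal dpkg.log parser to confirm when a package reached a fixed version.
import re
from itertools import zip_longest

def _order(c):
    # dpkg's character weight: '~' < end of string (0) < letters < other punctuation
    return ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _key(part):
    # Split into alternating (non-digit, digit) runs; the trailing 0 models end-of-string
    return [(tuple(_order(c) for c in s) + (0,), int(d or 0))
            for s, d in re.findall(r"(\D*)(\d*)", part)]

def _verrevcmp(a, b):
    for x, y in zip_longest(_key(a), _key(b), fillvalue=((0,), 0)):
        if x != y:
            return -1 if x < y else 1
    return 0

def compare_versions(a, b):
    """Return <0, 0 or >0 for a vs b, following dpkg's [epoch:]upstream[-revision] rules."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, dash, rev = rest.rpartition("-")
        return int(epoch), (upstream if dash else rest), rev
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def fix_status(log_text, package, fixed_version):
    """Latest install/upgrade of package -> (timestamp, version, reached fixed_version?) or None."""
    latest = None
    for line in log_text.splitlines():
        f = line.split()  # "<date> <time> install|upgrade <pkg>:<arch> <old> <new>"
        if len(f) >= 6 and f[2] in ("install", "upgrade") and f[3].split(":")[0] == package:
            latest = (f[0] + " " + f[1], f[5])
    if latest is None:
        return None
    return latest[0], latest[1], compare_versions(latest[1], fixed_version) >= 0

# Constructed sample log; only the 16:52:36 upgrade line is the one quoted in the thread
SAMPLE_LOG = """\
2017-09-14 06:25:12 upgrade dnsmasq-base:armhf 2.75-1ubuntu0.16.04.1 2.75-1ubuntu0.16.04.2
2017-10-02 16:52:36 upgrade dnsmasq-base:armhf 2.75-1ubuntu0.16.04.2 2.75-1ubuntu0.16.04.3
2017-10-02 16:52:37 status installed dnsmasq-base:armhf 2.75-1ubuntu0.16.04.3
2017-10-03 06:10:01 upgrade openvpn:armhf 2.3.10-1ubuntu2 2.3.10-1ubuntu2.1
"""
```

On a real system, feed it the concatenated contents of /var/log/dpkg.log* (rotated files are gzip-compressed, hence tkaiser's zgrep); `status installed` lines are ignored because only install/upgrade records carry the old and new version.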