Armbian / Ubuntu vs. dnsmasq security issues


root

You may have read about the recent (one month ago, but hey, what's a month between friends?) security vulnerabilities discovered in dnsmasq. They have been patched in version 2.78 and, quoting the author:

This is a bugfix release, and, amongst other things, addresses a set of serious security vulnerabilities. Update should be mandatory.

The dnsmasq shipped with Armbian is a rather old 2.75 and it is enabled by default, so I see this as a rather significant risk.

I have compiled the latest version and installed it by hand, following the instructions located here (obviously, with 2.78 instead of 2.76).

Is there any chance of getting this package updated in the repository for Xenial Xerus (16.04.3 LTS)? My particular Armbian install version is 5.34.171105 (nightly, that is).

 

The same stands for OpenVPN, which comes as an outdated ancient 2.3.10 (current being 2.4.4).

Fair point.  For most users, however, this is a philosophic rather than practical distinction.  Perhaps a more recent package in the beta.armbian.com stretch repository would help?

In the meanwhile, I have updated the package myself, took the best part of 5 minutes.

2 minutes ago, root said:

For most users, however, this is a philosophic rather than practical distinction.  Perhaps a more recent package in the beta.armbian.com stretch repository would help?

 

Why/how? Armbian enables unattended-upgrades, all the vulnerabilities that were disclosed on 2nd Oct had been backported to Xenial's 2.75-1ubuntu0.16.04.3 package so please check when the fixed dnsmasq version has been installed on your Armbian installation automagically:

zgrep '2.75-1ubuntu0.16.04.3' /var/log/dpkg.log*

 

9 minutes ago, root said:

Oct 28th, says dpkg logfile.

 

Hmm... I only checked one installation where I found it installed prior to posting:

2017-10-02 16:52:36 upgrade dnsmasq-base:armhf 2.75-1ubuntu0.16.04.2 2.75-1ubuntu0.16.04.3

Since

root@lime2:~# dpkg -l | grep unattended-upgrades
ii  unattended-upgrades            0.90ubuntu0.8                              all          automatic installation of security upgrades

my understanding is that it should've been updated automagically that day but I might be wrong here. Anyway: other than fixing a potential configuration error with unattended-upgrades we can't do much here anyway since for obvious reasons we rely on upstream distro security fixes. Only exceptions are kernel related vulnerabilities but here we managed to provide fixes on average within less than 24 hours the last 2 years now (for ALL those +20 kernels we currently maintain since we're crazy/stupid/whatever) 
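
The dpkg.log check from the replies above, as an added example that is not part of the original thread: a plain zgrep for the version string also matches later lines where that version is the one being replaced, so this sketch matches on the log's fields instead. The function name and every sample log line except the upgrade line quoted in the thread are constructed for illustration.

```shell
#!/bin/sh
# Lines in dpkg.log format. The first "upgrade" line is the one quoted in the
# thread; every other line (including version ...16.04.99) is constructed.
SAMPLE_LOG='2017-10-02 16:52:35 startup archives unpack
2017-10-02 16:52:36 upgrade dnsmasq-base:armhf 2.75-1ubuntu0.16.04.2 2.75-1ubuntu0.16.04.3
2017-10-02 16:52:36 status half-configured dnsmasq-base:armhf 2.75-1ubuntu0.16.04.2
2017-10-02 16:52:37 status installed dnsmasq-base:armhf 2.75-1ubuntu0.16.04.3
2018-01-15 06:25:10 upgrade dnsmasq-base:armhf 2.75-1ubuntu0.16.04.3 2.75-1ubuntu0.16.04.99'

# fixed_install_time PACKAGE VERSION   (dpkg.log content on stdin)
# Prints the earliest timestamp at which PACKAGE was installed or upgraded
# *to* VERSION; returns non-zero if the log holds no such entry.
fixed_install_time() {
    _hit=$(awk -v pkg="$1" -v ver="$2" '
        # fields: date time action package:arch old-version new-version
        ($3 == "install" || $3 == "upgrade") && $6 == ver {
            split($4, name, ":")        # drop the ":armhf" / ":all" suffix
            if (name[1] == pkg) print $1, $2
        }' | sort | head -n 1)
    [ -n "$_hit" ] && printf '%s\n' "$_hit"
}

# On a real system, feed it every rotated log (zcat -f also passes
# uncompressed files through unchanged):
#   zcat -f /var/log/dpkg.log* | fixed_install_time dnsmasq-base 2.75-1ubuntu0.16.04.3
printf '%s\n' "$SAMPLE_LOG" | fixed_install_time dnsmasq-base 2.75-1ubuntu0.16.04.3
```

A non-zero exit status means the log never recorded the package reaching that version, which is the case to investigate on a host that is supposed to receive unattended security upgrades.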
