dnsmasq: version 2.90 (CVE 2023-50387, CVE 2023-50868) #14669
ef630a6 to 134e5cc
Thanks for taking care. BTW, this update fixes CVE 2023-50868 as well, so it should be mentioned in the commit description as well.
I compiled with your patch for my DL-WRX36.
Do you want me to test anything else?
Working for me, thanks.
134e5cc to 33160df
Commit message updated as per @ynezz feedback.
How likely is a client to be hit by this? Or will most upstream resolvers strip the attack for us?
Huh. Interesting. #14631 would be a pseudo duplicate. I am mildly perplexed this PR exists, and appears to be still a work in progress, yet my bug was still marked "completed".
Can this be merged? Do I need to do anything?
Can anyone post ipk package 2.90 for manual replacement?
It's working without problems!
Bump to 2.90 to get upstream's fix for DNSSEC KeyTrap (CVE-2023-50387, CVE-2023-50868) among many other goodies and fixes (notably, upstream 568fb024... fixes a UAF in cache_remove_uid that was routinely crashing dnsmasq in my deployment).

Catch up our 200-ubus_dns.patch, too.

Signed-off-by: Nathaniel Wesley Filardo <nwfilardo@gmail.com>
33160df to 838a27f
Thanks! Rebased on top of main and merged!
Great work! Can anyone with permissions cherry-pick it for current release? @robimarko ?
@stangri this is a relatively busy repo, so see if we can help out and prep the CP (of this commit) as a PR.
@nbd168 Please review the changes to package/network/services/dnsmasq/patches/200-ubus_dns.patch. I believe they are correct, but upstream's 12ddb2a4b9204846db7c38eefe4080d89dbed708 ("To implement this needed the DNS-doctor code to be untangled from find_soa()") imposed a little bit of work.