Dnsmasq

**bmdz** · 10-03-2017, 06:27 AM

Do any versions of untangle use Dnsmasq version 2.77 and if so which ones?

Thanks

**Jim.Alles** · 10-03-2017, 07:28 PM

No, but that isn't the issue...

**chaycock** · 10-04-2017, 12:20 PM

Originally Posted by Jim.Alles

No, but that isn't the issue...

What is the issue?

**JasonJoel** · 10-05-2017, 05:52 AM

I would like to hear that too... Since I was literally just reviewing some malware snippets that exploit the vulnerabilities in DNSMASQ yesterday... The most interesting aren't the ones specific to 2.77, rather the 2.66 ones were my focus area.

Not sure how you can say 'that is not the issue' then disappear.

**chaycock** · 10-05-2017, 06:11 AM

Originally Posted by Jim.Alles

No, but that isn't the issue...

Which version of DNsmasq is used by 13.1?

**Jim.Alles** · 10-05-2017, 08:38 PM

Oh, I actually disappeared quite a while ago, and I am just making it back!

As far as the past couple of days, I was at a very nice conference hosted by Cornell University (which is where I first heard of this) and had limited time at a computer keyboard. I was also allowing some more time for UT to make a statement, or the O.P to respond; and wanted to phrase this carefully.

From Simon Kelley:
https://www.mail-archive.com/dnsmasq.../msg11664.html

From Google:
https://security.googleblog.com/2017...-and-dhcp.html

And thanks to both for the cooperative effort put forth to keep our networks a little safer.

The specific CVEs:
https://nvd.nist.gov/vuln/search/res...&query=dnsmasq

I also believe that the way I have my NGFW configured, there is no cause for panic.

I would re-phrase the question: "When can we expect dnsmasq-2.78 to be included in an upgrade?".

**jcoffin** · 10-05-2017, 10:01 PM

Originally Posted by Jim.Alles

I would re-phrase the question: "When can we expect dnsmasq-2.78 to be included in an upgrade?".

When Debian includes it.

**dmorris** · 10-05-2017, 11:44 PM

A better question would be "When can we expect fixes for the these issues?"
That answer is: 2.72-3+deb8u2

https://security-tracker.debian.org/...CVE-2017-14491

2.76 will not be used until 14.0
2.78 will likely not be used for many years.
If you just care about version number, you are free to install whatever software you like on your Untangle.

**Jim.Alles** · 10-06-2017, 03:16 AM

A better question would be "When can we expect fixes for these issues?"

Yes, and if anyone feels the need to patch these now for themselves, they were developed per CVE:
http://thekelleys.org.uk/gitweb/?p=d....git;a=summary

have at it!

And thanks UT, for keeping up with these kinds of issues and sorting them out - I wouldn't expect it at all from any off-the-shelf consumer router manufacturer.

**donhwyo** · 10-06-2017, 10:47 AM

Originally Posted by dmorris

A better question would be "When can we expect fixes for the these issues?"
That answer is: 2.72-3+deb8u2

https://security-tracker.debian.org/...CVE-2017-14491

2.76 will not be used until 14.0
2.78 will likely not be used for many years.
If you just care about version number, you are free to install whatever software you like on your Untangle.

2.72-3+deb8u2 is available in debian jessie. I wonder why untangle apt-get update does not get it?

Thread: Dnsmasq

LinkBack

Thread Tools

Dnsmasq

serious security vulnerabilities

Posting Permissions