OracleVM 2.1 : dnsmasq (OVMSA-2009-0022)

This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing a security update.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

CVE-2009-2957 Heap-based buffer overflow in the tftp_request function
in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, might
allow remote attackers to execute arbitrary code via a long filename
in a TFTP packet, as demonstrated by a read (aka RRQ) request.
CVE-2009-2958 The tftp_request function in tftp.c in dnsmasq before
2.50, when

--enable-tftp is used, allows remote attackers to cause a denial of
service (NULL pointer dereference and daemon crash) via a TFTP read
(aka RRQ) request with a malformed blksize option.

- problems with strings when enabling tftp (CVE-2009-2957,
CVE-2009-2957)

- Resolves: rhbg#519021

- update to new upstream version

- fixes for CVE-2008-1447/CERT VU#800113

- Resolves: rhbz#454869

See also :

http://www.nessus.org/u?e4bbb022

Solution :

Update the affected dnsmasq package.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.5
(CVSS2#E:F/RL:ND/RC:ND)
Public Exploit Available : true

Family: OracleVM Local Security Checks

Nessus Plugin ID: 79464 ()

Bugtraq ID: 30131
36120

CVE ID: CVE-2008-1447
CVE-2009-2957
CVE-2009-2958

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now