EulerOS 2.0 SP2 : dnsmasq (EulerOS-SA-2018-1285)
High Nessus Plugin ID 117729
SynopsisThe remote EulerOS host is missing multiple security updates.
DescriptionAccording to the versions of the dnsmasq packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
- A memory exhaustion flaw was found in dnsmasq in the EDNS0 code. An attacker could send crafted DNS packets which would trigger memory allocations which would never be freed, leading to unbounded memory consumption and eventually a crash. This issue only affected configurations using one of the options: add-mac, add-cpe-id, or add-subnet. (CVE-2017-14495)
- An integer underflow flaw leading to a buffer over-read was found in dnsmasq in the EDNS0 code. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash. This issue only affected configurations using one of the options: add-mac, add-cpe-id, or add-subnet. (CVE-2017-14496)
As this issue only affects configurations using the add-mac, add-cpe-id, or add-subnet options, and these are not enabled by default in dnsmasq on EulerOS, this vulnerability may not actively affect the system at this time, but has the potential to do so if the configuration changes. Updating the version of these packages is the safest course of action.
Note that Tenable Network Security has extracted most of the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
SolutionUpdate the affected dnsmasq packages.