42 lines
1.6 KiB
Diff
42 lines
1.6 KiB
Diff
From e01e09c7125b40646aff4a582672e711a18a69a4 Mon Sep 17 00:00:00 2001
|
|
From: Simon Kelley <simon@thekelleys.org.uk>
|
|
Date: Fri, 8 Jan 2021 22:50:03 +0000
|
|
Subject: Add CVE numbers to security update descriptions in CHANGELOG
|
|
|
|
---
|
|
CHANGELOG | 9 +++++----
|
|
1 file changed, 5 insertions(+), 4 deletions(-)
|
|
|
|
--- a/CHANGELOG
|
|
+++ b/CHANGELOG
|
|
@@ -1,16 +1,17 @@
|
|
Fix a remote buffer overflow problem in the DNSSEC code. Any
|
|
dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
|
|
- referenced by CERT VU#434904.
|
|
+ referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683
|
|
+ CVE-2020-25687.
|
|
|
|
Be sure to only accept UDP DNS query replies at the address
|
|
from which the query was originated. This keeps as much entropy
|
|
in the {query-ID, random-port} tuple as possible, to help defeat
|
|
- cache poisoning attacks. Refer: CERT VU#434904.
|
|
+ cache poisoning attacks. Refer: CVE-2020-25684.
|
|
|
|
Use the SHA-256 hash function to verify that DNS answers
|
|
received are for the questions originally asked. This replaces
|
|
the slightly insecure SHA-1 (when compiled with DNSSEC) or
|
|
- the very insecure CRC32 (otherwise). Refer: CERT VU#434904.
|
|
+ the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
|
|
|
|
Handle multiple identical near simultaneous DNS queries better.
|
|
Previously, such queries would all be forwarded
|
|
@@ -24,7 +25,7 @@
|
|
of the query. The new behaviour detects repeated queries and
|
|
merely stores the clients sending repeats so that when the
|
|
first query completes, the answer can be sent to all the
|
|
- clients who asked. Refer: CERT VU#434904.
|
|
+ clients who asked. Refer: CVE-2020-25686.
|
|
|
|
|
|
version 2.81
|