[Dnsmasq-discuss] CVE-2015-7547 and dnsmasq
Louis Munro
lmunro at inverse.ca
Wed Feb 17 17:51:59 GMT 2016
Thank you Ethan,
That seems to indicate that TCP remains open as an attack vector.
I guess I also need to reject tcp packets larger than 1023 bytes with a src port of 53.
I am going to have to read up a bit on the iptables syntax to get that to work…
Regards,
--
Louis Munro
lmunro at inverse.ca :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
> On Feb 17, 2016, at 12:49 , Ethan Rahn <ethan.rahn at gmail.com> wrote:
>
> Hello Louis,
>
> I asked this last night and got a response from Simon on this.
>
> https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg10244.html
>
> I hope this helps.
>
> Cheers,
>
> Ethan
>
> On Wed, Feb 17, 2016 at 8:46 AM, Louis Munro <lmunro at inverse.ca> wrote:
> Hello,
>
> Buffer overflows are in the news again as I am sure people have heard by now.
>
> The post on the google security blog about it seems to indicate that dnsmasq may be used to mitigate the problem, at least until patching could be done.
>
> See: https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
>
> I have some production servers running both dnsmasq (2.48) and the affected glibc.
>
> Do I understand correctly that running dnsmasq in its default configuration should limit dns replies handled to 1280 bytes?
> I see this in the manpage:
>
> -P, --edns-packet-max=<size>
> Specify the largest EDNS.0 UDP packet which is supported by the DNS forwarder. Defaults to 1280, which is
> the RFC2671-recommended maximum for ethernet.
>
> Since the vulnerability relies on a reply of at least 2048 bytes, can I assume I am fine until I can update these systems and reboot them (which should be soon, but just not yet…)?
> Does that setting also apply to TCP replies?
>
>
> Best regards,
> --
> Louis Munro
> lmunro at inverse.ca :: www.inverse.ca
> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
>
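The thread turns on two numbers: dnsmasq's default --edns-packet-max of 1280 bytes, which only bounds UDP replies, and the 2048-byte reply size the Google write-up gives as the trigger for CVE-2015-7547. The following is an added example, not code from the thread, from dnsmasq or from the glibc fix; it builds an EDNS0 query that advertises a 1280-byte UDP payload size, reads that advertisement back out of the wire format, and applies the reply-size policy Louis is after: a UDP reply must fit the advertised size, and a TCP reply, which carries its own 2-byte length prefix (RFC 1035 section 4.2.2) that the EDNS size does not constrain, must have a length field below 2048. The sample replies are constructed in the block (valid header and question, then filler to reach a chosen size); the function names, the 1023-byte TCP threshold taken from Louis's message and the use of example.com are assumptions for illustration.

```python
"""Reply-size policy for DNS over UDP and TCP (added example, not from the thread)."""
import struct

# Constants named in the thread: dnsmasq's default --edns-packet-max, and the
# minimum reply size the Google write-up gives for triggering CVE-2015-7547.
DEFAULT_EDNS_MAX = 1280
OVERFLOW_REPLY_MIN = 2048
# Louis's proposed TCP cut-off ("larger than 1023 bytes"); an assumption, not a dnsmasq setting.
TCP_MAX_LEN = 1023

TYPE_A = 1
TYPE_OPT = 41
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at `off` (a compression pointer ends the name)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_query(name: str, udp_payload_size=DEFAULT_EDNS_MAX, qid: int = 0x1234) -> bytes:
    """Build an A query; with udp_payload_size set, append an EDNS0 OPT record advertising it."""
    arcount = 0 if udp_payload_size is None else 1
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD set, one question
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if udp_payload_size is None:
        return header + question
    # OPT RR: root name, TYPE=41, CLASS=requestor's UDP payload size, TTL=0, RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, 0, 0)
    return header + question + opt


def advertised_udp_size(query: bytes) -> int:
    """Return the UDP payload size from the query's OPT record, or 512 (classic DNS) if none."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(query, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount + nscount + arcount):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass                        # CLASS field carries the payload size
        off += 10 + rdlen
    return 512


def udp_reply_allowed(reply: bytes, query: bytes) -> bool:
    """UDP policy: accept only a reply that fits the size the query advertised."""
    return len(reply) <= advertised_udp_size(query)


def tcp_reply_allowed(stream: bytes, max_len: int = TCP_MAX_LEN) -> bool:
    """TCP policy: the 2-byte length prefix, not the EDNS size, says how big the reply is."""
    if len(stream) < 2:
        return False
    (msg_len,) = struct.unpack("!H", stream[:2])
    return msg_len <= max_len


def constructed_reply(qid: int, size: int) -> bytes:
    """Constructed sample reply of `size` bytes: valid header and question, then zero filler."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 0, 0, 0)  # QR and RA set, NOERROR
    question = encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    body = header + question
    return body + b"\x00" * (size - len(body))


def tcp_frame(reply: bytes) -> bytes:
    """Wrap a DNS message the way it travels over TCP: 16-bit length, then the message."""
    return struct.pack("!H", len(reply)) + reply


if __name__ == "__main__":
    q = build_query("example.com")
    print("advertised UDP size:", advertised_udp_size(q))
    print("UDP 2048-byte reply allowed:", udp_reply_allowed(constructed_reply(0x1234, OVERFLOW_REPLY_MIN), q))
    print("TCP 2048-byte reply allowed:", tcp_reply_allowed(tcp_frame(constructed_reply(0x1234, OVERFLOW_REPLY_MIN))))
```

The point the code makes is the one Simon's linked reply makes in prose: the 1280-byte figure is something the client advertises in its UDP query, so a reply over TCP is limited only by its own 16-bit length field, and any filter meant to cover TCP has to look at that length (or at segment sizes, as an iptables rule would) rather than rely on the EDNS setting.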