<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Thank you Ethan,<div class="">That seems to indicate that TCP remains open as an attack vector.</div><div class=""><br class=""></div><div class="">I guess I also need to reject TCP packets larger than 1023 bytes with a src port of 53.</div><div class=""><br class=""></div><div class="">I am going to have to read up a bit on the iptables syntax to get that to work…</div><div class=""><br class=""></div><div class="">Regards,<br class=""><div class="">
<div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; " class=""><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; " class="">--</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; " class="">Louis Munro<br class=""><a href="mailto:lmunro@inverse.ca" class="">lmunro@inverse.ca</a> :: <a href="http://www.inverse.ca" class="">www.inverse.ca</a> <br class="">+1.514.447.4918 x125 :: +1 (866) 353-6153 x125<br class="">Inverse inc. :: Leaders behind SOGo (<a href="http://www.sogo.nu" class="">www.sogo.nu</a>) and PacketFence (<a href="http://www.packetfence.org" class="">www.packetfence.org</a>)</div></div>
</div>
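<div class="">A host-firewall rule set for the cutoff Louis describes above, added here as an example (it is not code from this thread, from dnsmasq or from the Google post). It assumes a Linux host with netfilter iptables/ip6tables, that DNS answers arrive on the INPUT chain from source port 53, and that the same "under 1024 bytes" cutoff is applied to UDP and TCP alike; the function names, the DNS_SIZE_CUTOFF variable and the DRY_RUN switch are this example's own conventions.</div>
<pre class="">
```shell
#!/bin/sh
# Added example for this thread, not code from dnsmasq, iptables or the list.
# Drops oversized DNS answers (source port 53) at the host firewall so that
# a 2048+ byte reply never reaches the vulnerable glibc resolver, for UDP and
# TCP alike, since dnsmasq's --edns-packet-max only governs the UDP path.
# Assumptions: Linux with iptables/ip6tables, answers arrive on INPUT, and a
# cutoff of "under 1024 bytes". DNS_SIZE_CUTOFF and DRY_RUN are this example's
# own switches, not iptables or dnsmasq options.

# Smallest IP datagram length (bytes) that is refused. The netfilter "length"
# match compares the whole IP datagram, IP header included, so 1024 here is
# slightly stricter than 1024 bytes of DNS payload.
DNS_SIZE_CUTOFF=${DNS_SIZE_CUTOFF:-1024}

# Print the rules for one tool (iptables for IPv4, ip6tables for IPv6),
# one command per line, without running them.
dns_size_rules() {
    tool="$1"
    for proto in udp tcp; do
        echo "$tool -A INPUT -p $proto --sport 53 -m length --length ${DNS_SIZE_CUTOFF}:65535 -j DROP"
    done
}

# Count lines on stdin without depending on wc's output padding.
count_lines() {
    n=0
    while IFS= read -r _line; do n=$((n + 1)); done
    echo "$n"
}

# Apply the rules for both address families. Needs root; with DRY_RUN=1 the
# commands are printed instead of executed.
apply_dns_size_rules() {
    for tool in iptables ip6tables; do
        dns_size_rules "$tool" | while IFS= read -r rule; do
            if [ "${DRY_RUN:-0}" = 1 ]; then
                echo "$rule"
            else
                $rule
            fi
        done
    done
}

# Usage: sh dns-size-filter.sh --print   (show the four commands)
#        sudo sh dns-size-filter.sh --apply
case "${1:-}" in
    --print) DRY_RUN=1; apply_dns_size_rules ;;
    --apply) apply_dns_size_rules ;;
esac
```
</pre>
<div class="">Two caveats worth knowing before relying on this. The length match is evaluated per packet, so for TCP an upstream (or an attacker impersonating one) can split a large answer into segments that each stay under the cutoff and the client's TCP stack reassembles them; the TCP rule raises the bar but does not replace patching glibc and restarting the processes that use it. The rules also discard legitimately large answers (DNSSEC, big TXT records), and a DROP on TCP leaves the resolver waiting for a timeout; REJECT with a TCP reset fails faster if that matters on these hosts.</div>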
<br class=""><div><blockquote type="cite" class=""><div class="">On Feb 17, 2016, at 12:49 , Ethan Rahn <<a href="mailto:ethan.rahn@gmail.com" class="">ethan.rahn@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Hello Louis,<div class=""><br class=""></div><div class="">I asked this last night and got a response from Simon on this.</div><div class=""><br class=""></div><div class=""><a href="https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg10244.html" class="">https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg10244.html</a><br class=""></div><div class=""><br class=""></div><div class="">I hope this helps.</div><div class=""><br class=""></div><div class="">Cheers,</div><div class=""><br class=""></div><div class="">Ethan</div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Wed, Feb 17, 2016 at 8:46 AM, Louis Munro <span dir="ltr" class=""><<a href="mailto:lmunro@inverse.ca" target="_blank" class="">lmunro@inverse.ca</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class="">Hello,<div class=""><br class=""></div><div class="">Buffer overflows are in the news again as I am sure people have heard by now.</div><div class=""><br class=""></div><div class="">The post on the google security blog about it seems to indicate that dnsmasq may be used to mitigate the problem, at least until patching could be done.</div><div class=""><br class=""></div><div class="">See: <a href="https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html" target="_blank" class="">https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html</a></div><div class=""><br class=""></div><div class="">I have some production servers running both dnsmasq (2.48) and the affected glibc.</div><div 
class=""><br class=""></div><div class="">Do I understand correctly that running dnsmasq in its default configuration should limit DNS replies handled to 1280 bytes?</div><div class="">I see this in the manpage: </div><div class=""><br class=""></div><div class=""> -P, --edns-packet-max=&lt;size&gt;<br class=""> Specify the largest EDNS.0 UDP packet which is supported by the DNS forwarder. Defaults to 1280, which is<br class=""> the RFC2671-recommended maximum for ethernet.</div><div class=""><br class=""></div><div class="">Since the vulnerability relies on a reply of at least 2048 bytes, can I assume I am fine until I can update these systems and reboot them (which should be soon, but just not yet…)? </div><div class="">Does that setting also apply to TCP replies?</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Best regards,</div><div class=""><div class="">
<div style="font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word;" class=""><div style="font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word;" class="">--</div><div style="font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word;" class="">Louis Munro<br class=""><a href="mailto:lmunro@inverse.ca" target="_blank" class="">lmunro@inverse.ca</a> :: <a href="http://www.inverse.ca/" target="_blank" class="">www.inverse.ca</a> <br class=""><a href="tel:%2B1.514.447.4918%20x125" value="+15144474918" target="_blank" class="">+1.514.447.4918 x125</a> :: <a href="tel:%2B1%20%28866%29%C2%A0353-6153%20x125" value="+18663536153" target="_blank" class="">+1 (866) 353-6153 x125</a><br class="">Inverse inc. :: Leaders behind SOGo (<a href="http://www.sogo.nu/" target="_blank" class="">www.sogo.nu</a>) and PacketFence (<a href="http://www.packetfence.org/" target="_blank" class="">www.packetfence.org</a>)</div></div>
</div>
<br class=""></div></div><br class="">_______________________________________________<br class="">
Dnsmasq-discuss mailing list<br class="">
<a href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk" class="">Dnsmasq-discuss@lists.thekelleys.org.uk</a><br class="">
<a href="http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss" rel="noreferrer" target="_blank" class="">http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss</a><br class="">
<br class=""></blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></div></body></html>