[Dnsmasq-discuss] CVE-2015-7547 and dnsmasq

Ethan Rahn ethan.rahn at gmail.com
Wed Feb 17 17:49:16 GMT 2016


Hello Louis,

I asked this last night and got a response from Simon on this.

https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg10244.html

I hope this helps.

Cheers,

Ethan

On Wed, Feb 17, 2016 at 8:46 AM, Louis Munro <lmunro at inverse.ca> wrote:

> Hello,
>
> Buffer overflows are in the news again as I am sure people have heard by
> now.
>
> The post on the Google security blog about it seems to indicate that
> dnsmasq may be used to mitigate the problem, at least until patching could
> be done.
>
> See:
> https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
>
> I have some production servers running both dnsmasq (2.48) and the
> affected glibc.
>
> Do I understand correctly that running dnsmasq in its default
> configuration should limit DNS replies handled to 1280 bytes?
> I see this in the manpage:
>
>        -P, --edns-packet-max=<size>
>               Specify the largest EDNS.0 UDP packet which is supported by
>               the DNS forwarder. Defaults to 1280, which is the
>               RFC2671-recommended maximum for ethernet.
>
> Since the vulnerability relies on a reply of at least 2048 bytes, can I
> assume I am fine until I can update these systems and reboot them (which
> should be soon, but just not yet…)?
> Does that setting also apply to TCP replies?
>
>
> Best regards,
> --
> Louis Munro
> lmunro at inverse.ca  ::  www.inverse.ca
> +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)