Ubuntu update for dnsmasq
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2017-15107 CVE-2019-14513 |
| CWE-ID | CWE-20 CWE-125 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Ubuntu Operating systems & Components / Operating system dnsmasq-utils (Ubuntu package) Operating systems & Components / Operating system package or component dnsmasq-base (Ubuntu package) Operating systems & Components / Operating system package or component dnsmasq (Ubuntu package) Operating systems & Components / Operating system package or component |
| Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU33708
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-15107
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
A vulnerability was found in the implementation of DNSSEC in Dnsmasq up to and including 2.78. Wildcard synthesized NSEC records could be improperly interpreted to prove the non-existence of hostnames that actually exist.
MitigationUpdate the affected package dnsmasq to the latest version.
Vulnerable software versionsUbuntu: 16.04
dnsmasq-utils (Ubuntu package): before 2.75-1ubuntu0.16.04.10
dnsmasq-base (Ubuntu package): before 2.75-1ubuntu0.16.04.10
dnsmasq (Ubuntu package): before 2.75-1ubuntu0.16.04.10
CPE2.3- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:dnsmasq-utils_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:dnsmasq-base_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:dnsmasq_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-4924-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Out-of-bounds read
EUVDB-ID: #VU19919
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-14513
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a boundary error when processing DNS packets. The vulnerability allows an attacker controlled DNS server to send large DNS packets that result in a read operation beyond the buffer allocated for the packet.
Successful exploitation of this vulnerability may result in sensitive data disclosure or denial of service conditions.
MitigationUpdate the affected package dnsmasq to the latest version.
Vulnerable software versionsUbuntu: 16.04
dnsmasq-utils (Ubuntu package): before 2.75-1ubuntu0.16.04.10
dnsmasq-base (Ubuntu package): before 2.75-1ubuntu0.16.04.10
dnsmasq (Ubuntu package): before 2.75-1ubuntu0.16.04.10
CPE2.3- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:dnsmasq-utils_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:dnsmasq-base_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:dnsmasq_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-4924-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
