Ubuntu Security Notice USN-827-1
1st September, 2009
dnsmasq vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 9.04
- Ubuntu 8.10
- Ubuntu 8.04 LTS
Software description
- dnsmasq
Details
IvAin Arce, Pablo HernAin Jorge, Alejandro Pablo Rodriguez, MartAn Coco,
Alberto SoliAto Testa and Pablo Annetta discovered that Dnsmasq did not
properly validate its input when processing TFTP requests for files with
long names. A remote attacker could cause a denial of service or execute
arbitrary code with user privileges. Dnsmasq runs as the 'dnsmasq' user by
default on Ubuntu. (CVE-2009-2957)
Steve Grubb discovered that Dnsmasq could be made to dereference a NULL
pointer when processing certain TFTP requests. A remote attacker could
cause a denial of service by sending a crafted TFTP request.
(CVE-2009-2958)
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 9.04:
- dnsmasq-base 2.47-3ubuntu0.1
- Ubuntu 8.10:
- dnsmasq-base 2.45-1ubuntu1.1
- Ubuntu 8.04 LTS:
- dnsmasq-base 2.41-2ubuntu2.2
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system upgrade is sufficient to effect the
necessary changes.