Your message dated Wed, 09 Apr 2014 21:20:06 +0000
with message-id <[email protected]>
and subject line Bug#732610: fixed in dnsmasq 2.69-1
has caused the Debian Bug report #732610,
regarding dnsmasq: listen only to loopback device by default
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
732610: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732610
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dnsmasq
Version: 2.68-1
Severity: normal
I've been involved in two situations already where a default dnsmasq
installation was misused for DDoS nameserver attacks, because
dnsmasq is listening on all network devices without any real
limitations by default.
Something like:
% cat /etc/dnsmasq.d/loopback.conf
interface=lo
no-dhcp-interface=
bind-interfaces
listen-address=127.0.0.1
mitigates this problem for systems where dnsmasq is used e.g. only
for chroots on the local system. I'm not sure if listening on
loopback-only is what users of dnsmasq would expect though. But
maybe there could be an according notice about the possible risks
and how to bind it to loopback-only in README.Debian or so if
dnsmasq continues to listen on all interfaces by default?
regards,
-mika-
--- End Message ---
--- Begin Message ---
Source: dnsmasq
Source-Version: 2.69-1
We believe that the bug you reported is fixed in the latest version of
dnsmasq, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Kelley <[email protected]> (supplier of updated dnsmasq package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 4 Feb 2014 16:28:12 +0000
Source: dnsmasq
Binary: dnsmasq dnsmasq-base dnsmasq-utils
Architecture: source amd64 all
Version: 2.69-1
Distribution: unstable
Urgency: low
Maintainer: Simon Kelley <[email protected]>
Changed-By: Simon Kelley <[email protected]>
Description:
dnsmasq - Small caching DNS proxy and DHCP/TFTP server
dnsmasq-base - Small caching DNS proxy and DHCP/TFTP server
dnsmasq-utils - Utilities for manipulating DHCP leases
Closes: 732610
Changes:
dnsmasq (2.69-1) unstable; urgency=low
.
* New upstream.
* Set --local-service. (closes: #732610)
  This tells dnsmasq to ignore DNS requests that don't come from a local
  network.
  It's automatically ignored if --interface, --except-interface,
  --listen-address or --auth-server exist in the configuration, so for most
  installations, it will have no effect, but for otherwise-unconfigured
  installations, it stops dnsmasq from being vulnerable to DNS-reflection
  attacks.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---
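
An added example, not part of either message above and not code from dnsmasq or the Debian package: a Python audit that applies the rule stated in the 2.69-1 changelog (local-service is ignored once --interface, --except-interface, --listen-address or --auth-server is configured) to a dnsmasq configuration and reports how the DNS listener is exposed. The function names, the four result labels, the `lo` interface name and the comma-splitting of values are assumptions of this example.

```python
import ipaddress

# Options that, per the 2.69-1 changelog above, make dnsmasq ignore local-service.
OVERRIDES = {"interface", "except-interface", "listen-address", "auth-server"}

# The loopback.conf from the bug report.
REPORTER_CONF = "interface=lo\nno-dhcp-interface=\nbind-interfaces\nlisten-address=127.0.0.1\n"

def parse_conf(text):
    """Return (option, value) pairs; '#' comments and blank lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            pairs.append((key.strip(), value.strip()))
    return pairs

def _values(pairs, option):
    """All values given for one option (assumption: commas separate several)."""
    return [v.strip() for k, val in pairs if k == option for v in val.split(",") if v.strip()]

def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparsable address: do not count it as loopback

def classify(text, local_service_on_cmdline=False):
    """Return 'loopback-only', 'local-service', 'explicit' or 'open'."""
    pairs = parse_conf(text)
    keys = {k for k, _ in pairs}
    if not keys & OVERRIDES:
        # Nothing overrides local-service, so it alone decides the outcome.
        if local_service_on_cmdline or "local-service" in keys:
            return "local-service"
        return "open"  # answers on every interface: the default the bug describes
    ifaces = _values(pairs, "interface")
    addrs = _values(pairs, "listen-address")
    pinned = bool(ifaces or addrs) and "auth-server" not in keys
    # Assumption: "lo" is the loopback interface name (Linux).
    if pinned and all(i == "lo" for i in ifaces) and all(map(_is_loopback, addrs)):
        return "loopback-only"
    return "explicit"  # admin-chosen listeners; local-service no longer applies

if __name__ == "__main__":
    print("reporter's loopback.conf:", classify(REPORTER_CONF))
    print("empty config, no flag:   ", classify(""))
    print("empty config, flag set:  ", classify("", local_service_on_cmdline=True))
```

A result of `explicit` means the listeners were chosen by the administrator and local-service gives no protection, so those interfaces and addresses need their own review or firewalling.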