Security update for dnsmasq SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0130-1 Final 1 1 2025-01-15T13:26:53Z current 2025-01-15T13:26:53Z 2025-01-15T13:26:53Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for dnsmasq This update for dnsmasq fixes the following issues: - Version update to 2.90: - CVE-2023-50387: Fixed a Denial Of Service while trying to validate specially crafted DNSSEC responses. (bsc#1219823) - CVE-2023-50868: Fixed a Denial Of Service while trying to validate specially crafted DNSSEC responses. (bsc#1219826) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-130,SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-130,SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-130,SUSE-SLE-Product-SLES_SAP-15-SP3-2025-130,SUSE-SUSE-MicroOS-5.1-2025-130,SUSE-SUSE-MicroOS-5.2-2025-130,SUSE-Storage-7.1-2025-130 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250130-1/ Link for SUSE-SU-2025:0130-1 https://lists.suse.com/pipermail/sle-security-updates/2025-January/020139.html E-Mail link for SUSE-SU-2025:0130-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1200344 SUSE Bug 1200344 https://bugzilla.suse.com/1207174 SUSE Bug 1207174 https://bugzilla.suse.com/1214884 SUSE Bug 1214884 https://bugzilla.suse.com/1219823 SUSE Bug 1219823 https://bugzilla.suse.com/1219826 SUSE Bug 1219826 https://bugzilla.suse.com/1235517 SUSE Bug 1235517 https://www.suse.com/security/cve/CVE-2023-50387/ SUSE CVE CVE-2023-50387 page https://www.suse.com/security/cve/CVE-2023-50868/ SUSE CVE CVE-2023-50868 page SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP3 dnsmasq-2.90-150100.7.28.1 dnsmasq-utils-2.90-150100.7.28.1 dnsmasq-2.90-150100.7.28.1 as a component of SUSE Enterprise Storage 7.1 dnsmasq-2.90-150100.7.28.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS dnsmasq-2.90-150100.7.28.1 as a component of SUSE Linux Enterprise Micro 5.1 dnsmasq-2.90-150100.7.28.1 as a component of SUSE Linux Enterprise Micro 5.2 dnsmasq-2.90-150100.7.28.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS dnsmasq-2.90-150100.7.28.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. CVE-2023-50387 SUSE Enterprise Storage 7.1:dnsmasq-2.90-150100.7.28.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:dnsmasq-2.90-150100.7.28.1 SUSE Linux Enterprise Micro 5.1:dnsmasq-2.90-150100.7.28.1 SUSE Linux Enterprise Micro 5.2:dnsmasq-2.90-150100.7.28.1 SUSE Linux Enterprise Server 15 SP3-LTSS:dnsmasq-2.90-150100.7.28.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:dnsmasq-2.90-150100.7.28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250130-1/ https://www.suse.com/security/cve/CVE-2023-50387.html CVE-2023-50387 https://bugzilla.suse.com/1219823 SUSE Bug 1219823 https://bugzilla.suse.com/1220717 SUSE Bug 1220717 https://bugzilla.suse.com/1221586 SUSE Bug 1221586 The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations. CVE-2023-50868 SUSE Enterprise Storage 7.1:dnsmasq-2.90-150100.7.28.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:dnsmasq-2.90-150100.7.28.1 SUSE Linux Enterprise Micro 5.1:dnsmasq-2.90-150100.7.28.1 SUSE Linux Enterprise Micro 5.2:dnsmasq-2.90-150100.7.28.1 SUSE Linux Enterprise Server 15 SP3-LTSS:dnsmasq-2.90-150100.7.28.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:dnsmasq-2.90-150100.7.28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250130-1/ https://www.suse.com/security/cve/CVE-2023-50868.html CVE-2023-50868 https://bugzilla.suse.com/1219823 SUSE Bug 1219823 https://bugzilla.suse.com/1219826 SUSE Bug 1219826 https://bugzilla.suse.com/1221586 SUSE Bug 1221586