Security update for dnsmasq SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20118-1 Final 1 1 2025-02-03T09:22:40Z current 2025-02-03T09:22:40Z 2025-02-03T09:22:40Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for dnsmasq This update for dnsmasq fixes the following issues: - Update to 2.90: * CVE-2023-50387, CVE-2023-50868: Fixed a Denial Of Service while trying to validate specially crafted DNSSEC responses (bsc#1219823, bsc#1219826). * Fix reversion in --rev-server introduced in 2.88 which caused breakage if the prefix length is not exactly divisible by 8 (IPv4) or 4 (IPv6). * Fix possible SEGV when there server(s) for a particular domain are configured, but no server which is not qualified for a particular domain. * Set the default maximum DNS UDP packet sice to 1232. * Add --no-dhcpv4-interface and --no-dhcpv6-interface for better control over which interfaces are providing DHCP service. * Fix issue with stale caching * Add configurable caching for arbitrary RR-types. * Add --filter-rr option, to filter arbitrary RR-types. - SLP got dropped, remove config (bsc#1214884) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-185 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520118-1/ Link for SUSE-SU-2025:20118-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021209.html E-Mail link for SUSE-SU-2025:20118-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1214884 SUSE Bug 1214884 https://bugzilla.suse.com/1219823 SUSE Bug 1219823 https://bugzilla.suse.com/1219826 SUSE Bug 1219826 https://www.suse.com/security/cve/CVE-2023-28450/ SUSE CVE CVE-2023-28450 page https://www.suse.com/security/cve/CVE-2023-50387/ SUSE CVE CVE-2023-50387 page https://www.suse.com/security/cve/CVE-2023-50868/ SUSE CVE CVE-2023-50868 page SUSE Linux Micro 6.0 dnsmasq-2.90-1.1 dnsmasq-2.90-1.1 as a component of SUSE Linux Micro 6.0 An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020. CVE-2023-28450 SUSE Linux Micro 6.0:dnsmasq-2.90-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520118-1/ https://www.suse.com/security/cve/CVE-2023-28450.html CVE-2023-28450 https://bugzilla.suse.com/1209358 SUSE Bug 1209358 Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. CVE-2023-50387 SUSE Linux Micro 6.0:dnsmasq-2.90-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520118-1/ https://www.suse.com/security/cve/CVE-2023-50387.html CVE-2023-50387 https://bugzilla.suse.com/1219823 SUSE Bug 1219823 https://bugzilla.suse.com/1220717 SUSE Bug 1220717 https://bugzilla.suse.com/1221586 SUSE Bug 1221586 The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations. CVE-2023-50868 SUSE Linux Micro 6.0:dnsmasq-2.90-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520118-1/ https://www.suse.com/security/cve/CVE-2023-50868.html CVE-2023-50868 https://bugzilla.suse.com/1219823 SUSE Bug 1219823 https://bugzilla.suse.com/1219826 SUSE Bug 1219826 https://bugzilla.suse.com/1221586 SUSE Bug 1221586