1 From e01e09c7125b40646aff4a582672e711a18a69a4 Mon Sep 17 00:00:00 2001
2 From: Simon Kelley <simon@thekelleys.org.uk>
3 Date: Fri, 8 Jan 2021 22:50:03 +0000
4 Subject: Add CVE numbers to security update descriptions in CHANGELOG
7 CHANGELOG | 9 +++++----
8 1 file changed, 5 insertions(+), 4 deletions(-)
13 Fix a remote buffer overflow problem in the DNSSEC code. Any
14 dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
15 - referenced by CERT VU#434904.
16 + referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683
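Review bot: the added line drops the trailing period that the removed "referenced by CERT VU#434904." line had, and with three CVEs listed the entry's opening "a remote buffer overflow problem" now reads as singular for what are evidently several issues; suggest "referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683." and "remote buffer overflow problems". Since this commit removes every mention of CERT VU#434904 from the CHANGELOG, consider keeping that VU number once alongside the CVEs so readers who know the advisory by its VU reference can still locate these entries.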
19 Be sure to only accept UDP DNS query replies at the address
20 from which the query was originated. This keeps as much entropy
21 in the {query-ID, random-port} tuple as possible, to help defeat
22 - cache poisoning attacks. Refer: CERT VU#434904.
23 + cache poisoning attacks. Refer: CVE-2020-25684.
25 Use the SHA-256 hash function to verify that DNS answers
26 received are for the questions originally asked. This replaces
27 the slightly insecure SHA-1 (when compiled with DNSSEC) or
28 - the very insecure CRC32 (otherwise). Refer: CERT VU#434904.
29 + the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
31 Handle multiple identical near simultaneous DNS queries better.
32 Previously, such queries would all be forwarded
34 of the query. The new behaviour detects repeated queries and
35 merely stores the clients sending repeats so that when the
36 first query completes, the answer can be sent to all the
37 - clients who asked. Refer: CERT VU#434904.
38 + clients who asked. Refer: CVE-2020-25686.
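Review bot: this entry is now tagged CVE-2020-25686, but unlike the three preceding entries (which name the buffer overflow and cache poisoning risks) its text only describes the new forwarding behaviour and never says what the security exposure of the old behaviour was; consider adding one sentence on the impact so the CVE reference is understandable from the CHANGELOG alone.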