Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2023-49441: dnsmasq: integer overflow via forward_query | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | SMASH SMASH <smash_bz> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | ||
| Priority: | P3 - Medium | CC: | abergmann, max, stoyan.manolov |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/409009/ | ||
| Whiteboard: | CVSSv3.1:SUSE:CVE-2023-49441:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) | ||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
SMASH SMASH
2024-06-07 11:32:40 UTC
Version 2.9 got released in 2004 and is NOT the one affected by this bug. The CVE description and the RH bug also got this wrong.

I found the affected line of code in Versions 2.83 (where the respective source file got introduced) through 2.89, but in the current version 2.90 it is already fixed.

We already have 2.90 in Factory, SLE-15-SP2 and SLE-15-SP4. Version 2.78 on SLE-12-SP1 does not yet contain the affected piece of code. Only ALP and SLFO contain the affected version 2.89.

I just submitted 2.90 to SUSE:SLFO:Main. Please let me know if I shall also submit it to ALP.

BTW, in the mail thread linked above upstream did not consider this to be a security issue.

This is an autogenerated message for OBS integration: This bug (1226091) was mentioned in https://build.opensuse.org/request/show/1179330 Factory / dnsmasq