| Name | CVE-2020-25686 |
| Description | A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the "Birthday Attacks" section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-4844-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| dnsmasq (PTS) | jessie, jessie (lts) | 2.72-3+deb8u7 | vulnerable |
| stretch (security) | 2.76-5+deb9u3 | vulnerable |
| stretch (lts), stretch | 2.76-5+deb9u4 | vulnerable |
| buster, buster (lts) | 2.80-1+deb10u2 | fixed |
| buster (security) | 2.80-1+deb10u1 | fixed |
| bullseye | 2.85-1 | fixed |
| bookworm | 2.89-1 | fixed |
| sid, trixie | 2.90-4 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| dnsmasq | source | buster | 2.80-1+deb10u1 | | DSA-4844-1 | |
| dnsmasq | source | (unstable) | 2.83-1 | | | |
Notes
[stretch] - dnsmasq <ignored> (Minor issue, off-path DNS-non-sec cache poisoning, mitigated by CVE-2020-25684 fix, invasive, regressions)
https://www.openwall.com/lists/oss-security/2021/01/19/1
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=15b60ddf935a531269bb8c68198de012a4967156
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=6a6e06fbb0d4690507ceaf2bb6f0d8910f3d4914
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=04490bf622ac84891aad6f2dd2edf83725decdee (regression)
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=12af2b171de0d678d98583e2190789e544440e02 (regression)
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3f535da79e7a42104543ef5c7b5fa2bed819a78b (regression)
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=25e63f1e56f5acdcf91893a1b92ad1e0f2f552d8 (regression)
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=141a26f979b4bc959d8e866a295e24f8cf456920 (regression)
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=305cb79c5754d5554729b18a2c06fe7ce699687a (regression)
[jessie] - dnsmasq <ignored> (Minor issue, off-path DNS-non-sec cache poisoning, mitigated by CVE-2020-25684 fix, invasive, regressions)