Debian 10236 Published by

The following security updates are available for Debian GNU/Linux 10 Extended LTS:

ELA-1152-1 dnsmasq security update
ELA-1156-1 indent security update




ELA-1152-1 dnsmasq security update

Package : dnsmasq
Version : 2.80-1+deb10u2 (buster)

Related CVEs :
CVE-2019-14834
CVE-2021-3448
CVE-2022-0934
CVE-2023-28450

Multiple vulnerabilities have been fixed in the dnsmasq package, the small caching DNS proxy and DHCP/TFTP server.

CVE-2019-14834
A vulnerability was found in dnsmasq before version 2.81, where the memory leak allows remote attackers to cause a
denial of service (memory consumption) via vectors involving DHCP response creation.

CVE-2021-3448
A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network
interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing
port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by
dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to
data integrity.

CVE-2022-0934
A single-byte, non-arbitrary write/use-after-free flaw was found in dnsmasq. This flaw allows an attacker who sends
a crafted packet processed by dnsmasq, potentially causing a denial of service.

CVE-2023-28450
An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but
should be 1232 because of DNS Flag Day 2020.

ELA-1152-1 dnsmasq security update


ELA-1156-1 indent security update

Package : indent
Version : 2.2.12-1+deb11u1~deb10u1 (buster)

Related CVEs :
CVE-2023-40305
CVE-2024-0911

Multiple issues have been fixed in GNU indent, a C source code formatter.

ELA-1156-1 indent security update