Adding OSSN-0082

Heap and Stack based buffer overflows in dnsmasq prior to version 2.78 Closes-bug: #1721063 Change-Id: Id6e9daf7581dfc02c1621759a12339a9e03d8e75
2017-10-03 13:27:06 +01:00 · 2017-10-03 13:27:06 +01:00 · 8514cbacc7
commit 8514cbacc7
parent 0c53abf328
1 changed files with 38 additions and 0 deletions
--- a/security-notes/OSSN-0082
+++ b/security-notes/OSSN-0082
@ -0,0 +1,38 @@
+Heap and Stack based buffer overflows in dnsmasq prior to version 2.78
+----------------------------------------------------------------------
+
+### Summary ###
+A series of heap and stack based buffer overflows have been discovered in
+versions of dnsmasq prior to release 2.78.
+
+### Affected Services / Software ###
+Any neutron based OpenStack deployment on a version of dnsmasq prior to
+2.78.
+
+### Discussion ###
+The following attack vectors have been assigned the following CVE numbers.
+
+* CVE-2017-14491
+* CVE-2017-14492
+* CVE-2017-14493
+* CVE-2017-14494
+* CVE-2017-14495
+* CVE-2017-14496
+* CVE-2017-13704
+
+Each of these CVE's exposes a neutron based OpenStack deployment to various
+attacks such as leakage of sensitive memory information or causing a denial of
+service. Nodes are exposed to this risk by the crafting of various nefarious
+DNS or DHCP requests.
+
+### Recommended Actions ###
+Operators should update the dnsmasq service using the affected nodes operating
+systems packaging tools to version 2.78 and later, or a distribution packaged
+version that contains relevant backports for these vulnerabilities.
+
+### Contacts / References ###
+Author: Luke Hinds <lhinds@redhat.com>
+This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0082
+Mailing List : [Security] tag on openstack-dev@lists.openstack.org
+OpenStack Security Project : https://launchpad.net/~openstack-ossg
+CVE: CVE-2017-14491