=======================================================
SB-6 2017-10-03 dnsmasq vulnerability
=======================================================

Service bulletin: SB-6
Date: October 3, 2017

A vulnerability in dnsmasq was discovered this week. You can read about
it in more detail at:

https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

The main concern with this vulnerability is that a DNS request could
cause a denial of service, information leakage, or remote control of
the bonder.

A bonder can be affected in two different scenarios, each of which has
a different fix.

Note that only bonders are affected by this, and only bonders that fit
into the following scenarios are at risk.

Scenario 1
-----------

The first scenario is a bonder configured to serve DHCP from a connected
IP through the web admin. The affected versions of bonding are:

-  2016.2-53 or lower
-  6.0.62 or lower
-  6.1.75 or lower

Earlier versions of bonding did not have the DHCP server as an option
and are not affected in this way.

To fix a bond running any of the above patch levels, the following
commands can be run on the bonder:

::

    apt-get update
    apt-get install bonding
    service bonding restart

Scenario 2
-----------

The second scenario is a bonder running a DHCP server as we used to
describe in our documentation before the DHCP server was integrated.
Debian provides a patch to dnsmasq that resolves this problem as long
as the bonder is running Jessie. If the bonder is running Wheezy or
Squeeze, there is no update available. Debian 8 (Jessie) bonders
running dnsmasq with a version less than 2.72-3+deb8u2 are affected by
this.

You can also check whether a Wheezy patch has been made available at:

https://security-tracker.debian.org/tracker/source-package/dnsmasq

To fix a bond running in the above scenario, the following commands can
be run:

::

    apt-get update
    apt-get install dnsmasq
    service bonding restart
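
The Scenario 2 check described above, as an added example that is not part of the original bulletin or the vendor's tooling: it takes the Debian release and the installed dnsmasq package version and reports whether the bonder is below 2.72-3+deb8u2. The function names and status strings are hypothetical, and the check looks only at the installed package, not at whether dnsmasq is actually serving DHCP.

```shell
#!/bin/sh
# Added example: classify a bonder against Scenario 2 of this bulletin.
FIXED_JESSIE="2.72-3+deb8u2"   # first fixed Jessie version, per the bulletin

# version_lt A B: succeeds when Debian package version A sorts before B.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        # Assumption: on a non-Debian admin host, sort -V is close enough
        # to Debian ordering for plain versions such as the ones used here.
        [ "$1" != "$2" ] &&
            [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# scenario2_status DEBIAN_MAJOR DNSMASQ_VERSION (hypothetical helper name)
# Prints: not-installed | no-update | affected | patched | unknown-release
scenario2_status() {
    release=$1
    version=$2
    if [ -z "$version" ]; then
        echo "not-installed"
        return 0
    fi
    case "$release" in
        6|7)  # Squeeze / Wheezy: the bulletin lists no fixed package
            echo "no-update" ;;
        8)    # Jessie: compare against the fixed version
            if version_lt "$version" "$FIXED_JESSIE"; then
                echo "affected"
            else
                echo "patched"
            fi ;;
        *)  echo "unknown-release" ;;
    esac
}

# check_local: read the release and package version from this machine.
check_local() {
    major=$(cut -d. -f1 /etc/debian_version 2>/dev/null)
    installed=$(dpkg-query -W -f='${Version}' dnsmasq 2>/dev/null)
    scenario2_status "$major" "$installed"
}

if [ "${1:-}" = "--local" ]; then
    check_local
fi
```

Run the script with ``--local`` on the bonder before and after the upgrade; a Jessie bonder should move from ``affected`` to ``patched``.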

References
-----------

-  https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
-  https://security-tracker.debian.org/tracker/source-package/dnsmasq
