ALAS2-2020-1469

Amazon Linux 2 Security Advisory: ALAS-2020-1469
Advisory Release Date: 2020-07-31 19:20 Pacific
Advisory Updated Date: 2020-08-05 06:36 Pacific
Severity: Medium
Issue Overview:

A flaw was found in the default configuration of dnsmasq, as shipped with Fedora and Red Hat Enterprise Linux, where it listens on any interface and accepts queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled. Running dnsmasq in this manner may inadvertently make it an open resolver accessible from any address on the internet. This flaw allows an attacker to conduct a Distributed Denial of Service (DDoS) against other systems. (CVE-2020-14312)


Affected Packages:

dnsmasq


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update dnsmasq to update your system.

New Packages:
aarch64:
    dnsmasq-2.76-10.amzn2.1.1.aarch64
    dnsmasq-utils-2.76-10.amzn2.1.1.aarch64
    dnsmasq-debuginfo-2.76-10.amzn2.1.1.aarch64

i686:
    dnsmasq-2.76-10.amzn2.1.1.i686
    dnsmasq-utils-2.76-10.amzn2.1.1.i686
    dnsmasq-debuginfo-2.76-10.amzn2.1.1.i686

src:
    dnsmasq-2.76-10.amzn2.1.1.src

x86_64:
    dnsmasq-2.76-10.amzn2.1.1.x86_64
    dnsmasq-utils-2.76-10.amzn2.1.1.x86_64
    dnsmasq-debuginfo-2.76-10.amzn2.1.1.x86_64

Additional References

Red Hat: CVE-2020-14312

Mitre: CVE-2020-14312