Security Advisory 2021-01-19-1 - dnsmasq multiple vulnerabilities (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687)


** Package upgrade ** You need to update the affected dnsmasq package variant you're using with the command below. opkg update; opkg upgrade $(opkg list-installed dnsmasq* | cut -d' ' -f1) Then verify, that you're running fixed version. opkg list-installed dnsmasq* The above command should output following: dnsmasq - 2.80-16.2 - for stable 19.07 release dnsmasq - 2.83-1 - for master/snapshot The fix is contained in the following and later versions: * OpenWrt 19.07: 19.07.6 (fixed by [v19.07.6-0-gb12284a14ce9](<https://git.openwrt.org/8055e38794741313f8f4e6059f83c71dc0ab1d1c> "https://git.openwrt.org/8055e38794741313f8f4e6059f83c71dc0ab1d1c" )) * OpenWrt master: 2021-01-19 (fixed by [reboot-15541-ge87c0d934c54](<https://git.openwrt.org/e87c0d934c54d0b07caef1db3af170510acf3cfa> "https://git.openwrt.org/e87c0d934c54d0b07caef1db3af170510acf3cfa" )) ** Configuration based mitigation ** If upgrading is not possible, it is possible to mitigate some of the issues through configuration changes. Note that these settings may have unintended side-effects. Mitigation for DNS cache poisoning is disabling of caching: uci set dhcp.@dnsmasq[0].cachesize='0' Mitigation for DNSSEC vulnerability is disabling of DNSSEC feature: uci set dhcp.@dnsmasq[0].dnssec='0' Reduce the maximum of queries allowed to be forwarded from 150 to 50: uci set dhcp.@dnsmasq[0].dnsforwardmax='50' Then you should commit changes and restart dnsmasq: uci commit dhcp /etc/init.d/dnsmasq restart *[DNS]: Domain Name System
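As an added example (not part of the advisory or of OpenWrt itself), the following POSIX shell script checks lines of `opkg list-installed dnsmasq*` output against the fixed versions named above (2.80-16.2 for the 19.07 backport, 2.83-1 for master), so the verification step can be scripted across several routers. The `opkg` output it runs on offline is a constructed sample; the function names are my own.

```shell
#!/bin/sh
# Added example: is the installed OpenWrt dnsmasq package at or above the
# fixed versions the advisory names (2.80-16.2 on 19.07, 2.83-1 on master)?
# Plain POSIX sh, so it runs on a router's busybox ash as well as on a PC.

# vercmp A B: print -1, 0 or 1 for A<B, A=B, A>B. Versions such as 2.80-16.2
# are split on '.' and '-' and compared as integers; a missing field is 0.
vercmp() {
    av=$(printf '%s' "$1" | tr '.-' '  ' | tr -cd '0-9 ')
    bv=$(printf '%s' "$2" | tr '.-' '  ' | tr -cd '0-9 ')
    i=1
    while [ "$i" -le 8 ]; do
        x=$(printf '%s\n' "$av" | cut -d' ' -f"$i")
        y=$(printf '%s\n' "$bv" | cut -d' ' -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && { printf '%s\n' 0; return 0; }
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && { printf '%s\n' -1; return 0; }
        [ "$x" -gt "$y" ] && { printf '%s\n' 1; return 0; }
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# dnsmasq_fixed "LINE": LINE is one `opkg list-installed` line, "<pkg> - <ver>".
# Returns 0 if the version carries the fix, 1 if it is still vulnerable.
dnsmasq_fixed() {
    ver=${1#* - }
    case "$ver" in
        2.80-*) [ "$(vercmp "$ver" 2.80-16.2)" -ge 0 ] ;;  # 19.07: backported fix
        *)      [ "$(vercmp "$ver" 2.83-1)" -ge 0 ] ;;     # master: upstream 2.83
    esac
}

# report "OUTPUT": print a status line per package from the full
# `opkg list-installed 'dnsmasq*'` output; exit status = number still vulnerable.
report() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if dnsmasq_fixed "$line"; then echo "fixed       $line"
        else echo "VULNERABLE  $line"; bad=$((bad + 1)); fi
    done <<EOF
$1
EOF
    return "$bad"
}

# Constructed sample of `opkg list-installed 'dnsmasq*'` output, not real data;
# on a router, pass "$(opkg list-installed 'dnsmasq*')" to report instead.
SAMPLE_OPKG='dnsmasq - 2.80-16
dnsmasq-full - 2.83-1'
report "$SAMPLE_OPKG" || echo "$? dnsmasq package(s) need upgrading"
```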