From e01e09c7125b40646aff4a582672e711a18a69a4 Mon Sep 17 00:00:00 2001 From: Simon Kelley Date: Fri, 8 Jan 2021 22:50:03 +0000 Subject: [PATCH] Add CVE numbers to security update descriptions in CHANGELOG --- CHANGELOG | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 3b2782f..b70bf26 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -4,17 +4,18 @@ version 2.83 Fix a remote buffer overflow problem in the DNSSEC code. Any dnsmasq with DNSSEC compiled in and enabled is vulnerable to this, - referenced by CERT VU#434904. + referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 + CVE-2020-25687. Be sure to only accept UDP DNS query replies at the address from which the query was originated. This keeps as much entropy in the {query-ID, random-port} tuple as possible, to help defeat - cache poisoning attacks. Refer: CERT VU#434904. + cache poisoning attacks. Refer: CVE-2020-25684. Use the SHA-256 hash function to verify that DNS answers received are for the questions originally asked. This replaces the slightly insecure SHA-1 (when compiled with DNSSEC) or - the very insecure CRC32 (otherwise). Refer: CERT VU#434904. + the very insecure CRC32 (otherwise). Refer: CVE-2020-25685. Handle multiple identical near simultaneous DNS queries better. Previously, such queries would all be forwarded @@ -28,7 +29,7 @@ version 2.83 of the query. The new behaviour detects repeated queries and merely stores the clients sending repeats so that when the first query completes, the answer can be sent to all the - clients who asked. Refer: CERT VU#434904. + clients who asked. Refer: CVE-2020-25686. version 2.82