10-02-2017 11:12 AM
10-02-2017 04:19 PM
@UBNT-afomins @UBNT-ancheng is there an ETA for 1.9.7.hotfix.4 with an updated dnsmasq binary patched against these CVEs, especially with at least one having a remote code exploit and dnsmasq potentially being open to "insecure" networks in certain configurations?
10-03-2017 05:13 AM
10-03-2017 07:52 AM
Check here https://community.ubnt.com/t5/EdgeMAX/dnscrypt-proxy-DNSSEC-and-dnsmasq-on-Edgerouter-Lite/m-p/19116... for a member-contributed build of v2.78. (Second post down, I think.)
May help in the interim, until UBNT can compile and release an official hotfix.
10-03-2017 09:57 AM
Thanks for bringing this up. We are aware and actively working on providing a firmware update to address these vulnerabilities very soon. I will post here as soon as the release is available.
10-03-2017 12:44 PM
@the_slain_man dnsmasq is used for DNS forwarding, which is enabled by default. It can also be used for DHCP; however, EdgeOS uses ISC dhcpd by default for DHCP. Regardless, it will be important to update to hotfix4 when it is released.
10-03-2017 04:40 PM - last edited on 10-04-2017 08:45 AM by UBNT-afomins
Release including update to come, but for those who want to install it in the meantime, here are the updated dnsmasq packages for MIPS platform (not MIPSEL, which is ER-X and ER-X-SFP only). These are appropriate for all USG models, ERL, ERPro, ER-POE, ER-8-XG, all ERs except ER-X models.
Download those to the ER and install them as follows after SSHing into the device.
    sudo su
    curl -O https://dl.ubnt-ut.com/cmb/dnsmasq_2.78-1-ubnt1_all.deb
    curl -O https://dl.ubnt-ut.com/cmb/dnsmasq-base_2.78-1-ubnt1_mips.deb
    curl -O https://dl.ubnt-ut.com/cmb/dnsmasq-utils_2.78-1-ubnt1_mips.deb
    dpkg -i dnsmasq*
Choose the default "N" for any conflict prompts, and ignore any rc.d warnings.
If you try that, please report back here with results. It's running fine on multiple systems here internally, but would be good to hear from others.
*** UPDATE by UBNT-afomins ***
Here's the updated dnsmasq for ER-X, ER-X-SFP and EP-R6:
New 1.9.7+hotfix.4 with those fixes will be released early next week.
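A check that can be run around the manual install described above, added here as an example and not part of any post in this thread: it confirms the downloaded packages match the device architecture (MIPS vs MIPSEL) and that the installed dnsmasq reports at least 2.78. The function names and the `--device` switch are hypothetical, and it assumes `dpkg --print-architecture` reports `mips` or `mipsel` on these devices.

```shell
#!/bin/sh
# Added example: pre/post-install checks for the dnsmasq 2.78 packages.
# Function names are hypothetical; 2.78 is the patched version named in this thread.
FIXED=2.78

# Pull the version number out of the first line of `dnsmasq --version`.
dnsmasq_version_from() {
    printf '%s\n' "$1" | sed -n '1s/^Dnsmasq version \([0-9][0-9.]*\).*/\1/p'
}

# True when dotted version $1 >= $2 (numeric compare per component).
# An empty $1 (unparseable version output) is treated as older.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Architecture field of a Debian package file name: name_version_arch.deb
pkg_arch() {
    f=${1##*/}; f=${f%.deb}
    printf '%s\n' "${f##*_}"
}

# True when the package is arch "all" or matches the device arch ($2).
pkg_fits() {
    a=$(pkg_arch "$1")
    [ "$a" = all ] || [ "$a" = "$2" ]
}

# Live check on the router: sh check.sh --device dnsmasq*.deb
if [ "${1:-}" = "--device" ]; then
    shift
    arch=$(dpkg --print-architecture)   # assumed to print mips or mipsel here
    for p in "$@"; do
        pkg_fits "$p" "$arch" || { echo "WRONG ARCH ($arch): $p"; exit 1; }
    done
    v=$(dnsmasq_version_from "$(dnsmasq --version)")
    if version_ge "$v" "$FIXED"; then
        echo "dnsmasq $v: patched"
    else
        echo "dnsmasq ${v:-unknown}: older than $FIXED, install the update"
    fi
fi
```

Run it with the package files before `dpkg -i` to catch an architecture mismatch, and again afterwards to confirm the reported version.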
10-03-2017 04:49 PM - edited 10-03-2017 04:50 PM
> If you try that, please report back here with results. It's running fine on multiple systems here internally, but would be good to hear from others
Installed successfully on an ER-L running v1.9.7+hotfix.3. Appears to be functioning properly.