Hi,
Google announced a lot of security stuff about dnsmasq, is Pi-Hole vulnerable?
Thanks,
MC
All software is vulnerable as it's made by human.
Thats why you shouldnt open up your Pi-hole to public.
If something gets inside your network perimeter this could make things worse.
It's not a responsibility of Pi-Hole to security patch dnsmasq but if you are running an app with dnsmasq you wouldn't want to Equifax.
I'm sort-of glad this happened because I became aware the fact that the Android app named Linux Deploy does not populate /etc/apt/sources.list with security repos. I also found that currently the systemd cgroup for libvirtd/dnsmasq does not restart dnsmasq on "systemctl restart libvirtd" (which APT does when patching). I'm not the only one who sess this, see 1450327 – libvirtd.service spawns dnsmasq, but never kill it on stop or restart
Dnsmasq should be a part of the OS build, not pi-hole directly. For example if you deployed it on a Raspberry Pi, check there. My dnsmasq version with latest update is 2.76-5 (http://www.raspberryconnect.com/raspbian-packages-list/item/80-raspbian-net - Debian -- Details of package dnsmasq in stretch).
Updates for dnsmasq are already in the Raspbian repository. Time to patch.
1 Like