> This is yet another refinement to the fix for CVE-2012-3411:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=833033
>
> It turns out that it would be very intrusive to correctly backport the
> entire --bind-dynamic option to older dnsmasq versions
> (e.g. dnsmasq-2.48 that is used on RHEL6.x and CentOS 6.x), but very
> simple to patch those versions to just use SO_BINDTODEVICE on all
> their listening sockets (SO_BINDTODEVICE also has the desired effect
> of permitting only traffic that was received on the interface(s) where
> dnsmasq was set to listen.)
>
> This patch modifies the dnsmasq capabilities detection to detect the
> string:
>
> --bind-interfaces with SO_BINDTODEVICE
>
> in the output of "dnsmasq --version", and in that case realize that
> using the old --bind-interfaces option is just as safe as
> --bind-dynamic (and therefore *not* forbid creation of networks that
> use public IP address ranges).

ACK.

-- 
Eric Blake eblake@xxxxxxxxxx +1-919-301-3266
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
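The capability check the quoted patch describes, written out as an added illustration (not libvirt's own code): scan the captured `dnsmasq --version` text for either marker and derive from it whether a network on a public address range may be created and which listen option to pass. The enum names, function names and the sample version outputs are all assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Capability bits derived from "dnsmasq --version" output (hypothetical names). */
enum {
    DNSMASQ_CAP_BIND_DYNAMIC = 1 << 0, /* "--bind-dynamic" listed */
    DNSMASQ_CAP_BINDTODEVICE = 1 << 1, /* "--bind-interfaces with SO_BINDTODEVICE" listed */
};

/* Look for the two markers the patch relies on in the raw --version text. */
unsigned dnsmasq_caps_from_version(const char *version_output)
{
    unsigned caps = 0;
    if (strstr(version_output, "--bind-dynamic"))
        caps |= DNSMASQ_CAP_BIND_DYNAMIC;
    if (strstr(version_output, "--bind-interfaces with SO_BINDTODEVICE"))
        caps |= DNSMASQ_CAP_BINDTODEVICE;
    return caps;
}

/* With either capability, listening sockets only accept traffic that arrived on
 * the configured interface, so a public IP range no longer exposes the service. */
bool dnsmasq_allows_public_range(unsigned caps)
{
    return (caps & (DNSMASQ_CAP_BIND_DYNAMIC | DNSMASQ_CAP_BINDTODEVICE)) != 0;
}

/* Prefer --bind-dynamic when present; otherwise fall back to --bind-interfaces,
 * which is only safe for public ranges when the SO_BINDTODEVICE marker was seen. */
const char *dnsmasq_bind_option(unsigned caps)
{
    return (caps & DNSMASQ_CAP_BIND_DYNAMIC) ? "--bind-dynamic" : "--bind-interfaces";
}

/* Constructed sample outputs, not real captures of any dnsmasq build. */
static const char *sample_patched_248 =
    "Dnsmasq version 2.48\n"
    "Compile time options: IPv6 DHCP TFTP --bind-interfaces with SO_BINDTODEVICE\n";
static const char *sample_unpatched_248 =
    "Dnsmasq version 2.48\n"
    "Compile time options: IPv6 DHCP TFTP\n";

int main(void)
{
    unsigned caps = dnsmasq_caps_from_version(sample_patched_248);
    printf("option=%s public_range_ok=%d\n",
           dnsmasq_bind_option(caps), dnsmasq_allows_public_range(caps));
    return 0;
}
```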