Simon Kelley released dnsmasq 2.92rel2 patching six CERT CVEs affecting nearly all non-ancient versions; 2.93 targets release within a week.
Key Takeaways
Six CVEs cover long-standing bugs; patches and details at thekelleys.org.uk/dnsmasq/CVE/; vendors were pre-disclosed and should ship updates soon.
AI-based security research triggered a flood of bug reports, many duplicates; Kelley spent months triaging before coordinating this disclosure.
Long embargoes deemed pointless given how many independent researchers found the same bugs, implying adversaries likely did too.
2.93rc1 tagging imminent; community testing of the release candidate is explicitly requested to accelerate a stable release.
Kelley warns the AI-generated bug report tsunami will continue, meaning this disclosure cycle will likely repeat.
Hacker News Comment Review
OpenWRT and DD-WRT are actively patching but have not yet shipped releases, leaving a large window of exposure on consumer and embedded routers.
Commenters debated whether dnsmasq’s C codebase justifies a rewrite in Rust or Go, with the counterargument that AI-assisted auditing is improving C safety instead.
Debian’s stable packaging process drew criticism for shipping outdated dnsmasq builds; others clarified the correct fix is getting newer versions into testing first.
Notable Comments
@aftbit: OpenWRT confirmed working on patches but no build shipped yet as of posting.
@882542F3884314B: Links to an xchglabs.com writeup covering five of the CVEs in technical detail.