HeadlinesBriefing.com

Six Critical CVEs in Dnsmasq Disclosed

Hacker News

CERT is releasing six CVEs for serious vulnerabilities in dnsmasq, affecting most non-ancient versions. Developer Simon Kelley released patched version 2.92rel2 while preparing comprehensive fixes for the development tree. The vulnerabilities have been pre-disclosed to vendors, though the maintainer questions the value of long embargoes given the rise of AI-based security research.

The maintainer has dealt with a flood of AI-generated bug reports, necessitating careful triage between those requiring vendor pre-disclosure and those better fixed immediately. Kelley prioritizes timely releases over comprehensive fixes, noting coordination efforts across all actors consume significant resources. This approach contrasts with traditional security practices that favor lengthy embargo periods.

With dnsmasq-2.93rc1 imminent and a stable release expected soon, the maintainer must balance bug fixes against release timelines. The tsunami of AI-generated reports shows no sign of abating, suggesting this process will repeat frequently. Kelley encourages testing of the release candidate to expedite the timeline, while acknowledging that ongoing security challenges will persist.