From the Mageia advisory:
This update completes the fix for CVE-2012-3411 provided with dnsmasq-2.63.
It was found that after the upstream patch for CVE-2012-3411 issue was
applied, dnsmasq still:
- replied to remote TCP-protocol based DNS queries (UDP protocol ones
were corrected, but TCP ones not) from prohibited networks, when the
--bind-dynamic option was used,
- when --except-interface lo option was used dnsmasq didn't answer
local or remote UDP DNS queries, but still allowed TCP protocol based
- when --except-interface lo option was not used local / remote TCP
DNS queries were also still answered by dnsmasq.