From ec5f7e589c621cc31665569589eaabd7c4a80186e05f33a9cd93981d912b8511 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Fri, 3 May 2024 12:06:52 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main dnsmasq revision 0237bfabcdc9255c5a8966576d9c63f0

---
.gitattributes | 23 +
dnsmasq-2.89.tar.xz | 3 +
dnsmasq-2.89.tar.xz.asc | 16 +
dnsmasq-CVE-2023-28450.patch | 54 +
dnsmasq-groups.patch | 16 +
dnsmasq.changes | 2026 ++++++++++++++++++++++++++++++++++
dnsmasq.keyring | 116 ++
dnsmasq.reg | 12 +
dnsmasq.service | 30 +
dnsmasq.spec | 227 ++++
rc.dnsmasq-suse | 90 ++
system-user-dnsmasq.conf | 3 +
12 files changed, 2616 insertions(+)
create mode 100644 .gitattributes
create mode 100644 dnsmasq-2.89.tar.xz
create mode 100644 dnsmasq-2.89.tar.xz.asc
create mode 100644 dnsmasq-CVE-2023-28450.patch
create mode 100644 dnsmasq-groups.patch
create mode 100644 dnsmasq.changes
create mode 100644 dnsmasq.keyring
create mode 100644 dnsmasq.reg
create mode 100644 dnsmasq.service
create mode 100644 dnsmasq.spec
create mode 100644 rc.dnsmasq-suse
create mode 100644 system-user-dnsmasq.conf

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/dnsmasq-2.89.tar.xz b/dnsmasq-2.89.tar.xz
new file mode 100644
index 0000000..0ce2ae2
--- /dev/null
+++ b/dnsmasq-2.89.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:02bd230346cf0b9d5909f5e151df168b2707103785eb616b56685855adebb609
+size 562700
diff --git a/dnsmasq-2.89.tar.xz.asc b/dnsmasq-2.89.tar.xz.asc
new file mode 100644
index 0000000..58ae11e
--- /dev/null
+++ b/dnsmasq-2.89.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAmPe36kACgkQFc3aauGR
+NaLJZg/+K/gk5uLUH48BCNAVNtffC1jGLIxQ2usJbXvJ02n9WcidN3dX6MlVBYNq
+s5ouNuDZdIgydJjFWgIIqxtsVdeYhJ6sd9fSDX+8iT4zDLw0N1puDE5YZvvqHxFD
+0gYuIcu4ukr5tsBL5ClWoVtTDGEi8NZ+PaGCZrnPVuZWPAnNrf3MbiUqPaJxCgA6
+GNnfqm9LKEL5sPwQlErhf1GLFG7UOPXyjfIQilI6+ShCajDmDjvsPs8Y3JqC66rt
+6OEFDKbNVoZQDVA53PswLa1mb5gryB6r7gU5ofwS6jr34BNFfkBGFk6wjhZfZenu
+OGU3Adk36l5HykAH5fjDs95bVBLoq+N+gG1Yor4qgUmdgSlLvh8lwArXwweWW2Q5
+k/Nkk/MZaIEL+3nqdIMptfGG82rhCuS1jse2DyYcTmJiJdew2Mv+AQAVIm/Km7oa
+3HrpxQJ88LLRtWwfKbW9yRipt+JkzrrZun5VftQ85Xn9nELgU5n5rdHUCzXrpu0r
+/dFw5JoTfcIsPGQ8a2IIMW6SyWOEkv8EWAq+10mNokpnQMv5RFHmZoGQhx1PmHWy
++mqHh9T2B9KYGHKRjP4apQkX+JSuqmsdLt1sNfzcnwjQQ0nEq0FMub2hNJ8V0S/4
+h/QpdO6qLn9RYSx0Be31BTAZNq71ow6HPjV62i4l+xTpYq9q1Ik=
+=yXEY
+-----END PGP SIGNATURE-----
diff --git a/dnsmasq-CVE-2023-28450.patch b/dnsmasq-CVE-2023-28450.patch
new file mode 100644
index 0000000..66ad67e
--- /dev/null
+++ b/dnsmasq-CVE-2023-28450.patch
@@ -0,0 +1,54 @@ +From eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Tue, 7 Mar 2023 22:07:46 +0000 +Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232. + +http://www.dnsflagday.net/2020/ refers. + +Thanks to Xiang Li for the prompt. +--- + CHANGELOG | 9 ++++++++- + man/dnsmasq.8 | 3 ++- + src/config.h | 2 +- + 3 files changed, 11 insertions(+), 3 deletions(-) + +--- CHANGELOG.orig ++++ CHANGELOG +@@ -11,7 +11,14 @@ version 2.89 + for reporting the bug and for his great efforts in chasing + it down. + ++ Set the default maximum DNS UDP packet sice to 1232. This ++ has been the recommended value since 2020 because it's the ++ largest value that avoid fragmentation, and fragmentation ++ is just not reliable on the modern internet, especially ++ for IPv6. It's still possible to override this with ++ --edns-packet-max for special circumstances. + ++ + version 2.88 + Fix bug in --dynamic-host when an interface has /16 IPv4 + address. Thanks to Mark Dietzer for spotting this. +--- man/dnsmasq.8.orig ++++ man/dnsmasq.8 +@@ -183,7 +183,8 @@ to zero completely disables DNS function + .TP + .B \-P, --edns-packet-max= + Specify the largest EDNS.0 UDP packet which is supported by the DNS +-forwarder. Defaults to 4096, which is the RFC5625-recommended size. ++forwarder. Defaults to 1232, which is the recommended size following the ++DNS flag day in 2020. Only increase if you know what you are doing. 
+ .TP
+ .B \-Q, --query-port=
+ Send outbound DNS queries from, and listen for their replies on, the
+--- src/config.h.orig
++++ src/config.h
+@@ -19,7 +19,7 @@
+ #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
+ #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
+ #define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */
+-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
++#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */
+ #define SAFE_PKTSZ 1232 /* "go anywhere" UDP packet size, see https://dnsflagday.net/2020/ */
+ #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
+ #define DNSSEC_WORK 50 /* Max number of queries to validate one question */
diff --git a/dnsmasq-groups.patch b/dnsmasq-groups.patch
new file mode 100644
index 0000000..803c50f
--- /dev/null
+++ b/dnsmasq-groups.patch
@@ -0,0 +1,16 @@
+--- src/dnsmasq.c.orig
++++ src/dnsmasq.c
+@@ -731,11 +731,10 @@ int main (int argc, char **argv)
+ if (!option_bool(OPT_DEBUG) && getuid() == 0)
+ {
+ int bad_capabilities = 0;
+- gid_t dummy;
+
+- /* remove all supplementary groups */
++ /* set the supplementary groups of the daemon user */
+ if (gp &&
+- (setgroups(0, &dummy) == -1 ||
++ (initgroups(daemon->username, gp->gr_gid) == -1 ||
+ setgid(gp->gr_gid) == -1))
+ {
+ send_event(err_pipe[1], EVENT_GROUP_ERR, errno, daemon->groupname);
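Review bot: The new dnsmasq-CVE-2023-28450.patch carries only the upstream commit header and no packaging reference, so a reader of the patch file alone cannot tell which advisory or bug it addresses; that link currently lives only in the filename and in dnsmasq.changes. A reference block at the top of the file, before the `From eb92fb32…` line, would fix this, e.g. `References: bsc#1209358 CVE-2023-28450` and `Upstream: eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5`. The patch is in `-p0` form (`--- CHANGELOG.orig` / `+++ CHANGELOG`), which the spec (not in this chunk) has to honour when applying it.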
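Review bot: Replacing `setgroups(0, &dummy)` with `initgroups(daemon->username, gp->gr_gid)` changes the privilege-drop semantics from "no supplementary groups" to "every group the daemon user belongs to", so the daemon's effective permissions now depend on the user's entries in the group database, and nothing in the patch file records why that widening is wanted; dnsmasq.changes attributes it to bsc#859298, and a header comment in the patch saying so, e.g. `# Initialise the supplementary groups of the dnsmasq user (bsc#859298); the daemon keeps every group the user is a member of, so group membership is part of its privilege set.`, would keep that rationale with the code. `initgroups()` also dereferences `daemon->username`, whereas the old call only needed `gp`; whether `gp` can be non-NULL with a NULL username is not visible here and is worth confirming at the call site. The enclosing `main()` starts and ends outside the hunk.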
@@ -0,0 +1,2026 @@ +------------------------------------------------------------------- +Sat May 13 16:48:15 UTC 2023 - Callum Farmer + +- Correct rundir from /var/run to /run for pid file + +------------------------------------------------------------------- +Tue Apr 25 08:32:41 UTC 2023 - Reinhard Max + +- bsc#1209358, CVE-2023-28450, dnsmasq-CVE-2023-28450.patch: + default maximum EDNS.0 UDP packet size should be 1232 + +------------------------------------------------------------------- +Mon Feb 6 09:27:27 UTC 2023 - Paolo Stivanin + +- update to 2.89: + * Fix bug introduced in 2.88 (commit fe91134b) which can result + in corruption of the DNS cache internal data structures and + logging of "cache internal error". This has only been seen + in one place in the wild, and it took considerable effort + to even generate a test case to reproduce it, but there's + no way to be sure it won't strike, and the effect is to break + the cache badly. Installations with DNSSEC enabled are more + likely to see the problem, but not running DNSSEC does not + guarantee that it won't happen. Thanks to Timo van Roermund + for reporting the bug and for his great efforts in chasing + it down. (boo#1207174) +- remove no longer needed rpmlintrc filters + +------------------------------------------------------------------- +Fri Dec 23 07:48:29 UTC 2022 - Dirk Müller + +- update to 2.88: + * Fix bug in --dynamic-host when an interface has /16 IPv4 + * address. + * Add --fast-dns-retry option. This gives dnsmasq the ability + to originate retries for upstream DNS queries itself, rather + than relying on the downstream client. This is most useful + when doing DNSSEC over unreliable upstream networks. It comes + with some cost in memory usage and network bandwidth. + * Add --use-stale-cache option. When set, if a DNS name exists + in the cache, but its time-to-live has expired, dnsmasq will + return the data anyway. + * handle removal of whole files or entries within files. 
+ +------------------------------------------------------------------- +Wed Oct 26 09:21:37 UTC 2022 - Dirk Müller + +- update to 2.87 (bsc#1197872, CVE-2022-0934): + * Allow arbitrary prefix lengths in --rev-server and + --domain=....,local + * Replace --address=/#/..... functionality which got + missed in the 2.86 domain search rewrite. + * Add --nftset option, like --ipset but for the newer nftables. + * Add --filter-A and --filter-AAAA options, to remove IPv4 or IPv6 + addresses from DNS answers. + * Fix crash doing netbooting when --port is set to zero + to disable the DNS server. Thanks to Drexl Johannes + for the bug report. + * Generalise --dhcp-relay. Sending via broadcast/multicast is + now supported for both IPv4 and IPv6 and the configuration + syntax made easier (but backwards compatible). + * Add snooping of IPv6 prefix-delegations to the DHCP-relay system. + * Finesse parsing of --dhcp-remoteid and --dhcp-subscrid. To be treated + as hex, the pattern must consist of only hex digits AND contain + at least one ':'. Thanks to Bengt-Erik Sandstrom who tripped + over a pattern consisting of a decimal number which was interpreted + surprisingly. + * Include client address in TFTP file-not-found error reports. + Thanks to Stefan Rink for the initial patch, which has been + re-worked by me (srk). All bugs mine. + * Note in manpage the change in behaviour of -address. This behaviour + actually changed in v2.86, but was undocumented there. From 2.86 on, + (eg) --address=/example.com/1.2.3.4 ONLY applies to A queries. All other + types of query will be sent upstream. Pre 2.86, that would catch the + whole example.com domain and queries for other types would get + a local NODATA answer. The pre-2.86 behaviour is still available, + by configuring --address=/example.com/1.2.3.4 --local=/example.com/ + * Fix problem with binding DHCP sockets to an individual interface. 
+ Despite the fact that the system call tales the interface _name_ as + a parameter, it actually, binds the socket to interface _index_. + Deleting the interface and creating a new one with the same name + leaves the socket bound to the old index. (Creating new sockets + always allocates a fresh index, they are not reused). We now + take this behaviour into account and keep up with changing indexes. + * Add --conf-script configuration option. + * Enhance --domain to accept, for instance, + --domain=net2.thekelleys.org.uk,eth2 so that hosts get a domain + which relects the interface they are attached to in a way which + doesn't require hard-coding addresses. Thanks to Sten Spans for + the idea. + * Fix write-after-free error in DHCPv6 server code. + CVE-2022-0934 refers. + * Add the ability to specify destination port in + DHCP-relay mode. This change also removes a previous bug + where --dhcp-alternate-port would affect the port used + to relay _to_ as well as the port being listened on. + The new feature allows configuration to provide bug-for-bug + compatibility, if required. Thanks to Damian Kaczkowski + for the feature suggestion. + * Bound the value of UDP packet size in the EDNS0 header of + forwarded queries to the configured or default value of + edns-packet-max. There's no point letting a client set a larger + value if we're unable to return the answer. Thanks to Bertie + Taylor for pointing out the problem and supplying the patch. 
+- drop dnsmasq-CVE-2022-0934.patch, dnsmasq-resolv-conf.patch (upstream) + +------------------------------------------------------------------- +Fri Sep 9 11:00:25 UTC 2022 - Callum Farmer + +- Ensure the dnsmasq user's group is used +- Remove nogroup requirement + +------------------------------------------------------------------- +Wed Jun 8 14:24:38 UTC 2022 - Callum Farmer + +- Move the dbus-1 system.d file to /usr (bsc#1200344) + +------------------------------------------------------------------- +Tue Apr 5 07:16:18 UTC 2022 - Reinhard Max + +- bsc#1197872, CVE-2022-0934, dnsmasq-CVE-2022-0934.patch: + Heap use after free in dhcp6_no_relay + +------------------------------------------------------------------- +Thu Nov 18 13:59:55 UTC 2021 - Reinhard Max + +- bsc#1192529, dnsmasq-resolv-conf.patch: + Fix a segfault when re-reading an empty resolv.conf +- Remove "nogroup" membership from the dnsmasq user. + +------------------------------------------------------------------- +Wed Oct 20 17:08:15 UTC 2021 - Callum Farmer + +- Use systemd-sysusers from 15.3 onwards + +------------------------------------------------------------------- +Thu Sep 23 08:48:12 UTC 2021 - Reinhard Max + +- jsc#SLE-17936: Sync this state from Factory to SLE-15-SP1. +- SLE bugs that got fixed upstream between 2.79 and 2.86, but for + which we need to keep references when syncing: + * bsc#1176076: dnsmasq-servfail.patch + * bsc#1156543: dnsmasq-siocgstamp.patch + * bsc#1138743: dnsmasq-cache-size.patch + * bsc#1076958: CVE-2017-15107, dnsmasq-CVE-2017-15107.patch + * bsc#1180914: Open inotify socket only when used. + * removed dnsmasq-dnspooq.patch +- bsc#1173646, CVE-2020-14312: Set --local-service by default. + +------------------------------------------------------------------- +Fri Sep 17 11:10:17 UTC 2021 - Reinhard Max + +- Update to 2.86: + * Handle DHCPREBIND requests in the DHCPv6 server code. 
+ * Fix bug which caused dnsmasq to lose track of processes forked + to handle TCP DNS connections under heavy load. + * Major rewrite of the DNS server and domain handling code. This + should be largely transparent, but it drastically improves + performance and reduces memory foot-print when configuring + large numbers of domains. + * Revise resource handling for number of concurrent DNS queries. + * Improve efficiency of DNSSEC. + * Connection track mark based DNS query filtering. + * Allow smaller than 64 prefix lengths in synth-domain, with + caveats. + --synth-domain=1234:4567::/56,example.com is now valid. + * Make domains generated by --synth-domain appear in replies + when in authoritative mode. + * Ensure CAP_NET_ADMIN capability is available when conntrack + is configured. + * When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are + given a directory as argument, define the order in which files + within that directory are read (alphabetical order of filename). + +------------------------------------------------------------------- +Tue Sep 14 06:19:17 UTC 2021 - Johannes Segitz + +- Added hardening to systemd service(s) (bsc#1181400). + +------------------------------------------------------------------- +Sun Jun 13 13:28:49 UTC 2021 - Callum Farmer + +- Add now working CONFIG parameter to sysusers generator + +------------------------------------------------------------------- +Wed Jun 2 10:28:12 UTC 2021 - Callum Farmer + +- Change to using systemd-sysusers on TW + +------------------------------------------------------------------- +Mon Apr 19 20:46:49 UTC 2021 - Reinhard Max + +- Update to 2.85: + * Fix problem with DNS retries in 2.83/2.84. + * Tweak sort order of tags in get-version. + * Avoid treating a --dhcp-host which has an IPv6 address as + eligible for use with DHCPv4 on the grounds that it has + no address, and vice-versa. 
+ * Add --dynamic-host option: A and AAAA records which take their + network part from the network of a local interface. Useful + for routers with dynamically prefixes. + * Teach --bogus-nxdomain and --ignore-address to take an IPv4 + subnet. + * CVE-2021-3448, bsc#1183709: Use random source ports where + possible if source addresses/interfaces in use. + * Change the method of allocation of random source ports for DNS. + * Scale the size of the DNS random-port pool based on the + value of the --dns-forward-max configuration. + * Tweak TFTP code to check sender of all received packets, as + specified in RFC 1350 para 4. + +------------------------------------------------------------------- +Mon Feb 8 22:37:20 UTC 2021 - Dirk Müller + +- update to 2.84: + * Change HAVE_NETTLEHASH compile-time to HAVE_CRYPTOHASH + * Tidy initialisation in hash_questions.c + * Optimise sort_rrset for the case where the RR type + * Move fd into frec_src + +------------------------------------------------------------------- +Wed Jan 27 16:24:43 UTC 2021 - Callum Farmer + +- Fix building with lua54 + +------------------------------------------------------------------- +Tue Jan 19 12:24:02 UTC 2021 - Reinhard Max + +- Update to 2.83: + * bsc#1177077: Fixed DNSpooq vulnerabilities + * Use the values of --min-port and --max-port in outgoing + TCP connections to upstream DNS servers. + * Fix a remote buffer overflow problem in the DNSSEC code. + Any dnsmasq with DNSSEC compiled in and enabled is vulnerable + to this, referenced by CVE-2020-25681, CVE-2020-25682, + CVE-2020-25683 CVE-2020-25687. + * Be sure to only accept UDP DNS query replies at the address + from which the query was originated. This keeps as much + entropy in the {query-ID, random-port} tuple as possible, to + help defeat cache poisoning attacks. Refer: CVE-2020-25684. + * Use the SHA-256 hash function to verify that DNS answers + received are for the questions originally asked. 
This replaces + the slightly insecure SHA-1 (when compiled with DNSSEC) or + the very insecure CRC32 (otherwise). Refer: CVE-2020-25685 + * Handle multiple identical near simultaneous DNS queries better. + Previously, such queries would all be forwarded independently. + This is, in theory, inefficent but in practise not a problem, + _except_ that is means that an answer for any of the forwarded + queries will be accepted and cached. + An attacker can send a query multiple times, and for each + repeat, another {port, ID} becomes capable of accepting the + answer he is sending in the blind, to random IDs and ports. + The chance of a succesful attack is therefore multiplied by the + number of repeats of the query. The new behaviour detects + repeated queries and merely stores the clients sending repeats + so that when the first query completes, the answer can be sent + to all the clients who asked. Refer: CVE-2020-25686. + +------------------------------------------------------------------- +Tue Jul 28 08:00:51 UTC 2020 - Martin Rey + +- Update to 2.82: + * Improve behaviour in the face of network interfaces which come + and go and change index. + * Convert hard startup failure on NETLINK_NO_ENOBUFS under + qemu-user to a warning. + * Allow IPv6 addresses ofthe form [::ffff:1.2.3.4] in + --dhcp-option. + * Fix crash under heavy TCP connection load introduced in 2.81. + * Change default lease time for DHCPv6 to one day. + * Alter calculation of preferred and valid times in router + advertisements, so that these do not have a floor applied of + the lease time in the dhcp-range if this is not explicitly + specified and is merely the default. 
+- Reformat spec file with spec-cleaner + +------------------------------------------------------------------- +Tue May 5 11:26:55 UTC 2020 - Paolo Stivanin + +- Update to 2.81: + * Improve cache behaviour for TCP connections + * Remove the NO_FORK compile-time option, and support for uclinux + * Fix line-counting when reading /etc/hosts and friends + * Fix bug in DNS non-terminal code, added in 2.80, which could + sometimes cause a NODATA rather than an NXDOMAIN reply. + * Support TCP-fastopen (RFC-7413) on both incoming and + outgoing TCP connections, if supported and enabled in the OS. + * Improve kernel-capability manipulation code under Linux + * Add --shared-network config. This enables allocation of addresses + by the DHCP server in subnets where the server (or relay) does not + have an interface on the network in that subnet. Many thanks to + kamp.de for sponsoring this feature. + * Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet + validation check got borked in commit 2b38e382 and release 2.80. + Thanks to Tomasz Szajner for spotting this. + * Fix compilation against nettle version 3.5 and later. + * Fix spurious DNSSEC validation failures when the auth section + of a reply contains unsigned RRs from a signed zone, + with the exception that NSEC and NSEC3 RRs must always be signed. + Thanks to Tore Anderson for spotting and diagnosing the bug. + * Add --dhcp-ignore-clid. This disables reading of DHCP client + identifier option (option 61), so clients are only identified by + MAC addresses. + * Fix a bug which stopped --dhcp-name-match from working when a hostname + is supplied in --dhcp-host. Thanks to James Feeney for spotting this. + * Fix bug which caused very rarely caused zero-length DHCPv6 packets. + Thanks to Dereck Higgins for spotting this. + * Add --tftp-single-port option. 
+ * Enhance --conf-dir to load files in a deterministic order + * Add filtering by tag of --dhcp-host directives + * Remove DSA signature verification from DNSSEC, as specified in + RFC 8624 + * Add --script-on-renewal option. +- Remove Fix-build-with-libnettle-3.5.patch +- Remove 0001-fix-build-after-y2038-changes-in-glibc.patch +- Remove dnsmasq-CVE-2019-14834.patch + +------------------------------------------------------------------- +Sat Nov 30 12:15:42 UTC 2019 - Dominique Leuenberger + +- Remove redundant %else without meaning (if/else/else/endif?) + +------------------------------------------------------------------- +Wed Nov 13 10:46:21 UTC 2019 - Reinhard Max + +- bsc#1154849, CVE-2019-14834, dnsmasq-CVE-2019-14834.patch: + memory leak in the create_helper() function in /src/helper.c +- bsc#1143454: Require user(tftp) instead of creating it ourselves. +- Package contrib/lease-tools/dhcp_release6. +- bsc#1152539: include config files from /etc/dnsmasq.d/*.conf . + +------------------------------------------------------------------- +Wed Sep 4 18:47:39 UTC 2019 - Stefan Brüns + +- Add Fix-build-with-libnettle-3.5.patch + +------------------------------------------------------------------- +Tue Jul 23 13:52:05 UTC 2019 - matthias.gerstner@suse.com + +- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by + firewalld, see [1]. 
+ + [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html + +------------------------------------------------------------------- +Wed Jul 10 06:28:36 UTC 2019 - Jiri Slaby + +- add 0001-fix-build-after-y2038-changes-in-glibc.patch + +------------------------------------------------------------------- +Tue Jun 11 12:31:25 UTC 2019 - Dominique Leuenberger + +- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to + shortcut the build queues by allowing usage of systemd-mini + +------------------------------------------------------------------- +Fri Feb 22 07:10:51 UTC 2019 - Franck Bui + +- Drop use of $FIRST_ARG in .spec + + The use of $FIRST_ARG was probably required because of the + %service_* rpm macros were playing tricks with the shell positional + parameters. This is bad practice and error prones so let's assume + that no macros should do that anymore and hence it's safe to assume + that positional parameters remains unchanged after any rpm macro + call. + +------------------------------------------------------------------- +Wed Jan 23 23:03:22 UTC 2019 - Cristian Rodríguez + +- libidn should not be used anymore, switch to libidn2 + +------------------------------------------------------------------- +Mon Oct 22 08:29:46 UTC 2018 - Jan Engelhardt + +- Ensure neutrality of descriptions. / Replace description with + new upstream description. +- Do not hide failures from user/group additions. +- Replace old $RPM_* shell vars by macros. 
+ +------------------------------------------------------------------- +Sun Oct 21 22:17:10 UTC 2018 - sean@suspend.net + +- Updated to dnsmasq 2.80 + * Add support for RFC 4039 DHCP rapid commit + * Alter the default for dnssec-check-unsigned + * Fix DHCP when --no-ping and --dhcp-sequential-ip are set + * Allow zone transfer in authoritative mode if auth-peer is specified + * FIx missing fatal errors with some malformed options + * Fix crash on startup with a --synth-domain which has no prefix + +------------------------------------------------------------------- +Fri Oct 19 15:01:00 UTC 2018 - cgoll@suse.com + +- enabled lua scripting interface (FATE#327143). + +------------------------------------------------------------------- +Wed Aug 29 16:22:13 UTC 2018 - dmueller@suse.com + +- add missing prereq on the group to be created (bsc#1106446) + +------------------------------------------------------------------- +Mon Jul 16 10:15:54 CEST 2018 - kukuk@suse.de + +- Don't require systemd explicit, fix spec file to handle both + cases correct. In containers we don't have systemd. +- Adjust pre/post install for transactional updates. +- Use %license instead of %doc [bsc#1082318] + +------------------------------------------------------------------- +Mon Dec 4 13:39:32 UTC 2017 - idonmez@suse.com + +- Update keyring + +------------------------------------------------------------------- +Fri Dec 1 14:50:09 UTC 2017 - cbosdonnat@suse.com + +- Get rid of python dependency due to examples. (fate#323526) + +------------------------------------------------------------------- +Mon Oct 2 14:09:59 UTC 2017 - max@suse.com + +- Security update to version 2.78: + * bsc#1060354, CVE-2017-14491: 2 byte heap based overflow. + * bsc#1060355, CVE-2017-14492: heap based overflow. + * bsc#1060360, CVE-2017-14493: stack based overflow. + * bsc#1060361, CVE-2017-14494: DHCP - info leak. + * bsc#1060362, CVE-2017-14495: DNS - OOM DoS. 
+ * bsc#1060364, CVE-2017-14496: DNS - DoS Integer underflow. + * Fix DHCP relaying, broken in 2.76 and 2.77. + * For other changes, see + http://www.thekelleys.org.uk/dnsmasq/CHANGELOG +- Obsoleted patches: + * Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch + * Handle-binding-upstream-servers-to-an-interface.patch + +------------------------------------------------------------------- +Tue Sep 12 08:29:59 UTC 2017 - tchvatal@suse.com + +- Fix /srv/tftpboot permissions wrt bsc#940608 + +------------------------------------------------------------------- +Fri Aug 18 11:16:03 UTC 2017 - dmueller@suse.com + +- reload system dbus to pick up policy change on install (bsc#1054429) + +------------------------------------------------------------------- +Wed Jan 4 17:29:37 UTC 2017 - martin.wilck@suse.com + +- Handle binding upstream servers to an interface if interface + is destroyed and recreated (boo#1018160) + Added two patches from upstream: + * added Handle-binding-upstream-servers-to-an-interface.patch + * added Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch + +------------------------------------------------------------------- +Wed Aug 3 13:46:06 UTC 2016 - max@suse.com + +- Update to 2.76: + + * Include 0.0.0.0/8 in DNS rebind checks. + * Enhance --add-subnet to allow arbitrary subnet addresses. + * Respect the --no-resolv flag in inotify code. Fixes bug + which caused dnsmasq to fail to start if a resolv-file + was a dangling symbolic link, even of --no-resolv set. + * Fix crash when an A or AAAA record is defined locally, + in a hosts file, and an upstream server sends a reply + that the same name is empty (CVE-2015-8899, bsc#983273). + * Fix failure to correctly calculate cache-size when reading a + hosts-file fails. + * Fix wrong answer to simple name query when --domain-needed + set, but no upstream servers configured. + * Return REFUSED when running out of forwarding table slots, + not SERVFAIL. + * Add --max-port configuration. 
+ * Add --script-arp and two new functions for the dhcp-script. + * Extend --add-mac to allow a new encoding of the MAC address + as base64, by configurting --add-mac=base64 + * Add --add-cpe-id option. + + * Don't crash with divide-by-zero if an IPv6 dhcp-range is + declared as a whole /64. + (ie xx::0 to xx::ffff:ffff:ffff:ffff) + * Add support for a TTL parameter in --host-record and --cname. + * Add --dhcp-ttl option. + * Add --tftp-mtu option. + * Check return-code of inet_pton() when parsing dhcp-option. + * Fix wrong value for EDNS UDP packet size when using + --servers-file to define upstream DNS servers. + * Add dhcp_release6 to contrib/lease-tools. + +------------------------------------------------------------------- +Thu Jun 16 12:39:18 UTC 2016 - max@suse.com + +- dnsmasq-groups.patch: Initialize the supplementary groups of the + dnsmasq user (bsc#859298). + +------------------------------------------------------------------- +Tue Feb 2 21:34:39 UTC 2016 - mpluskal@suse.com + +- Add gpg signature + +------------------------------------------------------------------- +Mon Aug 24 18:10:01 UTC 2015 - stefan.bruens@rwth-aachen.de + +- spec file cleanup, get rid of redifinition warnings + +------------------------------------------------------------------- +Tue Aug 11 01:41:02 UTC 2015 - stefan.bruens@rwth-aachen.de + +- Update to 2.75, announce message: + Fix reversion on 2.74 which caused 100% CPU use when a + dhcp-script is configured. Thanks to Adrian Davey for + reporting the bug and testing the fix. + +- Update to 2.74, announce message: + Fix reversion in 2.73 where --conf-file would attempt to + read the default file, rather than no file. + + Fix inotify code to handle dangling symlinks better and + not SEGV in some circumstances. + + DNSSEC fix. In the case of a signed CNAME generated by a + wildcard which pointed to an unsigned domain, the wrong + status would be logged, and some necessary checks omitted. 
+ +- Update to 2.73, announce message: + Fix crash at startup when an empty suffix is supplied to + --conf-dir, also trivial memory leak. Thanks to + Tomas Hozza for spotting this. + + Remove floor of 4096 on advertised EDNS0 packet size when + DNSSEC in use, the original rationale for this has long gone. + Thanks to Anders Kaseorg for spotting this. + + Use inotify for checking on updates to /etc/resolv.conf and + friends under Linux. This fixes race conditions when the files are + updated rapidly and saves CPU by noy polling. To build + a binary that runs on old Linux kernels without inotify, + use make COPTS=-DNO_INOTIFY + + Fix breakage of --domain=,,local - only reverse + queries were intercepted. THis appears to have been broken + since 2.69. Thanks to Josh Stone for finding the bug. + + Eliminate IPv6 privacy addresses and deprecated addresses from + the answers given by --interface-name. Note that reverse queries + (ie looking for names, given addresses) are not affected. + Thanks to Michael Gorbach for the suggestion. + + Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids + for the bug report. + + Add --ignore-address option. Ignore replies to A-record + queries which include the specified address. No error is + generated, dnsmasq simply continues to listen for another + reply. This is useful to defeat blocking strategies which + rely on quickly supplying a forged answer to a DNS + request for certain domains, before the correct answer can + arrive. Thanks to Glen Huang for the patch. + + Revisit the part of DNSSEC validation which determines if an + unsigned answer is legit, or is in some part of the DNS + tree which should be signed. Dnsmasq now works from the + DNS root downward looking for the limit of signed + delegations, rather than working bottom up. This is + both more correct, and less likely to trip over broken + nameservers in the unsigned parts of the DNS tree + which don't respond well to DNSSEC queries. 
+ + Add --log-queries=extra option, which makes logs easier + to search automatically. + + Add --min-cache-ttl option. I've resisted this for a long + time, on the grounds that disbelieving TTLs is never a + good idea, but I've been persuaded that there are + sometimes reasons to do it. (Step forward, GFW). + To avoid misuse, there's a hard limit on the TTL + floor of one hour. Thansk to RinSatsuki for the patch. + + Cope with multiple interfaces with the same link-local + address. (IPv6 addresses are scoped, so this is allowed.) + Thanks to Cory Benfield for help with this. + + Add --dhcp-hostsdir. This allows addition of new host + configurations to a running dnsmasq instance much more + cheaply than having dnsmasq re-read all its existing + configuration each time. + + Don't reply to DHCPv6 SOLICIT messages if we're not + configured to do stateful DHCPv6. Thanks to Win King Wan + for the patch. + + Fix broken DNSSEC validation of ECDSA signatures. + + Add --dnssec-timestamp option, which provides an automatic + way to detect when the system time becomes valid after + boot on systems without an RTC, whilst allowing DNS + queries before the clock is valid so that NTP can run. + Thanks to Kevin Darbyshire-Bryant for developing this idea. + + Add --tftp-no-fail option. Thanks to Stefan Tomanek for + the patch. + + Fix crash caused by looking up servers.bind, CHAOS text + record, when more than about five --servers= lines are + in the dnsmasq config. This causes memory corruption + which causes a crash later. Thanks to Matt Coddington for + sterling work chasing this down. + + Fix crash on receipt of certain malformed DNS requests. + Thanks to Nick Sampanis for spotting the problem. 
+ Note that this is could allow the dnsmasq process's + memory to be read by an attacker under certain + circumstances, so it has a CVE, CVE-2015-3294 + + Fix crash in authoritative DNS code, if a .arpa zone + is declared as authoritative, and then a PTR query which + is not to be treated as authoritative arrived. Normally, + directly declaring .arpa zone as authoritative is not + done, so this crash wouldn't be seen. Instead the + relevant .arpa zone should be specified as a subnet + in the auth-zone declaration. Thanks to Johnny S. Lee + for the bugreport and initial patch. + + Fix authoritative DNS code to correctly reply to NS + and SOA queries for .arpa zones for which we are + declared authoritative by means of a subnet in auth-zone. + Previously we provided correct answers to PTR queries + in such zones (including NS and SOA) but not direct + NS and SOA queries. Thanks to Johnny S. Lee for + pointing out the problem. + + Fix logging of DHCPREPLY which should be suppressed + by quiet-dhcp6. Thanks to J. Pablo Abonia for + spotting the problem. + + Try and handle net connections with broken fragmentation + that lose large UDP packets. If a server times out, + reduce the maximum UDP packet size field in the EDNS0 + header to 1280 bytes. If it then answers, make that + change permanent. + + Check IPv4-mapped IPv6 addresses when --stop-rebind + is active. Thanks to Jordan Milne for spotting this. + + Allow DHCPv4 options T1 and T2 to be set using --dhcp-option. + Thanks to Kevin Benton for patches and work on this. + + Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses + in the correct subnet, even of not in dynamic address + allocation range. Thanks to Steve Hirsch for spotting + the problem. + + Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks + to Nicolas Cavallari for the patch. + + Allow configuration of router advertisements without the + "on-link" bit set. Thanks to Neil Jerram for the patch. 
+ + Extend --bridge-interface to DHCPv6 and router + advertisements. Thanks to Neil Jerram for the patch. + +------------------------------------------------------------------- +Wed Jun 17 01:45:33 UTC 2015 - crrodriguez@opensuse.org + +- dnsmasq.service: Order Before=nss-lookup.target and + Wants=nss-lookup.target as this service may provide + name resolution even for the localhost. + +------------------------------------------------------------------- +Mon Apr 20 12:14:54 UTC 2015 - abergmann@suse.com + +- Move trust-anchors.conf into /etc/dnsmasq.d to be AppArmor conform. + (bnc#908137) + +------------------------------------------------------------------- +Tue Jan 6 09:58:25 UTC 2015 - jslaby@suse.com + +- The change from Wed Dec 24 messed group w/ user IDs. Switch them + back and be more careful w/ what is changed. + +------------------------------------------------------------------- +Mon Dec 29 09:37:54 UTC 2014 - dimstar@opensuse.org + +- Fix symlink of rcFOO to /usr/sbin/service, resolving a dangling + symlink lint warning (and remove the same from rpmlintrc). + +------------------------------------------------------------------- +Thu Dec 25 06:32:18 UTC 2014 - nemysis@gmx.ch + +- Remove from spec group_and_isc.patch, forgotten in previous commit + +------------------------------------------------------------------- +Wed Dec 24 22:29:52 UTC 2014 - nemysis@gmx.ch + +- Update to 2.72, announce message: + + Add ra-advrouter mode, for RFC-3775 mobile IPv6 support. + + Add support for "ipsets" in *BSD, using pf. Thanks to + Sven Falempim for the patch. + + Fix race condition which could lock up dnsmasq when an + interface goes down and up rapidly. Thanks to Conrad + Kostecki for helping to chase this down. + + Add DBus methods SetFilterWin2KOption and SetBogusPrivOption + Thanks to the Smoothwall project for the patch. + + Fix failure to build against Nettle-3.0. Thanks to Steven + Barth for spotting this and finding the fix. 
+ + When assigning existing DHCP leases to intefaces by comparing + networks, handle the case that two or more interfaces have the + same network part, but different prefix lengths (favour the + longer prefix length.) Thanks to Lung-Pin Chang for the + patch. + + Add a mode which detects and removes DNS forwarding loops, ie + a query sent to an upstream server returns as a new query to + dnsmasq, and would therefore be forwarded again, resulting in + a query which loops many times before being dropped. Upstream + servers which loop back are disabled and this event is logged. + Thanks to Smoothwall for their sponsorship of this feature. + + Extend --conf-dir to allow filtering of files. So + --conf-dir=/etc/dnsmasq.d,\*.conf + will load all the files in /etc/dnsmasq.d which end in .conf + + Fix bug when resulted in NXDOMAIN answers instead of NODATA in + some circumstances. + + Fix bug which caused dnsmasq to become unresponsive if it + failed to send packets due to a network interface disappearing. + Thanks to Niels Peen for spotting this. + + Fix problem with --local-service option on big-endian platforms + Thanks to Richard Genoud for the patch. 
+ + +- Add dnsmasq-rpmlintrc, for false positive scripts and symlink +- Add BuildRequires for dos2unix +- Use sed instead of simple patch group_and_isc.patch + + +------------------------------------------------------------------- +Sun Nov 9 09:30:07 UTC 2014 - seife+obs@b1-systems.com + +- fix logging, PrivateDevices=yes kills it (bnc#902511, bnc#904537) + +------------------------------------------------------------------- +Tue Aug 26 14:05:14 CEST 2014 - dsterba@suse.cz + +- enable DNSSEC + - require libnettle + - package trust-anchors.conf +- spec fixes: + - define HAVE_ flags on commandline, otherwise 'dnsmasq --version' + will not correctly reflect the feature status + +------------------------------------------------------------------- +Fri Aug 22 07:08:36 UTC 2014 - meissner@suse.com + +- actually build with relro and pie. (bnc#893057) + +------------------------------------------------------------------- +Wed Aug 6 06:48:20 UTC 2014 - vwallfahrer@suse.com + +- Removed Suse and all other OS/Distribution related subdirs from + contrib, so only the rest gets packaged. The subdirs are not + necessary anymore (bnc#889028). + +------------------------------------------------------------------- +Tue Aug 5 08:19:42 UTC 2014 - vwallfahrer@suse.com + +- Removed README.SUSE file, it was to confusing and not necessary (bnc#889972). + Information is already present in the upstream documentation. +- Split up vendor-files.tar.bz2 into single files +- Comply with systemd packaging guidlines + +------------------------------------------------------------------- +Thu Jun 12 08:15:29 UTC 2014 - cdenicolo@suse.com + +- license update: GPL-2.0 or GPL-3.0 + correct license is dual GPL-2.0 or GPL-3.0; please add COPYING-v3-file to + RPM. 
+ +------------------------------------------------------------------- +Wed Jun 11 15:27:24 UTC 2014 - dmueller@suse.com + +- update to 2.71: + Subtle change to error handling to help DNSSEC validation + when servers fail to provide NODATA answers for + non-existent DS records. + + Tweak code which removes DNSSEC records from answers when + not required. Fixes broken answers when additional section + has real records in it. Thanks to Marco Davids for the bug + report. + + Fix DNSSEC validation of ANY queries. Thanks to Marco Davids + for spotting that too. + + Fix total DNS failure and 100% CPU use if cachesize set to zero, + regression introduced in 2.69. Thanks to James Hunt and + the Ubuntu crowd for assistance in fixing this. + + + Fix crash, introduced in 2.69, on TCP request when dnsmasq + compiled with DNSSEC support, but running without DNSSEC + enabled. Thanks to Manish Sing for spotting that one. + + Fix regression which broke ipset functionality. Thanks to + Wang Jian for the bug report. + + + Implement dynamic interface discovery on *BSD. This allows + the contructor: syntax to be used in dhcp-range for DHCPv6 + on the BSD platform. Thanks to Matthias Andree for + valuable research on how to implement this. + + Fix infinite loop associated with some --bogus-nxdomain + configs. Thanks fogobogo for the bug report. + + Fix missing RA RDNS option with configuration like + --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer + for spotting the problem. + + Add [fd00::] and [fe80::] as special addresses in DHCPv6 + options, analogous to [::]. [fd00::] is replaced with the + actual ULA of the interface on the machine running + dnsmasq, [fe80::] with the link-local address. + Thanks to Tsachi Kimeldorfer for championing this. + + DNSSEC validation and caching. Dnsmasq needs to be + compiled with this enabled, with + + make dnsmasq COPTS=-DHAVE_DNSSEC + + this add dependencies on the nettle crypto library and the + gmp maths library. 
It's possible to have these linked + statically with + + make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC' + + which bloats the dnsmasq binary, but saves the size of + the shared libraries which are much bigger. + + To enable, DNSSEC, you will need a set of + trust-anchors. Now that the TLDs are signed, this can be + the keys for the root zone, and for convenience they are + included in trust-anchors.conf in the dnsmasq + distribution. You should of course check that these are + legitimate and up-to-date. So, adding + + conf-file=/path/to/trust-anchors.conf + dnssec + + to your config is all thats needed to get things + working. The upstream nameservers have to be DNSSEC-capable + too, of course. Many ISP nameservers aren't, but the + Google public nameservers (8.8.8.8 and 8.8.4.4) are. + When DNSSEC is configured, dnsmasq validates any queries + for domains which are signed. Query results which are + bogus are replaced with SERVFAIL replies, and results + which are correctly signed have the AD bit set. In + addition, and just as importantly, dnsmasq supplies + correct DNSSEC information to clients which are doing + their own validation, and caches DNSKEY, DS and RRSIG + records, which significantly improve the performance of + downstream validators. Setting --log-queries will show + DNSSEC in action. + + If a domain is returned from an upstream nameserver without + DNSSEC signature, dnsmasq by default trusts this. This + means that for unsigned zone (still the majority) there + is effectively no cost for having DNSSEC enabled. Of course + this allows an attacker to replace a signed record with a + false unsigned record. This is addressed by the + --dnssec-check-unsigned flag, which instructs dnsmasq + to prove that an unsigned record is legitimate, by finding + a secure proof that the zone containing the record is not + signed. Doing this has costs (typically one or two extra + upstream queries). 
It also has a nasty failure mode if + dnsmasq's upstream nameservers are not DNSSEC capable. + Without --dnssec-check-unsigned using such an upstream + server will simply result in not queries being validated; + with --dnssec-check-unsigned enabled and a + DNSSEC-ignorant upstream server, _all_ queries will fail. + + Note that DNSSEC requires that the local time is valid and + accurate, if not then DNSSEC validation will fail. NTP + should be running. This presents a problem for routers + without a battery-backed clock. To set the time needs NTP + to do DNS lookups, but lookups will fail until NTP has run. + To address this, there's a flag, --dnssec-no-timecheck + which disables the time checks (only) in DNSSEC. When dnsmasq + is started and the clock is not synced, this flag should + be used. As soon as the clock is synced, SIGHUP dnsmasq. + The SIGHUP clears the cache of partially-validated data and + resets the no-timecheck flag, so that all DNSSEC checks + henceforward will be complete. + + The development of DNSSEC in dnsmasq was started by + Giovanni Bajo, to whom huge thanks are owed. It has been + supported by Comcast, whose techfund grant has allowed for + an invaluable period of full-time work to get it to + a workable state. + + Add --rev-server. Thanks to Dave Taht for suggesting this. + + Add --servers-file. Allows dynamic update of upstream servers + full access to configuration. + + Add --local-service. Accept DNS queries only from hosts + whose address is on a local subnet, ie a subnet for which + an interface exists on the server. This option + only has effect if there are no --interface --except-interface, + --listen-address or --auth-server options. It is intended + to be set as a default on installation, to allow + unconfigured installations to be useful but also safe from + being used for DNS amplification attacks. + + Fix crashes in cache_get_cname_target() when dangling CNAMEs + encountered. 
Thanks to Andy and the rt-n56u project for + find this and helping to chase it down. + + Fix wrong RCODE in authoritative DNS replies to PTR queries. The + correct answer was included, but the RCODE was set to NXDOMAIN. + Thanks to Craig McQueen for spotting this. + + Make statistics available as DNS queries in the .bind TLD as + well as logging them. + + + Use random addresses for DHCPv6 temporary address + allocations, instead of algorithmically determined stable + addresses. + + Fix bug which meant that the DHCPv6 DUID was not available + in DHCP script runs during the lifetime of the dnsmasq + process which created the DUID de-novo. Once the DUID was + created and stored in the lease file and dnsmasq + restarted, this bug disappeared. + + Fix bug introduced in 2.67 which could result in erroneous + NXDOMAIN returns to CNAME queries. + + Fix build failures on MacOS X and openBSD. + + Allow subnet specifications in --auth-zone to be interface + names as well as address literals. This makes it possible + to configure authoritative DNS when local address ranges + are dynamic and works much better than the previous + work-around which exempted contructed DHCP ranges from the + IP address filtering. As a consequence, that work-around + is removed. Under certain circumstances, this change wil + break existing configuration: if you're relying on the + contructed-range exception, you need to change --auth-zone + to specify the same interface as is used to construct your + DHCP ranges, probably with a trailing "/6" like this: + --auth-zone=example.com,eth0/6 to limit the addresses to + IPv6 addresses of eth0. + + Fix problems when advertising deleted IPv6 prefixes. If + the prefix is deleted (rather than replaced), it doesn't + get advertised with zero preferred time. Thanks to Tsachi + for the bug report. + + Fix segfault with some locally configured CNAMEs. Thanks + to Andrew Childs for spotting the problem. 
+ + Fix memory leak on re-reading /etc/hosts and friends, + introduced in 2.67. + + Check the arrival interface of incoming DNS and TFTP + requests via IPv6, even in --bind-interfaces mode. This + isn't possible for IPv4 and can generate scary warnings, + but as it's always possible for IPv6 (the API always + exists) then we should do it always. + + Tweak the rules on prefix-lengths in --dhcp-range for + IPv6. The new rule is that the specified prefix length + must be larger than or equal to the prefix length of the + corresponding address on the local interface. + + + Fix crash if upstream server returns SERVFAIL when + --conntrack in use. Thanks to Giacomo Tazzari for finding + this and supplying the patch. + + Repair regression in 2.64. That release stopped sending + lease-time information in the reply to DHCPINFORM + requests, on the correct grounds that it was a standards + violation. However, this broke the dnsmasq-specific + dhcp_lease_time utility. Now, DHCPINFORM returns + lease-time only if it's specifically requested + (maintaining standards) and the dhcp_lease_time utility + has been taught to ask for it (restoring functionality). + + Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass + to work with BOOTP and well as DHCP. Thanks to Peter + Korsgaard for spotting the problem. + + Add --synth-domain. Thanks to Vishvananda Ishaya for + suggesting this. + + Fix failure to compile ipset.c if old kernel headers are + in use. Thanks to Eugene Rudoy for pointing this out. + + Handle IPv4 interface-address labels in Linux. These are + often used to emulate the old IP-alias addresses. Before, + using --interface=eth0 would service all the addresses of + eth0, including ones configured as aliases, which appear + in ifconfig as eth0:0. Now, only addresses with the label + eth0 are active. This is not backwards compatible: if you + want to continue to bind the aliases too, you need to add + eg. --interface=eth0:0 to the config. 
+ + Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket + operation on non-socket" error on startup with + configurations which have exactly one --interface option + and do RA but _not_ DHCPv6. Thanks to Trever Adams for the + bug report. + + Generalise --interface-name to cope with IPv6 addresses + and multiple addresses per interface per address family. + + Fix option parsing for --dhcp-host, which was generating a + spurious error when all seven possible items were + included. Thanks to Zhiqiang Wang for the bug report. + + Remove restriction on prefix-length in --auth-zone. Thanks + to Toke Hoiland-Jorgensen for suggesting this. + + Log when the maximum number of concurrent DNS queries is + reached. Thanks to Marcelo Salhab Brogliato for the patch. + + If wildcards are used in --interface, don't assume that + there will only ever be one available interface for DHCP + just because there is one at start-up. More may appear, so + we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug + report. + + Increase timeout/number of retries in TFTP to accomodate + AudioCodes Voice Gateways doing streaming writes to flash. + Thanks to Damian Kaczkowski for spotting the problem. + + Fix crash with empty DHCP string options when adding zero + terminator. Thanks to Patrick McLean for the bug report. + + Allow hostnames to start with a number, as allowed in + RFC-1123. Thanks to Kyle Mestery for the patch. + + Fixes to DHCP FQDN option handling: don't terminate FQDN + if domain not known and allow a FQDN option with blank + name to request that a FQDN option is returned in the + reply. Thanks to Roy Marples for the patch. + + Make --clear-on-reload apply to setting upstream servers + via DBus too. + + When the address which triggered the construction of an + advertised IPv6 prefix disappears, continue to advertise + the prefix for up to 2 hours, with the preferred lifetime + set to zero. 
This satisfies RFC 6204 4.3 L-13 and makes + things work better if a prefix disappears without being + deprecated first. Thanks to Uwe Schindler for persuasively + arguing for this. + + Fix MAC address enumeration on *BSD. Thanks to Brad Smith + for the bug report. + + Support RFC-4242 information-refresh-time options in the + reply to DHCPv6 information-request. The lease time of the + smallest valid dhcp-range is sent. Thanks to Uwe Schindler + for suggesting this. + + Make --listen-address higher priority than --except-interface + in all circumstances. Thanks to Thomas Hood for the bugreport. + + Provide independent control over which interfaces get TFTP + service. If enable-tftp is given a list of interfaces, then TFTP + is provided on those. Without the list, the previous behaviour + (provide TFTP to the same interfaces we provide DHCP to) + is retained. Thanks to Lonnie Abelbeck for the suggestion. + + Add --dhcp-relay config option. Many thanks to vtsl.net + for sponsoring this development. + + Fix crash with empty tag: in --dhcp-range. Thanks to + Kaspar Schleiser for the bug report. + + Add "baseline" and "bloatcheck" makefile targets, for + revealing size changes during development. Thanks to + Vladislav Grishenko for the patch. + + Cope with DHCPv6 clients which send REQUESTs without + address options - treat them as SOLICIT with rapid commit. + + Support identification of clients by MAC address in + DHCPv6. When using a relay, the relay must support RFC + 6939 for this to work. It always works for directly + connected clients. Thanks to Vladislav Grishenko + for prompting this feature. + + Remove the rule for constructed DHCP ranges that the local + address must be either the first or last address in the + range. This was originally to avoid SLAAC addresses, but + we now explicitly autoconfig and privacy addresses instead. + + Update Polish translation. Thanks to Jan Psota. + + Fix problem in DHCPv6 vendorclass/userclass matching + code. 
Thanks to Tanguy Bouzeloc for the patch. + + Update Spanish transalation. Thanks to Vicente Soriano. + + Add --ra-param option. Thanks to Vladislav Grishenko for + inspiration on this. + + Add --add-subnet configuration, to tell upstream DNS + servers where the original client is. Thanks to DNSthingy + for sponsoring this feature. + + Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to + Kevin Darbyshire-Bryant for the initial patch. + + Allow A/AAAA records created by --interface-name to be the + target of --cname. Thanks to Hadmut Danisch for the + suggestion. + + Avoid treating a --dhcp-host which has an IPv6 address + as eligable for use with DHCPv4 on the grounds that it has + no address, and vice-versa. Thanks to Yury Konovalov for + spotting the problem. + + Do a better job caching dangling CNAMEs. Thanks to Yves + Dorfsman for spotting the problem. + + + Add the ability to act as an authoritative DNS + server. Dnsmasq can now answer queries from the wider 'net + with local data, as long as the correct NS records are set + up. Only local data is provided, to avoid creating an open + DNS relay. Zone transfer is supported, to allow secondary + servers to be configured. + + Add "constructed DHCP ranges" for DHCPv6. This is intended + for IPv6 routers which get prefixes dynamically via prefix + delegation. With suitable configuration, stateful DHCPv6 + and RA can happen automatically as prefixes are delegated + and then deprecated, without having to re-write the + dnsmasq configuration file or restart the daemon. Thanks to + Steven Barth for extensive testing and development work on + this idea. + + Fix crash on startup on Solaris 11. Regression probably + introduced in 2.61. Thanks to Geoff Johnstone for the + patch. + + Add code to make behaviour for TCP DNS requests that same + as for UDP requests, when a request arrives for an allowed + address, but via a banned interface. 
This change is only + active on Linux, since the relevant API is missing (AFAIK) + on other platforms. Many thanks to Tomas Hozza for + spotting the problem, and doing invaluable discovery of + the obscure and undocumented API required for the solution. + + Don't send the default DHCP option advertising dnsmasq as + the local DNS server if dnsmasq is configured to not act + as DNS server, or it's configured to a non-standard port. + + Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBCRIBER_ID, + DNSMASQ_REMOTE_ID variables to the environment of the + lease-change script (and the corresponding Lua). These hold + information inserted into the DHCP request by a DHCP relay + agent. Thanks to Lakefield Communications for providing a + bounty for this addition. + + Fixed crash, introduced in 2.64, whilst handling DHCPv6 + information-requests with some common configurations. + Thanks to Robert M. Albrecht for the bug report and + chasing the problem. + + Add --ipset option. Thanks to Jason A. Donenfeld for the + patch. + + Don't erroneously reject some option names in --dhcp-match + options. Thanks to Benedikt Hochstrasser for the bug report. + + Allow a trailing '*' wildcard in all interface-name + configurations. Thanks to Christian Parpart for the patch. + + Handle the situation where libc headers define + SO_REUSEPORT, but the kernel in use doesn't, to cope with + the introduction of this option to Linux. Thanks to Rich + Felker for the bug report. + + Update Polish translation. Thanks to Jan Psota. + + Fix crash if the configured DHCP lease limit is + reached. Regression occurred in 2.61. Thanks to Tsachi for + the bug report. + + Update the French translation. Thanks to Gildas le Nadan. + +------------------------------------------------------------------- +Wed Mar 26 16:56:34 UTC 2014 - crrodriguez@opensuse.org + +- dnsmasq.service: Set PrivateDevices=yes so we run in a + separate namespace with the bare minimum device nodes isolated + from the host. 
+ +------------------------------------------------------------------- +Mon Apr 22 11:34:35 UTC 2013 - meissner@suse.com + +- reintroduced /sbin/rcdnsmasq as /sbin/service link. + +------------------------------------------------------------------- +Sat Apr 20 05:54:35 UTC 2013 - crrodriguez@opensuse.org + +- Do not order after syslog.target which it is neither + required not recommended and currently no longer even exists. + +------------------------------------------------------------------- +Sat Apr 13 16:04:18 UTC 2013 - coolo@suse.com + +- sync /srv/tftpboot directory attributes with atftp package + +------------------------------------------------------------------- +Wed Apr 3 23:09:10 UTC 2013 - crrodriguez@opensuse.org + +- remove all sysvinit support + +------------------------------------------------------------------- +Tue Mar 12 18:09:40 UTC 2013 - vuntz@suse.com + +- Create a utils subpackage to include DHCP lease management utils + (that are living in contrib/wrt): + + Explicitly build them in %build and install the files in + %install. + + Summary and description of the new subpackage are taken from + Fedora. + +------------------------------------------------------------------- +Fri Feb 22 12:53:03 UTC 2013 - rmilasan@suse.com + +- Install dnsmasq.service accordingly (/usr/lib/systemd for 12.3 + and up or /lib/systemd for older versions). + +------------------------------------------------------------------- +Fri Dec 14 15:32:27 UTC 2012 - toganm@opensuse.org + +- Update to version 2.65. For other changes relating to other + versions in between please see the CHANGELOG + + * Fix regression which broke forwarding orgf queries sent via + TCP which are not for A and AAAA and which were directed to + non-default servers. Thanks to Niax for the bug reportst. + + Fix failure to build with DHCP support excluded. Thanks to + Gustavo Zacarias for the patch. + + Fix nasty regression in 27.64 which completely broke cacheing. 
+ +- renamed group_and_isc.diff to group_and_isc.patch rebasinp to -p1 + level as outlined in the documentation at + http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines + +------------------------------------------------------------------- +Thu Oct 4 07:32:36 UTC 2012 - cfarrell@suse.com + +- license update: GPL-2.0 + Most of the source code files give a choice of either GPL-2.0 or GPL-3.0 + (not GPL-2.0+). The website states that the COPYING file in the + distribution is the official license - in this case it is GPL-2.0. This + is consistent with what Fedora state about the package. Accordingly, I^d + be ok with License: GPL-2.0 or License: (GPL-2.0 or GPL-3.0) but not + License: GPL-2.0+ + +------------------------------------------------------------------- +Sun Jun 24 03:51:58 UTC 2012 - crrodriguez@opensuse.org + +- Update to version 2.62, misc bugfixes +- Fix CFLAGS/LDFLAGS usage +- fix the small cache size problem in a different way by tweaking + the build config instead. + +------------------------------------------------------------------- +Sat Jun 23 03:53:32 UTC 2012 - crrodriguez@opensuse.org + +- The default cache size is way too small (150 entries) use a sane + default of 2000 as used in *WRT embeeded routers which is still + very conservative for a desktop/server machine. 
+- use async logging + +------------------------------------------------------------------- +Sun Apr 29 19:16:43 UTC 2012 - pascal.bleser@opensuse.org + +- update to 2.61: + * add ra-names, ra-stateless and slaac keywords for DHCPv6: dnsmasq can now + synthesise AAAA records for dual-stack hosts which get IPv6 addresses via + SLAAC; it is also now possible to use SLAAC and stateless DHCPv6, and to + tell clients to use SLAAC addresses as well as DHCP ones + * add --dhcp-duid to allow DUID-EN uids to be used + * explicity send DHCPv6 replies to the correct port, instead of relying on + clients to send requests with the correct source address, since at least + one client in the wild gets this wrong + * send a preference value of 255 in DHCPv6 replies when --dhcp-authoritative + is in effect: his tells clients not to wait around for other DHCP servers + * better logging of DHCPv6 options + * add --host-record + * invoke the DHCP script with action "tftp" when a TFTP file transfer + completes: the size of the file, address to which it was sent and complete + pathname are supplied; note that version 2.60 introduced some script + incompatibilties associated with DHCPv6, and this is a further change; to + be safe, scripts should ignore unknown actions, and if not IPv6-aware, + should exit if the environment variable DNSMASQ_IAID is set; the use-case + for this is to track netboot/install + * update contrib/port-forward/dnsmasq-portforward to reflect the above + * set the environment variable DNSMASQ_LOG_DHCP when running the script id + --log-dhcp is in effect, so that script can taylor their logging verbosity + * arrange that addresses specified with --listen-address work even if there + is no interface carrying the address; this is chiefly useful for IPv4 + loopback addresses, where any address in 127.0.0.0/8 is a valid loopback + address, but normally only 127.0.0.1 appears on the lo interface + * fix crash, introduced in 2.60, when a DHCPINFORM is received from a 
network + which has no valid dhcp-range + * add a new DHCP lease time keyword, "deprecated" for --dhcp-range: this is + only valid for IPv6, and sets the preffered lease time for both DHCP and RA + to zero; the effect is that clients can continue to use the address for + existing connections, but new connections will use other addresses, if they + exist; this makes hitless renumbering at least possible + * fix bug in address6_available() which caused DHCPv6 lease aquistion to fail + if more than one dhcp-range in use + * provide RDNSS and DNSSL data in router advertisements, using the settings + provided for DHCP options option6:domain-search and option6:dns-server + * don't cache data from non-recursive nameservers, since it may erroneously + look like a valid CNAME to a non-exitant name + * call SO_BINDTODEVICE on the DHCP socket(s) when doing DHCP on exacly one + interface and --bind-interfaces is set; this makes the OpenStack use-case + of one dnsmasq per virtual interface work + * give correct from-cache answers to explict CNAME queries + * add --tftp-lowercase option + * ensure that the DBus DhcpLeaseUpdated events are generated when a lease + goes through INIT_REBOOT state, even if the dhcp-script is not in use + +------------------------------------------------------------------- +Tue Mar 6 10:13:09 CET 2012 - ug@suse.de + +- some dhcp fixes +- Add Lua integration +- Set TOS on DHCP sockets +- Improve start-up speed when reading large hosts files +- Fix problem if dnsmasq is started without the stdin +- Allow the TFP server or boot server in --pxe-service +- Support DHCPv6. 
Support is there for the sort of things + the existing v4 server does, including tags, options, + static addresses and relay support +- Support IPv6 router advertisements +- Fix long-standing wrinkle with --localise-queries that + could result in wrong answers when DNS packets arrive + via an interface other than the expected one +- 2.60 + +------------------------------------------------------------------- +Wed Feb 8 16:56:35 CET 2012 - ug@suse.de + +- added correct group for tftp + (bnc#738905) + +------------------------------------------------------------------- +Mon Feb 6 22:25:05 UTC 2012 - crrodriguez@opensuse.org + +- Use systemd macros correctly +- build with PIE and full RELRO. + +------------------------------------------------------------------- +Thu Jan 19 04:22:44 UTC 2012 - crrodriguez@opensuse.org + +- --enable-dbus must be explicit in systemd unit +- default user is provided in config file or takes defaults on + group_and_isc.diff + +------------------------------------------------------------------- +Wed Jan 18 21:34:25 UTC 2012 - crrodriguez@opensuse.org + +- dnsmasq has dbus support, use it for systemd service. 
+ +------------------------------------------------------------------- +Fri Nov 25 13:14:41 CET 2011 - ug@suse.de + +- removed systemd config for pre-12.1 + +------------------------------------------------------------------- +Thu Nov 24 20:45:37 UTC 2011 - crrodriguez@opensuse.org + +- Must be of type forking and change uid to dnsmasq + +------------------------------------------------------------------- +Thu Nov 24 20:19:11 UTC 2011 - crrodriguez@opensuse.org + +- Add systemd startup script + +------------------------------------------------------------------- +Thu Oct 20 15:58:50 CEST 2011 - ug@suse.de + +- dnsmasq still announced itself as 2.59-RC1 + no other code changes than just the correct version string + +------------------------------------------------------------------- +Tue Oct 18 23:13:12 CEST 2011 - ug@suse.de + +- fixed binding to IPv6 link-local addresses + (regression from 2.58) +- 2.59 + +------------------------------------------------------------------- +Sun Sep 18 17:17:12 UTC 2011 - jengelh@medozas.de + +- Remove redundant tags/sections from specfile + (cf. 
packaging guidelines) +- Use %_smp_mflags for parallel build + +------------------------------------------------------------------- +Fri Aug 26 21:12:04 CEST 2011 - ug@suse.de + +- Support scope-ids in IPv6 addresses of nameservers from + /etc/resolv.conf and in --server options +- Fix bug which resulted in truncated files and timeouts for + some TFTP transfers +- Allow the TFTP-server address in --dhcp-boot to be a + domain-name which is looked up in /etc/hosts +- Tweak the behaviour of --domain-needed +- Add support for Linux conntrack connection marking +- Don't return NXDOMAIN to an AAAA query if we have CNAME + which points to an A record only +- logging fixes +- many DHCP fixes and features (see Changelog) +- update to 2.58 + +------------------------------------------------------------------- +Wed Mar 2 09:52:12 CET 2011 - ug@suse.de + +- Add IPv6 support to the TFTP server +- Log DNS queries at level LOG_INFO +- Add --add-mac option +- some logging fixes +- Don't complain about strings longer than + 255 characters in txt records +- extended the --domain option +- Never cache DNS replies which have the 'cd' bit set +- Add --proxy-dnssec flag +- Allow a filename of "-" for --conf-file +- some smaller bugfixes +- update to 2.57 + +------------------------------------------------------------------- +Tue Jun 8 09:31:21 CEST 2010 - ug@suse.de + +* Fix crash when /etc/ethers is in use. +* Fix crash in netlink_multicast(). +* Allow the empty domain "." in dhcp domain-search (119) + options. 
+* 2.55 (there was no 2.54) + +------------------------------------------------------------------- +Mon Jun 7 11:47:58 CEST 2010 - ug@suse.de + +* Fixed bug which caused bad things to happen if a + resolv.conf file which exists is subsequently removed +* Rationalised the DHCP tag system +* Added --tag-if to allow boolean operations on tags +* Add broadcast/unicast information to DHCP logging +* Allow --dhcp-broadcast to be unconditional +* Fixed incorrect behaviour with NOT conditionals in + dhcp-options +* If we send vendor-class encapsulated options based on the + vendor-class supplied by the client, and no explicit + vendor-class option is given, echo back the vendor-class + from the client. +* Fix bug which stopped dnsmasq from matching both a + circuitid and a remoteid +* Add --dhcp-proxy +* Added interface: part to dhcp-range +* and a lot more ... checke the CHANGELOG in the package + +* 2.53 + +------------------------------------------------------------------- +Mon Jan 25 09:31:02 CET 2010 - ug@suse.de + +* adds support for RFC 3925 vendor identifying vendor + options. + +* has some minor enhancements to the PXE subsystem and external + hooks for tracking DHCP leases. + +* 2.52 + +------------------------------------------------------------------- +Fri Nov 20 16:07:32 CET 2009 - ug@suse.de + +* Add support for internationalised DNS. + +* Add two more environment variables for lease-change scripts: + First, DNSMASQ_SUPPLIED_HOSTNAME; this is set to the hostname + supplied by a client, even if the actual hostname used is + over-ridden by dhcp-host or dhcp-ignore-names directives. + Also DNSMASQ_RELAY_ADDRESS which gives the address of + a DHCP relay, if used. + +* Fix regression which broke echo of relay-agent + options. Thanks to Michael Rack for spotting this. + +* Don't treat option 67 as being interchangeable with + dhcp-boot parameters if it's specified as + dhcp-option-force. + +* Make the code to call scripts on lease-change compile-time + optional. 
It can be switched off by editing src/config.h + or building with "make COPTS=-DNO_SCRIPT". + +* Make the TFTP server cope with filenames from Windows/DOS + which use '\' as pathname separator. Thanks to Ralf for + the patch. + +* Warn if an IP address is duplicated in /etc/ethers. + +* Teach --conf-dir to take an option list of file suffices + which will be ignored when scanning the directory. Useful + for backup files etc. Thanks to Helmut Hullen for the + suggestion. + +* Add new DHCP option named tftpserver-address + +* Don't do any PXE processing, even for clients with the + correct vendorclass, unless at least one pxe-prompt or + pxe-service option is given. + +* Limit the blocksize used for TFTP transfers to a value + which avoids packet fragmentation, based on the MTU of the + local interface. Many netboot ROMs can't cope with + fragmented packets. + +* Honour dhcp-ignore configuration for PXE and proxy-PXE + requests. + +* 2.51 + +------------------------------------------------------------------- +Tue Nov 3 19:09:13 UTC 2009 - coolo@novell.com + +- updated patches to apply with fuzz=0 + +------------------------------------------------------------------- +Tue Sep 1 10:30:14 CEST 2009 - ug@suse.de + +- Fix security problem which allowed any host permitted to + do TFTP to possibly compromise dnsmasq by remote buffer + overflow when TFTP enabled. +- version 2.50 + +------------------------------------------------------------------- +Tue Jun 16 10:57:25 CEST 2009 - ug@suse.de + +- Fix regression in 2.48 which disables the lease-change + script +- version 2.49 + +------------------------------------------------------------------- +Fri Jun 5 10:29:10 CEST 2009 - ug@suse.de + +-Fixed bug which broke binding of servers to physical + interfaces when interface names were longer than four + characters. 
+- Fixed netlink code +- Don't read included configuration files more than once +- Mark log messages from the various subsystems in dnsmasq +- Fix possible infinite DHCP protocol loop when an IP + address nailed to a hostname +- Allow --addn-hosts to take a directory +- Support --bridge-interface on all platforms +- Added support for advanced PXE functions +- Improvements to DHCP logging +- Added --test command-line switch +- version 2.48 + +------------------------------------------------------------------- +Mon Mar 16 09:57:55 CET 2009 - ug@suse.de + +- dbus documentation added + +------------------------------------------------------------------- +Tue Mar 10 16:24:17 CET 2009 - ug@suse.de + +- Enable dbus support by jnelson + +------------------------------------------------------------------- +Fri Feb 6 10:09:35 CET 2009 - ug@suse.de + +- Handle duplicate address detection on IPv6 more + intelligently +- Add DBus introspection +- Update Dbus configuration file +- Support arbitrarily encapsulated DHCP options +- dhcp-option = encap:175, 190, "iscsi-client0" +- dhcp-option = encap:175, 191, "iscsi-client0-secret" +- Enhance --dhcp-match to allow testing of the contents of a + client-sent option, as well as its presence +- No longer complain about blank lines in + /etc/ethers +- Fix binding of servers to physical devices +- Reply to DHCPINFORM requests even when the supplied ciaddr + doesn't fall in any dhcp-range +- Allow the source address of an alias to be a range +- version 2.47 + +------------------------------------------------------------------- +Tue Nov 11 13:57:17 CET 2008 - kukuk@suse.de + +- Add /usr/sbin/useradd to PreReq + +------------------------------------------------------------------- +Sat Sep 13 00:51:49 CEST 2008 - mrueckert@suse.de + +- fix manpage.diff to actually apply +- mark files below /etc as config +- do not install README.SUSE in %install as %doc will clean the + directory anyway. 
+ +------------------------------------------------------------------- +Fri Sep 12 15:10:55 CEST 2008 - ug@suse.de + +- user dnsmasq moved to group nogroup (bnc#401648) +- added README.SUSE +- added warning to init script when /etc/ppp is in use + since it's not readable anymore + +------------------------------------------------------------------- +Tue Aug 19 10:41:48 CEST 2008 - ug@suse.de + +- init script fixed + +------------------------------------------------------------------- +Mon Aug 11 16:32:03 CEST 2008 - ug@suse.de + +- Fix crash when unknown client attempts to renew a DHCP + lease, problem introduced in version 2.43. Thanks to + Carlos Carvalho for help chasing this down. + +- Fix potential crash when a host which doesn't have a lease + does DHCPINFORM. Again introduced in 2.43. This bug has + never been reported in the wild. + +- Fix crash in netlink code introduced in 2.43. Thanks to + Jean Wolter for finding this. + +- Change implementation of min_port to work even if min-port + as large. +- 2.4.45 + +------------------------------------------------------------------- +Mon Jul 14 09:45:15 CEST 2008 - ug@suse.de + +- This release fixes the DNS spoofing vulnerabilities announced in + CERT VU#800113. It adds source port randomization for communication with + upstream nameservers and replaces the C library PRNG with stronger code. It + makes failure to drop root privileges a hard error (previous versions would + log the error and continue, running as root.) Other changes include an + update to avoid triggering Linux kernel messages about an out-of-date + capabilities ABI, support for NAPTR records, and RFC 5107 + server-id-override. +- 2.43 + +------------------------------------------------------------------- +Thu Jun 19 16:42:54 CEST 2008 - ug@suse.de + +- running as user dnsmasq now (bnc#401643) + +------------------------------------------------------------------- +Thu Jun 5 15:33:40 CEST 2008 - ug@suse.de + +* Add --dhcp-alternate-port option. 
Thanks to Jan Psota for + the suggestion. +* Updated Polish translations - thank to Jan Psota. +* Provide --dhcp-bridge on all BSD variants. +* Define _LARGEFILE_SOURCE which removes an arbitrary 2GB + limit on logfiles. Thanks to Paul Chambers for spotting + the problem. +* Fix RFC3046 agent-id echo code, broken for many + releases. Thanks to Jeremy Laine for spotting the problem + and providing a patch. +* Add --dhcp-scriptuser option. +* Support new capability interface on suitable Linux + kernels, removes "legacy support in use" messages. Thanks + to Jorge Bastos for pointing this out. +* Fix subtle bug in cache code which could cause dnsmasq to + lock spinning CPU in rare circumstances. Thanks to Alex + Chekholko for bug reports and help debugging. +* Support netascii transfer mode for TFTP. +- 2.42 + +------------------------------------------------------------------- +Wed Feb 13 09:54:14 CET 2008 - ug@suse.de + +- Allow the DNS function to be completely disabled, by + setting the port to zero "--port=0" +- Fix a bug where NXDOMAIN could be returned for a query + even if the name's value was known for a different query + type. +- Fixed possible crash bug in DBus IPv6 code +- Add --dhcp-no-override option +- Add --tftp-port-range option +- Add --stop-dns-rebind option +- Added --all-servers option +- Add --dhcp-optsfile option +- Fixed broken --alias functionality +- Add --dhcp-match flag +- Added --dhcp-broadcast, to force broadcast replies +- multiple bugs fixed +- 2.41 + +------------------------------------------------------------------- +Fri Jan 4 06:32:08 CET 2008 - crrodriguez@suse.de + +- bzip tarball +- use find_lang macro. 
+ +------------------------------------------------------------------- +Thu Dec 6 17:21:05 CET 2007 - ug@suse.de + +- version 2.40 +- Fix handling of fully-qualified names in --dhcp-host +- Fixed error in manpage +- Fixed misaligned memory access which caused problems on + Blackfin CPUs +- lots of new options (see changelog for details) + +------------------------------------------------------------------- +Wed May 2 10:17:37 CEST 2007 - ug@suse.de + +- version 2.39 +- names like "localhost." in /etc/hosts with trailing period + are treated as fully-qualified. +- Tolerate and ignore spaces around commas in the + configuration file in all circumstances +- /a is no longer a valid escape in quoted strings. +- Added symbolic DHCP option names +- Overhauled the log code +- --log-facility can now take a file-name +- Added --log-dhcp flag +- Added 127.0.0.0/8 and 169.254.0.0/16 to the address + ranges affected by --bogus-priv +- Fixed failure of TFTP server with --listen-address +- Added --dhcp-circuitid and --dhcp-remoteid for RFC3046 +- Added --dhcp-subscrid for RFC3993 subscriber-id relay +- Corrected garbage-collection +- Allow absolute paths for TFTP transfers even when + --tftp-root is set, as long as the path matches the root +- Updated translations +- Added --interface-name option + +------------------------------------------------------------------- +Thu Mar 15 16:00:11 CET 2007 - ug@suse.de + +- SuSEFirewall service files fixed and enhanced + +------------------------------------------------------------------- +Tue Mar 6 11:55:37 CET 2007 - ug@suse.de + +- SuSEFirewall service file added + +------------------------------------------------------------------- +Tue Feb 13 09:33:37 CET 2007 - ug@suse.de + +- version 2.38 + + Don't send length zero DHCP option 43 and cope with + encapsulated options whose total length exceeds 255 octets + by splitting them into multiple option 43 pieces. 
+ + Avoid queries being retried forever when --strict-order is + set and an upstream server returns a SERVFAIL + error. Thanks to Johannes Stezenbach for spotting this. + + Fix BOOTP support, broken in version 2.37. + + Add example dhcp-options for Etherboot. + + Add \e (for ASCII ESCape) to the set of valid escapes + in config-file strings. + + Added --dhcp-option-force flag and examples in the + configuration file which use this to control PXELinux. + + Added --tftp-no-blocksize option. + + Set netid tag "bootp" when BOOTP (rather than DHCP) is in + use. This makes it easy to customise which options are + sent to BOOTP clients. (BOOTP allows only 64 octets for + options, so it can be necessary to trim things.) + + Fix rare hang in cache code, a 2.37 regression. This + probably needs an infinite DHCP lease and some bad luck to + trigger. Thanks to Detlef Reichelt for bug reports and + testing. + +------------------------------------------------------------------- +Mon Feb 5 16:29:39 CET 2007 - ug@suse.de + + Add better support for RFC-2855 DHCP-over-firewire and RFC +-4390 DHCP-over-InfiniBand. A good suggestion from Karl Svec. + + Some efficiency tweaks to the cache code for very large + /etc/hosts files. Should improve reverse (address->name) + lookups and garbage collection. Thanks to Jan 'RedBully' + Seiffert for input on this. + + Fix regression in 2.36 which made bogus-nxdomain + and DNS caching unreliable. Thanks to Dennis DeDonatis + and Jan Seiffert for bug reports. + + Make DHCP encapsulated vendor-class options sane. Be + warned that some conceivable existing configurations + using these may break, but they work in a much + simpler and more logical way now. Prepending + "vendor:" to an option encapsulates it + in option 43, and the option is sent only if the + client-supplied vendor-class substring-matches with + the given client-id. Thanks to Dennis DeDonatis for + help with this. 
+ + Apply patch from Jan Seiffert to tidy up tftp.c + + Add support for overloading the filename and servername + fields in DHCP packet. This gives extra option-space when + these fields are not being used or with a modern client + which supports moving them into options. + + Added a LIMITS section to the man-page, with guidance on + maximum numbers of clients, file sizes and tuning. + +- version 2.37 + +------------------------------------------------------------------- +Mon Jan 22 15:20:06 CET 2007 - ug@suse.de + +- version 2.36 + +------------------------------------------------------------------- +Mon Oct 30 09:28:53 CET 2006 - ug@suse.de + +- version 2.35 +- better performance on parsing huge /etc/hosts files + +------------------------------------------------------------------- +Tue Oct 17 09:14:10 CEST 2006 - ug@suse.de + +- version 2.34 +- Tweak network-determination code +- Improve handling of high DNS loads +- Fixed intermittent infinite loop when re-reading + /etc/ethers after SIGHUP +- Provide extra information to the lease-change script +- Run the lease change script as root +- Add contrib/port-forward/* which is a script to set up + port-forwards using the DHCP lease-change script +- Fix unaligned access problem +- Fixed problem with DHCPRELEASE +- Updated French translation +- Upgraded the name hash function in the DNS cache +- Added --clear-on-reload flag +- Treat a nameserver address of 0.0.0.0 as "nothing" +- Added Webmin module in contrib/webmin + +------------------------------------------------------------------- +Fri Aug 11 10:17:41 CEST 2006 - ug@suse.de + +- init-script more LSB conform + patch by Matthias Andree + +------------------------------------------------------------------- +Mon Aug 7 09:10:16 CEST 2006 - ug@suse.de + +- version 2.33 +- Provide extra information to lease-change script +- Fix breakage with some DHCP relay implementations +- compilation warning fixes +- minor DNS and DHCP fixes and enhancements + 
+------------------------------------------------------------------- +Mon Jun 12 13:49:39 CEST 2006 - ug@suse.de + +- version 2.32 + +------------------------------------------------------------------- +Wed May 17 13:51:37 CEST 2006 - ug@suse.de + +- version 2.31 + +------------------------------------------------------------------- +Wed Jan 25 21:35:31 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Mon Jan 23 14:45:47 CET 2006 - ug@suse.de + +- Fixed crash when attempting to send a DHCP NAK to a host + which believes it has a lease on an unknown network. + That bug was invented in 2.25 +- version 2.26 + +------------------------------------------------------------------- +Mon Jan 16 12:29:50 CET 2006 - ug@suse.de + +- moved dnsmasq.no to dnsmasq.np + see bug #42748 + +------------------------------------------------------------------- +Mon Jan 16 10:15:13 CET 2006 - ug@suse.de + +- version update to 2.25 + +------------------------------------------------------------------- +Mon Nov 28 11:57:20 CET 2005 - ug@suse.de + +- version update to 2.24 + +------------------------------------------------------------------- +Mon Oct 17 14:41:02 CEST 2005 - ug@suse.de + +- "-fno-strict-aliasing" now + +------------------------------------------------------------------- +Wed Oct 12 17:02:29 CEST 2005 - ug@suse.de + +- version update to 2.23 + +------------------------------------------------------------------- +Wed Aug 24 10:26:55 CEST 2005 - ug@suse.de + +- Fix DNS query forwarding for empty queries and forward + queries even when the recursion-desired bit is clear. 
+ This allows "dig +trace" to work + Bug #106717 + +------------------------------------------------------------------- +Fri Aug 5 10:38:00 CEST 2005 - cthiel@suse.de + +- update to version 2.22 + +------------------------------------------------------------------- +Wed Apr 13 14:04:44 CEST 2005 - mls@suse.de + +- fix slp registration + +------------------------------------------------------------------- +Mon Jan 24 10:56:13 CET 2005 - ug@suse.de + +- version update from 2.19 to 2.20 +- Allow more than one instance of dnsmasq to run on a + machine, each providing DHCP service on a different + interface +- Protect against overlong names and overlong + labels in configuration and from DHCP. +- Fix interesting corner case in CNAME handling. This occurs + when a CNAME has a target which "shadowed" by a name in + /etc/hosts or from DHCP +- Added support for SRV records +- Fixed sign confusion in the vendor-id matching code +- Added the ability to match the netid tag in a + dhcp-range +- Added preference values for MX records +- Added the --localise-queries option. + + +------------------------------------------------------------------- +Fri Jan 21 10:33:00 CET 2005 - ug@suse.de + +- version update to 2.19 +- minor fixes in IPV6 and DHCP Code + +------------------------------------------------------------------- +Fri Nov 26 13:53:00 CET 2004 - ug@suse.de + +- version update to 2.18 +- lots of DHCP fixes +- some IPV6 fixes + +------------------------------------------------------------------- +Fri Nov 19 15:50:11 CET 2004 - ug@suse.de + +- SLP support via /etc/slp.reg.d/dnsmasq.reg file added + +------------------------------------------------------------------- +Fri Aug 20 10:52:05 CEST 2004 - ug@suse.de + +- version update from 2.11 to 2.13 +- Added extra checks to ensure that DHCP created DNS entries + cannot generate multiple DNS address->name entries. +- Don't set the the filterwin2k option in the example config + file and add warnings that is breaks Kerberos. 
+- Log types of incoming queries as well as source and domain. +- Log NODATA replies generated as a result of the filterwin2k + option. + +------------------------------------------------------------------- +Mon Aug 9 12:12:24 CEST 2004 - ug@suse.de + +- version update from 2.8 to 2.11 + +------------------------------------------------------------------- +Tue Jun 1 17:09:51 CEST 2004 - ug@suse.de + +- chgrp to "dialout" and not to "dip" +- backward compatibility turned off + +------------------------------------------------------------------- +Mon May 24 17:28:52 CEST 2004 - ug@suse.de + +- added to distribution + diff --git a/dnsmasq.keyring b/dnsmasq.keyring new file mode 100644 index 0000000..b8a47fd --- /dev/null +++ b/dnsmasq.keyring 
@@ -0,0 +1,116 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFMbjUMBEACsU1Xk8+uu/EsGVJTh9Tn31C2e0ycd0voBVT7cTdtXpzeiNR+o +/zUAi95ds7FiecpZJp1nRO4vNzvaaAPZhFsFVLzZYyIVABgTXsskT88xbZvzb4W5 +KKRWVhoTQxVDgj1+dXLUXULTB6rg02WEhqnix/qf/zFdM9I4/3pRHJn9k+3XKygR +on+nYtljfn3AKBelCo1y28istC6wCncoH11b/qdQtlfxVXaJY4HF27V0MqFFmDMg +cuhOHR7DnhymeDh7GmLfTHJ4LUFG+TecqCjiYhyWcuv2wuSb0EPXUKHJQVViQ8qg +KyPm1ly6uFP0CYdVavO7/oJwKFBIChECrj7BQ4GsImMHeuSzfWno7qy6Fxoxx2+g +0F9cdXWvcxFDGPQsL5vXp8KYNwBrzmijRzQ2ZAnrbG+ilFCkJCbxXcrhzpd4tKwE +0dgcyPL1Ma/lrznhL4ZuOzjVMgLNne7WiPpBNRqI1GoT0pUn6as4pU3En8B+K7zy +MLVfHvI1+iH45fP5bZwYSbXCa85v4+xqljYrzs9giaROEsXe/tsXvuc6JPCcmJXk +CUO3c3QVxqDFt9OYuTHIR8hqehDPLgFgzKqVuoAwMkhTf/zZNGlsy4jvKXQNcZ50 +uD4mWO3e+gykNW/OH+88IoCR0rgjQ6trMLOceZFnrtvxwRL//lMndGCTYQARAQAB +tB1TaW1vbiBLZWxsZXkgPHNya0BkZWJpYW4ub3JnPohGBBARCAAGBQJTIekzAAoJ +ECnhT5k5Gzkoj68AoLY6cFPxNnlydNDCV5iyFSzEl12RAKCl5yuxvzKxW1q7uVcG +CsD9f9Z5/YhGBBARCAAGBQJTL0SDAAoJEBbi9PX8geFZnAsAnAs9JR/9UxY1QnWF +HA2j7uSlQYt1AJ4zM23PcfSyZ9SfzgJJEEVggkMiEIkCHAQQAQgABgUCUyHp8gAK +CRAC0CBFCPsO9xaxD/9IX6DfMxFh5n6o0LebuyWJsk0I90wKJ53TmjBl83qgeF8F +pENzucALqZJ3AUXvqKt3n9tKDYfNHpOniEjL/kzlZcW/iO2b7QpdgqcOMe/Xb3ux +IAsWhgqWbgriWcTtP+omSdz+YaUtZ9abljmNX9B9X1nDG/KRPk6HnHHN42I52+SZ +XikIKT5u3Xm0YPSkgjaf9Mw9V8NUAMuWGtYGsGnuVorKfpDlW8jgaJUGcdKIqwZU +RpfTJS4NjMZlJTZEtokbgE80eqUepJBi+zKjpAc+keDQrq9ZZkWmAU5ceUtgw0n3 +U1L4NfsGqUSJvad1ZCoJjNm2BFQkr8N3obqvZ7rT/kI+focLCpBmvUxF1jq8QlL0 +ul3m4Yg55AVMQMFnbalxQBvbRxk10rUn4GCKV9W4y8sCzZbt8A3Eu0Aexd00K+WS +qvryh0wjwLrDdl3hHpcvi1+hheX16Y4qI3lKIKkr0cck3FIC5fq8feVPJH7+wbWF +rGe27hOfVPbMElGCHYOIq4ksfqGefsXul/V9kRRQT8DpVJ9uan5roJd+f2a+CcXn +VDKUqQUJq5eFXlay6wS1aU0AJ4mMpcGD53wuQDoWYl5wxthnMFN1xo3k7At9dGkC +QKw4NaTaVck2WE6e2ZV9rowsOeWXrhL/eP7XCco4eKF/5zZ7FEzLl5AJQrCpVIkC +HAQQAQgABgUCUy9EqgAKCRBjziC6xJxBSJJ/EAC41IxcJQazTbF0m+dBFzXQeQnG +b/CDtieBVrhZl916rI/a1A6NN1/rk4xIg4Iit+lYc8Oxwl+w/d+NseiMV/HzWImc +WY53HH1qoH0oPXkUPhaGCr4TKTxOI9lQQeJVT1FHw3pP/uYh76VU0noZnWJKTb0P 
+WDr6gznoajHZ3fLRzwWcIrVOzoPWl5GIiIyr6CMZxx1UnKKb/JkjdarMe+6X/9aZ +0QXPCBeqHTfBvHeJBLbNd2/CDIH6AFtWmT7prE4hti6kC9M1dhBX0fPiKZagMWVc +Z1jMIzNvpDIfjpE2B8SUBvxRwKSdCMvCdrACNc8QeCsfrJqu5hH0fUsEvFggcDig +FhAJTGafgCsMs4XqRnrx4zx58HFW7i4C2SWKX1fw1TKeHIj0MNYmhARPnZ6SiO06 +vfU0JccK1SZORhs8TAnEA5EwF/ckQ+XPZusZGBxJtpwkblEThDDaF8olM5BOI2Tg +OkvBisKEsrwK2adFLuMBm2HdTZbsWpzs4V8qzfO6j/ZFFEIbd+M5Vftog6ngKehu ++TQ3FcOES1Skx4/Sjuo9bw53GsXJDdgKjG73iLHVLp1rebXjc66N2aUzQazsBzJ6 +rhs3cWiQvOszFyKg7qzBfOCH1EYLMyRGsHO1aASldB/w9twGWIX6wNXZph6sYE32 +qZs30VffQgoZpadCwokCNwQTAQgAIQUCUyDDdAIbAwULCQgHAwUVCgkICwUWAgMB +AAIeAQIXgAAKCRAVzdpq4ZE1oqFGD/9LkbZFigc1jbZ5zIbmGkGvfniWp1mJhEcp +gKNfb2MMiu1lKULccIvfVyIY5WDrrpoPnHLnhYA9OXHcwVADGBayoVOQgIePrMV0 +V24uYjUh9+9zGRwQrCLo0rl/l07GKH0S1dxDUeyhJRYZGYEqW2+3XDJqIbfsDzSm +PNCyjVvqSvkkt0YyuNbH0+cVEoJ1Q2HmfEhvgd4LlHZDyhMVqKlKmlnCa8DmhwK+ +EyzJgLKITqjxBO3NOqPmYZlp8irLXyHAH1sDafaBwRjV9cNX2TLTwn3wDdUmoAwM +z1jopi/61A0kEglENYaa+NH/UnqfWOo7riXuZNwGVP/F/KlMV+JdXMY34fcSIQMW +k9cpxzhpuOJjwhoK7g/yq8q9578QXv4VR6ndH+LeHDRrm2Ftnih/Ut8unqqDteMJ +nd3YxSK3Ep78WgVBL9y2Qo3CyKY6VSXlshWZokwyrwVS8uLqIGAUzLwsKTYi1nms +Db7mQZqUbPBxYN2mrroD7Pr1/XAV8oNxw6l84nzfzObEKvNZLFtWctNpFJXhWhtm +/AeQBdkYKcMyTrwQt9Q0XMYKUGE05U+oAdtTvgCRJLltqzmt5yMpTPncNmXVoA5Y +vEVdCU6/Gxpn3Aea8ckBmIqxxQY1QFdEr2nvxPNASbkvHDNDr9XUlKQDqjherurK +BIBEiKCMnLQmU2ltb24gS2VsbGV5IDxzaW1vbkB0aGVrZWxsZXlzLm9yZy51az6I +RgQQEQgABgUCUxuNwQAKCRAo/IaaKJuCt0K1AJ9VX7VMWs0ECf4+hyf6d0qGutHy +cgCeMSyQgaaL/XbiUbhPaxdTgWjGQ3iIRgQQEQgABgUCUyHpMwAKCRAp4U+ZORs5 +KMjoAJ463imlnHBKRGUmZ45Z3OwxJx7kvgCePl6vO1lSo/XCdOaPE0UpCsSWJRCI +RgQQEQgABgUCUy9EgwAKCRAW4vT1/IHhWQW1AJ0dyPzHcxuJAbQnnMHj8zLynSkt +UgCfQshlIc2/HKFEbTM2yJR/Re45ui+JAhwEEAEIAAYFAlMh6fIACgkQAtAgRQj7 +Dvch0g//cWB0hAsMJ3jBQDuJxBh8gEJ4b8g8190brWXl9faXPqjpuYi1A/tRFcfP +gL408NN9+8iBzmuZ2SNwqYJgYZo9fEPbxIJrWZ+hDF2kRAr3nbEY1End0OfghdAF +G6NSUKmYVVHWCxGWHL3zYBJipeiKFR8D/JqB/3MQxXOWOhnZRQHicpcpz3Wdy2/e +AxMmvFUHNpkhvC+sumQ1vMn+jPJ6UBu39XMiW/ZTySapR2WhZ6Stg39Q7ziVwfPB 
+UB9alvvsPbiKLM3VowzkhpsDrmsztxjJqX2TyT5B+ZV6BVyjeQTv5f4LxENY7Jqd +eFWRyanXDux0R5LC0C7zQ0Eot2puKJNsZtyp9ja8idStkJlARq1ruArcGm4L4aCh +sa9BgAwkCVZS6kQgvlCKfeydJDrGY/BWI8ANyNVOcPMCYklKsPLvvDgghRpta0ul +0Mv8Gxgz8GYwmZ2jRyAko/M3lxPWJIU39nzLP0vDS0FD8rtYN/yKCBjZ2nRE8xJg +HdNhSZ3FJVKNOcgwHFYPyKsIDPGrSUKhFi2BNEB63Kjlonmggiffn8diocSp0aqS +gF0qL/jNCmA5CFfTkBPioqBs8XZazdmRZm3yCiy2DMB9LMTJICY224T/CoX8QyFK +EpMvYFE8MMq6SVYypF2esjRaUqPjLZ/Dhy9dpy6s8kDjU8Gnq8eJAhwEEAEIAAYF +AlMvRKQACgkQY84gusScQUi4WA//agQcVXsdp8Wr6zFeFXdAIWCWuYiNePDW6g+x +GS57gg1sIvsK6p3zItE6FB5YdS6d+r13dOlvCckhyIgMS9Mw6aurXU+uX+ojk0We +lusbnm8SoKgt5GbMXBM3HmEdXTgipUYUALGe0PQST/2Wn0g/zTptrMXTzp3mJvCA +OEF8Fg1Tmsq1fBTiAwZAS5j4ZtQRjRK3YQgQmLL6mEje4BSQTbM13IjTCbQZl1jc +k7B7TQHiiELsxEYGAgtvy7kziJaHiOs+pjO5lWbj7K2qkWuYhiE7xiOKnkM4k6fs +aiLvGD0KxOu4kDKkmWQsb92oXooiXdOpeBRaRGBIOR+BTA/SVuK752sS8F3PMdf2 +VUEIcpboIXrRPY+6D0GwN+d6MlAggLpHeFIjWLVCzQm2c3ynSghQmo5yHyGPCKjR +rlr5roylYgwJNu2yJSkHsjShMSMfCZK+Fj0ASxZlwpE/o2EDCcf0ekqDcK6WudEq +H00/svuNxqUkOeXtyn35MtEmZPjv5u6Fu4Cj48M4f1Ji7Dm/SDVyd4GEvwg0938A +PlLAAPoF53k9yMoGKn1PHZ5NrpldtICJvKv0kGIsoTDPj2QpCl3h8qHlP0mzu9g1 +isP2bWSP9W/cV67nNRwSif1FzTyUcqByIuHWfwEUP85PN/W3gTJxptALAdctfpXk +5azWTOaJAjoEEwEIACQCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlMgw44C +GQEACgkQFc3aauGRNaLaZg/+PR41J3P7omGv6XD+TiAXfJQoR5RfzQoeLNUQEnir +/XBulg45203cYHEurchEhSTn2f4WVtFgxJrgId7XGYdf8oIZIjBd82fpwdMwhbfc +v/6iqzWL0+2vaPmBqE7iwDTatI888q5TyXppGe8L5/VjX0aBvmVIPyEE9BFQas+v +v5byUkU542FxPApGsv0W0P1pKabLl0F7ItPFPuaD0+K1kwBrWbuGhBKMV9jGHB4q +dX/21FBczgAf3J9yJ22vm6orCwwhptxde+DSn7vqZNjDtHGrkUWDzKAQBy1g4BmT +l6IoVgYKZXAVBGMtYUjS+80VV+QE9meVqmtX1aJJEnf0/BRdv9CeD46hZArwXwi/ +AWFs300pEfzwcC+9T5xc3jlSdYdWxeQDV7XwK2VCOhxjFqTm+ehP2Gh14Wfpc34j +N9jMJ3OowxzN5iZxGYzkHLFhM+0IKEeWEjxRWOoJgV5PmNvG7IBbzt8O9xo550h7 +JmXZVsfSpkFpzJPy0Puz1JeyH/niCeDwKkhEHXQTk/4O+EODRxruJbwIYGeO2lNf +Pn2Hcb1aHvSclx7GGOYDzI4jN0UcYroJpvHZU+0X2ClpCTAW5IshgHkOkdUQ1c7S ++5zPTeLbW+pxTlbWClA0NYMbSn68//i/DMstyBEwtTWYJLmg5V3HWzRd/6BwKZfD 
+Suu5Ag0EUyDDoQEQAMfQfa2tw3+OJFGMQEzLJSoXYN8/HnZEgKNlcMuYzhheQLgu +/MfcQJ7mnCIdn6xdPaalfLmYx63tM47/NGEM1+MSEvovPiRG0OLxzSgwei9DiGeN +EgsPTLXSZ5EVSXCM1+e9mT1ExT9aGLNnpCd6kIyWIcKCVMot+XC70R9prWLeyKSh +0FAZ0Pwv9i23osJVGOtJjND+WZ0uCeN29ocfN0b64yF4nPRc9IbcmYIDgNU3RybK +2Z/dupbthTisRjHRI3iX3/tiymXF3J0sSvsCluWIJWmyltS3Xyk/wfKVJz6OouiJ +jTj5utXVnCGptCDw+DCcj89vx1N0+0Dhm1cQcNZvXjMbVDTsuU+eVpJbxU6y8N+n +XpAXjEw4jMi3zNpqKtkyv2YpoqY5HhGLybgrY0zwSQOyMNf9lZ5J7znq5gEmiMXn +G9OPEw7PPSvm6QfbHPY/jAOgxsu7Fme7k303D5KkyGkkbzQiYyEtMZvbOMH/uECi +2uHGB72qiGpEYjMtHhihaRCBl+0bY8sH83He690qNQHSdStjaKXcecduE/v5iO0m +OYIHdsEHhKlWsE1GXXVLofBr68UBhYV6/AGXko4Pr+dXLzauN4kALDx6WltFu3qU +voD+uEoLq7IXULMo5Pyd7bO4qGQMKykaXTb5o6dqdu4GzWIUw1fr9kLEmo29ABEB +AAGJAh8EGAEIAAkFAlMgw6ECGwwACgkQFc3aauGRNaIjqA/+PXuaM6JHuudLycmB +0iKAwyB5csOFGpF3b9FgMR68TC4jzi5J5hJZASl0cO/e0ytQsrDUBbH74y+WaA4l +dwBVYr0j/2hqzIjrnGMtgWeHFPLV3sKw8DGuNx1/cOoljJXzi1WWSHIwDvaj3uZ9 +CwHt+4/abR7kdvMcnFhQVA4zuzZWFqpp+CDkkJNVwB9zxtAQwGTGF4cQ0IvTkhCo +6DQhZZVTeyn+nBKxzzWijniWc0LyRsum03MxZ6E7UVIInCTjdXTalnO8wColwIx5 +FV4nTMxdsKKgnIXmLexBdd03bW9TkowWf2C2XfDN+pDS8X3MzO6zAyogqJhAiBFj +nRzkOw0cw1VTL00o8uiWdMeu7OKOKeQbUilMAn4MweKB57mc582kjeGmwdZgWFA4 +BJ2eiH7HwjxiynwMdZwQEBdOTNLbggHk3/mScF8U1KcJhjAFf7Ne+Z0feG/8GgKl +5aj3ucl821+dfpzB79lLo+kmd1qkDyDiUR5yN6P8l8k6IAUJz2KUe0BjtO6VFFw0 +xni05dkrXdfo7IO79ictHmEn+g3QO8ZLUGRwdtZ1cMhTkm7FhH8Bdby0y4Soqluv +Hbri++cC91i1I3a92kHi/8O45rnLhVt+sOfxY1QnSIYh5OFwGMqMCNDTEL7ESiFa +FhSXkmzzVntlyvOBMlgz3IGh2hA= +=00xm +-----END PGP PUBLIC KEY BLOCK----- diff --git a/dnsmasq.reg b/dnsmasq.reg new file mode 100644 index 0000000..d070172 --- /dev/null +++ b/dnsmasq.reg @@ -0,0 +1,12 @@ +############################################################################# +# +# OpenSLP registration file +# +# register domain name service (DNS) daemon +# +############################################################################# + +service:domain://$HOSTNAME:53,en,65535 +watch-port-udp=53 +description=Domain Name Service + 
diff --git a/dnsmasq.service b/dnsmasq.service
new file mode 100644
index 0000000..5a6e26d
--- /dev/null
+++ b/dnsmasq.service
@@ -0,0 +1,30 @@
+[Unit]
+Description=DNS caching server.
+After=network.target
+Wants=nss-lookup.target
+Before=nss-lookup.target
+
+[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+Type=dbus
+BusName=uk.org.thekelleys.dnsmasq
+ExecStartPre=/usr/sbin/dnsmasq --test
+ExecStart=/usr/sbin/dnsmasq --log-async --enable-dbus --keep-in-foreground
+ExecReload=/bin/kill -HUP $MAINPID
+#### kills logging, so not enabled
+# PrivateDevices=yes
+####
+
+[Install]
+WantedBy=multi-user.target
diff --git a/dnsmasq.spec b/dnsmasq.spec
new file mode 100644
index 0000000..54a960c
--- /dev/null
+++ b/dnsmasq.spec
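Review bot: The `[Service]` hardening block leaves out `NoNewPrivileges=true` and a `CapabilityBoundingSet=`, so the daemon starts with the full root capability set until its own privilege drop runs, and the lease-change script, which the 2.34 changelog entry says runs as root unless `--dhcp-scriptuser` is set, is not bounded either. `NoNewPrivileges=true` looks like a low-risk addition since, as far as I can tell, dnsmasq drops privileges with setuid/setgid rather than by executing a privileged binary; a `CapabilityBoundingSet=` limited to the network and setuid/setgid capabilities it retains should be verified against the DHCP, TFTP and dhcp-script paths before enabling. The `#### kills logging, so not enabled` comment on `# PrivateDevices=yes` would be clearer as `# PrivateDevices=yes is left off: the private /dev presumably lacks the syslog socket and logging stops — verify before enabling`.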
@@ -0,0 +1,227 @@
+#
+# spec file for package dnsmasq
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150300
+%bcond_without tftp_user_package
+%else
+%bcond_with tftp_user_package
+%endif
+Name: dnsmasq
+Version: 2.89
+Release: 0
+Summary: DNS Forwarder and DHCP Server
+License: GPL-2.0-only OR GPL-3.0-only
+Group: Productivity/Networking/DNS/Servers
+URL: https://thekelleys.org.uk/dnsmasq/
+Source0: https://thekelleys.org.uk/%{name}/%{name}-%{version}.tar.xz
+Source1: https://thekelleys.org.uk/%{name}/%{name}-%{version}.tar.xz.asc
+Source2: %{name}.keyring
+Source3: dnsmasq.reg
+Source4: dnsmasq.service
+Source5: rc.dnsmasq-suse
+Source6: system-user-dnsmasq.conf
+Patch0: dnsmasq-groups.patch
+Patch1: dnsmasq-CVE-2023-28450.patch
+BuildRequires: dbus-1-devel
+BuildRequires: dos2unix
+BuildRequires: libidn2-devel
+BuildRequires: libnettle-devel
+BuildRequires: lua-devel
+BuildRequires: pkgconfig
+BuildRequires: pkgconfig(libnetfilter_conntrack)
+BuildRequires: pkgconfig(systemd)
+Provides: dns_daemon
+%if %{with tftp_user_package}
+BuildRequires: sysuser-tools
+Requires(pre): user(tftp)
+%sysusers_requires
+%else
+Requires(pre): %{_sbindir}/useradd
+%endif
+
+%description
+Dnsmasq provides network infrastructure for small networks: DNS,
+DHCP, router advertisement and network boot.
+
+The DNS subsystem supprots forwarding of all query types, and caching
+of common record types, DNSSEC included. The DHCP subsystem supports
+DHCPv4, DHCPv6, BOOTP and PXE. RA can be used stand-alone or in
+conjunction with DHCPv6.
+
+%package utils
+Summary: Utilities for manipulating DHCP server leases
+Group: Productivity/Networking/DNS/Servers
+
+%description utils
+Utilities that use the standard DHCP protocol to query/remove a DHCP
+server's leases.
+
+%prep
+%autosetup -p0
+
+# Remove the executable bit from python example files to
+# avoid unwanted automatic dependencies
+find contrib -name *.py -exec chmod a-x '{}' +
+
+# Some docs have the DOS line ends
+dos2unix contrib/systemd/dbus_activation
+
+# SED-FIX-UPSTREAM -- Fix paths
+sed -i -e 's|\(PREFIX *= *\)%{_prefix}/local|\1/usr|;
+ s|$(LDFLAGS)|$(CFLAGS) $(LDFLAGS)|' \
+ Makefile
+
+# use lua5.3 instead of lua5.2
+sed -i -e 's|lua5.2|lua%{lua_version}|' Makefile
+
+# SED-FIX-UPSTREAM -- Fix man page
+sed -i -e 's|The default is "dip",|The default is "dnsmasq",|' \
+ man/dnsmasq.8
+
+# SED-FIX-UPSTREAM -- Fix cachesize, group , user and pid location
+sed -i -e 's|CACHESIZ 150|CACHESIZ 2000|;
+ s|CHUSER "nobody"|CHUSER "dnsmasq"|;
+ s|CHGRP "dip"|CHGRP "dnsmasq"|;
+ s|RUNFILE "/var/run/dnsmasq.pid"|RUNFILE "%{_rundir}/dnsmasq.pid"|' \
+ src/config.h
+
+# Tweaks to the default configuration:
+# - Fix trust-anchor.conf location
+# - Include /etc/dnsmasq.d/*.conf by default
+# - Only answer queries coming from the local network
+sed -i -e '/trust-anchors.conf/c\#conf-file=%{_sysconfdir}/dnsmasq.d/trust-anchors.conf' \
+ -e '/conf-dir=.*conf/s/^\#//' \
+ -e '0,/^$/{/^$/a \
+# Accept DNS queries only from hosts whose address is on a local\
+# subnet, ie a subnet for which an interface exists on the server.\
+# It is intended to be set as a default on installation, to allow\
+# unconfigured installations to be useful but also safe from being\
+# used for DNS amplification attacks.\
+local-service\
+
+}' \
+ dnsmasq.conf.example
+
+%build
+mv po/no.po po/nb.po
+export CFLAGS="%{optflags} -std=gnu99 -fPIC -DPIC -fpie"
+export LDFLAGS="-Wl,-z,relro,-z,now -pie"
+# the dnsmasq make system hashes the configuration flags, so we have to supply the
+# same flags for make and make install, else everything gets recompiled
+%define _copts "-DHAVE_DBUS -DHAVE_CONNTRACK -DHAVE_LIBIDN2 -DHAVE_DNSSEC -DHAVE_LUASCRIPT"
+%make_build AWK=gawk all-i18n CFLAGS="$CFLAGS" LDFLAGS="$LDFLAGS" COPTS=%{_copts}
+%if %{with tftp_user_package}
+%sysusers_generate_pre %{SOURCE6} dnsmasq system-user-dnsmasq.conf
+%endif
+
+%if %{without tftp_user_package}
+%pre
+if ! %{_bindir}/getent group tftp >/dev/null; then
+ %{_sbindir}/groupadd -r tftp
+fi
+if ! %{_bindir}/getent passwd tftp >/dev/null; then
+ %{_sbindir}/useradd -c "TFTP account" -d /srv/tftpboot -G tftp -g tftp \
+ -r -s /bin/false tftp
+fi
+if ! %{_bindir}/getent passwd dnsmasq >/dev/null; then
+ %{_sbindir}/useradd -r -d %{_localstatedir}/lib/empty -s /bin/false -c "dnsmasq" -g nogroup -G tftp dnsmasq
+fi
+%else
+
+%pre -f dnsmasq.pre
+%endif
+%service_add_pre %{name}.service
+
+%post
+%service_add_post %{name}.service
+# reload dbus after install or upgrade to apply new policies
+if [ -z "${TRANSACTIONAL_UPDATE}" -a -x %{_bindir}/systemctl ]; then
+ %{_bindir}/systemctl reload dbus.service 2>/dev/null || :
+fi
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+%service_del_postun %{name}.service
+# reload dbus after uninstall, our policies are gone again
+if [ $1 -eq 0 -a -z "${TRANSACTIONAL_UPDATE}" \
+ -a -x %{_bindir}/systemctl ]; then
+ %{_bindir}/systemctl reload dbus.service 2>/dev/null || :
+fi
+
+%install
+make install-i18n DESTDIR=%{buildroot} PREFIX=%{_prefix} AWK=gawk COPTS=%{_copts}
+install -d -m 755 %{buildroot}/%{_sysconfdir}/slp.reg.d
+install -m 644 dnsmasq.conf.example %{buildroot}/%{_sysconfdir}/dnsmasq.conf
+install -m 644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/slp.reg.d/
+install -d 755 %{buildroot}%{_datadir}/dbus-1/system.d/
+install -m 644 dbus/dnsmasq.conf %{buildroot}%{_datadir}/dbus-1/system.d/dnsmasq.conf
+install -D -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/dnsmasq.service
+%if %{without tftp_user_package}
+install -d -m 0755 %{buildroot}/srv/tftpboot
+%else
+mkdir -p %{buildroot}%{_sysusersdir}
+install -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/
+%endif
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcdnsmasq
+install -d -m 755 %{buildroot}/%{_sysconfdir}/dnsmasq.d
+install -m 644 trust-anchors.conf %{buildroot}/%{_sysconfdir}/dnsmasq.d/trust-anchors.conf
+
+# utils subpackage
+mkdir -p %{buildroot}/%{_bindir} %{buildroot}/%{_mandir}/man1
+make -C contrib/lease-tools %{?_smp_mflags}
+install -m 755 contrib/lease-tools/dhcp_release %{buildroot}/%{_bindir}/dhcp_release
+install -m 644 contrib/lease-tools/dhcp_release.1 %{buildroot}/%{_mandir}/man1/dhcp_release.1
+install -m 755 contrib/lease-tools/dhcp_release6 %{buildroot}/%{_bindir}/dhcp_release6
+install -m 644 contrib/lease-tools/dhcp_release6.1 %{buildroot}/%{_mandir}/man1/dhcp_release6.1
+install -m 755 contrib/lease-tools/dhcp_lease_time %{buildroot}/%{_bindir}/dhcp_lease_time
+install -m 644 contrib/lease-tools/dhcp_lease_time.1 %{buildroot}/%{_mandir}/man1/dhcp_lease_time.1
+make -C contrib/lease-tools clean
+rm -rf contrib/Suse
+rm -rf contrib/Solaris10
+rm -rf contrib/dnsmasq_MacOSX-pre10.4
+rm -rf contrib/slackware-dnsmasq
+rm -rf contrib/MacOSX-launchd
+
+%find_lang %{name} --with-man
+
+%files -f %{name}.lang
+%license COPYING COPYING-v3
+%doc CHANGELOG FAQ doc.html setup.html dnsmasq.conf.example contrib dbus
+%config(noreplace) %{_sysconfdir}/dnsmasq.conf
+%{_sbindir}/dnsmasq
+%{_sbindir}/rcdnsmasq
+%dir %{_sysconfdir}/slp.reg.d/
+%config %attr(0644,root,root) /%{_sysconfdir}/slp.reg.d/dnsmasq.reg
+%{_mandir}/man8/dnsmasq.8%{?ext_man}
+%{_datadir}/dbus-1/system.d/dnsmasq.conf
+%{_unitdir}/dnsmasq.service
+%dir %{_sysconfdir}/dnsmasq.d
+%config(noreplace) %{_sysconfdir}/dnsmasq.d/trust-anchors.conf
+%if %{without tftp_user_package}
+%dir %attr(0755,tftp,tftp) /srv/tftpboot
+%else
+%{_sysusersdir}/system-user-dnsmasq.conf
+%endif
+
+%files utils
+%{_bindir}/dhcp_*
+%{_mandir}/man1/dhcp_*
+
+%changelog
diff --git a/rc.dnsmasq-suse b/rc.dnsmasq-suse
new file mode 100644
index 0000000..bec7997
--- /dev/null
+++ b/rc.dnsmasq-suse
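Review bot: `install -d 755 %{buildroot}%{_datadir}/dbus-1/system.d/` in %install is missing `-m`: as written it creates a stray directory named `755` in the build directory and leaves the dbus system.d directory with the umask-derived mode rather than an explicit 0755; it should read `install -d -m 755 %{buildroot}%{_datadir}/dbus-1/system.d/`, matching the other `install -d -m 755` lines in the same section. In %prep, `find contrib -name *.py` leaves the glob unquoted, so it only behaves while no `*.py` file exists in the build's working directory; `-name '*.py'` is the robust form. Source5 (`rc.dnsmasq-suse`) is declared but, as far as this hunk shows, never installed or listed in %files, so it looks like a sysvinit-era leftover that could be dropped. In the `%{without tftp_user_package}` branch, `%pre` creates the dnsmasq user with `-g nogroup` and never creates a `dnsmasq` group, while `src/config.h` is patched to `CHGRP "dnsmasq"`; whether dnsmasq then falls back to the user's primary group or refuses to start depends on behaviour (and on dnsmasq-groups.patch) not visible here, so that branch deserves a start-up test on a pre-sysusers target. The %description also misspells `supprots`.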
@@ -0,0 +1,90 @@
+#! /bin/sh
+#
+# init.d/dnsmasq
+#
+### BEGIN INIT INFO
+# Provides: dnsmasq
+# Required-Start: $network $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 3 5
+# Default-Stop:
+# Description: Starts internet name service masq caching server (DNS)
+### END INIT INFO
+
+NAMED_BIN=/usr/sbin/dnsmasq
+NAMED_PID=/var/run/dnsmasq.pid
+NAMED_CONF=/etc/dnsmasq.conf
+
+if [ ! -x $NAMED_BIN ] ; then
+ echo -n "dnsmasq not installed! "
+ exit 5
+fi
+
+. /etc/rc.status
+rc_reset
+
+case "$1" in
+ start)
+ if grep "^[^#].*/etc/ppp/" /etc/dnsmasq.conf >/dev/null 2>&1; then
+ echo
+ echo "Warning! dnsmasq can not read the /etc/ppp directory anymore";
+ echo " but /etc/ppp seems to be used in your config";
+ echo " use /var/run/ instead like /var/run/dnsmasq-forwarders.conf";
+ echo
+ fi
+ echo -n "Starting name service masq caching server "
+ checkproc -p $NAMED_PID $NAMED_BIN
+ if [ $? -eq 0 ] ; then
+ echo -n "- Warning: dnsmasq already running! "
+ else
+ [ -e $NAMED_PID ] && echo -n "- Warning: $NAMED_PID exists! "
+ fi
+ startproc -p $NAMED_PID $NAMED_BIN -u dnsmasq
+ rc_status -v
+ ;;
+ stop)
+ echo -n "Shutting name service masq caching server "
+ checkproc -p $NAMED_PID $NAMED_BIN
+ [ $? -ne 0 ] && echo -n "- Warning: dnsmasq not running! "
+ killproc -p $NAMED_PID -TERM $NAMED_BIN
+ rc_status -v
+ ;;
+ try-restart|force-reload)
+ if $0 status ; then
+ $0 restart
+ else
+ rc_reset
+ fi
+ rc_status
+ ;;
+ restart)
+ if checkproc -p $NAMED_PID $NAMED_BIN ; then
+ $0 stop
+ fi
+ $0 start
+ rc_status
+ ;;
+ reload)
+ echo -n "Reloading name service masq caching server unsupported "
+ rc_failed 3
+ rc_status -v
+ ;;
+ sighup)
+ echo -n "Sending SIGHUP to name service masq caching server "
+ killproc -p $NAMED_PID -HUP $NAMED_BIN
+ rc_status -v
+ ;;
+ status)
+ echo -n "Checking for name service masq caching server "
+ checkproc -p $NAMED_PID $NAMED_BIN
+ rc_status -v
+ ;;
+ probe)
+ test $NAMED_CONF -nt $NAMED_PID && echo reload
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|sighup|probe}"
+ exit 1
+ ;;
+esac
+rc_exit
diff --git a/system-user-dnsmasq.conf b/system-user-dnsmasq.conf
new file mode 100644
index 0000000..2eac272
--- /dev/null
+++ b/system-user-dnsmasq.conf
@@ -0,0 +1,3 @@
+#Type Name ID GECOS Home directory Shell
+u dnsmasq - "dnsmasq" /var/lib/empty -
+m dnsmasq tftp - - -
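Review bot: In the `start)` branch the config check greps the literal path `/etc/dnsmasq.conf` although the script defines `NAMED_CONF=/etc/dnsmasq.conf` a few lines earlier and uses it in `probe)`; `if grep "^[^#].*/etc/ppp/" $NAMED_CONF >/dev/null 2>&1; then` keeps the two in step. The `probe)` branch prints `reload` when the config is newer than the pid file, but the script's own `reload)` action is hard-wired to `rc_failed 3`, and dnsmasq's SIGHUP re-reads hosts and lease-related files rather than its configuration file, so the only accurate hint is `test $NAMED_CONF -nt $NAMED_PID && echo restart`. The stop message `"Shutting name service masq caching server "` reads like a truncation of "Shutting down ...". Note also that the spec in this same commit declares this file as Source5 but does not appear to install it, so the script may be dead weight rather than something to polish.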