Accepting request 1301142 from server:dns

Update to version 2.1.13

OBS-URL: https://build.opensuse.org/request/show/1301142
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dnscrypt-proxy?expand=0&rev=24

dnscrypt-proxy-2.1.13.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7f6a3d2613f91ace402f2f682929529565a54d6d7e4213403e7e6a0db448bddc
+size 4180107

dnscrypt-proxy-2.1.5.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:044c4db9a3c7bdcf886ff8f83c4b137d2fd37a65477a92bfe86bf69587ea7355
-size 4065395

dnscrypt-proxy.changes

@@ -1,3 +1,102 @@
+-------------------------------------------------------------------
+Sun Aug 24 12:00:00 UTC 2025 - cunix@mail.de
+
+- Update to version 2.1.13
+  * Manual configuration reload via SIGHUP is now supported regardless of the
+    hot-reload setting, providing more flexibility for system administrators
+  * Fixed a regression in IP prefix matching for allow/block lists that could
+    cause incorrect filtering behavior
+  * the generate-domains-blocklist script now handles poor network conditions
+    more gracefully
+
+-------------------------------------------------------------------
+Thu May 29 12:00:00 UTC 2025 - cunix@mail.de
+
+- Update to version 2.1.12
+  * weighted Power of Two (WP2) load balancing strategy has been
+    implemented as the default
+  * optional Prometheus metrics endpoint has been added for monitoring
+  * additional records in queries are now properly removed before forwarding
+  * simple view UI has been removed
+
+-------------------------------------------------------------------
+Wed May 21 12:00:00 UTC 2025 - cunix@mail.de
+
+- Update to version 2.1.11
+  * web-based monitoring user interface added
+  * configuration files hot-reloading implemented
+  * HTTP/3 probing
+  * added parallel downloading of block lists
+
+-------------------------------------------------------------------
+Fri Mar 28 03:02:02 UTC 2025 - Gerald Chen <gerald_chen@foxmail.com>
+
+- Updated to version 2.1.8
+  * Dependencies have been updated, notably the QUIC implementation, which could
+    be vulnerable to denial-of-service attacks.
+  * In forwarding rules, the target can now optionally include a non-standard
+    DNS port number. The port number is also now optional when using IPv6.
+  * An annoying log message related to permissions on Windows has been
+    suppressed.
+  * Resolver IP addresses can now be refreshed more frequently. Additionally,
+    jitter has been introduced to prevent all resolvers from being refreshed
+    simultaneously. Further changes have been implemented to mitigate issues
+    arising from multiple concurrent attempts to resolve a resolver's IP
+    address.
+  * An empty value for "tls_cipher_suite" is now equivalent to leaving the
+    property undefined. Previously, it disabled all TLS cipher suites, which had
+    little practical justification.
+  * In forwarding rules, an optional `*.` prefix is now accepted.
+
+
+-------------------------------------------------------------------
+Sat Jan 11 18:00:00 UTC 2025 - cunix@mail.de
+
+- Update to version 2.1.7
+  * Reintroduces support for XSalsa20 enryption in DNSCrypt,
+    which was removed in 2.1.6. Unfortunately, a bunch of servers still
+    only support that encryption system.
+  * Added check for lying resolvers was added for DNSCrypt, similar to 
+    the one that was already present for DoH and ODoH.
+
+- Minimum golang version now at 1.23
+
+- With vendored quic-go at 0.48.2 since update to 2.1.6
+  boo#1222473 and boo#1235156 should be fixed.
+
+- Trimmed long lines in last changelog entry
+
+-------------------------------------------------------------------
+Sat Jan 11 02:44:22 UTC 2025 - Gerald Chen <gerald_chen@foxmail.com>
+- Update to version 2.1.6
+  * Forwarding: in the list of servers for a zone, the `$BOOTSTRAP`
+    keyword can be included as a shortcut to forward to the bootstrap
+    servers. And the `$DHCP` keyword can be included to forward to the
+    DNS resolvers provided by the local DHCP server. Based on work by YX
+    Hao, thanks! DHCP forwarding should be considered experimental and my
+    not work on all operating systems. A rule for a zone can mix and
+    match multiple forwarder types, such as `10.0.0.1,10.0.0.254,$DHCP,
+    192.168.1.1,$BOOTSTRAP`. Note that this is not implemented for
+    captive portals yet.
+  * Lying resolvers are now skipped, instead of just printing an error.
+    This doesn't apply to captive portal and forwarding entries, which
+    are the only reasonable use case for lying resolvers.
+  * Support for XSalsa20 in DNSCrypt has been removed. This was not
+    documented, and was supserseded by XChaCha20 in 2016.
+  * Source files are now fetched with compression.
+  * DNS64: compatibility has been improved.
+  * Forwarding: the root domain (`.`) can now be forwarded.
+  * The ARC caching algorithm has been replaced by the SIEVE algorithm.
+  * Properties of multiple servers are now updated simultaneously. The
+    concurrency level can be adjusted with the new
+    `cert_refresh_concurrency` setting. Contributed by YX Hao.
+  * MSI packages for DNSCrypt can now easily be built.
+  * New command-line flag: `-include-relays` to include relays in `-list`
+    and `-list-all`.
+  * Support for DNS extended error codes has been added.
+  * Documentation updates, bug fixes, dependency updates.
+- Drop quic-go.patch, for dnscrypt-proxy already pulls fixed quic-go v0.48.2
+
 -------------------------------------------------------------------
 Sun Apr 21 12:00:00 UTC 2024 - cunix@mail.de
 

dnscrypt-proxy.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package dnscrypt-proxy
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,7 +25,7 @@
 %define services    %{name}.socket %{name}.service %{name}-resolvconf.service
 
 Name:           dnscrypt-proxy
-Version:        2.1.5
+Version:        2.1.13
 Release:        0
 Summary:        A tool for securing communications between a client and a DNS resolver
 License:        ISC
@@ -43,15 +43,13 @@ Source5:        README.openSUSE
 Source6:        %{name}.socket.conf
 # dnscrypt user configuration
 Source7:        %{user_group}-user.conf
-# can be dropped in next release with quic-go v0.42 included (boo#1222473)
-Patch0:         quic-go.patch
 BuildRequires:  golang-packaging
 BuildRequires:  pkgconfig
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  sysuser-tools
-BuildRequires:  golang(API) >= 1.20
-BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  vendored_licenses_packager
+BuildRequires:  golang(API) >= 1.24
+BuildRequires:  pkgconfig(libsystemd)
 %sysusers_requires
 %{?systemd_requires}
 # For systemd pidfile solution.

example-dnscrypt-proxy.toml.sed

@@ -2,8 +2,7 @@
 s/listen_addresses = \['127.0.0.1:53']/#listen_addresses = ['127.0.0.1:53']\nlisten_addresses = []/
 
 # point to shipped distro specific documentation
-12c\\n##********************************************************************##\n##                                                                    ##
-13c\##                    README.openSUSE in directory                    ##\n##              \/usr\/share\/doc\/packages\/dnscrypt-proxy                ##\n##                       might be useful to read.                     ##\n##                                                                    ##\n##********************************************************************##
+12c\\n##********************************************************************##\n##                                                                    ##\n##                    README.openSUSE in directory                    ##\n##              \/usr\/share\/doc\/packages\/dnscrypt-proxy                ##\n##                       might be useful to read.                     ##\n##                                                                    ##\n##********************************************************************##\n\n
 
 # absolute paths by default
 s/# log_file = 'dnscrypt-proxy.log'/# log_file = '\/var\/log\/dnscrypt-proxy\/dnscrypt-proxy.log'/
@@ -22,12 +21,13 @@ s/# allowed_names_file = 'allowed-names.txt'/# allowed_names_file = '\/etc\/dnsc
 s/# log_file = 'allowed-names.log'/# log_file = '\/var\/log\/dnscrypt-proxy\/allowed-names.log'/
 s/# allowed_ips_file = 'allowed-ips.txt'/# allowed_ips_file = '\/etc\/dnscrypt-proxy\/allowed-ips.txt'/
 s/# log_file = 'allowed-ips.log'/# log_file = '\/var\/log\/dnscrypt-proxy\/allowed-ips.log'/
-s/    cache_file = 'public-resolvers.md'/    cache_file = '\/var\/lib\/dnscrypt-proxy\/public-resolvers.md'/
-s/    cache_file = 'relays.md'/    cache_file = '\/var\/lib\/dnscrypt-proxy\/relays.md'/
-s/  #   cache_file = 'odoh-servers.md'/  #   cache_file = '\/var\/lib\/dnscrypt-proxy\/odoh-servers.md'/
-s/  #   cache_file = 'odoh-relays.md'/  #   cache_file = '\/var\/lib\/dnscrypt-proxy\/odoh-relays.md'/
-s/  #   cache_file = 'quad9-resolvers.md'/  #   cache_file = '\/var\/lib\/dnscrypt-proxy\/quad9-resolvers.md'/
-s/  #   cache_file = 'parental-control.md'/  #   cache_file = '\/var\/lib\/dnscrypt-proxy\/parental-control.md'/
+s/cache_file = 'public-resolvers.md'/cache_file = '\/var\/lib\/dnscrypt-proxy\/public-resolvers.md'/
+s/cache_file = 'relays.md'/cache_file = '\/var\/lib\/dnscrypt-proxy\/relays.md'/
+s/#   cache_file = 'odoh-servers.md'/#   cache_file = '\/var\/lib\/dnscrypt-proxy\/odoh-servers.md'/
+s/#   cache_file = 'odoh-relays.md'/#   cache_file = '\/var\/lib\/dnscrypt-proxy\/odoh-relays.md'/
+s/#   cache_file = 'quad9-resolvers.md'/#   cache_file = '\/var\/lib\/dnscrypt-proxy\/quad9-resolvers.md'/
+s/#   cache_file = 'parental-control.md'/#   cache_file = '\/var\/lib\/dnscrypt-proxy\/parental-control.md'/
+s/#    cache_file = "dnscry.pt-resolvers.md"/#    cache_file = '\/var\/lib\/dnscrypt-proxy\/dnscry.pt-resolvers.md'/
 
 # package directory instead of source code directory
 s/## `utils\/generate-domains-blocklists` directory of the dnscrypt-proxy source code./## '\/usr\/share\/dnscrypt-proxy\/generate-domains-blocklists' directory./

quic-go.patch

@@ -1,117 +0,0 @@
-From: cunix@mail.de
-Date: 2024-04-21 12:00:00
-Subject: Memory Exhaustion Attack against QUIC's Connection ID Mechanism
-References: https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a
-  https://github.com/quic-go/quic-go/security/advisories/GHSA-c33x-xqrf-c478
-  https://bugzilla.suse.com/show_bug.cgi?id=1222473
-
-This tries to backport commit
-https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a.patch
-from Marten Seemann <martenseemann@gmail.com>
-to the vendored older version of quic-go.
-
-dnscrypt-proxy upstream already vendors version 0.42 of quic-go with hack
-included, but is not released.
-
-Patch should be dropped with next release of dnscrypt-proxy.
-
----
-
-diff -r -U 5 a/vendor/github.com/quic-go/quic-go/connection.go b/vendor/github.com/quic-go/quic-go/connection.go
---- a/vendor/github.com/quic-go/quic-go/connection.go
-+++ b/vendor/github.com/quic-go/quic-go/connection.go
-@@ -516,11 +516,14 @@
- 
- 	var sendQueueAvailable <-chan struct{}
- 
- runLoop:
- 	for {
--		// Close immediately if requested
-+		if s.framer.QueuedTooManyControlFrames() {
-+			s.closeLocal(&qerr.TransportError{ErrorCode: InternalError})
-+		}
-+  // Close immediately if requested
- 		select {
- 		case closeErr = <-s.closeChan:
- 			break runLoop
- 		default:
- 		}
-diff -r -U 5 a/vendor/github.com/quic-go/quic-go/framer.go b/vendor/github.com/quic-go/quic-go/framer.go
---- a/vendor/github.com/quic-go/quic-go/framer.go
-+++ b/vendor/github.com/quic-go/quic-go/framer.go
-@@ -19,22 +19,32 @@
- 
- 	AddActiveStream(protocol.StreamID)
- 	AppendStreamFrames([]ackhandler.StreamFrame, protocol.ByteCount, protocol.VersionNumber) ([]ackhandler.StreamFrame, protocol.ByteCount)
- 
- 	Handle0RTTRejection() error
-+	
-+	// QueuedTooManyControlFrames says if the control frame queue exceeded its maximum queue length.
-+	// This is a hack.
-+	// It is easier to implement than propagating an error return value in QueueControlFrame.
-+	// The correct solution would be to queue frames with their respective structs.
-+	// See https://github.com/quic-go/quic-go/issues/4271 for the queueing of stream-related control frames.
-+	QueuedTooManyControlFrames() bool
- }
- 
-+const maxControlFrames = 16 << 10
-+
- type framerI struct {
- 	mutex sync.Mutex
- 
- 	streamGetter streamGetter
- 
- 	activeStreams map[protocol.StreamID]struct{}
- 	streamQueue   ringbuffer.RingBuffer[protocol.StreamID]
- 
- 	controlFrameMutex sync.Mutex
- 	controlFrames     []wire.Frame
-+	queuedTooManyControlFrames bool
- }
- 
- var _ framer = &framerI{}
- 
- func newFramer(streamGetter streamGetter) framer {
-@@ -56,11 +66,24 @@
- 	f.controlFrameMutex.Unlock()
- 	return hasData
- }
- 
- func (f *framerI) QueueControlFrame(frame wire.Frame) {
-+	var returnearly bool
- 	f.controlFrameMutex.Lock()
-+ // This is a hack.
-+	if len(f.controlFrames) >= maxControlFrames {
-+		returnearly = true
-+	}
-+	f.controlFrameMutex.Unlock()
-+ if returnearly {
-+   f.mutex.Lock()
-+   f.queuedTooManyControlFrames = true
-+   f.mutex.Unlock()
-+   return
-+ }
-+ f.controlFrameMutex.Lock()
- 	f.controlFrames = append(f.controlFrames, frame)
- 	f.controlFrameMutex.Unlock()
- }
- 
- func (f *framerI) AppendControlFrames(frames []ackhandler.Frame, maxLen protocol.ByteCount, v protocol.VersionNumber) ([]ackhandler.Frame, protocol.ByteCount) {
-@@ -78,10 +101,17 @@
- 	}
- 	f.controlFrameMutex.Unlock()
- 	return frames, length
- }
- 
-+func (f *framerI) QueuedTooManyControlFrames() bool {
-+	f.mutex.Lock()
-+ toomany := f.queuedTooManyControlFrames
-+	f.mutex.Unlock()
-+ return toomany
-+}
-+
- func (f *framerI) AddActiveStream(id protocol.StreamID) {
- 	f.mutex.Lock()
- 	if _, ok := f.activeStreams[id]; !ok {
- 		f.streamQueue.PushBack(id)
- 		f.activeStreams[id] = struct{}{}