From 029f71cf1d78b54c014e07fc45abb293af6c9dd0eea1d7a79afcf87836863189 Mon Sep 17 00:00:00 2001
From: Reinhard Max
Date: Thu, 23 Sep 2021 12:02:11 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=140
---
 dnsmasq.changes | 4 +++-
 dnsmasq.spec | 14 +++++++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/dnsmasq.changes b/dnsmasq.changes
index 338523e..836a8b5 100644
--- a/dnsmasq.changes
+++ b/dnsmasq.changes
@@ -7,7 +7,9 @@ Thu Sep 23 08:48:12 UTC 2021 - Reinhard Max
 * bsc#1176076: dnsmasq-servfail.patch
 * bsc#1156543: dnsmasq-siocgstamp.patch
 * bsc#1138743: dnsmasq-cache-size.patch
- * bsc#1076958: CVE-2017-15107, dnsmasq-CVE-2017-15107.patch
+ * bsc#1076958: CVE-2017-15107, dnsmasq-CVE-2017-15107.patch
+ * bsc#1180914: Open inotify socket only when used.
+- bsc#1173646: Set --local-service by default.
 
 -------------------------------------------------------------------
 Fri Sep 17 11:10:17 UTC 2021 - Reinhard Max
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 55e9b46..f7eee5f 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -101,9 +101,21 @@
 sed -i -e 's|CACHESIZ 150|CACHESIZ 2000|; s|CHGRP "dip"|CHGRP "nogroup"|' \
 src/config.h
 
-# Fix trust-anchor.conf location and include /etc/dnsmasq.d/*.conf by default
+# Tweaks to the default configuration:
+# - Fix trust-anchor.conf location
+# - Include /etc/dnsmasq.d/*.conf by default
+# - Only answer queries coming from the local network
 sed -i -e '/trust-anchors.conf/c\#conf-file=%{_sysconfdir}/dnsmasq.d/trust-anchors.conf' \
 -e '/conf-dir=.*conf/s/^\#//' \
+ -e '0,/^$/{/^$/a \
+# Accept DNS queries only from hosts whose address is on a local\
+# subnet, ie a subnet for which an interface exists on the server.\
+# It is intended to be set as a default on installation, to allow\
+# unconfigured installations to be useful but also safe from being\
+# used for DNS amplification attacks.\
+local-service\
+
+}' \
 dnsmasq.conf.example
 
 %build
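Review bot: The added `-e '0,/^$/{/^$/a \` expression in dnsmasq.spec inserts `local-service` only if dnsmasq.conf.example contains an empty line, and sed exits 0 whether or not it matched, so a layout change in the upstream example file could silently drop this hardening default from the package. A check directly after the sed call, for example `grep -qx 'local-service' dnsmasq.conf.example`, would make the build stop instead of shipping a config without it (assuming the section runs with the usual errexit shell; the section header is outside this hunk). The inserted config comment could also add one line such as `# Ignored once interface, except-interface, listen-address or auth-server is set.`, since the dnsmasq man page documents that local-service has no effect in combination with those options and an admin who customises the file may otherwise assume the restriction still holds. Separately, `0,/re/` is a GNU sed address form, which is worth a short remark in the spec comment.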