- Security update to version 2.78:
* bsc#1060354, CVE-2017-14491: 2 byte heap based overflow. * bsc#1060355, CVE-2017-14492: heap based overflow. * bsc#1060360, CVE-2017-14493: stack based overflow. * bsc#1060361, CVE-2017-14494: DHCP - info leak. * bsc#1060362, CVE-2017-14495: DNS - OOM DoS. * bsc#1060364, CVE-2017-14496: DNS - DoS Integer underflow. * Fix DHCP relaying, broken in 2.76 and 2.77. * For other changes, see http://www.thekelleys.org.uk/dnsmasq/CHANGELOG - Obsoleted patches: * Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch * Handle-binding-upstream-servers-to-an-interface.patch OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=90
parent
1c4b4aee27
commit
09eac739de
@ -1,29 +0,0 @@
|
|||||||
From 16800ea072dd0cdf14d951c4bb8d2808b3dfe53d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Simon Kelley <simon@thekelleys.org.uk>
|
|
||||||
Date: Tue, 30 Aug 2016 23:07:06 +0100
|
|
||||||
Subject: [PATCH 4/4] Fix crash introduced in
|
|
||||||
2675f2061525bc954be14988d64384b74aa7bf8b
|
|
||||||
|
|
||||||
---
|
|
||||||
src/network.c | 5 +++--
|
|
||||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/network.c b/src/network.c
|
|
||||||
index ddf8d31..d87d08f 100644
|
|
||||||
--- a/src/network.c
|
|
||||||
+++ b/src/network.c
|
|
||||||
@@ -1516,8 +1516,9 @@ void check_servers(void)
|
|
||||||
serv->flags |= SERV_MARK;
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
- serv->sfd->used = 1;
|
|
||||||
+
|
|
||||||
+ if (serv->sfd)
|
|
||||||
+ serv->sfd->used = 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!(serv->flags & SERV_NO_REBIND) && !(serv->flags & SERV_LITERAL_ADDRESS))
|
|
||||||
--
|
|
||||||
2.11.0
|
|
||||||
|
|
@ -1,119 +0,0 @@
|
|||||||
From 2675f2061525bc954be14988d64384b74aa7bf8b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Beniamino Galvani <bgalvani@redhat.com>
|
|
||||||
Date: Sun, 28 Aug 2016 20:44:05 +0100
|
|
||||||
Subject: [PATCH 1/4] Handle binding upstream servers to an interface
|
|
||||||
(--server=1.2.3.4@eth0) when the named interface is destroyed and recreated
|
|
||||||
in the kernel.
|
|
||||||
|
|
||||||
---
|
|
||||||
CHANGELOG | 5 +++++
|
|
||||||
src/dnsmasq.h | 1 +
|
|
||||||
src/network.c | 31 +++++++++++++++++++++++++++++--
|
|
||||||
3 files changed, 35 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
|
|
||||||
index 27385a9..f239ce5 100644
|
|
||||||
--- a/src/dnsmasq.h
|
|
||||||
+++ b/src/dnsmasq.h
|
|
||||||
@@ -488,6 +488,7 @@ struct serverfd {
|
|
||||||
int fd;
|
|
||||||
union mysockaddr source_addr;
|
|
||||||
char interface[IF_NAMESIZE+1];
|
|
||||||
+ unsigned int ifindex, used;
|
|
||||||
struct serverfd *next;
|
|
||||||
};
|
|
||||||
|
|
||||||
diff --git a/src/network.c b/src/network.c
|
|
||||||
index e7722fd..ddf8d31 100644
|
|
||||||
--- a/src/network.c
|
|
||||||
+++ b/src/network.c
|
|
||||||
@@ -1204,6 +1204,7 @@ int local_bind(int fd, union mysockaddr *addr, char *intname, int is_tcp)
|
|
||||||
static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname)
|
|
||||||
{
|
|
||||||
struct serverfd *sfd;
|
|
||||||
+ unsigned int ifindex = 0;
|
|
||||||
int errsave;
|
|
||||||
|
|
||||||
/* when using random ports, servers which would otherwise use
|
|
||||||
@@ -1224,11 +1225,15 @@ static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname)
|
|
||||||
return NULL;
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ if (intname && strlen(intname) != 0)
|
|
||||||
+ ifindex = if_nametoindex(intname); /* index == 0 when not binding to an interface */
|
|
||||||
|
|
||||||
/* may have a suitable one already */
|
|
||||||
for (sfd = daemon->sfds; sfd; sfd = sfd->next )
|
|
||||||
if (sockaddr_isequal(&sfd->source_addr, addr) &&
|
|
||||||
- strcmp(intname, sfd->interface) == 0)
|
|
||||||
+ strcmp(intname, sfd->interface) == 0 &&
|
|
||||||
+ ifindex == sfd->ifindex)
|
|
||||||
return sfd;
|
|
||||||
|
|
||||||
/* need to make a new one. */
|
|
||||||
@@ -1250,11 +1255,13 @@ static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname)
|
|
||||||
errno = errsave;
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
+
|
|
||||||
strcpy(sfd->interface, intname);
|
|
||||||
sfd->source_addr = *addr;
|
|
||||||
sfd->next = daemon->sfds;
|
|
||||||
+ sfd->ifindex = ifindex;
|
|
||||||
daemon->sfds = sfd;
|
|
||||||
+
|
|
||||||
return sfd;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1429,12 +1436,16 @@ void check_servers(void)
|
|
||||||
{
|
|
||||||
struct irec *iface;
|
|
||||||
struct server *serv;
|
|
||||||
+ struct serverfd *sfd, *tmp, **up;
|
|
||||||
int port = 0, count;
|
|
||||||
|
|
||||||
/* interface may be new since startup */
|
|
||||||
if (!option_bool(OPT_NOWILD))
|
|
||||||
enumerate_interfaces(0);
|
|
||||||
|
|
||||||
+ for (sfd = daemon->sfds; sfd; sfd = sfd->next)
|
|
||||||
+ sfd->used = 0;
|
|
||||||
+
|
|
||||||
#ifdef HAVE_DNSSEC
|
|
||||||
/* Disable DNSSEC validation when using server=/domain/.... servers
|
|
||||||
unless there's a configured trust anchor. */
|
|
||||||
@@ -1505,6 +1516,8 @@ void check_servers(void)
|
|
||||||
serv->flags |= SERV_MARK;
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ serv->sfd->used = 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!(serv->flags & SERV_NO_REBIND) && !(serv->flags & SERV_LITERAL_ADDRESS))
|
|
||||||
@@ -1547,6 +1560,20 @@ void check_servers(void)
|
|
||||||
if (count - 1 > SERVERS_LOGGED)
|
|
||||||
my_syslog(LOG_INFO, _("using %d more nameservers"), count - SERVERS_LOGGED - 1);
|
|
||||||
|
|
||||||
+ /* Remove unused sfds */
|
|
||||||
+ for (sfd = daemon->sfds, up = &daemon->sfds; sfd; sfd = tmp)
|
|
||||||
+ {
|
|
||||||
+ tmp = sfd->next;
|
|
||||||
+ if (!sfd->used)
|
|
||||||
+ {
|
|
||||||
+ *up = sfd->next;
|
|
||||||
+ close(sfd->fd);
|
|
||||||
+ free(sfd);
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ up = &sfd->next;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
cleanup_servers();
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.11.0
|
|
||||||
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:4b92698dee19ca0cb2a8f2e48f1d2dffd01a21eb15d1fbed4cf085630c8c9f96
|
|
||||||
size 480796
|
|
@ -1,7 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
Version: GnuPG v1
|
|
||||||
|
|
||||||
iEYEABECAAYFAlc8gxEACgkQKPyGmiibgrcEZQCghIcBK2ici5/4klzL7gMQmrar
|
|
||||||
ZtkAn0evIF/mFDAJsQlWnGTbew3lsxAs
|
|
||||||
=SVPw
|
|
||||||
-----END PGP SIGNATURE-----
|
|
3
dnsmasq-2.78.tar.xz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:89949f438c74b0c7543f06689c319484bd126cc4b1f8c745c742ab397681252b
|
||||||
|
size 489172
|
17
dnsmasq-2.78.tar.xz.asc
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
Version: GnuPG v2
|
||||||
|
|
||||||
|
iQIcBAABCAAGBQJZ0kGzAAoJEBXN2mrhkTWiYaYQAIadoc1Cr6Qg0cDxhUNMDL0G
|
||||||
|
Qp4VWhD/KkxUerTCWdWiSlWBt94hnDNlOBJ8QnqHHzYH/dopvOdLU3/HpVUMYfZf
|
||||||
|
XA2wCz38xQREj961jZ8r3kK1LR42NqqlV/E4qn4lsZedxgq62lP2xiZiVWaRqe9g
|
||||||
|
klXlzUORfu/JxyOKTtyy4rR0YNOWx2GYex5T3av+sieKgcR7ZryQgZF+SGoonqil
|
||||||
|
srbKriSXLSpVjyDp+3fLECAguL/dzw53pWdoAm9ZizWu8miNqGj/PbQJx44tpwOO
|
||||||
|
N2+4y07yD0e6eNlQOb3JStmyrTSO+qwqQG4kFKFPDM0/ZBGTUcmA2WZjDXrGySfD
|
||||||
|
015T9JW+6CkJ3ikCW0ik9PiO5ryKJgIhejyT2POL0/APaKTj4wmDbK6ekYivanpD
|
||||||
|
2hCkyCcvNrxx5oADGPhlHC5okYXdJ9Hrr+AcdMMdhFZCo5U2JP0TMqZaotQQdy54
|
||||||
|
GoOEKJ+ij116Tw8hqA0k34zcwklaXluZX4ghm7ZxoOiJwwO6fUeKKBnxXvwzpgm6
|
||||||
|
3jCq8OJkCpXym3S5nD0y/QWGLJtaNFYVRYO4J4YnfjICGd88NtQnCXzND1R+dvdi
|
||||||
|
Z06MgDOuUFu2ZSode13u1uU6w3h415m6M45jAeBRwZhGX26+NM9a9P+tO6gmR0Hy
|
||||||
|
zyOEsbgfqBof6BBlPdlw
|
||||||
|
=ecMB
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -1,13 +1,13 @@
|
|||||||
--- src/dnsmasq.c.orig
|
--- src/dnsmasq.c.orig
|
||||||
+++ src/dnsmasq.c
|
+++ src/dnsmasq.c
|
||||||
@@ -557,11 +557,10 @@ int main (int argc, char **argv)
|
@@ -581,11 +581,10 @@ int main (int argc, char **argv)
|
||||||
if (!option_bool(OPT_DEBUG) && getuid() == 0)
|
if (!option_bool(OPT_DEBUG) && getuid() == 0)
|
||||||
{
|
{
|
||||||
int bad_capabilities = 0;
|
int bad_capabilities = 0;
|
||||||
- gid_t dummy;
|
- gid_t dummy;
|
||||||
|
|
||||||
- /* remove all supplimentary groups */
|
- /* remove all supplementary groups */
|
||||||
+ /* set the supplimentary groups of the daemon user */
|
+ /* set the supplementary groups of the daemon user */
|
||||||
if (gp &&
|
if (gp &&
|
||||||
- (setgroups(0, &dummy) == -1 ||
|
- (setgroups(0, &dummy) == -1 ||
|
||||||
+ (initgroups(daemon->username, gp->gr_gid) == -1 ||
|
+ (initgroups(daemon->username, gp->gr_gid) == -1 ||
|
||||||
|
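Review bot: The refreshed dnsmasq-groups.patch still starts directly at `--- src/dnsmasq.c.orig`, with no header explaining why the daemon should take on its run-as user's supplementary groups via `initgroups(daemon->username, gp->gr_gid)` instead of clearing them with `setgroups(0, &dummy)`, as the removed line of the patched source does. This changes which groups the process keeps once it stops running as root, so the patch file should carry a short rationale at the top, for example `# Keep the daemon user's supplementary groups; needed for <reason or bug reference>`. The call is guarded only by `if (gp && ...)`, so it is worth confirming that `daemon->username` cannot be NULL when just a group is configured; where it is assigned is not visible here. The patched block in main() continues past the lines shown in this hunk.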
@ -1,3 +1,20 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Oct 2 14:09:59 UTC 2017 - max@suse.com
|
||||||
|
|
||||||
|
- Security update to version 2.78:
|
||||||
|
* bsc#1060354, CVE-2017-14491: 2 byte heap based overflow.
|
||||||
|
* bsc#1060355, CVE-2017-14492: heap based overflow.
|
||||||
|
* bsc#1060360, CVE-2017-14493: stack based overflow.
|
||||||
|
* bsc#1060361, CVE-2017-14494: DHCP - info leak.
|
||||||
|
* bsc#1060362, CVE-2017-14495: DNS - OOM DoS.
|
||||||
|
* bsc#1060364, CVE-2017-14496: DNS - DoS Integer underflow.
|
||||||
|
* Fix DHCP relaying, broken in 2.76 and 2.77.
|
||||||
|
* For other changes, see
|
||||||
|
http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
|
||||||
|
- Obsoleted patches:
|
||||||
|
* Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch
|
||||||
|
* Handle-binding-upstream-servers-to-an-interface.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Sep 12 08:29:59 UTC 2017 - tchvatal@suse.com
|
Tue Sep 12 08:29:59 UTC 2017 - tchvatal@suse.com
|
||||||
|
|
||||||
|
@ -20,7 +20,7 @@ Name: dnsmasq
|
|||||||
Summary: Lightweight, Easy-to-Configure DNS Forwarder and DHCP Server
|
Summary: Lightweight, Easy-to-Configure DNS Forwarder and DHCP Server
|
||||||
License: GPL-2.0 or GPL-3.0
|
License: GPL-2.0 or GPL-3.0
|
||||||
Group: Productivity/Networking/DNS/Servers
|
Group: Productivity/Networking/DNS/Servers
|
||||||
Version: 2.76
|
Version: 2.78
|
||||||
Release: 0
|
Release: 0
|
||||||
Provides: dns_daemon
|
Provides: dns_daemon
|
||||||
PreReq: /usr/sbin/useradd /bin/mkdir
|
PreReq: /usr/sbin/useradd /bin/mkdir
|
||||||
@ -35,8 +35,6 @@ Source6: SuSEFirewall.dnsmasq-dhcp
|
|||||||
Source7: SuSEFirewall.dnsmasq-dns
|
Source7: SuSEFirewall.dnsmasq-dns
|
||||||
Source8: %{name}-rpmlintrc
|
Source8: %{name}-rpmlintrc
|
||||||
Patch0: dnsmasq-groups.patch
|
Patch0: dnsmasq-groups.patch
|
||||||
Patch10: Handle-binding-upstream-servers-to-an-interface.patch
|
|
||||||
Patch11: Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
BuildRequires: dbus-1-devel
|
BuildRequires: dbus-1-devel
|
||||||
BuildRequires: dos2unix
|
BuildRequires: dos2unix
|
||||||
@ -70,8 +68,6 @@ server's leases.
|
|||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
%patch0
|
%patch0
|
||||||
%patch10 -p1
|
|
||||||
%patch11 -p1
|
|
||||||
|
|
||||||
# Some docs have the DOS line ends
|
# Some docs have the DOS line ends
|
||||||
dos2unix contrib/systemd/dbus_activation
|
dos2unix contrib/systemd/dbus_activation
|
||||||
|