Accepting request 921143 from network

- jsc#SLE-17936: Sync this state from Factory to SLE-15-SP1.
- SLE bugs that got fixed upstream between 2.79 and 2.86, but for
  which we need to keep references when syncing:
  * bsc#1176076: dnsmasq-servfail.patch
  * bsc#1156543: dnsmasq-siocgstamp.patch
  * bsc#1138743: dnsmasq-cache-size.patch
  * bsc#1076958: CVE-2017-15107, dnsmasq-CVE-2017-15107.patch 
  * bsc#1180914: Open inotify socket only when used.
  * removed dnsmasq-dnspooq.patch
- bsc#1173646: Set --local-service by default.

- Update to 2.86:
  * Handle DHCPREBIND requests in the DHCPv6 server code.
  * Fix bug which caused dnsmasq to lose track of processes forked
    to handle TCP DNS connections under heavy load.
  * Major rewrite of the DNS server and domain handling code. This
    should be largely transparent, but it drastically improves
    performance and reduces memory foot-print when configuring
    large numbers of domains.
  * Revise resource handling for number of concurrent DNS queries.
  * Improve efficiency of DNSSEC.
  * Connection track mark based DNS query filtering.
  * Allow smaller than 64 prefix lengths in synth-domain, with
    caveats.
    --synth-domain=1234:4567::/56,example.com is now valid.
  * Make domains generated by --synth-domain appear in replies
    when in authoritative mode.
  * Ensure CAP_NET_ADMIN capability is available when conntrack
    is configured.
  * When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are

OBS-URL: https://build.opensuse.org/request/show/921143
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dnsmasq?expand=0&rev=83

dnsmasq-2.85.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ad98d3803df687e5b938080f3d25c628fe41c878752d03fbc6199787fee312fa
-size 518316

dnsmasq-2.85.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAmBuGPsACgkQFc3aauGR
-NaIg6A//Xfcu62aItiHf/jTeFHUSqHrdqanDqLRWSpgdeKO2adk+s66p5CqVHC8K
-JfxPo6eTUj8uX53Idy5oiwUz4d40iiOjfxHs4Nme0ozyIAHGw/Tfwx7/+NV882vi
-+rtqhjF83dRsnqIR95FD17tVI+cR0sq6XKzwBtPicjmPt79sQ2UtkBo7I+IS9B5g
-o+i21gGYm34EgY6EavveWfGkKgJLz+cF59h4i16lc1eRGNsy5clURDxiJ65Zz0zb
-ZARLudEclbFNdoUu/4idmOUhZCGWrqf9o+rQDYW3vN85saxCPbTChqqy1VC6OBnX
-VLN3cAJlk1hS5X0HzewhXkOqulzjg81KWRQ8EYATdOQP7u6apv4q87hnmr+uL9E8
-0VZ3ECyhH7n6qNXfqNS2Fp3Yp0sm1hgRy+6bu/IgVTPs/Ro22HqTiw5YXZQkPMbe
-A4acAep59nIV9dEB5DYF1N0S0P6OcVtUsZAFlGS1cD0owFuI44W/lg8w9xA9gyJv
-uqZvZqkQDM8bi9zJ2d7fjf65pjS+7S9ISxDoPHp34lLMB7D/rAuW8GVBkL1KxMWb
-sRHIBDKM01CXZeRBlbxAYHlH7s2QehRk/t57ksTmPtT3IAVMSajEG0+1YElUGg8s
-2gqLtCLdmB6Lwl4RFripSERvPzYOAsd8DiqDL9wYOECBStUGuEw=
-=W3WM
------END PGP SIGNATURE-----

dnsmasq-2.86.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:28d52cfc9e2004ac4f85274f52b32e1647b4dbc9761b82e7de1e41c49907eb08
+size 531404

dnsmasq-2.86.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAmE5MDYACgkQFc3aauGR
+NaKtqA//W2QQv/K6l009r6LBQdUxrYwygJ/TXKsZLb6JlpVSCgLJ0FvK95wJnt9S
+YxeTbMogr/Pd2jbZJAnPz2mTxfqZAv1Xob+qaXfn/K772tMyjzgUCIfdsBSRKmUS
+RYxln8NiMwahI8uYLBWLtSPBpaYLiHEp5W+wV6OHu4OGfCG1qyhlem4Hs1UJy2KN
+I6UjLXYJYJBp1UBqsakEuNe4dzUp0v0OI4VYYRUriyTsmptcLFZMUAtdq6EJ9eUX
+0p8zhxWotJCzkZrF/t6Myb8ydudwLkUqICA6a9PTw5o34KxZ2VKWtu6NQoWaT8WK
+5c7gbk/UprlPhKEDMOuGNC5JHSpm+2Fhq8c8PkIn6zPYv0Wvb/M+2DYLjptfbodl
+VHhuzngnneFOdNK+XzPCG37cG1qpzey1mLWtsl5Ji0d1hBLnlk9vl8Hqb5ozLAJC
+rMlhIB85hyt6VAj29Ye3DnObNLRSmfDiN4frptmQssqMqO1+eI2b/8zvrxIByYG+
+HboOt5/gotVavAmZwPfesbpje50PaPVTgFjQjc8BAwXEhFsn98MVRdz7Iwc5xQmG
+upOd+44HC3at+So9+X9ocVofvItuDn7wYVnoZU7LcF5Isnoz3FhRMAusm8EsfJkI
+lQr7vsg5/oUBU2Dr/NCBjbe/cYX4/+BEdnnQkLvG33pF8xTiyAQ=
+=XpGA
+-----END PGP SIGNATURE-----

dnsmasq.changes

@@ -1,3 +1,47 @@
+-------------------------------------------------------------------
+Thu Sep 23 08:48:12 UTC 2021 - Reinhard Max <max@suse.com>
+
+- jsc#SLE-17936: Sync this state from Factory to SLE-15-SP1.
+- SLE bugs that got fixed upstream between 2.79 and 2.86, but for
+  which we need to keep references when syncing:
+  * bsc#1176076: dnsmasq-servfail.patch
+  * bsc#1156543: dnsmasq-siocgstamp.patch
+  * bsc#1138743: dnsmasq-cache-size.patch
+  * bsc#1076958: CVE-2017-15107, dnsmasq-CVE-2017-15107.patch 
+  * bsc#1180914: Open inotify socket only when used.
+  * removed dnsmasq-dnspooq.patch
+- bsc#1173646: Set --local-service by default.
+
+-------------------------------------------------------------------
+Fri Sep 17 11:10:17 UTC 2021 - Reinhard Max <max@suse.com>
+
+- Update to 2.86:
+  * Handle DHCPREBIND requests in the DHCPv6 server code.
+  * Fix bug which caused dnsmasq to lose track of processes forked
+    to handle TCP DNS connections under heavy load.
+  * Major rewrite of the DNS server and domain handling code. This
+    should be largely transparent, but it drastically improves
+    performance and reduces memory foot-print when configuring
+    large numbers of domains.
+  * Revise resource handling for number of concurrent DNS queries.
+  * Improve efficiency of DNSSEC.
+  * Connection track mark based DNS query filtering.
+  * Allow smaller than 64 prefix lengths in synth-domain, with
+    caveats.
+    --synth-domain=1234:4567::/56,example.com is now valid.
+  * Make domains generated by --synth-domain appear in replies
+    when in authoritative mode.
+  * Ensure CAP_NET_ADMIN capability is available when conntrack
+    is configured.
+  * When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are
+    given a directory as argument, define the order in which files
+    within that directory are read (alphabetical order of filename).
+
+-------------------------------------------------------------------
+Tue Sep 14 06:19:17 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400).
+
 -------------------------------------------------------------------
 Sun Jun 13 13:28:49 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
 

dnsmasq.service

@@ -5,6 +5,18 @@ Wants=nss-lookup.target
 Before=nss-lookup.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=dbus
 BusName=uk.org.thekelleys.dnsmasq
 ExecStartPre=/usr/sbin/dnsmasq --test

dnsmasq.spec

@@ -22,7 +22,7 @@
 %bcond_without tftp_user_package
 %endif
 Name:           dnsmasq
-Version:        2.85
+Version:        2.86
 Release:        0
 Summary:        DNS Forwarder and DHCP Server
 License:        GPL-2.0-only OR GPL-3.0-only
@@ -101,9 +101,21 @@ sed -i -e 's|CACHESIZ 150|CACHESIZ 2000|;
 	   s|CHGRP "dip"|CHGRP "nogroup"|' \
 	src/config.h
 
-# Fix trust-anchor.conf location and include /etc/dnsmasq.d/*.conf by default
+# Tweaks to the default configuration:
+# - Fix trust-anchor.conf location
+# - Include /etc/dnsmasq.d/*.conf by default
+# - Only answer queries coming from the local network
 sed -i -e '/trust-anchors.conf/c\#conf-file=%{_sysconfdir}/dnsmasq.d/trust-anchors.conf' \
        -e '/conf-dir=.*conf/s/^\#//' \
+       -e '0,/^$/{/^$/a \
+# Accept DNS queries only from hosts whose address is on a local\
+# subnet, ie a subnet for which an interface exists on the server.\
+# It is intended to be set as a default on installation, to allow\
+# unconfigured installations to be useful but also safe from being\
+# used for DNS amplification attacks.\
+local-service\
+
+}' \
 	dnsmasq.conf.example
 
 %build