Accepting request 921143 from network
- jsc#SLE-17936: Sync this state from Factory to SLE-15-SP1.
- SLE bugs that got fixed upstream between 2.79 and 2.86, but for
  which we need to keep references when syncing:
  * bsc#1176076: dnsmasq-servfail.patch
  * bsc#1156543: dnsmasq-siocgstamp.patch
  * bsc#1138743: dnsmasq-cache-size.patch
  * bsc#1076958: CVE-2017-15107, dnsmasq-CVE-2017-15107.patch
  * bsc#1180914: Open inotify socket only when used.
  * removed dnsmasq-dnspooq.patch
- bsc#1173646: Set --local-service by default.
- Update to 2.86:
  * Handle DHCPREBIND requests in the DHCPv6 server code.
  * Fix bug which caused dnsmasq to lose track of processes forked
    to handle TCP DNS connections under heavy load.
  * Major rewrite of the DNS server and domain handling code. This
    should be largely transparent, but it drastically improves
    performance and reduces memory foot-print when configuring
    large numbers of domains.
  * Revise resource handling for number of concurrent DNS queries.
  * Improve efficiency of DNSSEC.
  * Connection track mark based DNS query filtering.
  * Allow smaller than 64 prefix lengths in synth-domain, with
    caveats.
    --synth-domain=1234:4567::/56,example.com is now valid.
  * Make domains generated by --synth-domain appear in replies
    when in authoritative mode.
  * Ensure CAP_NET_ADMIN capability is available when conntrack
    is configured.
  * When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are

OBS-URL: https://build.opensuse.org/request/show/921143
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dnsmasq?expand=0&rev=83
This commit is contained in:
commit
25af15f8e3
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:ad98d3803df687e5b938080f3d25c628fe41c878752d03fbc6199787fee312fa
|
|
||||||
size 518316
|
|
@ -1,16 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAmBuGPsACgkQFc3aauGR
|
|
||||||
NaIg6A//Xfcu62aItiHf/jTeFHUSqHrdqanDqLRWSpgdeKO2adk+s66p5CqVHC8K
|
|
||||||
JfxPo6eTUj8uX53Idy5oiwUz4d40iiOjfxHs4Nme0ozyIAHGw/Tfwx7/+NV882vi
|
|
||||||
+rtqhjF83dRsnqIR95FD17tVI+cR0sq6XKzwBtPicjmPt79sQ2UtkBo7I+IS9B5g
|
|
||||||
o+i21gGYm34EgY6EavveWfGkKgJLz+cF59h4i16lc1eRGNsy5clURDxiJ65Zz0zb
|
|
||||||
ZARLudEclbFNdoUu/4idmOUhZCGWrqf9o+rQDYW3vN85saxCPbTChqqy1VC6OBnX
|
|
||||||
VLN3cAJlk1hS5X0HzewhXkOqulzjg81KWRQ8EYATdOQP7u6apv4q87hnmr+uL9E8
|
|
||||||
0VZ3ECyhH7n6qNXfqNS2Fp3Yp0sm1hgRy+6bu/IgVTPs/Ro22HqTiw5YXZQkPMbe
|
|
||||||
A4acAep59nIV9dEB5DYF1N0S0P6OcVtUsZAFlGS1cD0owFuI44W/lg8w9xA9gyJv
|
|
||||||
uqZvZqkQDM8bi9zJ2d7fjf65pjS+7S9ISxDoPHp34lLMB7D/rAuW8GVBkL1KxMWb
|
|
||||||
sRHIBDKM01CXZeRBlbxAYHlH7s2QehRk/t57ksTmPtT3IAVMSajEG0+1YElUGg8s
|
|
||||||
2gqLtCLdmB6Lwl4RFripSERvPzYOAsd8DiqDL9wYOECBStUGuEw=
|
|
||||||
=W3WM
|
|
||||||
-----END PGP SIGNATURE-----
|
|
3
dnsmasq-2.86.tar.xz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:28d52cfc9e2004ac4f85274f52b32e1647b4dbc9761b82e7de1e41c49907eb08
|
||||||
|
size 531404
|
16
dnsmasq-2.86.tar.xz.asc
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAmE5MDYACgkQFc3aauGR
|
||||||
|
NaKtqA//W2QQv/K6l009r6LBQdUxrYwygJ/TXKsZLb6JlpVSCgLJ0FvK95wJnt9S
|
||||||
|
YxeTbMogr/Pd2jbZJAnPz2mTxfqZAv1Xob+qaXfn/K772tMyjzgUCIfdsBSRKmUS
|
||||||
|
RYxln8NiMwahI8uYLBWLtSPBpaYLiHEp5W+wV6OHu4OGfCG1qyhlem4Hs1UJy2KN
|
||||||
|
I6UjLXYJYJBp1UBqsakEuNe4dzUp0v0OI4VYYRUriyTsmptcLFZMUAtdq6EJ9eUX
|
||||||
|
0p8zhxWotJCzkZrF/t6Myb8ydudwLkUqICA6a9PTw5o34KxZ2VKWtu6NQoWaT8WK
|
||||||
|
5c7gbk/UprlPhKEDMOuGNC5JHSpm+2Fhq8c8PkIn6zPYv0Wvb/M+2DYLjptfbodl
|
||||||
|
VHhuzngnneFOdNK+XzPCG37cG1qpzey1mLWtsl5Ji0d1hBLnlk9vl8Hqb5ozLAJC
|
||||||
|
rMlhIB85hyt6VAj29Ye3DnObNLRSmfDiN4frptmQssqMqO1+eI2b/8zvrxIByYG+
|
||||||
|
HboOt5/gotVavAmZwPfesbpje50PaPVTgFjQjc8BAwXEhFsn98MVRdz7Iwc5xQmG
|
||||||
|
upOd+44HC3at+So9+X9ocVofvItuDn7wYVnoZU7LcF5Isnoz3FhRMAusm8EsfJkI
|
||||||
|
lQr7vsg5/oUBU2Dr/NCBjbe/cYX4/+BEdnnQkLvG33pF8xTiyAQ=
|
||||||
|
=XpGA
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -1,3 +1,47 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Sep 23 08:48:12 UTC 2021 - Reinhard Max <max@suse.com>
|
||||||
|
|
||||||
|
- jsc#SLE-17936: Sync this state from Factory to SLE-15-SP1.
|
||||||
|
- SLE bugs that got fixed upstream between 2.79 and 2.86, but for
|
||||||
|
which we need to keep references when syncing:
|
||||||
|
* bsc#1176076: dnsmasq-servfail.patch
|
||||||
|
* bsc#1156543: dnsmasq-siocgstamp.patch
|
||||||
|
* bsc#1138743: dnsmasq-cache-size.patch
|
||||||
|
* bsc#1076958: CVE-2017-15107, dnsmasq-CVE-2017-15107.patch
|
||||||
|
* bsc#1180914: Open inotify socket only when used.
|
||||||
|
* removed dnsmasq-dnspooq.patch
|
||||||
|
- bsc#1173646: Set --local-service by default.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Sep 17 11:10:17 UTC 2021 - Reinhard Max <max@suse.com>
|
||||||
|
|
||||||
|
- Update to 2.86:
|
||||||
|
* Handle DHCPREBIND requests in the DHCPv6 server code.
|
||||||
|
* Fix bug which caused dnsmasq to lose track of processes forked
|
||||||
|
to handle TCP DNS connections under heavy load.
|
||||||
|
* Major rewrite of the DNS server and domain handling code. This
|
||||||
|
should be largely transparent, but it drastically improves
|
||||||
|
performance and reduces memory foot-print when configuring
|
||||||
|
large numbers of domains.
|
||||||
|
* Revise resource handling for number of concurrent DNS queries.
|
||||||
|
* Improve efficiency of DNSSEC.
|
||||||
|
* Connection track mark based DNS query filtering.
|
||||||
|
* Allow smaller than 64 prefix lengths in synth-domain, with
|
||||||
|
caveats.
|
||||||
|
--synth-domain=1234:4567::/56,example.com is now valid.
|
||||||
|
* Make domains generated by --synth-domain appear in replies
|
||||||
|
when in authoritative mode.
|
||||||
|
* Ensure CAP_NET_ADMIN capability is available when conntrack
|
||||||
|
is configured.
|
||||||
|
* When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are
|
||||||
|
given a directory as argument, define the order in which files
|
||||||
|
within that directory are read (alphabetical order of filename).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Sep 14 06:19:17 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
||||||
|
|
||||||
|
- Added hardening to systemd service(s) (bsc#1181400).
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Sun Jun 13 13:28:49 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
|
Sun Jun 13 13:28:49 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
|
||||||
|
|
||||||
|
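Review bot: In the Sep 23 entry, the bullet `* removed dnsmasq-dnspooq.patch` sits in the list of SLE bugs "for which we need to keep references when syncing", yet it is the only item in that list without a bsc# or CVE identifier. Please add the bug and CVE references that patch carried to the bullet, in the same form as the `bsc#1076958: CVE-2017-15107` line above it, so the reason the patch could be dropped stays traceable from the changelog once the patch file is gone.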
@ -5,6 +5,18 @@ Wants=nss-lookup.target
|
|||||||
Before=nss-lookup.target
|
Before=nss-lookup.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
|
# added automatically, for details please see
|
||||||
|
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||||
|
ProtectSystem=full
|
||||||
|
ProtectHome=true
|
||||||
|
ProtectHostname=true
|
||||||
|
ProtectClock=true
|
||||||
|
ProtectKernelTunables=true
|
||||||
|
ProtectKernelModules=true
|
||||||
|
ProtectKernelLogs=true
|
||||||
|
ProtectControlGroups=true
|
||||||
|
RestrictRealtime=true
|
||||||
|
# end of automatic additions
|
||||||
Type=dbus
|
Type=dbus
|
||||||
BusName=uk.org.thekelleys.dnsmasq
|
BusName=uk.org.thekelleys.dnsmasq
|
||||||
ExecStartPre=/usr/sbin/dnsmasq --test
|
ExecStartPre=/usr/sbin/dnsmasq --test
|
||||||
|
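Review bot: `ProtectHome=true` and `ProtectSystem=full` in the new [Service] block change which paths the daemon can reach, but the only documentation is the generic "added automatically" comment and the one-line changelog entry for bsc#1181400. With `ProtectHome=true`, /home, /root and /run/user are inaccessible to the service, and with `ProtectSystem=full`, /usr, the boot loader directories and /etc are read-only. dnsmasq takes admin-chosen paths (the changelog in this same commit names `--dhcp-hostsfile`, `--dhcp-optsfile` and `--addn-hosts`), so a setup that keeps such files under /home will stop working after the update. Suggest stating in the changelog entry which directives were added, and noting that affected setups need to relocate the files or relax the setting with a unit drop-in.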
16
dnsmasq.spec
@ -22,7 +22,7 @@
|
|||||||
%bcond_without tftp_user_package
|
%bcond_without tftp_user_package
|
||||||
%endif
|
%endif
|
||||||
Name: dnsmasq
|
Name: dnsmasq
|
||||||
Version: 2.85
|
Version: 2.86
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: DNS Forwarder and DHCP Server
|
Summary: DNS Forwarder and DHCP Server
|
||||||
License: GPL-2.0-only OR GPL-3.0-only
|
License: GPL-2.0-only OR GPL-3.0-only
|
||||||
@ -101,9 +101,21 @@ sed -i -e 's|CACHESIZ 150|CACHESIZ 2000|;
|
|||||||
s|CHGRP "dip"|CHGRP "nogroup"|' \
|
s|CHGRP "dip"|CHGRP "nogroup"|' \
|
||||||
src/config.h
|
src/config.h
|
||||||
|
|
||||||
# Fix trust-anchor.conf location and include /etc/dnsmasq.d/*.conf by default
|
# Tweaks to the default configuration:
|
||||||
|
# - Fix trust-anchor.conf location
|
||||||
|
# - Include /etc/dnsmasq.d/*.conf by default
|
||||||
|
# - Only answer queries coming from the local network
|
||||||
sed -i -e '/trust-anchors.conf/c\#conf-file=%{_sysconfdir}/dnsmasq.d/trust-anchors.conf' \
|
sed -i -e '/trust-anchors.conf/c\#conf-file=%{_sysconfdir}/dnsmasq.d/trust-anchors.conf' \
|
||||||
-e '/conf-dir=.*conf/s/^\#//' \
|
-e '/conf-dir=.*conf/s/^\#//' \
|
||||||
|
-e '0,/^$/{/^$/a \
|
||||||
|
# Accept DNS queries only from hosts whose address is on a local\
|
||||||
|
# subnet, ie a subnet for which an interface exists on the server.\
|
||||||
|
# It is intended to be set as a default on installation, to allow\
|
||||||
|
# unconfigured installations to be useful but also safe from being\
|
||||||
|
# used for DNS amplification attacks.\
|
||||||
|
local-service\
|
||||||
|
|
||||||
|
}' \
|
||||||
dnsmasq.conf.example
|
dnsmasq.conf.example
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
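Review bot: The added expression `-e '0,/^$/{/^$/a \` ties the `local-service` insertion to the first empty line of dnsmasq.conf.example, and nothing after the sed call checks that the line was actually written. If a later upstream example file has no empty line, sed still exits successfully and the package builds without the default that the changelog promises for bsc#1173646, which is the protection against use in DNS amplification attacks described in the inserted comment. Suggest following the sed call with a check such as `grep -qx local-service dnsmasq.conf.example` so the build fails instead of silently shipping without it. The `0,/re/` address form is also a GNU sed extension, which deserves a word in the comment block above the command.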