diff --git a/dnsmasq-2.89.tar.xz b/dnsmasq-2.89.tar.xz
deleted file mode 100644
index 0ce2ae2..0000000
--- a/dnsmasq-2.89.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:02bd230346cf0b9d5909f5e151df168b2707103785eb616b56685855adebb609
-size 562700
diff --git a/dnsmasq-2.89.tar.xz.asc b/dnsmasq-2.89.tar.xz.asc
deleted file mode 100644
index 58ae11e..0000000
--- a/dnsmasq-2.89.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAmPe36kACgkQFc3aauGR
-NaLJZg/+K/gk5uLUH48BCNAVNtffC1jGLIxQ2usJbXvJ02n9WcidN3dX6MlVBYNq
-s5ouNuDZdIgydJjFWgIIqxtsVdeYhJ6sd9fSDX+8iT4zDLw0N1puDE5YZvvqHxFD
-0gYuIcu4ukr5tsBL5ClWoVtTDGEi8NZ+PaGCZrnPVuZWPAnNrf3MbiUqPaJxCgA6
-GNnfqm9LKEL5sPwQlErhf1GLFG7UOPXyjfIQilI6+ShCajDmDjvsPs8Y3JqC66rt
-6OEFDKbNVoZQDVA53PswLa1mb5gryB6r7gU5ofwS6jr34BNFfkBGFk6wjhZfZenu
-OGU3Adk36l5HykAH5fjDs95bVBLoq+N+gG1Yor4qgUmdgSlLvh8lwArXwweWW2Q5
-k/Nkk/MZaIEL+3nqdIMptfGG82rhCuS1jse2DyYcTmJiJdew2Mv+AQAVIm/Km7oa
-3HrpxQJ88LLRtWwfKbW9yRipt+JkzrrZun5VftQ85Xn9nELgU5n5rdHUCzXrpu0r
-/dFw5JoTfcIsPGQ8a2IIMW6SyWOEkv8EWAq+10mNokpnQMv5RFHmZoGQhx1PmHWy
-+mqHh9T2B9KYGHKRjP4apQkX+JSuqmsdLt1sNfzcnwjQQ0nEq0FMub2hNJ8V0S/4
-h/QpdO6qLn9RYSx0Be31BTAZNq71ow6HPjV62i4l+xTpYq9q1Ik=
-=yXEY
------END PGP SIGNATURE-----
diff --git a/dnsmasq-2.90.tar.xz b/dnsmasq-2.90.tar.xz
new file mode 100644
index 0000000..d5a7820
--- /dev/null
+++ b/dnsmasq-2.90.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8e50309bd837bfec9649a812e066c09b6988b73d749b7d293c06c57d46a109e4
+size 570672
diff --git a/dnsmasq-2.90.tar.xz.asc b/dnsmasq-2.90.tar.xz.asc
new file mode 100644
index 0000000..583aaa0
--- /dev/null
+++ b/dnsmasq-2.90.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAmXLc7MACgkQFc3aauGR
+NaKwug/7BIZ9TOBB65sR/rBg0JU/4jBG1WQglmEckSkK7NWagXVbjlVVl0F1AUZo
+JBaW6qIvFZ9q7OlOB50gpZNC0wvIYRa8bdvicWjktxW/KFC/NZo5iI6DHH0p6LK2
+pymMCGyRkAgVc8Yxv3BDTqw70ld4gA8WamNWQsfS14n0VF/abOv/A0x70XkHPdIc
+U9ZZX+1/Zn6s08arzUSEAnuR3+SW6Amq6MJKwCT8eVDNvTG35o0+HWAmyo+EjRmo
+PdiIa1fmOcY8V80E5Xs2V11kMZeAZymD/GzCUTwW4Q2T7WW3OsMc9KlH35bAhfvI
+iiBDbmYqI6AgLi6rIB1X6CKZ5V3VR93nxbSieaocZ145BAukxFOLuBTqjR1jhZt7
+63HfbYv3aViwMX2Ggk0XIh/OvIr6dFAsqiD6n+pYKLOVs1nyhXK1UP+J/9BhvJfx
+4Dzx38K1iFilyR35tUiRosiZHgEHiZtJJ2u4B+nVENHpcVPG1cZQ92x7b2UDBfL4
+wcZ2U4guxdN4iBE7zzCseJNFL7NZ0U476RWEG9NybAnGGlpDY8m5AuQ5nHT0AjV7
+d+Fq0EaKr0rfjDk1bjYf88VRW0Khx4Fz5IsmnGw/p+09xBEhQftK+M42FpIbbscx
+uZQ5i7CNkMAsft/lUGYEdLcTi5HuDWBtbXjVMLvzFRPz7W9l0J0=
+=iZdM
+-----END PGP SIGNATURE-----
diff --git a/dnsmasq-CVE-2023-28450.patch b/dnsmasq-CVE-2023-28450.patch
deleted file mode 100644
index 66ad67e..0000000
--- a/dnsmasq-CVE-2023-28450.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 Mon Sep 17 00:00:00 2001
-From: Simon Kelley
-Date: Tue, 7 Mar 2023 22:07:46 +0000
-Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232.
-
-http://www.dnsflagday.net/2020/ refers.
-
-Thanks to Xiang Li for the prompt.
----
- CHANGELOG | 9 ++++++++-
- man/dnsmasq.8 | 3 ++-
- src/config.h | 2 +-
- 3 files changed, 11 insertions(+), 3 deletions(-)
-
---- CHANGELOG.orig
-+++ CHANGELOG
-@@ -11,7 +11,14 @@ version 2.89
- for reporting the bug and for his great efforts in chasing
- it down.
-
-+ Set the default maximum DNS UDP packet sice to 1232. This
-+ has been the recommended value since 2020 because it's the
-+ largest value that avoid fragmentation, and fragmentation
-+ is just not reliable on the modern internet, especially
-+ for IPv6. It's still possible to override this with
-+ --edns-packet-max for special circumstances.
-
-+
- version 2.88
- Fix bug in --dynamic-host when an interface has /16 IPv4
- address. Thanks to Mark Dietzer for spotting this.
---- man/dnsmasq.8.orig
-+++ man/dnsmasq.8
-@@ -183,7 +183,8 @@ to zero completely disables DNS function
- .TP
- .B \-P, --edns-packet-max=
- Specify the largest EDNS.0 UDP packet which is supported by the DNS
--forwarder. Defaults to 4096, which is the RFC5625-recommended size.
-+forwarder. Defaults to 1232, which is the recommended size following the
-+DNS flag day in 2020. Only increase if you know what you are doing.
- .TP
- .B \-Q, --query-port=
- Send outbound DNS queries from, and listen for their replies on, the
---- src/config.h.orig
-+++ src/config.h
-@@ -19,7 +19,7 @@
- #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
- #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
- #define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */
--#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
-+#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */
- #define SAFE_PKTSZ 1232 /* "go anywhere" UDP packet size, see https://dnsflagday.net/2020/ */
- #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
- #define DNSSEC_WORK 50 /* Max number of queries to validate one question */
diff --git a/dnsmasq-groups.patch b/dnsmasq-groups.patch
index 803c50f..85fdc3b 100644
--- a/dnsmasq-groups.patch
+++ b/dnsmasq-groups.patch
@@ -1,6 +1,6 @@
 --- src/dnsmasq.c.orig
 +++ src/dnsmasq.c
-@@ -731,11 +731,10 @@ int main (int argc, char **argv)
+@@ -728,11 +728,10 @@ int main (int argc, char **argv)
 if (!option_bool(OPT_DEBUG) && getuid() == 0)
 {
 int bad_capabilities = 0;
diff --git a/dnsmasq.changes b/dnsmasq.changes
index 50d6f0e..a14468b 100644
--- a/dnsmasq.changes
+++ b/dnsmasq.changes
@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Wed Feb 14 17:39:46 UTC 2024 - Reinhard Max
+
+- update to 2.90:
+ * CVE-2023-50387, CVE-2023-50868, bsc#1219823, bsc#1219826:
+ Denial Of Service while trying to validate specially crafted
+ DNSSEC responses
+ * Fix reversion in --rev-server introduced in 2.88 which caused
+ breakage if the prefix length is not exactly divisible by 8
+ (IPv4) or 4 (IPv6).
+ * Fix possible SEGV when there server(s) for a particular domain
+ are configured, but no server which is not qualified for a
+ particular domain.
+ * Set the default maximum DNS UDP packet sice to 1232.
+ Obsoletes: dnsmasq-CVE-2023-28450.patch
+ * Add --no-dhcpv4-interface and --no-dhcpv6-interface for better
+ control over which inetrfaces are providing DHCP service.
+ * Fix issue with stale caching
+ * Add configurable caching for arbitrary RR-types.
+ * Add --filter-rr option, to filter arbitrary RR-types.
+
 -------------------------------------------------------------------
 Fri Oct 13 08:48:49 UTC 2023 - Thorsten Kukuk
 
diff --git a/dnsmasq.spec b/dnsmasq.spec
index fc23acf..aa394d2 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package dnsmasq
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@
 %bcond_with tftp_user_package
 %endif
 Name: dnsmasq
-Version: 2.89
+Version: 2.90
 Release: 0
 Summary: DNS Forwarder and DHCP Server
 License: GPL-2.0-only OR GPL-3.0-only
@@ -35,7 +35,6 @@ Source4: dnsmasq.service
 Source5: rc.dnsmasq-suse
 Source6: system-user-dnsmasq.conf
 Patch0: dnsmasq-groups.patch
-Patch1: dnsmasq-CVE-2023-28450.patch
 BuildRequires: dbus-1-devel
 BuildRequires: dos2unix
 BuildRequires: libidn2-devel