diff --git a/dnsmasq-2.82.tar.xz b/dnsmasq-2.82.tar.xz
deleted file mode 100644
index 43f5f3a..0000000
--- a/dnsmasq-2.82.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:84523646f3116bb5e1151efb66e645030f6e6a8256f29aab444777a343ebc132
-size 509904
diff --git a/dnsmasq-2.82.tar.xz.asc b/dnsmasq-2.82.tar.xz.asc
deleted file mode 100644
index 59012e3..0000000
--- a/dnsmasq-2.82.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAl8UwTUACgkQFc3aauGR
-NaLN9A/7BwXyk9I50Xgct/25lzXBU8E3apZXNfsHS3NBIRudNzVEKU6pqdqXIWmF
-Neiq7zzgSF4n6azP8tIfoLrMtmblK+6qetd/zyLLqMCp/xwuriX9IGrYdXfYSn8F
-mqBrCsppww+mBhbV+trbjBdpfqG+5Vf2o9Crx41bdNMeYVq8ZeZbD+SDRZCU8OtF
-PvoKYEtJicycWrHdSObpl1ky/huB9zuawPRsMIQZ2pDaFkC1CzBGaBmd6i/B1kcP
-oDN+c6pBCCi2FKingiUiNNxSGuvhfT6eiAQaVdL0hHpSzSR+POezn7UulJg2c1OM
-sR+mL8dReIjUItLjJCknovoGBxGpchNfSSLuj1UxfeetZUf5uVs8ZRec1+n9+tVw
-gweFpE3k7Xwy8IGMT1TAFpP2HhMahkUg1MO1VXOgu4yoIq6g7q1i6O/kFPXyRFz/
-N6V/laJz1oLFtrVW+zQtvLpXJIIc473+Xkpf4DoD2BRmnqr2Ufg2Dk19sdktBbw+
-Xz8YqIUDR781uMy3+N/EQRlQ3+NDjGgA/qJEzpSsUa5E0BHTyfRPLV9kOkJ+IdU5
-SVFgSRek7LBW9zp113xt4dWWoccaWGf5Cdt30Dycknc3PTLgBRRbrJKRz7N2/3by
-c6HvcQYkEdEl9QgUQ7nxFlpK+y9zn8AGRb1lt91Qwj4BI2JGgBA=
-=umZ9
------END PGP SIGNATURE-----
diff --git a/dnsmasq-2.83.tar.xz b/dnsmasq-2.83.tar.xz
new file mode 100644
index 0000000..093b168
--- /dev/null
+++ b/dnsmasq-2.83.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ffc1f7e8b05e22d910b9a71d09f1128197292766dc7c54cb7018a1b2c3af4aea
+size 513880
diff --git a/dnsmasq-2.83.tar.xz.asc b/dnsmasq-2.83.tar.xz.asc
new file mode 100644
index 0000000..84e25aa
--- /dev/null
+++ b/dnsmasq-2.83.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAmAGqrMACgkQFc3aauGR
+NaK0YBAAph9k8oDA8MnTrDXmGkWWtWks8cEn+DBrE0tSekdehQlPl9jyUwZUUKXI
+3j6qhCVgd9VpwlS810lhU+YTiQoB13f7FR6Bnaps6nYMoi0hUgQrmSyvaQEJ3xmZ
+Vaypvf7DiIQM4Rb95QbWNA684iTE77vwjTiyV+RWFxUyeAXJwH4Dh6AdB74byM+Y
+0WMZqGm6FZQWGI7bCPtW6rLbSZ/5c8szrQxeo6oKo7mCtMaM/nIL5xrTBGwgHK84
+jCKs86ReFeC0dGJZOcEiYWCr6e33CXSD/wl1aw76FefmBVBt1ducAMthURHNiknh
+C7+saiLsgL4UmEPj5xn9gUNx3siz+YSTHjq+9KQNaBACXLCb82UQaH7Os8+0A0Na
+Hhzetyj1LxEbujr4CQrWLU0TwatmJ8jGsGJHdR+IXuBGy+s4NpWxu+SSzBUHe3Je
+DLnIec4XVlj3Hq6zjV1YGWuBMzBCPPp09mmuv4kBLR81+6oGJFQC7T6fK4Vh2qCB
+1vsual+TIHiVWVjRQ/gbGr3SN4XwWC7rlmjXHPEuz47dguf8/2EnU7ADFWI6fGZG
+fmDUXC6Is9U0GH8rZIcoLOZ7CBJuRjzZRCuUjL4wAZ44TaGCHyDiUL4IZ94eNLg+
+kJQtPdgZmpo4EZaaZ8HaXB5zoqp6SK3F3lQB4+w1jUIOkZgQS2A=
+=YQ56
+-----END PGP SIGNATURE-----
diff --git a/dnsmasq.changes b/dnsmasq.changes
index 05511d1..23339f1 100644
--- a/dnsmasq.changes
+++ b/dnsmasq.changes
@@ -1,3 +1,36 @@
+-------------------------------------------------------------------
+Tue Jan 19 12:24:02 UTC 2021 - Reinhard Max
+
+- Update to 2.83:
+ * bsc#1177077: Fixed DNSpooq vulnerabilities
+ * Use the values of --min-port and --max-port in outgoing
+ TCP connections to upstream DNS servers.
+ * Fix a remote buffer overflow problem in the DNSSEC code.
+ Any dnsmasq with DNSSEC compiled in and enabled is vulnerable
+ to this, referenced by CVE-2020-25681, CVE-2020-25682,
+ CVE-2020-25683 CVE-2020-25687.
+ * Be sure to only accept UDP DNS query replies at the address
+ from which the query was originated. This keeps as much
+ entropy in the {query-ID, random-port} tuple as possible, to
+ help defeat cache poisoning attacks. Refer: CVE-2020-25684.
+ * Use the SHA-256 hash function to verify that DNS answers
+ received are for the questions originally asked. This replaces
+ the slightly insecure SHA-1 (when compiled with DNSSEC) or
+ the very insecure CRC32 (otherwise). Refer: CVE-2020-25685
+ * Handle multiple identical near simultaneous DNS queries better.
+ Previously, such queries would all be forwarded independently.
+ This is, in theory, inefficent but in practise not a problem,
+ _except_ that is means that an answer for any of the forwarded
+ queries will be accepted and cached.
+ An attacker can send a query multiple times, and for each
+ repeat, another {port, ID} becomes capable of accepting the
+ answer he is sending in the blind, to random IDs and ports.
+ The chance of a succesful attack is therefore multiplied by the
+ number of repeats of the query. The new behaviour detects
+ repeated queries and merely stores the clients sending repeats
+ so that when the first query completes, the answer can be sent
+ to all the clients who asked. Refer: CVE-2020-25686.
+
 ------------------------------------------------------------------- Tue Jul 28 08:00:51 UTC 2020 - Martin Rey
diff --git a/dnsmasq.spec b/dnsmasq.spec
index a902915..932a999 100644
--- a/dnsmasq.spec +++ b/dnsmasq.spec @@ -1,7 +1,7 @@ # # spec file for package dnsmasq # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -22,7 +22,7 @@ %bcond_without tftp_user_package %endif Name: dnsmasq -Version: 2.82 +Version: 2.83 Release: 0 Summary: DNS Forwarder and DHCP Server License: GPL-2.0-only OR GPL-3.0-only