From f38fa3d41b666c654b132560afb01b4050a9f461dbcf2463db92b666ae0eec4d Mon Sep 17 00:00:00 2001
From: Reinhard Max <max@suse.com>
Date: Tue, 19 Jan 2021 12:32:14 +0000
Subject: [PATCH] - Update to 2.83:   * bsc#1177077: Fixed DNSpooq
 vulnerabilities   * Use the values of --min-port and --max-port in outgoing  
   TCP connections to upstream DNS servers.   * Fix a remote buffer overflow
 problem in the DNSSEC code.     Any dnsmasq with DNSSEC compiled in and
 enabled is vulnerable     to this, referenced by CVE-2020-25681,
 CVE-2020-25682,     CVE-2020-25683 CVE-2020-25687.   * Be sure to only accept
 UDP DNS query replies at the address     from which the query was originated.
 This keeps as much     entropy in the {query-ID, random-port} tuple as
 possible, to     help defeat cache poisoning attacks. Refer: CVE-2020-25684. 
  * Use the SHA-256 hash function to verify that DNS answers     received are
 for the questions originally asked. This replaces     the slightly insecure
 SHA-1 (when compiled with DNSSEC) or     the very insecure CRC32 (otherwise).
 Refer: CVE-2020-25685   * Handle multiple identical near simultaneous DNS
 queries better.     Previously, such queries would all be forwarded
 independently.     This is, in theory, inefficent but in practise not a
 problem,     _except_ that is means that an answer for any of the forwarded  
   queries will be accepted and cached.     An attacker can send a query
 multiple times, and for each     repeat, another {port, ID} becomes capable
 of accepting the     answer he is sending in the blind, to random IDs and
 ports.     The chance of a succesful attack is therefore multiplied by the   
  number of repeats of the query. The new behaviour detects     repeated
 queries and merely stores the clients sending repeats     so that when the
 first query completes, the answer can be sent     to all the clients who
 asked. Refer: CVE-2020-25686.

OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=126
---
 dnsmasq-2.82.tar.xz     |  3 ---
 dnsmasq-2.82.tar.xz.asc | 16 ----------------
 dnsmasq-2.83.tar.xz     |  3 +++
 dnsmasq-2.83.tar.xz.asc | 16 ++++++++++++++++
 dnsmasq.changes         | 33 +++++++++++++++++++++++++++++++++
 dnsmasq.spec            |  4 ++--
 6 files changed, 54 insertions(+), 21 deletions(-)
 delete mode 100644 dnsmasq-2.82.tar.xz
 delete mode 100644 dnsmasq-2.82.tar.xz.asc
 create mode 100644 dnsmasq-2.83.tar.xz
 create mode 100644 dnsmasq-2.83.tar.xz.asc

diff --git a/dnsmasq-2.82.tar.xz b/dnsmasq-2.82.tar.xz
deleted file mode 100644
index 43f5f3a..0000000
--- a/dnsmasq-2.82.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:84523646f3116bb5e1151efb66e645030f6e6a8256f29aab444777a343ebc132
-size 509904
diff --git a/dnsmasq-2.82.tar.xz.asc b/dnsmasq-2.82.tar.xz.asc
deleted file mode 100644
index 59012e3..0000000
--- a/dnsmasq-2.82.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAl8UwTUACgkQFc3aauGR
-NaLN9A/7BwXyk9I50Xgct/25lzXBU8E3apZXNfsHS3NBIRudNzVEKU6pqdqXIWmF
-Neiq7zzgSF4n6azP8tIfoLrMtmblK+6qetd/zyLLqMCp/xwuriX9IGrYdXfYSn8F
-mqBrCsppww+mBhbV+trbjBdpfqG+5Vf2o9Crx41bdNMeYVq8ZeZbD+SDRZCU8OtF
-PvoKYEtJicycWrHdSObpl1ky/huB9zuawPRsMIQZ2pDaFkC1CzBGaBmd6i/B1kcP
-oDN+c6pBCCi2FKingiUiNNxSGuvhfT6eiAQaVdL0hHpSzSR+POezn7UulJg2c1OM
-sR+mL8dReIjUItLjJCknovoGBxGpchNfSSLuj1UxfeetZUf5uVs8ZRec1+n9+tVw
-gweFpE3k7Xwy8IGMT1TAFpP2HhMahkUg1MO1VXOgu4yoIq6g7q1i6O/kFPXyRFz/
-N6V/laJz1oLFtrVW+zQtvLpXJIIc473+Xkpf4DoD2BRmnqr2Ufg2Dk19sdktBbw+
-Xz8YqIUDR781uMy3+N/EQRlQ3+NDjGgA/qJEzpSsUa5E0BHTyfRPLV9kOkJ+IdU5
-SVFgSRek7LBW9zp113xt4dWWoccaWGf5Cdt30Dycknc3PTLgBRRbrJKRz7N2/3by
-c6HvcQYkEdEl9QgUQ7nxFlpK+y9zn8AGRb1lt91Qwj4BI2JGgBA=
-=umZ9
------END PGP SIGNATURE-----
diff --git a/dnsmasq-2.83.tar.xz b/dnsmasq-2.83.tar.xz
new file mode 100644
index 0000000..093b168
--- /dev/null
+++ b/dnsmasq-2.83.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ffc1f7e8b05e22d910b9a71d09f1128197292766dc7c54cb7018a1b2c3af4aea
+size 513880
diff --git a/dnsmasq-2.83.tar.xz.asc b/dnsmasq-2.83.tar.xz.asc
new file mode 100644
index 0000000..84e25aa
--- /dev/null
+++ b/dnsmasq-2.83.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAmAGqrMACgkQFc3aauGR
+NaK0YBAAph9k8oDA8MnTrDXmGkWWtWks8cEn+DBrE0tSekdehQlPl9jyUwZUUKXI
+3j6qhCVgd9VpwlS810lhU+YTiQoB13f7FR6Bnaps6nYMoi0hUgQrmSyvaQEJ3xmZ
+Vaypvf7DiIQM4Rb95QbWNA684iTE77vwjTiyV+RWFxUyeAXJwH4Dh6AdB74byM+Y
+0WMZqGm6FZQWGI7bCPtW6rLbSZ/5c8szrQxeo6oKo7mCtMaM/nIL5xrTBGwgHK84
+jCKs86ReFeC0dGJZOcEiYWCr6e33CXSD/wl1aw76FefmBVBt1ducAMthURHNiknh
+C7+saiLsgL4UmEPj5xn9gUNx3siz+YSTHjq+9KQNaBACXLCb82UQaH7Os8+0A0Na
+Hhzetyj1LxEbujr4CQrWLU0TwatmJ8jGsGJHdR+IXuBGy+s4NpWxu+SSzBUHe3Je
+DLnIec4XVlj3Hq6zjV1YGWuBMzBCPPp09mmuv4kBLR81+6oGJFQC7T6fK4Vh2qCB
+1vsual+TIHiVWVjRQ/gbGr3SN4XwWC7rlmjXHPEuz47dguf8/2EnU7ADFWI6fGZG
+fmDUXC6Is9U0GH8rZIcoLOZ7CBJuRjzZRCuUjL4wAZ44TaGCHyDiUL4IZ94eNLg+
+kJQtPdgZmpo4EZaaZ8HaXB5zoqp6SK3F3lQB4+w1jUIOkZgQS2A=
+=YQ56
+-----END PGP SIGNATURE-----
diff --git a/dnsmasq.changes b/dnsmasq.changes
index 05511d1..23339f1 100644
--- a/dnsmasq.changes
+++ b/dnsmasq.changes
@@ -1,3 +1,36 @@
+-------------------------------------------------------------------
+Tue Jan 19 12:24:02 UTC 2021 - Reinhard Max <max@suse.com>
+
+- Update to 2.83:
+  * bsc#1177077: Fixed DNSpooq vulnerabilities
+  * Use the values of --min-port and --max-port in outgoing
+    TCP connections to upstream DNS servers.
+  * Fix a remote buffer overflow problem in the DNSSEC code.
+    Any dnsmasq with DNSSEC compiled in and enabled is vulnerable
+    to this, referenced by CVE-2020-25681, CVE-2020-25682,
+    CVE-2020-25683 CVE-2020-25687.
+  * Be sure to only accept UDP DNS query replies at the address
+    from which the query was originated. This keeps as much
+    entropy in the {query-ID, random-port} tuple as possible, to
+    help defeat cache poisoning attacks. Refer: CVE-2020-25684.
+  * Use the SHA-256 hash function to verify that DNS answers
+    received are for the questions originally asked. This replaces
+    the slightly insecure SHA-1 (when compiled with DNSSEC) or
+    the very insecure CRC32 (otherwise). Refer: CVE-2020-25685
+  * Handle multiple identical near simultaneous DNS queries better.
+    Previously, such queries would all be forwarded independently.
+    This is, in theory, inefficent but in practise not a problem,
+    _except_ that is means that an answer for any of the forwarded
+    queries will be accepted and cached.
+    An attacker can send a query multiple times, and for each
+    repeat, another {port, ID} becomes capable of accepting the
+    answer he is sending in the blind, to random IDs and ports.
+    The chance of a succesful attack is therefore multiplied by the
+    number of repeats of the query. The new behaviour detects
+    repeated queries and merely stores the clients sending repeats
+    so that when the first query completes, the answer can be sent
+    to all the clients who asked. Refer: CVE-2020-25686.
+
 -------------------------------------------------------------------
 Tue Jul 28 08:00:51 UTC 2020 - Martin Rey <mrey@suse.com>
 
diff --git a/dnsmasq.spec b/dnsmasq.spec
index a902915..932a999 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package dnsmasq
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@
 %bcond_without tftp_user_package
 %endif
 Name:           dnsmasq
-Version:        2.82
+Version:        2.83
 Release:        0
 Summary:        DNS Forwarder and DHCP Server
 License:        GPL-2.0-only OR GPL-3.0-only