- Update to 2.83:

* bsc#1177077: Fixed DNSpooq vulnerabilities
  * Use the values of --min-port and --max-port in outgoing
    TCP connections to upstream DNS servers.
  * Fix a remote buffer overflow problem in the DNSSEC code.
    Any dnsmasq with DNSSEC compiled in and enabled is vulnerable
    to this, referenced by CVE-2020-25681, CVE-2020-25682,
    CVE-2020-25683 CVE-2020-25687.
  * Be sure to only accept UDP DNS query replies at the address
    from which the query was originated. This keeps as much
    entropy in the {query-ID, random-port} tuple as possible, to
    help defeat cache poisoning attacks. Refer: CVE-2020-25684.
  * Use the SHA-256 hash function to verify that DNS answers
    received are for the questions originally asked. This replaces
    the slightly insecure SHA-1 (when compiled with DNSSEC) or
    the very insecure CRC32 (otherwise). Refer: CVE-2020-25685
  * Handle multiple identical near simultaneous DNS queries better.
    Previously, such queries would all be forwarded independently.
    This is, in theory, inefficent but in practise not a problem,
    _except_ that is means that an answer for any of the forwarded
    queries will be accepted and cached.
    An attacker can send a query multiple times, and for each
    repeat, another {port, ID} becomes capable of accepting the
    answer he is sending in the blind, to random IDs and ports.
    The chance of a succesful attack is therefore multiplied by the
    number of repeats of the query. The new behaviour detects
    repeated queries and merely stores the clients sending repeats
    so that when the first query completes, the answer can be sent
    to all the clients who asked. Refer: CVE-2020-25686.

OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=126

dnsmasq-2.82.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:84523646f3116bb5e1151efb66e645030f6e6a8256f29aab444777a343ebc132
-size 509904

dnsmasq-2.82.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAl8UwTUACgkQFc3aauGR
-NaLN9A/7BwXyk9I50Xgct/25lzXBU8E3apZXNfsHS3NBIRudNzVEKU6pqdqXIWmF
-Neiq7zzgSF4n6azP8tIfoLrMtmblK+6qetd/zyLLqMCp/xwuriX9IGrYdXfYSn8F
-mqBrCsppww+mBhbV+trbjBdpfqG+5Vf2o9Crx41bdNMeYVq8ZeZbD+SDRZCU8OtF
-PvoKYEtJicycWrHdSObpl1ky/huB9zuawPRsMIQZ2pDaFkC1CzBGaBmd6i/B1kcP
-oDN+c6pBCCi2FKingiUiNNxSGuvhfT6eiAQaVdL0hHpSzSR+POezn7UulJg2c1OM
-sR+mL8dReIjUItLjJCknovoGBxGpchNfSSLuj1UxfeetZUf5uVs8ZRec1+n9+tVw
-gweFpE3k7Xwy8IGMT1TAFpP2HhMahkUg1MO1VXOgu4yoIq6g7q1i6O/kFPXyRFz/
-N6V/laJz1oLFtrVW+zQtvLpXJIIc473+Xkpf4DoD2BRmnqr2Ufg2Dk19sdktBbw+
-Xz8YqIUDR781uMy3+N/EQRlQ3+NDjGgA/qJEzpSsUa5E0BHTyfRPLV9kOkJ+IdU5
-SVFgSRek7LBW9zp113xt4dWWoccaWGf5Cdt30Dycknc3PTLgBRRbrJKRz7N2/3by
-c6HvcQYkEdEl9QgUQ7nxFlpK+y9zn8AGRb1lt91Qwj4BI2JGgBA=
-=umZ9
------END PGP SIGNATURE-----

dnsmasq-2.83.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ffc1f7e8b05e22d910b9a71d09f1128197292766dc7c54cb7018a1b2c3af4aea
+size 513880

dnsmasq-2.83.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAmAGqrMACgkQFc3aauGR
+NaK0YBAAph9k8oDA8MnTrDXmGkWWtWks8cEn+DBrE0tSekdehQlPl9jyUwZUUKXI
+3j6qhCVgd9VpwlS810lhU+YTiQoB13f7FR6Bnaps6nYMoi0hUgQrmSyvaQEJ3xmZ
+Vaypvf7DiIQM4Rb95QbWNA684iTE77vwjTiyV+RWFxUyeAXJwH4Dh6AdB74byM+Y
+0WMZqGm6FZQWGI7bCPtW6rLbSZ/5c8szrQxeo6oKo7mCtMaM/nIL5xrTBGwgHK84
+jCKs86ReFeC0dGJZOcEiYWCr6e33CXSD/wl1aw76FefmBVBt1ducAMthURHNiknh
+C7+saiLsgL4UmEPj5xn9gUNx3siz+YSTHjq+9KQNaBACXLCb82UQaH7Os8+0A0Na
+Hhzetyj1LxEbujr4CQrWLU0TwatmJ8jGsGJHdR+IXuBGy+s4NpWxu+SSzBUHe3Je
+DLnIec4XVlj3Hq6zjV1YGWuBMzBCPPp09mmuv4kBLR81+6oGJFQC7T6fK4Vh2qCB
+1vsual+TIHiVWVjRQ/gbGr3SN4XwWC7rlmjXHPEuz47dguf8/2EnU7ADFWI6fGZG
+fmDUXC6Is9U0GH8rZIcoLOZ7CBJuRjzZRCuUjL4wAZ44TaGCHyDiUL4IZ94eNLg+
+kJQtPdgZmpo4EZaaZ8HaXB5zoqp6SK3F3lQB4+w1jUIOkZgQS2A=
+=YQ56
+-----END PGP SIGNATURE-----

dnsmasq.changes

@@ -1,3 +1,36 @@
+-------------------------------------------------------------------
+Tue Jan 19 12:24:02 UTC 2021 - Reinhard Max <max@suse.com>
+
+- Update to 2.83:
+  * bsc#1177077: Fixed DNSpooq vulnerabilities
+  * Use the values of --min-port and --max-port in outgoing
+    TCP connections to upstream DNS servers.
+  * Fix a remote buffer overflow problem in the DNSSEC code.
+    Any dnsmasq with DNSSEC compiled in and enabled is vulnerable
+    to this, referenced by CVE-2020-25681, CVE-2020-25682,
+    CVE-2020-25683 CVE-2020-25687.
+  * Be sure to only accept UDP DNS query replies at the address
+    from which the query was originated. This keeps as much
+    entropy in the {query-ID, random-port} tuple as possible, to
+    help defeat cache poisoning attacks. Refer: CVE-2020-25684.
+  * Use the SHA-256 hash function to verify that DNS answers
+    received are for the questions originally asked. This replaces
+    the slightly insecure SHA-1 (when compiled with DNSSEC) or
+    the very insecure CRC32 (otherwise). Refer: CVE-2020-25685
+  * Handle multiple identical near simultaneous DNS queries better.
+    Previously, such queries would all be forwarded independently.
+    This is, in theory, inefficent but in practise not a problem,
+    _except_ that is means that an answer for any of the forwarded
+    queries will be accepted and cached.
+    An attacker can send a query multiple times, and for each
+    repeat, another {port, ID} becomes capable of accepting the
+    answer he is sending in the blind, to random IDs and ports.
+    The chance of a succesful attack is therefore multiplied by the
+    number of repeats of the query. The new behaviour detects
+    repeated queries and merely stores the clients sending repeats
+    so that when the first query completes, the answer can be sent
+    to all the clients who asked. Refer: CVE-2020-25686.
+
 -------------------------------------------------------------------
 Tue Jul 28 08:00:51 UTC 2020 - Martin Rey <mrey@suse.com>
 

dnsmasq.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package dnsmasq
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@
 %bcond_without tftp_user_package
 %endif
 Name:           dnsmasq
-Version:        2.82
+Version:        2.83
 Release:        0
 Summary:        DNS Forwarder and DHCP Server
 License:        GPL-2.0-only OR GPL-3.0-only