* CVE-2023-50387, CVE-2023-50868, bsc#1219823, bsc#1219826:
Denial Of Service while trying to validate specially crafted
DNSSEC responses
* Fix reversion in --rev-server introduced in 2.88 which caused
breakage if the prefix length is not exactly divisible by 8
(IPv4) or 4 (IPv6).
* Fix possible SEGV when there server(s) for a particular domain
are configured, but no server which is not qualified for a
particular domain.
* Set the default maximum DNS UDP packet sice to 1232.
Obsoletes: dnsmasq-CVE-2023-28450.patch
* Add --no-dhcpv4-interface and --no-dhcpv6-interface for better
control over which inetrfaces are providing DHCP service.
* Fix issue with stale caching
* Add configurable caching for arbitrary RR-types.
* Add --filter-rr option, to filter arbitrary RR-types.
OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=165
- update to 2.89:
* Fix bug introduced in 2.88 (commit fe91134b) which can result
in corruption of the DNS cache internal data structures and
logging of "cache internal error". This has only been seen
in one place in the wild, and it took considerable effort
to even generate a test case to reproduce it, but there's
no way to be sure it won't strike, and the effect is to break
the cache badly. Installations with DNSSEC enabled are more
likely to see the problem, but not running DNSSEC does not
guarantee that it won't happen. Thanks to Timo van Roermund
for reporting the bug and for his great efforts in chasing
it down.
- remove no longer needed rpmlintrc filters
OBS-URL: https://build.opensuse.org/request/show/1063373
OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=155
- update to 2.88:
* Fix bug in --dynamic-host when an interface has /16 IPv4
* address.
* Add --fast-dns-retry option. This gives dnsmasq the ability
to originate retries for upstream DNS queries itself, rather
than relying on the downstream client. This is most useful
when doing DNSSEC over unreliable upstream networks. It comes
with some cost in memory usage and network bandwidth.
* Add --use-stale-cache option. When set, if a DNS name exists
in the cache, but its time-to-live has expired, dnsmasq will
return the data anyway.
* handle removal of whole files or entries within files.
OBS-URL: https://build.opensuse.org/request/show/1044373
OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=153
- update to 2.87 (bsc#1197872, CVE-2022-0934):
* Allow arbitrary prefix lengths in --rev-server and
--domain=....,local
* Replace --address=/#/..... functionality which got
missed in the 2.86 domain search rewrite.
* Add --nftset option, like --ipset but for the newer nftables.
* Add --filter-A and --filter-AAAA options, to remove IPv4 or IPv6
addresses from DNS answers.
* Fix crash doing netbooting when --port is set to zero
to disable the DNS server. Thanks to Drexl Johannes
for the bug report.
* Generalise --dhcp-relay. Sending via broadcast/multicast is
now supported for both IPv4 and IPv6 and the configuration
syntax made easier (but backwards compatible).
* Add snooping of IPv6 prefix-delegations to the DHCP-relay system.
* Finesse parsing of --dhcp-remoteid and --dhcp-subscrid. To be treated
as hex, the pattern must consist of only hex digits AND contain
at least one ':'. Thanks to Bengt-Erik Sandstrom who tripped
over a pattern consisting of a decimal number which was interpreted
surprisingly.
* Include client address in TFTP file-not-found error reports.
Thanks to Stefan Rink for the initial patch, which has been
re-worked by me (srk). All bugs mine.
* Note in manpage the change in behaviour of -address. This behaviour
actually changed in v2.86, but was undocumented there. From 2.86 on,
(eg) --address=/example.com/1.2.3.4 ONLY applies to A queries. All other
types of query will be sent upstream. Pre 2.86, that would catch the
whole example.com domain and queries for other types would get
a local NODATA answer. The pre-2.86 behaviour is still available,
by configuring --address=/example.com/1.2.3.4 --local=/example.com/
OBS-URL: https://build.opensuse.org/request/show/1031298
OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=151
- jsc#SLE-17936: Sync this state from Factory to SLE-15-SP1.
- SLE bugs that got fixed upstream between 2.79 and 2.86, but for
which we need to keep references when syncing:
* bsc#1176076: dnsmasq-servfail.patch
* bsc#1156543: dnsmasq-siocgstamp.patch
* bsc#1138743: dnsmasq-cache-size.patch
* bsc#1076958: CVE-2017-15107, dnsmasq-CVE-2017-15107.patch
* bsc#1180914: Open inotify socket only when used.
* removed dnsmasq-dnspooq.patch
- bsc#1173646: Set --local-service by default.
- Update to 2.86:
* Handle DHCPREBIND requests in the DHCPv6 server code.
* Fix bug which caused dnsmasq to lose track of processes forked
to handle TCP DNS connections under heavy load.
* Major rewrite of the DNS server and domain handling code. This
should be largely transparent, but it drastically improves
performance and reduces memory foot-print when configuring
large numbers of domains.
* Revise resource handling for number of concurrent DNS queries.
* Improve efficiency of DNSSEC.
* Connection track mark based DNS query filtering.
* Allow smaller than 64 prefix lengths in synth-domain, with
caveats.
--synth-domain=1234:4567::/56,example.com is now valid.
* Make domains generated by --synth-domain appear in replies
when in authoritative mode.
* Ensure CAP_NET_ADMIN capability is available when conntrack
is configured.
* When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are
OBS-URL: https://build.opensuse.org/request/show/921143
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dnsmasq?expand=0&rev=83
which we need to keep references when syncing Factory to SLE:
* bsc#1176076: dnsmasq-servfail.patch
* bsc#1156543: dnsmasq-siocgstamp.patch
* bsc#1138743: dnsmasq-cache-size.patch
* bsc#1076958: CVE-2017-15107, dnsmasq-CVE-2017-15107.patch
OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=138
* Handle DHCPREBIND requests in the DHCPv6 server code.
* Fix bug which caused dnsmasq to lose track of processes forked
to handle TCP DNS connections under heavy load.
* Major rewrite of the DNS server and domain handling code. This
should be largely transparent, but it drastically improves
performance and reduces memory foot-print when configuring
large numbers of domains.
* Revise resource handling for number of concurrent DNS queries.
* Improve efficiency of DNSSEC.
* Connection track mark based DNS query filtering.
* Allow smaller than 64 prefix lengths in synth-domain, with
caveats.
--synth-domain=1234:4567::/56,example.com is now valid.
* Make domains generated by --synth-domain appear in replies
when in authoritative mode.
* Ensure CAP_NET_ADMIN capability is available when conntrack
is configured.
* When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are
given a directory as argument, define the order in which files
within that directory are read (alphabetical order of filename).
- Added hardening to systemd service(s) (bsc#1181400).
OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=137
* Fix problem with DNS retries in 2.83/2.84.
* Tweak sort order of tags in get-version.
* Avoid treating a --dhcp-host which has an IPv6 address as
eligible for use with DHCPv4 on the grounds that it has
no address, and vice-versa.
* Add --dynamic-host option: A and AAAA records which take their
network part from the network of a local interface. Useful
for routers with dynamically prefixes.
* Teach --bogus-nxdomain and --ignore-address to take an IPv4
subnet.
* CVE-2021-3448, bsc#1183709: Use random source ports where
possible if source addresses/interfaces in use.
* Change the method of allocation of random source ports for DNS.
* Scale the size of the DNS random-port pool based on the
value of the --dns-forward-max configuration.
* Tweak TFTP code to check sender of all received packets, as
specified in RFC 1350 para 4.
OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=132
- Update to 2.83:
* bsc#1177077: Fixed DNSpooq vulnerabilities
* Use the values of --min-port and --max-port in outgoing
TCP connections to upstream DNS servers.
* Fix a remote buffer overflow problem in the DNSSEC code.
Any dnsmasq with DNSSEC compiled in and enabled is vulnerable
to this, referenced by CVE-2020-25681, CVE-2020-25682,
CVE-2020-25683 CVE-2020-25687.
* Be sure to only accept UDP DNS query replies at the address
from which the query was originated. This keeps as much
entropy in the {query-ID, random-port} tuple as possible, to
help defeat cache poisoning attacks. Refer: CVE-2020-25684.
* Use the SHA-256 hash function to verify that DNS answers
received are for the questions originally asked. This replaces
the slightly insecure SHA-1 (when compiled with DNSSEC) or
the very insecure CRC32 (otherwise). Refer: CVE-2020-25685
* Handle multiple identical near simultaneous DNS queries better.
Previously, such queries would all be forwarded independently.
This is, in theory, inefficent but in practise not a problem,
_except_ that is means that an answer for any of the forwarded
queries will be accepted and cached.
An attacker can send a query multiple times, and for each
repeat, another {port, ID} becomes capable of accepting the
answer he is sending in the blind, to random IDs and ports.
The chance of a succesful attack is therefore multiplied by the
number of repeats of the query. The new behaviour detects
repeated queries and merely stores the clients sending repeats
so that when the first query completes, the answer can be sent
to all the clients who asked. Refer: CVE-2020-25686.
OBS-URL: https://build.opensuse.org/request/show/864301
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dnsmasq?expand=0&rev=79
* bsc#1177077: Fixed DNSpooq vulnerabilities
* Use the values of --min-port and --max-port in outgoing
TCP connections to upstream DNS servers.
* Fix a remote buffer overflow problem in the DNSSEC code.
Any dnsmasq with DNSSEC compiled in and enabled is vulnerable
to this, referenced by CVE-2020-25681, CVE-2020-25682,
CVE-2020-25683 CVE-2020-25687.
* Be sure to only accept UDP DNS query replies at the address
from which the query was originated. This keeps as much
entropy in the {query-ID, random-port} tuple as possible, to
help defeat cache poisoning attacks. Refer: CVE-2020-25684.
* Use the SHA-256 hash function to verify that DNS answers
received are for the questions originally asked. This replaces
the slightly insecure SHA-1 (when compiled with DNSSEC) or
the very insecure CRC32 (otherwise). Refer: CVE-2020-25685
* Handle multiple identical near simultaneous DNS queries better.
Previously, such queries would all be forwarded independently.
This is, in theory, inefficent but in practise not a problem,
_except_ that is means that an answer for any of the forwarded
queries will be accepted and cached.
An attacker can send a query multiple times, and for each
repeat, another {port, ID} becomes capable of accepting the
answer he is sending in the blind, to random IDs and ports.
The chance of a succesful attack is therefore multiplied by the
number of repeats of the query. The new behaviour detects
repeated queries and merely stores the clients sending repeats
so that when the first query completes, the answer can be sent
to all the clients who asked. Refer: CVE-2020-25686.
OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=126
- Update to 2.82:
* Improve behaviour in the face of network interfaces which come
and go and change index.
* Convert hard startup failure on NETLINK_NO_ENOBUFS under
qemu-user to a warning.
* Allow IPv6 addresses ofthe form [::ffff:1.2.3.4] in
--dhcp-option.
* Fix crash under heavy TCP connection load introduced in 2.81.
* Change default lease time for DHCPv6 to one day.
* Alter calculation of preferred and valid times in router
advertisements, so that these do not have a floor applied of
the lease time in the dhcp-range if this is not explicitly
specified and is merely the default.
- Reformat spec file with spec-cleaner
OBS-URL: https://build.opensuse.org/request/show/823079
OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=124
