* Fix problem with DNS retries in 2.83/2.84.
* Tweak sort order of tags in get-version.
* Avoid treating a --dhcp-host which has an IPv6 address as
eligible for use with DHCPv4 on the grounds that it has
no address, and vice-versa.
* Add --dynamic-host option: A and AAAA records which take their
network part from the network of a local interface. Useful
for routers with dynamic prefixes.
* Teach --bogus-nxdomain and --ignore-address to take an IPv4
subnet.
* CVE-2021-3448, bsc#1183709: Use random source ports where
possible if source addresses/interfaces in use.
* Change the method of allocation of random source ports for DNS.
* Scale the size of the DNS random-port pool based on the
value of the --dns-forward-max configuration.
* Tweak TFTP code to check sender of all received packets, as
specified in RFC 1350 para 4.
OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=132
* bsc#1177077: Fixed DNSpooq vulnerabilities
* Use the values of --min-port and --max-port in outgoing
TCP connections to upstream DNS servers.
* Fix a remote buffer overflow problem in the DNSSEC code.
Any dnsmasq with DNSSEC compiled in and enabled is vulnerable
to this, referenced by CVE-2020-25681, CVE-2020-25682,
CVE-2020-25683, CVE-2020-25687.
* Be sure to only accept UDP DNS query replies at the address
from which the query was originated. This keeps as much
entropy in the {query-ID, random-port} tuple as possible, to
help defeat cache poisoning attacks. Refer: CVE-2020-25684.
* Use the SHA-256 hash function to verify that DNS answers
received are for the questions originally asked. This replaces
the slightly insecure SHA-1 (when compiled with DNSSEC) or
the very insecure CRC32 (otherwise). Refer: CVE-2020-25685
* Handle multiple identical near simultaneous DNS queries better.
Previously, such queries would all be forwarded independently.
This is, in theory, inefficient but in practice not a problem,
_except_ that it means that an answer for any of the forwarded
queries will be accepted and cached.
An attacker can send a query multiple times, and for each
repeat, another {port, ID} becomes capable of accepting the
answer he is sending in the blind, to random IDs and ports.
The chance of a successful attack is therefore multiplied by the
number of repeats of the query. The new behaviour detects
repeated queries and merely stores the clients sending repeats
so that when the first query completes, the answer can be sent
to all the clients who asked. Refer: CVE-2020-25686.
OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=126
- Update to 2.82:
* Improve behaviour in the face of network interfaces which come
and go and change index.
* Convert hard startup failure on NETLINK_NO_ENOBUFS under
qemu-user to a warning.
* Allow IPv6 addresses of the form [::ffff:1.2.3.4] in
--dhcp-option.
* Fix crash under heavy TCP connection load introduced in 2.81.
* Change default lease time for DHCPv6 to one day.
* Alter calculation of preferred and valid times in router
advertisements, so that these do not have a floor applied of
the lease time in the dhcp-range if this is not explicitly
specified and is merely the default.
- Reformat spec file with spec-cleaner
OBS-URL: https://build.opensuse.org/request/show/823079
OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=124
- Update to 2.81:
* Improve cache behaviour for TCP connections
* Remove the NO_FORK compile-time option, and support for uclinux
* Fix line-counting when reading /etc/hosts and friends
* Fix bug in DNS non-terminal code, added in 2.80, which could
sometimes cause a NODATA rather than an NXDOMAIN reply.
* Support TCP-fastopen (RFC-7413) on both incoming and
outgoing TCP connections, if supported and enabled in the OS.
* Improve kernel-capability manipulation code under Linux
* Add --shared-network config. This enables allocation of addresses
by the DHCP server in subnets where the server (or relay) does not
have an interface on the network in that subnet. Many thanks to
kamp.de for sponsoring this feature.
* Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet
validation check got borked in commit 2b38e382 and release 2.80.
Thanks to Tomasz Szajner for spotting this.
* Fix compilation against nettle version 3.5 and later.
* Fix spurious DNSSEC validation failures when the auth section
of a reply contains unsigned RRs from a signed zone,
with the exception that NSEC and NSEC3 RRs must always be signed.
Thanks to Tore Anderson for spotting and diagnosing the bug.
* Add --dhcp-ignore-clid. This disables reading of DHCP client
identifier option (option 61), so clients are only identified by
MAC addresses.
* Fix a bug which stopped --dhcp-name-match from working when a hostname
is supplied in --dhcp-host. Thanks to James Feeney for spotting this.
* Fix bug which very rarely caused zero-length DHCPv6 packets.
Thanks to Dereck Higgins for spotting this.
* Add --tftp-single-port option.
* Enhance --conf-dir to load files in a deterministic order
* Add filtering by tag of --dhcp-host directives
* Remove DSA signature verification from DNSSEC, as specified in
RFC 8624
* Add --script-on-renewal option.
- Remove Fix-build-with-libnettle-3.5.patch
- Remove 0001-fix-build-after-y2038-changes-in-glibc.patch
- Remove dnsmasq-CVE-2019-14834.patch
OBS-URL: https://build.opensuse.org/request/show/800348
OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=122
- Drop use of $FIRST_ARG in .spec
The use of $FIRST_ARG was probably required because the
%service_* rpm macros were playing tricks with the shell positional
parameters. This is bad practice and error-prone, so let's assume
that no macros should do that anymore and hence it's safe to assume
that positional parameters remain unchanged after any rpm macro
call.
OBS-URL: https://build.opensuse.org/request/show/678164
OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=106
* Include 0.0.0.0/8 in DNS rebind checks.
* Enhance --add-subnet to allow arbitrary subnet addresses.
* Respect the --no-resolv flag in inotify code. Fixes bug
which caused dnsmasq to fail to start if a resolv-file
was a dangling symbolic link, even if --no-resolv set.
* Fix crash when an A or AAAA record is defined locally,
in a hosts file, and an upstream server sends a reply
that the same name is empty (CVE-2015-8899, bsc#983273).
* Fix failure to correctly calculate cache-size when reading a
hosts-file fails.
* Fix wrong answer to simple name query when --domain-needed
set, but no upstream servers configured.
* Return REFUSED when running out of forwarding table slots,
not SERVFAIL.
* Add --max-port configuration.
* Add --script-arp and two new functions for the dhcp-script.
* Extend --add-mac to allow a new encoding of the MAC address
as base64, by configuring --add-mac=base64
* Add --add-cpe-id option.
* Don't crash with divide-by-zero if an IPv6 dhcp-range is
declared as a whole /64.
(ie xx::0 to xx::ffff:ffff:ffff:ffff)
* Add support for a TTL parameter in --host-record and --cname.
* Add --dhcp-ttl option.
* Add --tftp-mtu option.
* Check return-code of inet_pton() when parsing dhcp-option.
* Fix wrong value for EDNS UDP packet size when using
--servers-file to define upstream DNS servers.
* Add dhcp_release6 to contrib/lease-tools.
OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=84
- Removed Suse and all other OS/Distribution related subdirs from
contrib, so only the rest gets packaged. The subdirs are not
necessary anymore (bnc#889028).
- Removed README.SUSE file, it was too confusing and not necessary (bnc#889972).
Information is already present in the upstream documentation.
- Split up vendor-files.tar.bz2 into single files
- Comply with systemd packaging guidelines
OBS-URL: https://build.opensuse.org/request/show/243762
OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=60
- license update: GPL-2.0 or GPL-3.0
correct license is dual GPL-2.0 or GPL-3.0; please add COPYING-v3-file to
RPM.
- update to 2.71:
Subtle change to error handling to help DNSSEC validation
when servers fail to provide NODATA answers for
non-existent DS records.
Tweak code which removes DNSSEC records from answers when
not required. Fixes broken answers when additional section
has real records in it. Thanks to Marco Davids for the bug
report.
Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
for spotting that too.
Fix total DNS failure and 100% CPU use if cachesize set to zero,
regression introduced in 2.69. Thanks to James Hunt and
the Ubuntu crowd for assistance in fixing this.
Fix crash, introduced in 2.69, on TCP request when dnsmasq
compiled with DNSSEC support, but running without DNSSEC
enabled. Thanks to Manish Sing for spotting that one.
Fix regression which broke ipset functionality. Thanks to
Wang Jian for the bug report.
Implement dynamic interface discovery on *BSD. This allows
the constructor: syntax to be used in dhcp-range for DHCPv6
on the BSD platform. Thanks to Matthias Andree for
valuable research on how to implement this.
Fix infinite loop associated with some --bogus-nxdomain
configs. Thanks fogobogo for the bug report.
Fix missing RA RDNS option with configuration like
--dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
OBS-URL: https://build.opensuse.org/request/show/236965
OBS-URL: https://build.opensuse.org/package/show/network/dnsmasq?expand=0&rev=58