Revisions of dnsmasq

Ana Guerrero (anag+factory) accepted request 1179330 from Reinhard Max (rmax) (revision 97)
Added another bug reference to the latest changes entry.

  * CVE-2023-49441, bsc#1226091: integer overflow via forward_query
Ana Guerrero (anag+factory) accepted request 1148852 from Factory Maintainer (factory-maintainer) (revision 96)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 1082695 from Reinhard Max (rmax) (revision 93)
- bsc#1209358, CVE-2023-28450, dnsmasq-CVE-2023-28450.patch:
  default maximum EDNS.0 UDP packet size should be 1232
Dominique Leuenberger (dimstar_suse) accepted request 969348 from Factory Maintainer (factory-maintainer) (revision 86)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 933804 from Factory Maintainer (factory-maintainer) (revision 85)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 932271 from Reinhard Max (rmax) (revision 84)
- bsc#1192529, dnsmasq-resolv-conf.patch:
  Fix a segfault when re-reading an empty resolv.conf
- Remove "nogroup" membership from the dnsmasq user.
- Use systemd-sysusers from 15.3 onwards
Dominique Leuenberger (dimstar_suse) accepted request 921143 from Reinhard Max (rmax) (revision 83)
- jsc#SLE-17936: Sync this state from Factory to SLE-15-SP1.
- SLE bugs that got fixed upstream between 2.79 and 2.86, but for
  which we need to keep references when syncing:
  * bsc#1176076: dnsmasq-servfail.patch
  * bsc#1156543: dnsmasq-siocgstamp.patch
  * bsc#1138743: dnsmasq-cache-size.patch
  * bsc#1076958: CVE-2017-15107, dnsmasq-CVE-2017-15107.patch 
  * bsc#1180914: Open inotify socket only when used.
  * removed dnsmasq-dnspooq.patch
- bsc#1173646: Set --local-service by default.

- Update to 2.86:
  * Handle DHCPREBIND requests in the DHCPv6 server code.
  * Fix bug which caused dnsmasq to lose track of processes forked
    to handle TCP DNS connections under heavy load.
  * Major rewrite of the DNS server and domain handling code. This
    should be largely transparent, but it drastically improves
    performance and reduces memory foot-print when configuring
    large numbers of domains.
  * Revise resource handling for number of concurrent DNS queries.
  * Improve efficiency of DNSSEC.
  * Connection track mark based DNS query filtering.
  * Allow smaller than 64 prefix lengths in synth-domain, with
    caveats.
    --synth-domain=1234:4567::/56,example.com is now valid.
  * Make domains generated by --synth-domain appear in replies
    when in authoritative mode.
  * Ensure CAP_NET_ADMIN capability is available when conntrack
    is configured.
  * When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are
Dominique Leuenberger (dimstar_suse) accepted request 888631 from Factory Maintainer (factory-maintainer) (revision 81)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 864301 from Reinhard Max (rmax) (revision 79)
- Update to 2.83:
  * bsc#1177077: Fixed DNSpooq vulnerabilities
  * Use the values of --min-port and --max-port in outgoing
    TCP connections to upstream DNS servers.
  * Fix a remote buffer overflow problem in the DNSSEC code.
    Any dnsmasq with DNSSEC compiled in and enabled is vulnerable
    to this, referenced by CVE-2020-25681, CVE-2020-25682,
    CVE-2020-25683, CVE-2020-25687.
  * Be sure to only accept UDP DNS query replies at the address
    from which the query was originated. This keeps as much
    entropy in the {query-ID, random-port} tuple as possible, to
    help defeat cache poisoning attacks. Refer: CVE-2020-25684.
  * Use the SHA-256 hash function to verify that DNS answers
    received are for the questions originally asked. This replaces
    the slightly insecure SHA-1 (when compiled with DNSSEC) or
    the very insecure CRC32 (otherwise). Refer: CVE-2020-25685
  * Handle multiple identical near simultaneous DNS queries better.
    Previously, such queries would all be forwarded independently.
    This is, in theory, inefficient but in practice not a problem,
    _except_ that it means that an answer for any of the forwarded
    queries will be accepted and cached.
    An attacker can send a query multiple times, and for each
    repeat, another {port, ID} becomes capable of accepting the
    answer he is sending in the blind, to random IDs and ports.
    The chance of a successful attack is therefore multiplied by the
    number of repeats of the query. The new behaviour detects
    repeated queries and merely stores the clients sending repeats
    so that when the first query completes, the answer can be sent
    to all the clients who asked. Refer: CVE-2020-25686.
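
The duplicate-query handling described in the CVE-2020-25686 entry above, as an added example that is not dnsmasq's own code: a hypothetical pending-query table that either forwards every repeat or attaches repeats to the first outstanding forward. The struct layout, the table size and matching on name plus query type are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_PENDING 64
struct pending {               /* one unanswered upstream forward */
    char name[256];
    unsigned short qtype;
    int nwaiters;              /* clients to answer when the reply arrives */
};
struct table {
    struct pending q[MAX_PENDING];
    int count;   /* outstanding forwards; each owns one {port, ID} pair */
    int dedup;   /* 0: forward every repeat, 1: attach repeats to the first */
};

/* Handle one client query; returns the number of outstanding forwards. */
int handle_query(struct table *t, const char *name, unsigned short qtype)
{
    for (int i = 0; t->dedup && i < t->count; i++) {
        struct pending *p = &t->q[i];
        if (p->qtype == qtype && strcasecmp(p->name, name) == 0) {
            p->nwaiters++;          /* count the waiting client */
            return t->count;        /* no new {port, ID} opened */
        }
    }
    if (t->count == MAX_PENDING)
        return t->count;            /* table full: drop the query */
    struct pending *p = &t->q[t->count++];
    snprintf(p->name, sizeof p->name, "%s", name);
    p->qtype = qtype;
    p->nwaiters = 1;
    return t->count;
}

/* Send `repeats` identical A queries (constructed input); returns open {port, ID} pairs. */
int open_tuples_after(int dedup, int repeats)
{
    struct table t = { .dedup = dedup };
    for (int c = 0; c < repeats; c++)
        handle_query(&t, "www.example.com", 1);
    return t.count;
}

int main(void)
{
    printf("forward all: %d, dedup: %d\n", open_tuples_after(0, 10), open_tuples_after(1, 10));
    return 0;
}
```

With repeats forwarded independently, the number of {port, ID} pairs that would accept an answer grows with the repeat count; with repeats attached to the first forward it stays at one.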