diff --git a/backport-CVE-2023-28450-Set-the-default-maximum-DNS-UDP-packet.patch b/backport-CVE-2023-28450-Set-the-default-maximum-DNS-UDP-packet.patch
deleted file mode 100644
index ce562007ad921a4b09c483e75cdf956bc73775e0..0000000000000000000000000000000000000000
--- a/backport-CVE-2023-28450-Set-the-default-maximum-DNS-UDP-packet.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 Mon Sep 17 00:00:00 2001
-From: Simon Kelley
-Date: Tue, 7 Mar 2023 22:07:46 +0000
-Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232.
-
-http://www.dnsflagday.net/2020/ refers.
-
-Thanks to Xiang Li for the prompt.
-Conflict:NA
-Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb92fb32b746f
----
- man/dnsmasq.8 | 3 ++-
- src/config.h | 2 +-
- 2 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
-index 41e2e04..5acb935 100644
---- a/man/dnsmasq.8
-+++ b/man/dnsmasq.8
-@@ -183,7 +183,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP.
- .TP
- .B \-P, --edns-packet-max=
- Specify the largest EDNS.0 UDP packet which is supported by the DNS
--forwarder. Defaults to 4096, which is the RFC5625-recommended size.
-+forwarder. Defaults to 1232, which is the recommended size following the
-+DNS flag day in 2020. Only increase if you know what you are doing.
- .TP
- .B \-Q, --query-port=
- Send outbound DNS queries from, and listen for their replies on, the
-diff --git a/src/config.h b/src/config.h
-index 1e7b30f..37b374e 100644
---- a/src/config.h
-+++ b/src/config.h
-@@ -19,7 +19,7 @@
- #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
- #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
- #define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */
--#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
-+#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */
- #define SAFE_PKTSZ 1232 /* "go anywhere" UDP packet size, see https://dnsflagday.net/2020/ */
- #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
- #define DNSSEC_WORK 50 /* Max number of queries to validate one question */
---
-2.23.0
-
diff --git a/backport-Fix-error-introduced-in-51471cafa5a4fa44d6fe49.patch b/backport-Fix-error-introduced-in-51471cafa5a4fa44d6fe49.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8cd3a90e2dd53cc4bec4b0114cb07c84859604dc
--- /dev/null
+++ b/backport-Fix-error-introduced-in-51471cafa5a4fa44d6fe49.patch
@@ -0,0 +1,39 @@
+From ccff85ad72d2f858d9743d40525128e4f62d41a8 Mon Sep 17 00:00:00 2001
+From: renmingshuai
+Date: Wed, 21 Feb 2024 00:24:25 +0000
+Subject: [PATCH] [PATCH] Fix error introduced in
+ 51471cafa5a4fa44d6fe490885d9910bd72a5907
+
+Signed-off-by: renmingshuai
+
+Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=ccff85ad72d2f858d9743d40525128e4f62d41a8
+Conflict:NA
+---
+ src/dnssec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/dnssec.c b/src/dnssec.c
+index ed2f53f..291b43f 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -1547,7 +1547,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
+ nsecs[i] = NULL; /* Speculative, will be restored if OK. */
+
+ if (!(p = skip_name(nsec3p, header, plen, 15)))
+- return 0; /* bad packet */
++ return DNSSEC_FAIL_BADPACKET; /* bad packet */
+
+ p += 10; /* type, class, TTL, rdlen */
+
+@@ -1640,7 +1640,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
+ if (!wildname)
+ {
+ if (!(wildcard = strchr(next_closest, '.')) || wildcard == next_closest)
+- return 0;
++ return DNSSEC_FAIL_NONSEC;
+
+ wildcard--;
+ *wildcard = '*';
+--
+2.33.0
+
diff --git a/backport-Fix-memory-leak-when-using-dhcp-optsfile-with-DHCPv6.patch b/backport-Fix-memory-leak-when-using-dhcp-optsfile-with-DHCPv6.patch
deleted file mode 100644
index a18c50a67e11be0c9647ad174115a79025944a6d..0000000000000000000000000000000000000000
--- a/backport-Fix-memory-leak-when-using-dhcp-optsfile-with-DHCPv6.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From d16b995756dc079b1fdc2e63665793979f766a26 Mon Sep 17 00:00:00 2001
-From: renmingshuai
-Date: Sat, 30 Sep 2023 23:31:08 +0100
-Subject: [PATCH] Fix memory leak when using --dhcp-optsfile with DHCPv6
- options.
-
-Conflict:NA
-Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=d16b995756dc079b1fdc2e63665793979f766a26
----
- src/option.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/src/option.c b/src/option.c
-index 8322725..286f06b 100644
---- a/src/option.c
-+++ b/src/option.c
-@@ -5734,11 +5734,11 @@ static void clear_dynamic_conf(void)
- }
- }
-
--static void clear_dynamic_opt(void)
-+static void clear_dhcp_opt(struct dhcp_opt **dhcp_opts)
- {
- struct dhcp_opt *opts, *cp, **up;
-
-- for (up = &daemon->dhcp_opts, opts = daemon->dhcp_opts; opts; opts = cp)
-+ for (up = dhcp_opts, opts = *dhcp_opts; opts; opts = cp)
- {
- cp = opts->next;
-
-@@ -5752,6 +5752,14 @@ static void clear_dynamic_opt(void)
- }
- }
-
-+static void clear_dynamic_opt(void)
-+{
-+ clear_dhcp_opt(&daemon->dhcp_opts);
-+#ifdef HAVE_DHCP6
-+ clear_dhcp_opt(&daemon->dhcp_opts6);
-+#endif
-+}
-+
- void reread_dhcp(void)
- {
- struct hostsfile *hf;
---
-2.23.0
-
diff --git a/backport-Fix-spurious-resource-limit-exceeded-messages.patch b/backport-Fix-spurious-resource-limit-exceeded-messages.patch
new file mode 100644
index 0000000000000000000000000000000000000000..76237363a03e4b81df37e423474af6696b1a978a
--- /dev/null
+++ b/backport-Fix-spurious-resource-limit-exceeded-messages.patch
@@ -0,0 +1,53 @@
+From 1ed783b8d7343c42910a61f12a8fc6237eb80417 Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Mon, 19 Feb 2024 12:22:43 +0000
+Subject: [PATCH] Fix spurious "resource limit exceeded" messages.
+
+Replies from upstream with a REFUSED rcode can result in
+log messages stating that a resource limit has been exceeded,
+which is not the case.
+
+Thanks to Dominik Derigs and the Pi-hole project for
+spotting this.
+
+Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=1ed783b8d7343c42910a61f12a8fc6237eb80417
+Conflict:NA
+---
+ CHANGELOG | 5 +++++
+ src/forward.c | 6 +++---
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 713b785..f318ac0 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -1,3 +1,8 @@
++version 2.91
++ Fix spurious "resource limit exceeded messages". Thanks to
++ Dominik Derigs for the bug report.
++
++
+ version 2.90
+ Fix reversion in --rev-server introduced in 2.88 which
+ caused breakage if the prefix length is not exactly divisible
+diff --git a/src/forward.c b/src/forward.c
+index 32f37e4..10e7496 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -937,10 +937,10 @@ static void dnssec_validate(struct frec *forward, struct dns_header *header,
+ status = dnssec_validate_reply(now, header, plen, daemon->namebuff, daemon->keyname, &forward->class,
+ !option_bool(OPT_DNSSEC_IGN_NS) && (forward->sentto->flags & SERV_DO_DNSSEC),
+ NULL, NULL, NULL, &orig->validate_counter);
+- }
+
+- if (STAT_ISEQUAL(status, STAT_ABANDONED))
+- log_resource = 1;
++ if (STAT_ISEQUAL(status, STAT_ABANDONED))
++ log_resource = 1;
++ }
+
+ /* Can't validate, as we're missing key data. Put this
+ answer aside, whilst we get that. */
+--
+2.33.0
+
diff --git a/backport-dnsmasq-2.77-underflow.patch b/backport-dnsmasq-2.77-underflow.patch
index 155355becdf376aa3d8a7bd81f5e871acf083f64..eaf890720091d0293a1b999995bdb24d7788e78e 100644
--- a/backport-dnsmasq-2.77-underflow.patch
+++ b/backport-dnsmasq-2.77-underflow.patch @@ -1,18 +1,20 @@ -From 0e581ae7b2d3b181f22f71d5a0b7ace0bf90089f Mon Sep 17 00:00:00 2001 +From 6fda9cd7cba519a8aa96b43ebc34cb6c46b3bfe7 Mon Sep 17 00:00:00 2001 From: Doran Moppert Date: Tue, 26 Sep 2017 14:48:20 +0930 Subject: [PATCH] google patch hand-applied +Reference: +https://src.fedoraproject.org/rpms/dnsmasq/blob/f40/dnsmasq-2.77-underflow.patch --- src/edns0.c | 10 +++++----- - src/rfc1035.c | 3 +++ - 2 files changed, 8 insertions(+), 5 deletions(-) + src/rfc1035.c | 5 ++++- + 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/src/edns0.c b/src/edns0.c -index c498eb1..0eb3873 100644 +index 598478f..72127e5 100644 --- a/src/edns0.c +++ b/src/edns0.c -@@ -212,11 +212,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l +@@ -209,11 +209,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l /* Copy back any options */ if (buff) { @@ -30,19 +32,21 @@ index c498eb1..0eb3873 100644 free(buff); p += rdlen; diff --git a/src/rfc1035.c b/src/rfc1035.c -index 5c0df56..7e01459 100644 +index 387d894..7fb1468 100644 --- a/src/rfc1035.c +++ b/src/rfc1035.c -@@ -1425,6 +1425,9 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, +@@ -1581,7 +1581,10 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, size_t len; int rd_bit = (header->hb3 & HB3_RD); - + int count = 255; /* catch loops */ +- ++ + // Make sure we do not underflow here too. + if (qlen > (limit - ((char *)header))) return 0; + if (stale) *stale = 0; - + -- -2.38.1 +2.43.0 diff --git a/backport-dnsmasq-2.78-fips.patch b/backport-dnsmasq-2.78-fips.patch index 6454b95b8b53c77e1963856585d06fe89ded5d0a..047c7c89afdaca900051d22f0cede6febb5edd40 100644 --- a/backport-dnsmasq-2.78-fips.patch +++ b/backport-dnsmasq-2.78-fips.patch 
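Review bot: The guard `if (qlen > (limit - ((char *)header))) return 0;` in the answer_request hunk of the underflow patch compares a `size_t` with a signed pointer difference, so if `limit` were ever below `header` the difference converts to a very large unsigned value and the check passes instead of rejecting. Spelling out both conditions keeps the bound local to the function: `if (limit < (char *)header || qlen > (size_t)(limit - (char *)header)) return 0;`. The line is carried over unchanged by this refresh and the rest of answer_request lies outside the hunk, so whether any caller can pass such a `limit` is not visible here.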
@@ -1,26 +1,38 @@ -From 8c8ca24806d5ebfe5018279ec84538a17014a918 Mon Sep 17 00:00:00 2001 -From: xiaoweiwei -Date: Tue, 28 Jul 2020 10:57:56 +0800 -Subject: [PATCH] fips +From 7b1cce1d0bdb61c09946978d4bdeb05a3cd4202a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Fri, 2 Mar 2018 13:17:04 +0100 +Subject: [PATCH] Print warning on FIPS machine with dnssec enabled. Dnsmasq + has no proper FIPS 140-2 compliant implementation. +Reference:https://src.fedoraproject.org/rpms/dnsmasq/blob/f40/dnsmasq-2.78-fips.patch --- - src/dnsmasq.c | 3 +++ - 1 file changed, 3 insertions(+) + src/dnsmasq.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/dnsmasq.c b/src/dnsmasq.c -index 2306c48..bfad87f 100644 +index 480c5f9..5fd229e 100644 --- a/src/dnsmasq.c +++ b/src/dnsmasq.c -@@ -877,6 +877,9 @@ int main (int argc, char **argv) +@@ -187,6 +187,7 @@ int main (int argc, char **argv) + + if (daemon->cachesize < CACHESIZ) + die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF); ++ + #else + die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF); + #endif +@@ -786,7 +787,10 @@ int main (int argc, char **argv) my_syslog(LOG_INFO, _("DNSSEC validation enabled but all unsigned answers are trusted")); else my_syslog(LOG_INFO, _("DNSSEC validation enabled")); +- + + if (access("/etc/system-fips", F_OK) == 0) + my_syslog(LOG_WARNING, _("DNSSEC support is not FIPS 140-2 compliant")); - ++ daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME); if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future) + my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until receipt of SIGINT")); -- -1.8.3.1 +2.14.4 diff --git a/backport-dnsmasq-2.81-configuration.patch b/backport-dnsmasq-2.81-configuration.patch index f23aa2f799e4e74f450a95c6a5f1151c6ca154b7..1461e644e3cbe53177405db72613148134809621 100644 --- a/backport-dnsmasq-2.81-configuration.patch 
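Review bot: The FIPS warning in the fips patch is keyed on `access("/etc/system-fips", F_OK)`, a marker file, rather than on the kernel's FIPS state, so a host running in FIPS mode without that file never gets the `LOG_WARNING`. Reading `/proc/sys/crypto/fips_enabled` would probably be the more dependable signal; whether this distribution still ships the marker file cannot be told from the patch. The refreshed patch also gains a first hunk at `-187,6 +187,7` that only inserts a blank line before `#else`, which could be dropped to keep the downstream delta minimal. main() continues outside both hunks.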
+++ b/backport-dnsmasq-2.81-configuration.patch @@ -1,4 +1,4 @@ -From 194e7521399048e37c5c2cff18b9c8d442b893ae Mon Sep 17 00:00:00 2001 +From cba77f08dbded8af45de2ee985200b12de7c8d13 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 30 Jun 2020 18:06:29 +0200 Subject: [PATCH] Modify upstream configuration to safe defaults @@ -6,12 +6,14 @@ Subject: [PATCH] Modify upstream configuration to safe defaults Most important change would be to listen only on localhost. Default configuration should not listen to request from remote hosts. Match also user and paths to directories shipped in Fedora. + +Reference:https://src.fedoraproject.org/rpms/dnsmasq/blob/f40/dnsmasq-2.81-configuration.patch --- - dnsmasq.conf.example | 29 ++++++++++++++++++++++++----- - 1 file changed, 24 insertions(+), 5 deletions(-) + dnsmasq.conf.example | 28 ++++++++++++++++++++++++---- + 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example -index bf19424..8b85f44 100644 +index 0cbf572..6c47c3c 100644 --- a/dnsmasq.conf.example +++ b/dnsmasq.conf.example @@ -22,7 +22,7 @@ @@ -23,7 +25,7 @@ index bf19424..8b85f44 100644 #dnssec # Replies which are not DNSSEC signed may be legitimate, because the domain -@@ -96,14 +96,16 @@ +@@ -106,8 +106,8 @@ # If you want dnsmasq to change uid and gid to something other # than the default, edit the following lines. 
@@ -34,36 +36,30 @@ index bf19424..8b85f44 100644 # If you want dnsmasq to listen for DHCP and DNS requests only on # specified interfaces (and the loopback) give the name of the - # interface (eg eth0) here. - # Repeat the line for more than one interface. - #interface= -+# Listen only on localhost by default -+interface=lo - # Or you can specify which interface _not_ to listen on - #except-interface= - # Or which to listen on by address (remember to include 127.0.0.1 if -@@ -114,6 +116,10 @@ +@@ -124,6 +124,14 @@ # disable DHCP and TFTP on it. #no-dhcp-interface= +# Serve DNS and DHCP only to networks directly connected to this machine. +# Any interface= line will override it. +#local-service ++# Accept queries in default configuration only from localhost ++# Comment out following option or explicitly configure interfaces or ++# listen-address ++local-service=host + # On systems which support it, dnsmasq binds the wildcard address, # even when it is listening on only some interfaces. It then discards # requests that it shouldn't reply to. This has the advantage of -@@ -121,7 +127,16 @@ +@@ -131,7 +139,15 @@ # want dnsmasq to really bind only the interfaces it is listening on, # uncomment this option. About the only time you may need this is when # running another nameserver on the same machine. --#bind-interfaces +# +# To listen only on localhost and do not receive packets on other +# interfaces, bind only to lo device. Comment out to bind on single +# wildcard socket. -+bind-interfaces -+ + #bind-interfaces +# Comment out above line and uncoment following 2 lines. +# Update interface name, use ip link to get its name. +#bind-dynamic @@ -71,7 +67,7 @@ index bf19424..8b85f44 100644 # If you don't want dnsmasq to read /etc/hosts, uncomment the # following line. -@@ -535,7 +550,7 @@ +@@ -545,7 +561,7 @@ # The DHCP server needs somewhere on disk to keep its lease database. # This defaults to a sane location, but if you want to change it, use # the line below. 
@@ -80,7 +76,7 @@ index bf19424..8b85f44 100644 # Set the DHCP server to authoritative mode. In this mode it will barge in # and take over the lease for any client which broadcasts on the network, -@@ -673,7 +688,11 @@ +@@ -683,7 +699,11 @@ # Include all files in a directory which end in .conf #conf-dir=/etc/dnsmasq.d/,*.conf @@ -93,5 +89,5 @@ index bf19424..8b85f44 100644 #dhcp-ignore-names=tag:wpad-ignore + -- -2.31.1 +2.43.0 diff --git a/bugfix-allow-binding-mac-with-ipv6.patch b/bugfix-allow-binding-mac-with-ipv6.patch index c018050cccf987174ac990e51cc64419bd3f8430..b9486d7ccfdf8b821556ea684585ce9afca7560c 100644 --- a/bugfix-allow-binding-mac-with-ipv6.patch +++ b/bugfix-allow-binding-mac-with-ipv6.patch @@ -1,7 +1,6 @@ From 53e1a09a06e11317bbde0e236837e5daa8d40593 Mon Sep 17 00:00:00 2001 From: liaichun Date: Mon, 20 Apr 2020 16:06:51 +0800 - --- src/dnsmasq.c | 1 + src/dnsmasq.h | 4 +++- @@ -10,10 +9,10 @@ Date: Mon, 20 Apr 2020 16:06:51 +0800 4 files changed, 41 insertions(+), 2 deletions(-) diff --git a/src/dnsmasq.c b/src/dnsmasq.c -index 9f326ed..70ea6fa 100644 +index 5d64ceb..04c3be2 100644 --- a/src/dnsmasq.c +++ b/src/dnsmasq.c -@@ -292,6 +292,7 @@ int main (int argc, char **argv) +@@ -281,6 +281,7 @@ int main (int argc, char **argv) { daemon->doing_ra = option_bool(OPT_RA); @@ -22,20 +21,20 @@ index 9f326ed..70ea6fa 100644 { if (context->flags & CONTEXT_DHCP) diff --git a/src/dnsmasq.h b/src/dnsmasq.h -index fe9aa07..dbbeab1 100644 +index e455c3f..ef32f06 100644 --- a/src/dnsmasq.h +++ b/src/dnsmasq.h 
@@ -282,7 +282,8 @@ struct event_desc { - #define OPT_STRIP_MAC 70 - #define OPT_NORR 71 - #define OPT_NO_IDENT 72 + #define OPT_NO_IDENT 70 + #define OPT_CACHE_RR 71 + #define OPT_LOCALHOST_SERVICE 72 -#define OPT_LAST 73 +#define OPT_BIND_MAC_IP6 73 +#define OPT_LAST 74 #define OPTION_BITS (sizeof(unsigned int)*8) #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) ) -@@ -1180,6 +1181,7 @@ extern struct daemon { +@@ -1211,6 +1212,7 @@ extern struct daemon { int override; int enable_pxe; int doing_ra, doing_dhcp6; @@ -44,35 +43,35 @@ index fe9aa07..dbbeab1 100644 struct dhcp_netid_list *force_broadcast, *bootp_dynamic; struct hostsfile *dhcp_hosts_file, *dhcp_opts_file; diff --git a/src/option.c b/src/option.c -index e4810fd..8efd687 100644 +index f4ff7c0..c36bf63 100644 --- a/src/option.c 
+++ b/src/option.c -@@ -186,6 +186,7 @@ struct myoption { - #define LOPT_STALE_CACHE 377 - #define LOPT_NORR 378 - #define LOPT_NO_IDENT 379 -+#define LOPT_BIND_MAC_IP6 380 +@@ -192,6 +192,7 @@ struct myoption { + #define LOPT_NO_DHCP4 383 + #define LOPT_MAX_PROCS 384 + #define LOPT_DNSSEC_LIMITS 385 ++#define LOPT_BIND_MAC_IP6 386 #ifdef HAVE_GETOPT_LONG static const struct option opts[] = -@@ -376,6 +377,7 @@ static const struct myoption opts[] = - { "fast-dns-retry", 2, 0, LOPT_FAST_RETRY }, +@@ -388,6 +389,7 @@ static const struct myoption opts[] = { "use-stale-cache", 2, 0 , LOPT_STALE_CACHE }, { "no-ident", 0, 0, LOPT_NO_IDENT }, + { "max-tcp-connections", 1, 0, LOPT_MAX_PROCS }, + { "bind-mac-with-ip6", 0, 0 , LOPT_BIND_MAC_IP6 }, { NULL, 0, 0, 0 } }; -@@ -573,6 +575,7 @@ static struct { - { LOPT_QUIET_TFTP, OPT_QUIET_TFTP, NULL, gettext_noop("Do not log routine TFTP."), NULL }, - { LOPT_NORR, OPT_NORR, NULL, gettext_noop("Suppress round-robin ordering of DNS records."), NULL }, +@@ -591,6 +593,7 @@ static struct { { LOPT_NO_IDENT, OPT_NO_IDENT, NULL, gettext_noop("Do not add CHAOS TXT records."), NULL }, + { LOPT_CACHE_RR, ARG_DUP, "", gettext_noop("Cache this DNS resource record type."), NULL }, + { LOPT_MAX_PROCS, ARG_ONE, "", gettext_noop("Maximum number of concurrent tcp connections."), NULL }, + { LOPT_BIND_MAC_IP6, OPT_BIND_MAC_IP6, NULL, gettext_noop("Bind mac with ipv6 address. This is an experimental feature and it conflicts with rfc3315."), NULL }, { 0, 0, NULL, NULL, NULL } }; diff --git a/src/rfc3315.c b/src/rfc3315.c -index 8754481..f093a5c 100644 +index 400d939..004ebb8 100644 --- a/src/rfc3315.c +++ b/src/rfc3315.c @@ -49,6 +49,7 @@ static void end_ia(int t1cntr, unsigned int min_time, int do_fuzz); 
@@ -83,7 +82,7 @@ index 8754481..f093a5c 100644 static int config_valid(struct dhcp_config *config, struct dhcp_context *context, struct in6_addr *addr, struct state *state, time_t now); static struct addrlist *config_implies(struct dhcp_config *config, struct dhcp_context *context, struct in6_addr *addr); static void add_address(struct state *state, struct dhcp_context *context, unsigned int lease_time, void *ia_option, -@@ -704,7 +705,8 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu +@@ -723,7 +724,8 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu for (c = state->context; c; c = c->current) if (!(c->flags & CONTEXT_CONF_USED) && match_netid(c->filter, solicit_tags, plain_range) && @@ -93,7 +92,7 @@ index 8754481..f093a5c 100644 { mark_config_used(state->context, &addr); if (have_config(config, CONFIG_TIME)) -@@ -1289,6 +1291,37 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu +@@ -1313,6 +1315,37 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu } @@ -132,5 +131,5 @@ index 8754481..f093a5c 100644 { void *oro; -- -2.23.0 +2.33.0 diff --git a/bugfix-deal-with-CONFRIM-when-binding-mac-with-ipv6.patch b/bugfix-deal-with-CONFRIM-when-binding-mac-with-ipv6.patch index 8efa0304cf02db631928ed0320ec2ea6d9584659..fdb7109a4a97c6d5d7aa15f0cec25c2142f6bc6c 100644 --- a/bugfix-deal-with-CONFRIM-when-binding-mac-with-ipv6.patch +++ b/bugfix-deal-with-CONFRIM-when-binding-mac-with-ipv6.patch 
@@ -1,22 +1,20 @@ -From 068fe05737fe86185b5d55da7de6ea6b2668c911 Mon Sep 17 00:00:00 2001 -From: liaichun -Date: Mon, 20 Apr 2020 16:17:24 +0800 -Subject: [PATCH] bugfix-deal-with-CONFRIM-when-binding-mac-with-ipv6 - -Conflict: NA -Reference: NA +From 068fe05737fe86185b5d55da7de6ea6b2668c911 Mon Sep 17 00:00:00 2001 +From: liaichun +Date: Mon, 20 Apr 2020 16:17:24 +0800 +Subject: [PATCH] bugfix-deal-with-CONFRIM-when-binding-mac-with-ipv6 + --- - src/rfc3315.c | 32 ++++++++++++++++++++++++++++++-- - 1 file changed, 30 insertions(+), 2 deletions(-) + src/rfc3315.c | 32 +++++++++++++++++++++++++++++++- + 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/src/rfc3315.c b/src/rfc3315.c -index f093a5c..7ec4e8a 100644 +index 004ebb8..8c22ded 100644 --- a/src/rfc3315.c +++ b/src/rfc3315.c -@@ -1058,12 +1058,32 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu +@@ -1077,12 +1077,32 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu case DHCP6CONFIRM: { - int good_addr = 0; + int good_addr = 0, bad_addr = 0; + int find_bind = 0; + struct dhcp_config *find_config = NULL; @@ -34,7 +32,7 @@ index f093a5c..7ec4e8a 100644 + break; + } + } -+ /* requires all mac has binding ipv6 address. */ ++ /* requires all mac has binding ipv6 address. */ + if (find_bind == 0) { + o1 = new_opt6(OPTION6_STATUS_CODE); + put_opt6_short(DHCP6NOTONLINK); 
@@ -47,11 +45,11 @@ index f093a5c..7ec4e8a 100644 for (opt = state->packet_options; opt; opt = opt6_next(opt, state->end)) { void *ia_option, *ia_end; -@@ -1086,7 +1106,15 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu - log6_quiet(state, "DHCPREPLY", &req_addr, _("confirm failed")); - return 1; +@@ -1106,6 +1126,16 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu + good_addr = 1; + log6_quiet(state, "DHCPREPLY", &req_addr, state->hostname); } -- ++ + if(daemon->bind_mac_with_ip6) { + if (!is_same_net6(&req_addr, &find_config->addr6, 128)) { + o1 = new_opt6(OPTION6_STATUS_CODE); @@ -61,9 +59,9 @@ index f093a5c..7ec4e8a 100644 + return 1; + } + } - good_addr = 1; - log6_quiet(state, "DHCPREPLY", &req_addr, state->hostname); } + } + -- -2.23.0 +2.33.0 diff --git a/dnsmasq-2.89.tar.xz b/dnsmasq-2.89.tar.xz deleted file mode 100644 index d870d142e3627833b6ff3ee872a3e22f869d2562..0000000000000000000000000000000000000000 Binary files a/dnsmasq-2.89.tar.xz and /dev/null differ diff --git a/dnsmasq-2.90.tar.xz b/dnsmasq-2.90.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..649c2ccaff878e27851c9fe9327b92f0d90553d5 Binary files /dev/null and b/dnsmasq-2.90.tar.xz differ diff --git a/dnsmasq.spec b/dnsmasq.spec index 15bca73de28b8795280fea211ddb6d90562cd368..71a8b3141a75d9b31c5552068e173dc9ae73306f 100644 --- a/dnsmasq.spec +++ b/dnsmasq.spec @@ -1,6 +1,6 @@ Name: dnsmasq -Version: 2.89 -Release: 2 +Version: 2.90 +Release: 1 Summary: Dnsmasq provides network infrastructure for small networks License: GPLv2 or GPLv3 URL: http://www.thekelleys.org.uk/dnsmasq/ 
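Review bot: In the relocated DHCP6CONFIRM block of the CONFRIM patch, `is_same_net6(&req_addr, &find_config->addr6, 128)` dereferences `find_config`, which the first hunk initialises to NULL; the lines that assign it and the `find_bind == 0` early return fall in parts of the patch this diff does not show, so the non-NULL guarantee cannot be confirmed here. Making the test fail closed keeps it local: `if (!find_config || !is_same_net6(&req_addr, &find_config->addr6, 128)) {`. After the rebase the block also sits below `good_addr = 1;` and `log6_quiet(state, "DHCPREPLY", &req_addr, state->hostname);`, so a CONFIRM that the binding check then rejects has already been logged as accepted; moving the check ahead of that branch, or logging the rejection, would keep the log consistent with the reply. dhcp6_no_relay continues outside the hunk.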
@@ -11,10 +11,10 @@ Source2: dnsmasq-systemd-sysusers.conf Patch1: backport-dnsmasq-2.77-underflow.patch Patch2: backport-dnsmasq-2.81-configuration.patch Patch3: backport-dnsmasq-2.78-fips.patch -Patch4: backport-CVE-2023-28450-Set-the-default-maximum-DNS-UDP-packet.patch -Patch5: bugfix-allow-binding-mac-with-ipv6.patch -Patch6: bugfix-deal-with-CONFRIM-when-binding-mac-with-ipv6.patch -Patch7: backport-Fix-memory-leak-when-using-dhcp-optsfile-with-DHCPv6.patch +Patch4: backport-Fix-spurious-resource-limit-exceeded-messages.patch +Patch5: backport-Fix-error-introduced-in-51471cafa5a4fa44d6fe49.patch +Patch6: bugfix-allow-binding-mac-with-ipv6.patch +Patch7: bugfix-deal-with-CONFRIM-when-binding-mac-with-ipv6.patch BuildRequires: gcc BuildRequires: dbus-devel pkgconfig libidn2-devel nettle-devel systemd @@ -104,6 +104,12 @@ install -Dpm644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysusersdir}/dnsmasq.conf %{_mandir}/man8/dnsmasq* %changelog +* Thu Feb 22 2024 renmingshuai - 2.90-1 +- Type:requirement +- Id:NA +- SUG:NA +- DESC:Update to 2.90 + * Wed Nov 22 2023 renmingshuai - 2.89-2 - Type:bugfix - Id:NA
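Review bot: The Patch list drops `backport-CVE-2023-28450-Set-the-default-maximum-DNS-UDP-packet.patch`, yet the new `%changelog` entry says only `DESC:Update to 2.90`, so nothing records that the CVE-2023-28450 change (`EDNS_PKTSZ 1232`) is now expected to come from the 2.90 tarball. Presumably upstream carries it, but that should be confirmed against `src/config.h` in the new source and stated in the entry, e.g. `- DESC:Update to 2.90; CVE-2023-28450 fix is included upstream, downstream patch dropped`. The same applies to the removed dhcp-optsfile memory-leak backport.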