import UBI dnsmasq-2.85-14.el9

SOURCES/dnsmasq-2.85-domain-blocklist-speedup.patch

@@ -0,0 +1,106 @@
+From e046f32d882b6acf2090cbe8830c2dea6279aa8e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Fri, 9 Jun 2023 22:11:01 +0200
+Subject: [PATCH] Use serv_domain only for regular servers
+
+Do not try to use it for --local=/x/ or --address=/x/#. Some users use
+quite long list of blocks, which slows down walking trough domain list
+considerably. But searching by server_domain_find_domain is needed only
+for normal servers, which may store there last used server and number
+of recent forwarded queries. Local addresses overrides store there no
+useful information, avoid searching and adding new domains for such
+records.
+
+Would also speed up searching servers when blocklists are used, because
+only domains of servers are tested.
+
+Resolves: rhbz#2209031
+---
+ src/forward.c |  2 +-
+ src/option.c  | 15 +++++++++------
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/src/forward.c b/src/forward.c
+index fffab7a..3d1227b 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -249,7 +249,7 @@ static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned
+       *type = 0; /* use normal servers for this domain */
+       *domain = NULL;
+     }
+-  if (serv_domain && !*serv_domain)
++  if (serv_domain && !*serv_domain && (*type & SERV_HAS_DOMAIN)==0)
+     *serv_domain = server_domain_find_domain(NULL);
+   return  flags;
+ }
+diff --git a/src/option.c b/src/option.c
+index e4e3182..25680c0 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -928,7 +928,7 @@ static struct server *add_rev4(struct in_addr addr, int msize)
+   p += sprintf(p, "in-addr.arpa");
+   
+   serv->flags = SERV_HAS_DOMAIN;
+-  server_domain_new(serv);
++  serv->serv_domain = NULL;
+   serv->next = daemon->servers;
+   daemon->servers = serv;
+ 
+@@ -953,7 +953,7 @@ static struct server *add_rev6(struct in6_addr *addr, int msize)
+   p += sprintf(p, "ip6.arpa");
+   
+   serv->flags = SERV_HAS_DOMAIN;
+-  server_domain_new(serv);
++  serv->serv_domain = NULL;
+   serv->next = daemon->servers;
+   daemon->servers = serv;
+   
+@@ -2294,7 +2294,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+ 				  memset(serv, 0, sizeof(struct server));
+ 				  serv->domain = d;
+ 				  serv->flags = SERV_HAS_DOMAIN | SERV_NO_ADDR;
+-				  server_domain_new(serv);
++				  serv->serv_domain = NULL;
+ 				  serv->next = daemon->servers;
+ 				  daemon->servers = serv;
+ 				}
+@@ -2338,7 +2338,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+ 				  memset(serv, 0, sizeof(struct server));
+ 				  serv->domain = d;
+ 				  serv->flags = SERV_HAS_DOMAIN | SERV_NO_ADDR;
+-				  server_domain_new(serv);
++				  serv->serv_domain = NULL;
+ 				  serv->next = daemon->servers;
+ 				  daemon->servers = serv;
+ 				}
+@@ -2591,7 +2591,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+ 		newlist = serv;
+ 		serv->domain = domain;
+ 		serv->flags = domain ? SERV_HAS_DOMAIN : SERV_FOR_NODOTS;
+-		server_domain_new(serv);
++		serv->serv_domain = NULL;
+ 		arg = end;
+ 		if (rebind)
+ 		  break;
+@@ -2639,6 +2639,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+ 	        server_list_free(newlist);
+ 	        ret_err(err);
+ 	      }
++	    if ((newlist->flags & SERV_LITERAL_ADDRESS)==0)
++	      server_domain_new(newlist);
+ 	  }
+ 	
+ 	serv = newlist;
+@@ -2682,7 +2684,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+ 	  serv = add_rev6(&addr6, size);
+ 	else
+ 	  ret_err(gen_err);
+- 
++
++        server_domain_new(serv);
+ 	string = parse_server(comma, &serv->addr, &serv->source_addr, serv->interface, &serv->flags);
+ 	
+ 	if (string)
+-- 
+2.40.1
+

SOURCES/dnsmasq-2.85-search_servers-rhbz2182342.patch

@@ -0,0 +1,50 @@
+From d75a9691edaa2b2efd8b51f2de492c62cb57c629 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Fri, 5 May 2023 17:51:56 +0200
+Subject: [PATCH] Ensure search_servers domain is set on dnssec
+
+When dnssec validation is enabled the domain variable used when fetching
+dnssec key or domain were not properly initialized always. It were read
+anyway inside search_servers. Because it is changed only sometime, do
+not use its value on the end of function. domain can be NULL only at
+that point, use that value right away.
+
+Include also TCP.
+---
+ src/forward.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/forward.c b/src/forward.c
+index b09dc96..fffab7a 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -250,7 +250,7 @@ static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned
+       *domain = NULL;
+     }
+   if (serv_domain && !*serv_domain)
+-    *serv_domain = server_domain_find_domain(*domain);
++    *serv_domain = server_domain_find_domain(NULL);
+   return  flags;
+ }
+ 
+@@ -1097,7 +1097,7 @@ void reply_query(int fd, time_t now)
+ 		    {
+ 		      int querytype, fd, type = SERV_DO_DNSSEC;
+ 		      struct frec *next = new->next;
+-		      char *domain;
++		      char *domain = NULL;
+ 		      
+ 		      *new = *forward; /* copy everything, then overwrite */
+ 		      new->next = next;
+@@ -1633,7 +1633,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
+   while (1)
+     {
+       int type = SERV_DO_DNSSEC;
+-      char *domain;
++      char *domain = NULL;
+       size_t m; 
+       unsigned char c1, c2;
+       struct server *firstsendto = NULL;
+-- 
+2.40.1
+

SOURCES/dnsmasq-2.85-serv_domain-rh2186481-2.patch

@@ -0,0 +1,83 @@
+From 4650d0aef20db4b7e129895ffcb93ca4609e6347 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Wed, 10 May 2023 12:57:17 +0200
+Subject: [PATCH] fixup! Correct releasing of serv_domain
+
+---
+ src/dnsmasq.h |  2 +-
+ src/network.c | 20 +++++++++++---------
+ 2 files changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index b6dcc50..c62c3d0 100644
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -1405,7 +1405,7 @@ int fix_fd(int fd);
+ int tcp_interface(int fd, int af);
+ int set_ipv6pktinfo(int fd);
+ struct server_domain *server_domain_find_domain(const char *domain);
+-struct server_domain *server_domain_new(struct server *serv);
++void server_domain_new(struct server *serv);
+ #ifdef HAVE_DHCP6
+ void join_multicast(int dienow);
+ #endif
+diff --git a/src/network.c b/src/network.c
+index 8152cac..e42220c 100644
+--- a/src/network.c
++++ b/src/network.c
+@@ -1653,6 +1653,7 @@ void add_update_server(int flags,
+ 	serv->addr = *addr;
+       if (source_addr)
+ 	serv->source_addr = *source_addr;
++      server_domain_new(serv);
+     }
+ }
+ 
+@@ -1680,14 +1681,20 @@ struct server_domain *server_domain_find_domain(const char *domain)
+ /**< Test structure has already set domain pointer.
+  *
+  * If not, create a new record. */
+-struct server_domain *server_domain_new(struct server *serv)
++void server_domain_new(struct server *serv)
+ {
+   struct server_domain *sd;
++  const char *domain = server_get_domain(serv);
+ 
+-  if ((sd = whine_malloc(sizeof(struct server_domain))))
++  sd = server_domain_find_domain(domain);
++  if (sd)
+     {
+-      const char *domain = server_get_domain(serv);
++      serv->serv_domain = sd;
++      return;
++    }
+ 
++  if ((sd = whine_malloc(sizeof(struct server_domain))))
++    {
+       /* Ensure all serv->domain values have own record in server_domain.
+        * Add a new record. */
+       if (domain)
+@@ -1701,7 +1708,6 @@ struct server_domain *server_domain_new(struct server *serv)
+       serv->serv_domain = sd;
+       daemon->server_domains = sd;
+     }
+-  return sd;
+ }
+ 
+ /**< Test structure has already set domain pointer.
+@@ -1714,11 +1720,7 @@ static void server_domain_check(struct server *serv)
+   if (sd)
+     sd->flags &= (~SERV_MARK); /* found domain, mark active */
+   else
+-    {
+-      sd = server_domain_find_domain(serv->domain);
+-      if (!sd)
+-	server_domain_new(serv);
+-    }
++    server_domain_new(serv);
+ }
+ 
+ void check_servers(void)
+-- 
+2.40.1
+

SOURCES/dnsmasq-2.85-serv_domain-rh2186481.patch

@@ -0,0 +1,108 @@
+From c0e0202736f55195104dad9fec98c20d0d15df21 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Fri, 21 Apr 2023 17:04:53 +0200
+Subject: [PATCH] Correct releasing of serv_domain
+
+In case the server->serv_domain points to domain also when it is not the
+last server used, ensure the reference to last_server is always reset.
+Some records might reference the server_domain, but cannot ever become
+last_server. Such as server=/example.com/#
+
+Correct detection of used server_domains for standard resolvers case.
+Mark domain used even in that case, so it is not freed during
+resolv.conf reading or other nameservers change.
+---
+ src/network.c | 40 +++++++++++++++++++++++++++++++---------
+ 1 file changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/src/network.c b/src/network.c
+index cf2f2e2..8152cac 100644
+--- a/src/network.c
++++ b/src/network.c
+@@ -1511,7 +1511,18 @@ void mark_servers(int flag)
+     }
+ }
+ 
+-static void server_domains_cleanup(void)
++static void server_domains_pre_cleanup(void)
++{
++  struct server_domain *sd;
++
++  /* reset removed last_server. */
++  for (sd = daemon->server_domains; sd; sd = sd->next)
++    if ((sd->flags & SERV_MARK) == 0 && sd->last_server &&
++	(sd->last_server->flags & SERV_MARK) != 0)
++      sd->last_server = NULL;
++}
++
++static void server_domains_post_cleanup(void)
+ {
+   struct server_domain *sd, *tmp, **up;
+ 
+@@ -1528,8 +1539,6 @@ static void server_domains_cleanup(void)
+        }
+       else {
+         up = &sd->next;
+-        if (sd->last_server && (sd->last_server->flags & SERV_MARK))
+-	  sd->last_server = NULL;
+       }
+     }
+ }
+@@ -1538,7 +1547,7 @@ void cleanup_servers(void)
+ {
+   struct server *serv, *tmp, **up;
+ 
+-  server_domains_cleanup();
++  server_domains_pre_cleanup();
+ 
+   /* unlink and free anything still marked. */
+   for (serv = daemon->servers, up = &daemon->servers; serv; serv = tmp) 
+@@ -1552,10 +1561,16 @@ void cleanup_servers(void)
+ 	   free(serv->domain);
+ 	 free(serv);
+        }
+-      else 
+-       up = &serv->next;
++      else
++       {
++         up = &serv->next;
++         if (serv->serv_domain && (serv->serv_domain->flags & SERV_MARK) != 0)
++           serv->serv_domain = NULL;
++       }
+     }
+ 
++  server_domains_post_cleanup();
++
+ #ifdef HAVE_LOOP
+   /* Now we have a new set of servers, test for loops. */
+   loop_send_probes();
+@@ -1699,7 +1714,11 @@ static void server_domain_check(struct server *serv)
+   if (sd)
+     sd->flags &= (~SERV_MARK); /* found domain, mark active */
+   else
+-    server_domain_new(serv);
++    {
++      sd = server_domain_find_domain(serv->domain);
++      if (!sd)
++	server_domain_new(serv);
++    }
+ }
+ 
+ void check_servers(void)
+@@ -1808,8 +1827,11 @@ void check_servers(void)
+ 	      else if (strlen(serv->domain) == 0)
+ 		s1 = _("default"), s2 = "";
+ 	      else
+-		s1 = _("domain"), s2 = serv->domain;
+-	      
++		{
++		  s1 = _("domain"), s2 = serv->domain;
++		  server_domain_check(serv);
++		}
++
+ 	      if (serv->flags & SERV_NO_ADDR)
+ 		{
+ 		  count--;
+-- 
+2.39.2
+

SOURCES/dnsmasq-2.87-coverity-forward-cache.patch

@@ -0,0 +1,77 @@
+From 2f45670951d2159ebf588e1e4943c0bc9e1cd20b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Wed, 18 Aug 2021 14:59:23 +0200
+Subject: [PATCH] Add safety checks to places pointed by Coverity
+
+GCC Analyzer (experimental)
+
+1. dnsmasq-2.85/src/forward.c:0: scope_hint: In function 'allocate_rfd.part.0'
+2. dnsmasq-2.85/src/forward.c:2321:18: warning[-Wanalyzer-null-dereference]: dereference of NULL 'rfd'
+ #  2319|     *fdlp = rfl;
+ #  2320|
+ #  2321|->   return rfl->rfd->fd;
+ #  2322|   }
+ #  2323|
+
+1. dnsmasq-2.85/src/cache.c:0: scope_hint: In function 'log_query'
+2. dnsmasq-2.85/src/cache.c:1969:20: warning[-Wanalyzer-null-dereference]: dereference of NULL 'name'
+ #  1967|       source = "cached";
+ #  1968|
+ #  1969|->   if (strlen(name) == 0)
+ #  1970|       name = ".";
+ #  1971|
+
+1. dnsmasq-2.85/src/cache.c:0: scope_hint: In function 'cache_scan_free'
+2. dnsmasq-2.85/src/cache.c:436:20: warning[-Wanalyzer-null-argument]: use of NULL 'addr' where non-null expected
+40. /usr/include/sys/un.h:37: included_from: Included from here.
+41. dnsmasq-2.85/src/dnsmasq.h:101: included_from: Included from here.
+42. dnsmasq-2.85/src/cache.c:17: included_from: Included from here.
+43. /usr/include/string.h:64:12: note: argument 2 of 'memcmp' must be non-null
+ #   434|   		   (flags & crecp->flags & F_REVERSE) &&
+ #   435|   		   (flags & crecp->flags & (F_IPV4 | F_IPV6)) &&
+ #   436|-> 		   memcmp(&crecp->addr, addr, addrlen) == 0)
+ #   437|   	    {
+ #   438|   	      *up = crecp->hash_next;
+---
+ src/cache.c   | 4 ++--
+ src/forward.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/cache.c b/src/cache.c
+index b3b3c7c..8f97947 100644
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -483,7 +483,7 @@ static struct crec *cache_scan_free(char *name, union all_addr *addr, unsigned s
+ 	  else if (!(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) &&
+ 		   (flags & crecp->flags & F_REVERSE) && 
+ 		   (flags & crecp->flags & (F_IPV4 | F_IPV6)) &&
+-		   memcmp(&crecp->addr, addr, addrlen) == 0)
++		   addr && memcmp(&crecp->addr, addr, addrlen) == 0)
+ 	    {
+ 	      *up = crecp->hash_next;
+ 	      cache_unlink(crecp);
+@@ -2067,7 +2067,7 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
+   else
+     source = "cached";
+   
+-  if (strlen(name) == 0)
++  if (name && !name[0])
+     name = ".";
+ 
+   if (option_bool(OPT_EXTRALOG))
+diff --git a/src/forward.c b/src/forward.c
+index 434ba77..f3c38d7 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -2274,7 +2274,7 @@ int allocate_rfd(struct randfd_list **fdlp, struct server *serv)
+ 	  }
+       }
+ 
+-  if (j == daemon->numrrand)
++  if (!rfd) /* should be when j == daemon->numrrand */
+     {
+       struct randfd_list *rfl_poll;
+ 
+-- 
+2.41.0
+

SOURCES/dnsmasq-2.87-log-root-writeable.patch

@@ -0,0 +1,64 @@
+From e342e4d5c3093d8dd9e2d622e46d36f67bfb4925 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Mon, 10 Jan 2022 12:34:42 +0100
+Subject: [PATCH] Add root group writeable flag to log file
+
+Some systems strips even root process capability of writing to different
+users file. That include systemd under Fedora. When
+log-facility=/var/log/dnsmasq.log is used, log file with mode 0640
+is created. But restart then fails, because such log file can be used
+only when created new. Existing file cannot be opened by root when
+starting, causing fatal error. Avoid that by adding root group writeable flag.
+
+Ensure group is always root when granting write access. If it is
+anything else, administrator has to configure correct rights.
+
+(cherry picked from commit 1f8f78a49b8fd6b2862a3882053b1c6e6e111e5c)
+---
+ src/log.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/src/log.c b/src/log.c
+index 1ec3447..bcd6e52 100644
+--- a/src/log.c
++++ b/src/log.c
+@@ -100,10 +100,23 @@ int log_start(struct passwd *ent_pw, int errfd)
+   /* If we're running as root and going to change uid later,
+      change the ownership here so that the file is always owned by
+      the dnsmasq user. Then logrotate can just copy the owner.
+-     Failure of the chown call is OK, (for instance when started as non-root) */
+-  if (log_to_file && !log_stderr && ent_pw && ent_pw->pw_uid != 0 && 
+-      fchown(log_fd, ent_pw->pw_uid, -1) != 0)
+-    ret = errno;
++     Failure of the chown call is OK, (for instance when started as non-root).
++     
++     If we've created a file with group-id root, we also make
++     the file group-writable. This gives processes in the root group
++     write access to the file and avoids the problem that on some systems,
++     once the file is owned by the dnsmasq user, it can't be written
++     whilst dnsmasq is running as root during startup.
++ */
++  if (log_to_file && !log_stderr && ent_pw && ent_pw->pw_uid != 0)
++    {
++      struct stat ls;
++      if (getgid() == 0 && fstat(log_fd, &ls) == 0 && ls.st_gid == 0 &&
++	  (ls.st_mode & S_IWGRP) == 0)
++	(void)fchmod(log_fd, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP);
++      if (fchown(log_fd, ent_pw->pw_uid, -1) != 0)
++	ret = errno;
++    }
+ 
+   return ret;
+ }
+@@ -118,7 +131,7 @@ int log_reopen(char *log_file)
+       /* NOTE: umask is set to 022 by the time this gets called */
+       
+       if (log_file)
+-	log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP);      
++	log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP);
+       else
+ 	{
+ #if defined(HAVE_SOLARIS_NETWORK) || defined(__ANDROID__)
+-- 
+2.40.1
+

SOURCES/dnsmasq-2.89-edns0-size.patch

@@ -0,0 +1,45 @@
+From 9d8270be2e2b31437684f2d87add9a28a41f0c75 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Tue, 7 Mar 2023 22:07:46 +0000
+Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232.
+
+http://www.dnsflagday.net/2020/ refers.
+
+Thanks to Xiang Li for the prompt.
+
+(cherry picked from commit eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5)
+---
+ man/dnsmasq.8 | 3 ++-
+ src/config.h  | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
+index fce580f..4b0b180 100644
+--- a/man/dnsmasq.8
++++ b/man/dnsmasq.8
+@@ -171,7 +171,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP.
+ .TP
+ .B \-P, --edns-packet-max=<size>
+ Specify the largest EDNS.0 UDP packet which is supported by the DNS
+-forwarder. Defaults to 4096, which is the RFC5625-recommended size.
++forwarder. Defaults to 1232, which is the recommended size following the
++DNS flag day in 2020. Only increase if you know what you are doing.
+ .TP
+ .B \-Q, --query-port=<query_port>
+ Send outbound DNS queries from, and listen for their replies on, the
+diff --git a/src/config.h b/src/config.h
+index 8c41943..62b7fa1 100644
+--- a/src/config.h
++++ b/src/config.h
+@@ -19,7 +19,7 @@
+ #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
+ #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
+ #define TCP_BACKLOG 32  /* kernel backlog limit for TCP connections */
+-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
++#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from  /dnsflagday.net/2020 */
+ #define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */
+ #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
+ #define DNSSEC_WORK 50 /* Max number of queries to validate one question */
+-- 
+2.39.2
+

SPECS/dnsmasq.spec

@@ -20,7 +20,7 @@
 
 Name:           dnsmasq
 Version:        2.85
-Release:        6%{?extraversion:.%{extraversion}}%{?dist}
+Release:        14%{?extraversion:.%{extraversion}}%{?dist}
 Summary:        A lightweight DHCP/caching DNS server
 
 License:        GPLv2 or GPLv3
@@ -51,6 +51,24 @@ Patch6:         dnsmasq-2.86-dhcpv6-client-arch.patch
 Patch7:         dnsmasq-2.87-CVE-2022-0934.patch
 # Downstream only patch; fixes Patch4 change
 Patch8:         dnsmasq-2.79-server-domain-fixup.patch
+# https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5
+Patch9:         dnsmasq-2.89-edns0-size.patch
+# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2186481
+# Fixes issue in Patch4
+Patch10:        dnsmasq-2.85-serv_domain-rh2186481.patch
+# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2182342
+# Another issue in Patch4
+Patch11:        dnsmasq-2.85-search_servers-rhbz2182342.patch
+# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2186481
+# complements patch10
+Patch12:        dnsmasq-2.85-serv_domain-rh2186481-2.patch
+# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=1f8f78a49b8fd6b2862a3882053b1c6e6e111e5c
+Patch13:        dnsmasq-2.87-log-root-writeable.patch
+# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2209031
+# complements patch12
+Patch14:        dnsmasq-2.85-domain-blocklist-speedup.patch
+# https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;h=9bbf098a970c9e5fa251939208e25fb21064d1be
+Patch15:        dnsmasq-2.87-coverity-forward-cache.patch
 
 # This is workaround to nettle bug #1549190
 # https://bugzilla.redhat.com/show_bug.cgi?id=1549190
@@ -194,6 +212,30 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
 %{_mandir}/man1/dhcp_*
 
 %changelog
+* Fri Jul 28 2023 Petr Menšík <pemensik@redhat.com> - 2.85-14
+- Backport Coverity fix to hide detected issue (#2156789)
+
+* Thu Jul 20 2023 Petr Menšík <pemensik@redhat.com> - 2.85-13
+- Rebuild with modified gating settings
+
+* Wed Jun 14 2023 Petr Menšík <pemensik@redhat.com> - 2.85-12
+- Make create logfile writeable by root (#2156789)
+
+* Fri Jun 09 2023 Petr Menšík <pemensik@redhat.com> - 2.85-11
+- Do not create and search --local and --address=/x/# domains (#2209031)
+
+* Wed May 10 2023 Petr Menšík <pemensik@redhat.com> - 2.85-10
+- Fix also dynamically set resolvers over dbus (#2186481)
+
+* Fri May 05 2023 Petr Menšík <pemensik@redhat.com> - 2.85-9
+- Properly initialize domain parameter in dnssec mode (#2182342)
+
+* Fri Apr 21 2023 Petr Menšík <pemensik@redhat.com> - 2.85-8
+- Correct possible crashes when server=/example.net/# is used (#2188712)
+
+* Mon Apr 03 2023 Petr Menšík <pemensik@redhat.com> - 2.85-7
+- Limit offered EDNS0 size 1232 (CVE-2023-28450)
+
 * Thu Jan 26 2023 Petr Menšík <pemensik@redhat.com> - 2.85-6
 - Use upstream change for CVE-2022-0934 (#2126586)