diff --git a/dnsmasq-2.81-configuration.patch b/dnsmasq-2.81-configuration.patch
new file mode 100644
index 0000000..0cf66c7
--- /dev/null
+++ b/dnsmasq-2.81-configuration.patch
@@ -0,0 +1,79 @@
+From d07d1bcdd739da00d0acb8c4561c33bc4d27a0da Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Tue, 30 Jun 2020 18:06:29 +0200
+Subject: [PATCH] Modify upstream configuration to safe defaults
+
+Most important change would be to listen only on localhost. Default
+configuration should not listen to request from remote hosts. Match also
+user and paths to directories shipped in Fedora.
+---
+ dnsmasq.conf.example | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
+index bf19424..a130118 100644
+--- a/dnsmasq.conf.example
++++ b/dnsmasq.conf.example
+@@ -22,7 +22,7 @@
+ 
+ # Uncomment these to enable DNSSEC validation and caching:
+ # (Requires dnsmasq to be built with DNSSEC option.)
+-#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
++#conf-file=/usr/share/dnsmasq/trust-anchors.conf
+ #dnssec
+ 
+ # Replies which are not DNSSEC signed may be legitimate, because the domain
+@@ -96,14 +96,16 @@
+ 
+ # If you want dnsmasq to change uid and gid to something other
+ # than the default, edit the following lines.
+-#user=
+-#group=
++user=dnsmasq
++group=dnsmasq
+ 
+ # If you want dnsmasq to listen for DHCP and DNS requests only on
+ # specified interfaces (and the loopback) give the name of the
+ # interface (eg eth0) here.
+ # Repeat the line for more than one interface.
+ #interface=
++# Listen only on localhost by default
++interface=lo
+ # Or you can specify which interface _not_ to listen on
+ #except-interface=
+ # Or which to listen on by address (remember to include 127.0.0.1 if
+@@ -114,6 +116,10 @@
+ # disable DHCP and TFTP on it.
+ #no-dhcp-interface=
+ 
++# Serve DNS and DHCP only to networks directly connected to this machine.
++# Any interface= line will override it.
++#local-service
++
+ # On systems which support it, dnsmasq binds the wildcard address,
+ # even when it is listening on only some interfaces. 
It then discards
+ # requests that it shouldn't reply to. This has the advantage of
+@@ -535,7 +541,7 @@
+ # The DHCP server needs somewhere on disk to keep its lease database.
+ # This defaults to a sane location, but if you want to change it, use
+ # the line below.
+-#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
++#dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases
+ 
+ # Set the DHCP server to authoritative mode. In this mode it will barge in
+ # and take over the lease for any client which broadcasts on the network,
+@@ -673,7 +679,11 @@
+ # Include all files in a directory which end in .conf
+ #conf-dir=/etc/dnsmasq.d/,*.conf
+ 
++# Include all files in /etc/dnsmasq.d except RPM backup files
++conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
++
+ # If a DHCP client claims that its name is "wpad", ignore that.
+ # This fixes a security hole. see CERT Vulnerability VU#598349
+ #dhcp-name-match=set:wpad-ignore,wpad
+ #dhcp-ignore-names=tag:wpad-ignore
++
+-- 
+2.26.2
+
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 2db0d37..7bc3eb2 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -20,7 +20,7 @@
 Name: dnsmasq
 Version: 2.81
-Release: 3%{?extraversion:.%{extraversion}}%{?dist}
+Release: 4%{?extraversion:.%{extraversion}}%{?dist}
 Summary: A lightweight DHCP/caching DNS server
 License: GPLv2 or GPLv3
@@ -38,6 +38,8 @@ Source4: http://www.thekelleys.org.uk/srkgpg.txt
 # https://bugzilla.redhat.com/show_bug.cgi?id=1495409
 Patch1: dnsmasq-2.77-underflow.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1852373
+Patch2: dnsmasq-2.81-configuration.patch
 Patch3: dnsmasq-2.78-fips.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1728701
 Patch7: dnsmasq-2.80-rh1728701.patch
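Review bot: `interface=lo` alone does not stop remote hosts from reaching the socket: as the comment immediately after the new `#local-service` lines says, dnsmasq still binds the wildcard address and discards requests it shouldn't answer, so port 53 stays open on every address and each remote datagram is received by the process before it is dropped. If the new default is meant to expose the resolver only on loopback, consider pairing it with `bind-interfaces` (per the dnsmasq manual this binds only the listed interfaces; `bind-dynamic` is the variant that also picks up interfaces that appear later) and say why in the comment, e.g. `# Listen only on localhost by default; bind-interfaces makes the socket itself loopback-only`. The comment on `interface=lo` should also warn that it overrides `local-service`, since the hunk's own `#local-service` text says any `interface=` line disables that check, so an administrator who changes `lo` to a LAN interface silently loses the directly-connected-subnet restriction. Separately, `conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig` loads every other file in the directory, including editor backups such as `*~` or `*.bak`; the upstream `conf-dir=/etc/dnsmasq.d/,*.conf` form is the safer allow-list if unsuffixed drop-ins do not need to keep working.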
@@ -106,12 +108,6 @@ for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
 sed -i 's|/var/lib/misc/dnsmasq.leases|/var/lib/dnsmasq/dnsmasq.leases|g' "$file"
 done
-# fix the path to the trust anchor
-sed -i 's|%%%%PREFIX%%%%|%{_prefix}|' dnsmasq.conf.example
-
-#set dnsmasq user / group
-sed -i 's|#user=|user=dnsmasq|' dnsmasq.conf.example
-sed -i 's|#group=|group=dnsmasq|' dnsmasq.conf.example
 #set default user /group in src/config.h
 sed -i 's|#define CHUSER "nobody"|#define CHUSER "dnsmasq"|' src/config.h
 sed -i 's|#define CHGRP "dip"|#define CHGRP "dnsmasq"|' src/config.h
@@ -119,14 +115,6 @@ sed -i 's|#define CHGRP "dip"|#define CHGRP "dnsmasq"|' src/config.h
 # optional parts
 sed -i 's|^COPTS[[:space:]]*=|\0 -DHAVE_DBUS -DHAVE_LIBIDN2 -DHAVE_DNSSEC|' Makefile
-#enable /etc/dnsmasq.d fix bz 526703, ignore RPM backup files
-cat << EOF >> dnsmasq.conf.example
-
-# Include all files in /etc/dnsmasq.d except RPM backup files
-conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
-EOF
-
-
 %build
 %make_build CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS"
 %make_build -C contrib/lease-tools CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS"
@@ -198,6 +186,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
 %{_mandir}/man1/dhcp_*
 %changelog
+* Tue Jun 30 2020 Petr Menšík - 2.81-4
+- Accept queries only from localhost (CVE-2020-14312)
+
 * Mon May 11 2020 Petr Menšík - 2.81-3
 - Correct multiple entries with the same mac address (#1834454)