diff --git a/SOURCES/dnsmasq-2.85-domain-blocklist-speedup.patch b/SOURCES/dnsmasq-2.85-domain-blocklist-speedup.patch new file mode 100644 index 0000000..a9c6ceb --- /dev/null +++ b/SOURCES/dnsmasq-2.85-domain-blocklist-speedup.patch @@ -0,0 +1,106 @@ +From e046f32d882b6acf2090cbe8830c2dea6279aa8e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Fri, 9 Jun 2023 22:11:01 +0200 +Subject: [PATCH] Use serv_domain only for regular servers + +Do not try to use it for --local=/x/ or --address=/x/#. Some users use +quite long list of blocks, which slows down walking trough domain list +considerably. But searching by server_domain_find_domain is needed only +for normal servers, which may store there last used server and number +of recent forwarded queries. Local addresses overrides store there no +useful information, avoid searching and adding new domains for such +records. + +Would also speed up searching servers when blocklists are used, because +only domains of servers are tested. + +Resolves: rhbz#2209031 +--- + src/forward.c | 2 +- + src/option.c | 15 +++++++++------ + 2 files changed, 10 insertions(+), 7 deletions(-) + +diff --git a/src/forward.c b/src/forward.c +index fffab7a..3d1227b 100644 +--- a/src/forward.c ++++ b/src/forward.c +@@ -249,7 +249,7 @@ static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned + *type = 0; /* use normal servers for this domain */ + *domain = NULL; + } +- if (serv_domain && !*serv_domain) ++ if (serv_domain && !*serv_domain && (*type & SERV_HAS_DOMAIN)==0) + *serv_domain = server_domain_find_domain(NULL); + return flags; + } +diff --git a/src/option.c b/src/option.c +index e4e3182..25680c0 100644 +--- a/src/option.c ++++ b/src/option.c +@@ -928,7 +928,7 @@ static struct server *add_rev4(struct in_addr addr, int msize) + p += sprintf(p, "in-addr.arpa"); + + serv->flags = SERV_HAS_DOMAIN; +- server_domain_new(serv); ++ serv->serv_domain = NULL; + serv->next = daemon->servers; + daemon->servers = serv; + +@@ -953,7 +953,7 @@ static struct server *add_rev6(struct in6_addr *addr, int msize) + p += sprintf(p, "ip6.arpa"); + + serv->flags = SERV_HAS_DOMAIN; +- server_domain_new(serv); ++ serv->serv_domain = NULL; + serv->next = daemon->servers; + daemon->servers = serv; + +@@ -2294,7 +2294,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma + memset(serv, 0, sizeof(struct server)); + serv->domain = d; + serv->flags = SERV_HAS_DOMAIN | SERV_NO_ADDR; +- server_domain_new(serv); ++ serv->serv_domain = NULL; + serv->next = daemon->servers; + daemon->servers = serv; + } +@@ -2338,7 +2338,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma + memset(serv, 0, sizeof(struct server)); + serv->domain = d; + serv->flags = SERV_HAS_DOMAIN | SERV_NO_ADDR; +- server_domain_new(serv); ++ serv->serv_domain = NULL; + serv->next = daemon->servers; + daemon->servers = serv; + } +@@ -2591,7 +2591,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma + newlist = serv; + serv->domain = domain; + serv->flags = domain ? SERV_HAS_DOMAIN : SERV_FOR_NODOTS; +- server_domain_new(serv); ++ serv->serv_domain = NULL; + arg = end; + if (rebind) + break; +@@ -2639,6 +2639,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma + server_list_free(newlist); + ret_err(err); + } ++ if ((newlist->flags & SERV_LITERAL_ADDRESS)==0) ++ server_domain_new(newlist); + } + + serv = newlist; +@@ -2682,7 +2684,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma + serv = add_rev6(&addr6, size); + else + ret_err(gen_err); +- ++ ++ server_domain_new(serv); + string = parse_server(comma, &serv->addr, &serv->source_addr, serv->interface, &serv->flags); + + if (string) +-- +2.40.1 + diff --git a/SOURCES/dnsmasq-2.85-search_servers-rhbz2182342.patch b/SOURCES/dnsmasq-2.85-search_servers-rhbz2182342.patch new file mode 100644 index 0000000..90ab539 --- /dev/null +++ b/SOURCES/dnsmasq-2.85-search_servers-rhbz2182342.patch @@ -0,0 +1,50 @@ +From d75a9691edaa2b2efd8b51f2de492c62cb57c629 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Fri, 5 May 2023 17:51:56 +0200 +Subject: [PATCH] Ensure search_servers domain is set on dnssec + +When dnssec validation is enabled the domain variable used when fetching +dnssec key or domain were not properly initialized always. It were read +anyway inside search_servers. Because it is changed only sometime, do +not use its value on the end of function. domain can be NULL only at +that point, use that value right away. + +Include also TCP. +--- + src/forward.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/forward.c b/src/forward.c +index b09dc96..fffab7a 100644 +--- a/src/forward.c ++++ b/src/forward.c +@@ -250,7 +250,7 @@ static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned + *domain = NULL; + } + if (serv_domain && !*serv_domain) +- *serv_domain = server_domain_find_domain(*domain); ++ *serv_domain = server_domain_find_domain(NULL); + return flags; + } + +@@ -1097,7 +1097,7 @@ void reply_query(int fd, time_t now) + { + int querytype, fd, type = SERV_DO_DNSSEC; + struct frec *next = new->next; +- char *domain; ++ char *domain = NULL; + + *new = *forward; /* copy everything, then overwrite */ + new->next = next; +@@ -1633,7 +1633,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si + while (1) + { + int type = SERV_DO_DNSSEC; +- char *domain; ++ char *domain = NULL; + size_t m; + unsigned char c1, c2; + struct server *firstsendto = NULL; +-- +2.40.1 + diff --git a/SOURCES/dnsmasq-2.85-serv_domain-rh2186481-2.patch b/SOURCES/dnsmasq-2.85-serv_domain-rh2186481-2.patch new file mode 100644 index 0000000..ee908c9 --- /dev/null +++ b/SOURCES/dnsmasq-2.85-serv_domain-rh2186481-2.patch @@ -0,0 +1,83 @@ +From 4650d0aef20db4b7e129895ffcb93ca4609e6347 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Wed, 10 May 2023 12:57:17 +0200 +Subject: [PATCH] fixup! Correct releasing of serv_domain + +--- + src/dnsmasq.h | 2 +- + src/network.c | 20 +++++++++++--------- + 2 files changed, 12 insertions(+), 10 deletions(-) + +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index b6dcc50..c62c3d0 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -1405,7 +1405,7 @@ int fix_fd(int fd); + int tcp_interface(int fd, int af); + int set_ipv6pktinfo(int fd); + struct server_domain *server_domain_find_domain(const char *domain); +-struct server_domain *server_domain_new(struct server *serv); ++void server_domain_new(struct server *serv); + #ifdef HAVE_DHCP6 + void join_multicast(int dienow); + #endif +diff --git a/src/network.c b/src/network.c +index 8152cac..e42220c 100644 +--- a/src/network.c ++++ b/src/network.c +@@ -1653,6 +1653,7 @@ void add_update_server(int flags, + serv->addr = *addr; + if (source_addr) + serv->source_addr = *source_addr; ++ server_domain_new(serv); + } + } + +@@ -1680,14 +1681,20 @@ struct server_domain *server_domain_find_domain(const char *domain) + /**< Test structure has already set domain pointer. + * + * If not, create a new record. */ +-struct server_domain *server_domain_new(struct server *serv) ++void server_domain_new(struct server *serv) + { + struct server_domain *sd; ++ const char *domain = server_get_domain(serv); + +- if ((sd = whine_malloc(sizeof(struct server_domain)))) ++ sd = server_domain_find_domain(domain); ++ if (sd) + { +- const char *domain = server_get_domain(serv); ++ serv->serv_domain = sd; ++ return; ++ } + ++ if ((sd = whine_malloc(sizeof(struct server_domain)))) ++ { + /* Ensure all serv->domain values have own record in server_domain. + * Add a new record. */ + if (domain) +@@ -1701,7 +1708,6 @@ struct server_domain *server_domain_new(struct server *serv) + serv->serv_domain = sd; + daemon->server_domains = sd; + } +- return sd; + } + + /**< Test structure has already set domain pointer. +@@ -1714,11 +1720,7 @@ static void server_domain_check(struct server *serv) + if (sd) + sd->flags &= (~SERV_MARK); /* found domain, mark active */ + else +- { +- sd = server_domain_find_domain(serv->domain); +- if (!sd) +- server_domain_new(serv); +- } ++ server_domain_new(serv); + } + + void check_servers(void) +-- +2.40.1 + diff --git a/SOURCES/dnsmasq-2.85-serv_domain-rh2186481.patch b/SOURCES/dnsmasq-2.85-serv_domain-rh2186481.patch new file mode 100644 index 0000000..db9f6d0 --- /dev/null +++ b/SOURCES/dnsmasq-2.85-serv_domain-rh2186481.patch @@ -0,0 +1,108 @@ +From c0e0202736f55195104dad9fec98c20d0d15df21 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Fri, 21 Apr 2023 17:04:53 +0200 +Subject: [PATCH] Correct releasing of serv_domain + +In case the server->serv_domain points to domain also when it is not the +last server used, ensure the reference to last_server is always reset. +Some records might reference the server_domain, but cannot ever become +last_server. Such as server=/example.com/# + +Correct detection of used server_domains for standard resolvers case. +Mark domain used even in that case, so it is not freed during +resolv.conf reading or other nameservers change. +--- + src/network.c | 40 +++++++++++++++++++++++++++++++--------- + 1 file changed, 31 insertions(+), 9 deletions(-) + +diff --git a/src/network.c b/src/network.c +index cf2f2e2..8152cac 100644 +--- a/src/network.c ++++ b/src/network.c +@@ -1511,7 +1511,18 @@ void mark_servers(int flag) + } + } + +-static void server_domains_cleanup(void) ++static void server_domains_pre_cleanup(void) ++{ ++ struct server_domain *sd; ++ ++ /* reset removed last_server. */ ++ for (sd = daemon->server_domains; sd; sd = sd->next) ++ if ((sd->flags & SERV_MARK) == 0 && sd->last_server && ++ (sd->last_server->flags & SERV_MARK) != 0) ++ sd->last_server = NULL; ++} ++ ++static void server_domains_post_cleanup(void) + { + struct server_domain *sd, *tmp, **up; + +@@ -1528,8 +1539,6 @@ static void server_domains_cleanup(void) + } + else { + up = &sd->next; +- if (sd->last_server && (sd->last_server->flags & SERV_MARK)) +- sd->last_server = NULL; + } + } + } +@@ -1538,7 +1547,7 @@ void cleanup_servers(void) + { + struct server *serv, *tmp, **up; + +- server_domains_cleanup(); ++ server_domains_pre_cleanup(); + + /* unlink and free anything still marked. */ + for (serv = daemon->servers, up = &daemon->servers; serv; serv = tmp) +@@ -1552,10 +1561,16 @@ void cleanup_servers(void) + free(serv->domain); + free(serv); + } +- else +- up = &serv->next; ++ else ++ { ++ up = &serv->next; ++ if (serv->serv_domain && (serv->serv_domain->flags & SERV_MARK) != 0) ++ serv->serv_domain = NULL; ++ } + } + ++ server_domains_post_cleanup(); ++ + #ifdef HAVE_LOOP + /* Now we have a new set of servers, test for loops. */ + loop_send_probes(); +@@ -1699,7 +1714,11 @@ static void server_domain_check(struct server *serv) + if (sd) + sd->flags &= (~SERV_MARK); /* found domain, mark active */ + else +- server_domain_new(serv); ++ { ++ sd = server_domain_find_domain(serv->domain); ++ if (!sd) ++ server_domain_new(serv); ++ } + } + + void check_servers(void) +@@ -1808,8 +1827,11 @@ void check_servers(void) + else if (strlen(serv->domain) == 0) + s1 = _("default"), s2 = ""; + else +- s1 = _("domain"), s2 = serv->domain; +- ++ { ++ s1 = _("domain"), s2 = serv->domain; ++ server_domain_check(serv); ++ } ++ + if (serv->flags & SERV_NO_ADDR) + { + count--; +-- +2.39.2 + diff --git a/SOURCES/dnsmasq-2.87-coverity-forward-cache.patch b/SOURCES/dnsmasq-2.87-coverity-forward-cache.patch new file mode 100644 index 0000000..1c7b2e7 --- /dev/null +++ b/SOURCES/dnsmasq-2.87-coverity-forward-cache.patch @@ -0,0 +1,77 @@ +From 2f45670951d2159ebf588e1e4943c0bc9e1cd20b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Wed, 18 Aug 2021 14:59:23 +0200 +Subject: [PATCH] Add safety checks to places pointed by Coverity + +GCC Analyzer (experimental) + +1. dnsmasq-2.85/src/forward.c:0: scope_hint: In function 'allocate_rfd.part.0' +2. dnsmasq-2.85/src/forward.c:2321:18: warning[-Wanalyzer-null-dereference]: dereference of NULL 'rfd' + # 2319| *fdlp = rfl; + # 2320| + # 2321|-> return rfl->rfd->fd; + # 2322| } + # 2323| + +1. dnsmasq-2.85/src/cache.c:0: scope_hint: In function 'log_query' +2. dnsmasq-2.85/src/cache.c:1969:20: warning[-Wanalyzer-null-dereference]: dereference of NULL 'name' + # 1967| source = "cached"; + # 1968| + # 1969|-> if (strlen(name) == 0) + # 1970| name = "."; + # 1971| + +1. dnsmasq-2.85/src/cache.c:0: scope_hint: In function 'cache_scan_free' +2. dnsmasq-2.85/src/cache.c:436:20: warning[-Wanalyzer-null-argument]: use of NULL 'addr' where non-null expected +40. /usr/include/sys/un.h:37: included_from: Included from here. +41. dnsmasq-2.85/src/dnsmasq.h:101: included_from: Included from here. +42. dnsmasq-2.85/src/cache.c:17: included_from: Included from here. +43. /usr/include/string.h:64:12: note: argument 2 of 'memcmp' must be non-null + # 434| (flags & crecp->flags & F_REVERSE) && + # 435| (flags & crecp->flags & (F_IPV4 | F_IPV6)) && + # 436|-> memcmp(&crecp->addr, addr, addrlen) == 0) + # 437| { + # 438| *up = crecp->hash_next; +--- + src/cache.c | 4 ++-- + src/forward.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/cache.c b/src/cache.c +index b3b3c7c..8f97947 100644 +--- a/src/cache.c ++++ b/src/cache.c +@@ -483,7 +483,7 @@ static struct crec *cache_scan_free(char *name, union all_addr *addr, unsigned s + else if (!(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && + (flags & crecp->flags & F_REVERSE) && + (flags & crecp->flags & (F_IPV4 | F_IPV6)) && +- memcmp(&crecp->addr, addr, addrlen) == 0) ++ addr && memcmp(&crecp->addr, addr, addrlen) == 0) + { + *up = crecp->hash_next; + cache_unlink(crecp); +@@ -2067,7 +2067,7 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg, + else + source = "cached"; + +- if (strlen(name) == 0) ++ if (name && !name[0]) + name = "."; + + if (option_bool(OPT_EXTRALOG)) +diff --git a/src/forward.c b/src/forward.c +index 434ba77..f3c38d7 100644 +--- a/src/forward.c ++++ b/src/forward.c +@@ -2274,7 +2274,7 @@ int allocate_rfd(struct randfd_list **fdlp, struct server *serv) + } + } + +- if (j == daemon->numrrand) ++ if (!rfd) /* should be when j == daemon->numrrand */ + { + struct randfd_list *rfl_poll; + +-- +2.41.0 + diff --git a/SOURCES/dnsmasq-2.87-log-root-writeable.patch b/SOURCES/dnsmasq-2.87-log-root-writeable.patch new file mode 100644 index 0000000..6a4a241 --- /dev/null +++ b/SOURCES/dnsmasq-2.87-log-root-writeable.patch @@ -0,0 +1,64 @@ +From e342e4d5c3093d8dd9e2d622e46d36f67bfb4925 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Mon, 10 Jan 2022 12:34:42 +0100 +Subject: [PATCH] Add root group writeable flag to log file + +Some systems strips even root process capability of writing to different +users file. That include systemd under Fedora. When +log-facility=/var/log/dnsmasq.log is used, log file with mode 0640 +is created. But restart then fails, because such log file can be used +only when created new. Existing file cannot be opened by root when +starting, causing fatal error. Avoid that by adding root group writeable flag. + +Ensure group is always root when granting write access. If it is +anything else, administrator has to configure correct rights. + +(cherry picked from commit 1f8f78a49b8fd6b2862a3882053b1c6e6e111e5c) +--- + src/log.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/src/log.c b/src/log.c +index 1ec3447..bcd6e52 100644 +--- a/src/log.c ++++ b/src/log.c +@@ -100,10 +100,23 @@ int log_start(struct passwd *ent_pw, int errfd) + /* If we're running as root and going to change uid later, + change the ownership here so that the file is always owned by + the dnsmasq user. Then logrotate can just copy the owner. +- Failure of the chown call is OK, (for instance when started as non-root) */ +- if (log_to_file && !log_stderr && ent_pw && ent_pw->pw_uid != 0 && +- fchown(log_fd, ent_pw->pw_uid, -1) != 0) +- ret = errno; ++ Failure of the chown call is OK, (for instance when started as non-root). ++ ++ If we've created a file with group-id root, we also make ++ the file group-writable. This gives processes in the root group ++ write access to the file and avoids the problem that on some systems, ++ once the file is owned by the dnsmasq user, it can't be written ++ whilst dnsmasq is running as root during startup. ++ */ ++ if (log_to_file && !log_stderr && ent_pw && ent_pw->pw_uid != 0) ++ { ++ struct stat ls; ++ if (getgid() == 0 && fstat(log_fd, &ls) == 0 && ls.st_gid == 0 && ++ (ls.st_mode & S_IWGRP) == 0) ++ (void)fchmod(log_fd, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP); ++ if (fchown(log_fd, ent_pw->pw_uid, -1) != 0) ++ ret = errno; ++ } + + return ret; + } +@@ -118,7 +131,7 @@ int log_reopen(char *log_file) + /* NOTE: umask is set to 022 by the time this gets called */ + + if (log_file) +- log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP); ++ log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP); + else + { + #if defined(HAVE_SOLARIS_NETWORK) || defined(__ANDROID__) +-- +2.40.1 + diff --git a/SOURCES/dnsmasq-2.89-edns0-size.patch b/SOURCES/dnsmasq-2.89-edns0-size.patch new file mode 100644 index 0000000..ff835b2 --- /dev/null +++ b/SOURCES/dnsmasq-2.89-edns0-size.patch @@ -0,0 +1,45 @@ +From 9d8270be2e2b31437684f2d87add9a28a41f0c75 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Tue, 7 Mar 2023 22:07:46 +0000 +Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232. + +http://www.dnsflagday.net/2020/ refers. + +Thanks to Xiang Li for the prompt. + +(cherry picked from commit eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5) +--- + man/dnsmasq.8 | 3 ++- + src/config.h | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index fce580f..4b0b180 100644 +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -171,7 +171,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP. + .TP + .B \-P, --edns-packet-max= + Specify the largest EDNS.0 UDP packet which is supported by the DNS +-forwarder. Defaults to 4096, which is the RFC5625-recommended size. ++forwarder. Defaults to 1232, which is the recommended size following the ++DNS flag day in 2020. Only increase if you know what you are doing. + .TP + .B \-Q, --query-port= + Send outbound DNS queries from, and listen for their replies on, the +diff --git a/src/config.h b/src/config.h +index 8c41943..62b7fa1 100644 +--- a/src/config.h ++++ b/src/config.h +@@ -19,7 +19,7 @@ + #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */ + #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */ + #define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */ +-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */ ++#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */ + #define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */ + #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */ + #define DNSSEC_WORK 50 /* Max number of queries to validate one question */ +-- +2.39.2 + diff --git a/SPECS/dnsmasq.spec b/SPECS/dnsmasq.spec index fc8548b..f7397bb 100644 --- a/SPECS/dnsmasq.spec +++ b/SPECS/dnsmasq.spec @@ -20,7 +20,7 @@ Name: dnsmasq Version: 2.85 -Release: 6%{?extraversion:.%{extraversion}}%{?dist} +Release: 14%{?extraversion:.%{extraversion}}%{?dist} Summary: A lightweight DHCP/caching DNS server License: GPLv2 or GPLv3 @@ -51,6 +51,24 @@ Patch6: dnsmasq-2.86-dhcpv6-client-arch.patch Patch7: dnsmasq-2.87-CVE-2022-0934.patch # Downstream only patch; fixes Patch4 change Patch8: dnsmasq-2.79-server-domain-fixup.patch +# https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 +Patch9: dnsmasq-2.89-edns0-size.patch +# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2186481 +# Fixes issue in Patch4 +Patch10: dnsmasq-2.85-serv_domain-rh2186481.patch +# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2182342 +# Another issue in Patch4 +Patch11: dnsmasq-2.85-search_servers-rhbz2182342.patch +# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2186481 +# complements patch10 +Patch12: dnsmasq-2.85-serv_domain-rh2186481-2.patch +# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=1f8f78a49b8fd6b2862a3882053b1c6e6e111e5c +Patch13: dnsmasq-2.87-log-root-writeable.patch +# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2209031 +# complements patch12 +Patch14: dnsmasq-2.85-domain-blocklist-speedup.patch +# https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;h=9bbf098a970c9e5fa251939208e25fb21064d1be +Patch15: dnsmasq-2.87-coverity-forward-cache.patch # This is workaround to nettle bug #1549190 # https://bugzilla.redhat.com/show_bug.cgi?id=1549190 @@ -194,6 +212,30 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf %{_mandir}/man1/dhcp_* %changelog +* Fri Jul 28 2023 Petr Menšík - 2.85-14 +- Backport Coverity fix to hide detected issue (#2156789) + +* Thu Jul 20 2023 Petr Menšík - 2.85-13 +- Rebuild with modified gating settings + +* Wed Jun 14 2023 Petr Menšík - 2.85-12 +- Make create logfile writeable by root (#2156789) + +* Fri Jun 09 2023 Petr Menšík - 2.85-11 +- Do not create and search --local and --address=/x/# domains (#2209031) + +* Wed May 10 2023 Petr Menšík - 2.85-10 +- Fix also dynamically set resolvers over dbus (#2186481) + +* Fri May 05 2023 Petr Menšík - 2.85-9 +- Properly initialize domain parameter in dnssec mode (#2182342) + +* Fri Apr 21 2023 Petr Menšík - 2.85-8 +- Correct possible crashes when server=/example.net/# is used (#2188712) + +* Mon Apr 03 2023 Petr Menšík - 2.85-7 +- Limit offered EDNS0 size 1232 (CVE-2023-28450) + * Thu Jan 26 2023 Petr Menšík - 2.85-6 - Use upstream change for CVE-2022-0934 (#2126586)