import CS dnsmasq-2.85-14.el9

This commit is contained in:
eabdullin 2023-09-21 18:18:59 +00:00
parent 52e6077875
commit ed88ae2205
8 changed files with 576 additions and 1 deletions

View File

@ -0,0 +1,106 @@
From e046f32d882b6acf2090cbe8830c2dea6279aa8e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Fri, 9 Jun 2023 22:11:01 +0200
Subject: [PATCH] Use serv_domain only for regular servers
Do not try to use it for --local=/x/ or --address=/x/#. Some users use
quite long list of blocks, which slows down walking trough domain list
considerably. But searching by server_domain_find_domain is needed only
for normal servers, which may store there last used server and number
of recent forwarded queries. Local addresses overrides store there no
useful information, avoid searching and adding new domains for such
records.
Would also speed up searching servers when blocklists are used, because
only domains of servers are tested.
Resolves: rhbz#2209031
---
src/forward.c | 2 +-
src/option.c | 15 +++++++++------
2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/src/forward.c b/src/forward.c
index fffab7a..3d1227b 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -249,7 +249,7 @@ static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned
*type = 0; /* use normal servers for this domain */
*domain = NULL;
}
- if (serv_domain && !*serv_domain)
+ if (serv_domain && !*serv_domain && (*type & SERV_HAS_DOMAIN)==0)
*serv_domain = server_domain_find_domain(NULL);
return flags;
}
diff --git a/src/option.c b/src/option.c
index e4e3182..25680c0 100644
--- a/src/option.c
+++ b/src/option.c
@@ -928,7 +928,7 @@ static struct server *add_rev4(struct in_addr addr, int msize)
p += sprintf(p, "in-addr.arpa");
serv->flags = SERV_HAS_DOMAIN;
- server_domain_new(serv);
+ serv->serv_domain = NULL;
serv->next = daemon->servers;
daemon->servers = serv;
@@ -953,7 +953,7 @@ static struct server *add_rev6(struct in6_addr *addr, int msize)
p += sprintf(p, "ip6.arpa");
serv->flags = SERV_HAS_DOMAIN;
- server_domain_new(serv);
+ serv->serv_domain = NULL;
serv->next = daemon->servers;
daemon->servers = serv;
@@ -2294,7 +2294,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
memset(serv, 0, sizeof(struct server));
serv->domain = d;
serv->flags = SERV_HAS_DOMAIN | SERV_NO_ADDR;
- server_domain_new(serv);
+ serv->serv_domain = NULL;
serv->next = daemon->servers;
daemon->servers = serv;
}
@@ -2338,7 +2338,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
memset(serv, 0, sizeof(struct server));
serv->domain = d;
serv->flags = SERV_HAS_DOMAIN | SERV_NO_ADDR;
- server_domain_new(serv);
+ serv->serv_domain = NULL;
serv->next = daemon->servers;
daemon->servers = serv;
}
@@ -2591,7 +2591,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
newlist = serv;
serv->domain = domain;
serv->flags = domain ? SERV_HAS_DOMAIN : SERV_FOR_NODOTS;
- server_domain_new(serv);
+ serv->serv_domain = NULL;
arg = end;
if (rebind)
break;
@@ -2639,6 +2639,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
server_list_free(newlist);
ret_err(err);
}
+ if ((newlist->flags & SERV_LITERAL_ADDRESS)==0)
+ server_domain_new(newlist);
}
serv = newlist;
@@ -2682,7 +2684,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
serv = add_rev6(&addr6, size);
else
ret_err(gen_err);
-
+
+ server_domain_new(serv);
string = parse_server(comma, &serv->addr, &serv->source_addr, serv->interface, &serv->flags);
if (string)
--
2.40.1

View File

@ -0,0 +1,50 @@
From d75a9691edaa2b2efd8b51f2de492c62cb57c629 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Fri, 5 May 2023 17:51:56 +0200
Subject: [PATCH] Ensure search_servers domain is set on dnssec
When dnssec validation is enabled the domain variable used when fetching
dnssec key or domain were not properly initialized always. It were read
anyway inside search_servers. Because it is changed only sometime, do
not use its value on the end of function. domain can be NULL only at
that point, use that value right away.
Include also TCP.
---
src/forward.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/forward.c b/src/forward.c
index b09dc96..fffab7a 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -250,7 +250,7 @@ static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned
*domain = NULL;
}
if (serv_domain && !*serv_domain)
- *serv_domain = server_domain_find_domain(*domain);
+ *serv_domain = server_domain_find_domain(NULL);
return flags;
}
@@ -1097,7 +1097,7 @@ void reply_query(int fd, time_t now)
{
int querytype, fd, type = SERV_DO_DNSSEC;
struct frec *next = new->next;
- char *domain;
+ char *domain = NULL;
*new = *forward; /* copy everything, then overwrite */
new->next = next;
@@ -1633,7 +1633,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
while (1)
{
int type = SERV_DO_DNSSEC;
- char *domain;
+ char *domain = NULL;
size_t m;
unsigned char c1, c2;
struct server *firstsendto = NULL;
--
2.40.1

View File

@ -0,0 +1,83 @@
From 4650d0aef20db4b7e129895ffcb93ca4609e6347 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 10 May 2023 12:57:17 +0200
Subject: [PATCH] fixup! Correct releasing of serv_domain
---
src/dnsmasq.h | 2 +-
src/network.c | 20 +++++++++++---------
2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index b6dcc50..c62c3d0 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1405,7 +1405,7 @@ int fix_fd(int fd);
int tcp_interface(int fd, int af);
int set_ipv6pktinfo(int fd);
struct server_domain *server_domain_find_domain(const char *domain);
-struct server_domain *server_domain_new(struct server *serv);
+void server_domain_new(struct server *serv);
#ifdef HAVE_DHCP6
void join_multicast(int dienow);
#endif
diff --git a/src/network.c b/src/network.c
index 8152cac..e42220c 100644
--- a/src/network.c
+++ b/src/network.c
@@ -1653,6 +1653,7 @@ void add_update_server(int flags,
serv->addr = *addr;
if (source_addr)
serv->source_addr = *source_addr;
+ server_domain_new(serv);
}
}
@@ -1680,14 +1681,20 @@ struct server_domain *server_domain_find_domain(const char *domain)
/**< Test structure has already set domain pointer.
*
* If not, create a new record. */
-struct server_domain *server_domain_new(struct server *serv)
+void server_domain_new(struct server *serv)
{
struct server_domain *sd;
+ const char *domain = server_get_domain(serv);
- if ((sd = whine_malloc(sizeof(struct server_domain))))
+ sd = server_domain_find_domain(domain);
+ if (sd)
{
- const char *domain = server_get_domain(serv);
+ serv->serv_domain = sd;
+ return;
+ }
+ if ((sd = whine_malloc(sizeof(struct server_domain))))
+ {
/* Ensure all serv->domain values have own record in server_domain.
* Add a new record. */
if (domain)
@@ -1701,7 +1708,6 @@ struct server_domain *server_domain_new(struct server *serv)
serv->serv_domain = sd;
daemon->server_domains = sd;
}
- return sd;
}
/**< Test structure has already set domain pointer.
@@ -1714,11 +1720,7 @@ static void server_domain_check(struct server *serv)
if (sd)
sd->flags &= (~SERV_MARK); /* found domain, mark active */
else
- {
- sd = server_domain_find_domain(serv->domain);
- if (!sd)
- server_domain_new(serv);
- }
+ server_domain_new(serv);
}
void check_servers(void)
--
2.40.1

View File

@ -0,0 +1,108 @@
From c0e0202736f55195104dad9fec98c20d0d15df21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Fri, 21 Apr 2023 17:04:53 +0200
Subject: [PATCH] Correct releasing of serv_domain
In case the server->serv_domain points to domain also when it is not the
last server used, ensure the reference to last_server is always reset.
Some records might reference the server_domain, but cannot ever become
last_server. Such as server=/example.com/#
Correct detection of used server_domains for standard resolvers case.
Mark domain used even in that case, so it is not freed during
resolv.conf reading or other nameservers change.
---
src/network.c | 40 +++++++++++++++++++++++++++++++---------
1 file changed, 31 insertions(+), 9 deletions(-)
diff --git a/src/network.c b/src/network.c
index cf2f2e2..8152cac 100644
--- a/src/network.c
+++ b/src/network.c
@@ -1511,7 +1511,18 @@ void mark_servers(int flag)
}
}
-static void server_domains_cleanup(void)
+static void server_domains_pre_cleanup(void)
+{
+ struct server_domain *sd;
+
+ /* reset removed last_server. */
+ for (sd = daemon->server_domains; sd; sd = sd->next)
+ if ((sd->flags & SERV_MARK) == 0 && sd->last_server &&
+ (sd->last_server->flags & SERV_MARK) != 0)
+ sd->last_server = NULL;
+}
+
+static void server_domains_post_cleanup(void)
{
struct server_domain *sd, *tmp, **up;
@@ -1528,8 +1539,6 @@ static void server_domains_cleanup(void)
}
else {
up = &sd->next;
- if (sd->last_server && (sd->last_server->flags & SERV_MARK))
- sd->last_server = NULL;
}
}
}
@@ -1538,7 +1547,7 @@ void cleanup_servers(void)
{
struct server *serv, *tmp, **up;
- server_domains_cleanup();
+ server_domains_pre_cleanup();
/* unlink and free anything still marked. */
for (serv = daemon->servers, up = &daemon->servers; serv; serv = tmp)
@@ -1552,10 +1561,16 @@ void cleanup_servers(void)
free(serv->domain);
free(serv);
}
- else
- up = &serv->next;
+ else
+ {
+ up = &serv->next;
+ if (serv->serv_domain && (serv->serv_domain->flags & SERV_MARK) != 0)
+ serv->serv_domain = NULL;
+ }
}
+ server_domains_post_cleanup();
+
#ifdef HAVE_LOOP
/* Now we have a new set of servers, test for loops. */
loop_send_probes();
@@ -1699,7 +1714,11 @@ static void server_domain_check(struct server *serv)
if (sd)
sd->flags &= (~SERV_MARK); /* found domain, mark active */
else
- server_domain_new(serv);
+ {
+ sd = server_domain_find_domain(serv->domain);
+ if (!sd)
+ server_domain_new(serv);
+ }
}
void check_servers(void)
@@ -1808,8 +1827,11 @@ void check_servers(void)
else if (strlen(serv->domain) == 0)
s1 = _("default"), s2 = "";
else
- s1 = _("domain"), s2 = serv->domain;
-
+ {
+ s1 = _("domain"), s2 = serv->domain;
+ server_domain_check(serv);
+ }
+
if (serv->flags & SERV_NO_ADDR)
{
count--;
--
2.39.2

View File

@ -0,0 +1,77 @@
From 2f45670951d2159ebf588e1e4943c0bc9e1cd20b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 18 Aug 2021 14:59:23 +0200
Subject: [PATCH] Add safety checks to places pointed by Coverity
GCC Analyzer (experimental)
1. dnsmasq-2.85/src/forward.c:0: scope_hint: In function 'allocate_rfd.part.0'
2. dnsmasq-2.85/src/forward.c:2321:18: warning[-Wanalyzer-null-dereference]: dereference of NULL 'rfd'
# 2319| *fdlp = rfl;
# 2320|
# 2321|-> return rfl->rfd->fd;
# 2322| }
# 2323|
1. dnsmasq-2.85/src/cache.c:0: scope_hint: In function 'log_query'
2. dnsmasq-2.85/src/cache.c:1969:20: warning[-Wanalyzer-null-dereference]: dereference of NULL 'name'
# 1967| source = "cached";
# 1968|
# 1969|-> if (strlen(name) == 0)
# 1970| name = ".";
# 1971|
1. dnsmasq-2.85/src/cache.c:0: scope_hint: In function 'cache_scan_free'
2. dnsmasq-2.85/src/cache.c:436:20: warning[-Wanalyzer-null-argument]: use of NULL 'addr' where non-null expected
40. /usr/include/sys/un.h:37: included_from: Included from here.
41. dnsmasq-2.85/src/dnsmasq.h:101: included_from: Included from here.
42. dnsmasq-2.85/src/cache.c:17: included_from: Included from here.
43. /usr/include/string.h:64:12: note: argument 2 of 'memcmp' must be non-null
# 434| (flags & crecp->flags & F_REVERSE) &&
# 435| (flags & crecp->flags & (F_IPV4 | F_IPV6)) &&
# 436|-> memcmp(&crecp->addr, addr, addrlen) == 0)
# 437| {
# 438| *up = crecp->hash_next;
---
src/cache.c | 4 ++--
src/forward.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/cache.c b/src/cache.c
index b3b3c7c..8f97947 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -483,7 +483,7 @@ static struct crec *cache_scan_free(char *name, union all_addr *addr, unsigned s
else if (!(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) &&
(flags & crecp->flags & F_REVERSE) &&
(flags & crecp->flags & (F_IPV4 | F_IPV6)) &&
- memcmp(&crecp->addr, addr, addrlen) == 0)
+ addr && memcmp(&crecp->addr, addr, addrlen) == 0)
{
*up = crecp->hash_next;
cache_unlink(crecp);
@@ -2067,7 +2067,7 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
else
source = "cached";
- if (strlen(name) == 0)
+ if (name && !name[0])
name = ".";
if (option_bool(OPT_EXTRALOG))
diff --git a/src/forward.c b/src/forward.c
index 434ba77..f3c38d7 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -2274,7 +2274,7 @@ int allocate_rfd(struct randfd_list **fdlp, struct server *serv)
}
}
- if (j == daemon->numrrand)
+ if (!rfd) /* should be when j == daemon->numrrand */
{
struct randfd_list *rfl_poll;
--
2.41.0

View File

@ -0,0 +1,64 @@
From e342e4d5c3093d8dd9e2d622e46d36f67bfb4925 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Mon, 10 Jan 2022 12:34:42 +0100
Subject: [PATCH] Add root group writeable flag to log file
Some systems strips even root process capability of writing to different
users file. That include systemd under Fedora. When
log-facility=/var/log/dnsmasq.log is used, log file with mode 0640
is created. But restart then fails, because such log file can be used
only when created new. Existing file cannot be opened by root when
starting, causing fatal error. Avoid that by adding root group writeable flag.
Ensure group is always root when granting write access. If it is
anything else, administrator has to configure correct rights.
(cherry picked from commit 1f8f78a49b8fd6b2862a3882053b1c6e6e111e5c)
---
src/log.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/src/log.c b/src/log.c
index 1ec3447..bcd6e52 100644
--- a/src/log.c
+++ b/src/log.c
@@ -100,10 +100,23 @@ int log_start(struct passwd *ent_pw, int errfd)
/* If we're running as root and going to change uid later,
change the ownership here so that the file is always owned by
the dnsmasq user. Then logrotate can just copy the owner.
- Failure of the chown call is OK, (for instance when started as non-root) */
- if (log_to_file && !log_stderr && ent_pw && ent_pw->pw_uid != 0 &&
- fchown(log_fd, ent_pw->pw_uid, -1) != 0)
- ret = errno;
+ Failure of the chown call is OK, (for instance when started as non-root).
+
+ If we've created a file with group-id root, we also make
+ the file group-writable. This gives processes in the root group
+ write access to the file and avoids the problem that on some systems,
+ once the file is owned by the dnsmasq user, it can't be written
+ whilst dnsmasq is running as root during startup.
+ */
+ if (log_to_file && !log_stderr && ent_pw && ent_pw->pw_uid != 0)
+ {
+ struct stat ls;
+ if (getgid() == 0 && fstat(log_fd, &ls) == 0 && ls.st_gid == 0 &&
+ (ls.st_mode & S_IWGRP) == 0)
+ (void)fchmod(log_fd, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP);
+ if (fchown(log_fd, ent_pw->pw_uid, -1) != 0)
+ ret = errno;
+ }
return ret;
}
@@ -118,7 +131,7 @@ int log_reopen(char *log_file)
/* NOTE: umask is set to 022 by the time this gets called */
if (log_file)
- log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP);
+ log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP);
else
{
#if defined(HAVE_SOLARIS_NETWORK) || defined(__ANDROID__)
--
2.40.1

View File

@ -0,0 +1,45 @@
From 9d8270be2e2b31437684f2d87add9a28a41f0c75 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 7 Mar 2023 22:07:46 +0000
Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232.
http://www.dnsflagday.net/2020/ refers.
Thanks to Xiang Li for the prompt.
(cherry picked from commit eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5)
---
man/dnsmasq.8 | 3 ++-
src/config.h | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index fce580f..4b0b180 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -171,7 +171,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP.
.TP
.B \-P, --edns-packet-max=<size>
Specify the largest EDNS.0 UDP packet which is supported by the DNS
-forwarder. Defaults to 4096, which is the RFC5625-recommended size.
+forwarder. Defaults to 1232, which is the recommended size following the
+DNS flag day in 2020. Only increase if you know what you are doing.
.TP
.B \-Q, --query-port=<query_port>
Send outbound DNS queries from, and listen for their replies on, the
diff --git a/src/config.h b/src/config.h
index 8c41943..62b7fa1 100644
--- a/src/config.h
+++ b/src/config.h
@@ -19,7 +19,7 @@
#define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
#define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
#define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */
-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
+#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */
#define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */
#define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
#define DNSSEC_WORK 50 /* Max number of queries to validate one question */
--
2.39.2

View File

@ -20,7 +20,7 @@
Name: dnsmasq
Version: 2.85
Release: 6%{?extraversion:.%{extraversion}}%{?dist}
Release: 14%{?extraversion:.%{extraversion}}%{?dist}
Summary: A lightweight DHCP/caching DNS server
License: GPLv2 or GPLv3
@ -51,6 +51,24 @@ Patch6: dnsmasq-2.86-dhcpv6-client-arch.patch
Patch7: dnsmasq-2.87-CVE-2022-0934.patch
# Downstream only patch; fixes Patch4 change
Patch8: dnsmasq-2.79-server-domain-fixup.patch
# https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5
Patch9: dnsmasq-2.89-edns0-size.patch
# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2186481
# Fixes issue in Patch4
Patch10: dnsmasq-2.85-serv_domain-rh2186481.patch
# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2182342
# Another issue in Patch4
Patch11: dnsmasq-2.85-search_servers-rhbz2182342.patch
# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2186481
# complements patch10
Patch12: dnsmasq-2.85-serv_domain-rh2186481-2.patch
# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=1f8f78a49b8fd6b2862a3882053b1c6e6e111e5c
Patch13: dnsmasq-2.87-log-root-writeable.patch
# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2209031
# complements patch12
Patch14: dnsmasq-2.85-domain-blocklist-speedup.patch
# https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;h=9bbf098a970c9e5fa251939208e25fb21064d1be
Patch15: dnsmasq-2.87-coverity-forward-cache.patch
# This is workaround to nettle bug #1549190
# https://bugzilla.redhat.com/show_bug.cgi?id=1549190
@ -194,6 +212,30 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
%{_mandir}/man1/dhcp_*
%changelog
* Fri Jul 28 2023 Petr Menšík <pemensik@redhat.com> - 2.85-14
- Backport Coverity fix to hide detected issue (#2156789)
* Thu Jul 20 2023 Petr Menšík <pemensik@redhat.com> - 2.85-13
- Rebuild with modified gating settings
* Wed Jun 14 2023 Petr Menšík <pemensik@redhat.com> - 2.85-12
- Make create logfile writeable by root (#2156789)
* Fri Jun 09 2023 Petr Menšík <pemensik@redhat.com> - 2.85-11
- Do not create and search --local and --address=/x/# domains (#2209031)
* Wed May 10 2023 Petr Menšík <pemensik@redhat.com> - 2.85-10
- Fix also dynamically set resolvers over dbus (#2186481)
* Fri May 05 2023 Petr Menšík <pemensik@redhat.com> - 2.85-9
- Properly initialize domain parameter in dnssec mode (#2182342)
* Fri Apr 21 2023 Petr Menšík <pemensik@redhat.com> - 2.85-8
- Correct possible crashes when server=/example.net/# is used (#2188712)
* Mon Apr 03 2023 Petr Menšík <pemensik@redhat.com> - 2.85-7
- Limit offered EDNS0 size 1232 (CVE-2023-28450)
* Thu Jan 26 2023 Petr Menšík <pemensik@redhat.com> - 2.85-6
- Use upstream change for CVE-2022-0934 (#2126586)