Dnsmasq now accepts in default configuration queries only from
localhost. It received queries from any interface on the computer
before. It just dropped queries coming from wrong interfaces.
This change makes it listen only on specified interfaces. Queries coming
from different interfaces would receive ICMP error right away. Makes it
easier to understand why dnsmasq is not answering to those queries.
Enable nice checkout with --with sourcegit. It would not base sources
directory on tarball, but from git repository configured in spec.
Simplifies backporting a new patch from upstream.
Make sure IPv4 requests search only in IPv4 contexts and vice versa. Do
not accept IPv4 record for IPv6 requests, as it would lead to defined
assignment.
In some cases, DUID will change for the same machine during network
boot. Support assigning small blocks of IPv6 addresses to work around
changing DUID.
Quick made support of SO_TIMESTAMP is broken and it broke whole DHCP.
Until that is fixed and properly tested, remove its support. Just skip
call to unsupported ioctl.
Signed-off-by: Petr Menšík <pemensik@redhat.com>
- Stop using nettle_hashes directly, use access function (#1548060)
- Do not break on cname with spaces (#1498667)
Signed-off-by: Petr Menšík <pemensik@redhat.com>
None of currently supported distributions need that.
Last one was EL5 which is EOL for a while.
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
None of currently supported distributions need that.
It was needed last for EL5 which is EOL now
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
We define some constants in dnsmasq.h, which have an influence on
stdio.h. So do not include stdio.h before dnsmasq.h.
Signed-off-by: Petr Menšík <pemensik@redhat.com>
Further fix to 0549c73b7ea6b22a3c49beb4d432f185a81efcbc
Handles case when RR name is not a pointer to the question,
only occurs for some auth-mode replies, therefore not
detected by fuzzing (?)
Signed-off-by: Petr Menšík <pemensik@redhat.com>
creation.
Fix out-of-memory Dos vulnerability. An attacker which can
send malicious DNS queries to dnsmasq can trigger memory
allocations in the add_pseudoheader function
The allocated memory is never freed which leads to a DoS
through memory exhaustion. dnsmasq is vulnerable only
if one of the following option is specified:
--add-mac, --add-cpe-id or --add-subnet.
Signed-off-by: Petr Menšík <pemensik@redhat.com>
Fix DoS in DNS. Invalid boundary checks in the
add_pseudoheader function allows a memcpy call with negative
size An attacker which can send malicious DNS queries
to dnsmasq can trigger a DoS remotely.
dnsmasq is vulnerable only if one of the following option is
specified: --add-mac, --add-cpe-id or --add-subnet.
Signed-off-by: Petr Menšík <pemensik@redhat.com>
Fix information leak in DHCPv6. A crafted DHCPv6 packet can
cause dnsmasq to forward memory from outside the packet
buffer to a DHCPv6 server when acting as a relay.
Signed-off-by: Petr Menšík <pemensik@redhat.com>
Fix stack overflow in DHCPv6 code. An attacker who can send
a DHCPv6 request to dnsmasq can overflow the stack frame and
crash or control dnsmasq.
Signed-off-by: Petr Menšík <pemensik@redhat.com>
Fix heap overflow in IPv6 router advertisement code.
This is a potentially serious security hole, as a
crafted RA request can overflow a buffer and crash or
control dnsmasq. Attacker must be on the local network.
Signed-off-by: Petr Menšík <pemensik@redhat.com>
Fix heap overflow in DNS code. This is a potentially serious
security hole. It allows an attacker who can make DNS
requests to dnsmasq, and who controls the contents of
a domain, which is thereby queried, to overflow
(by 2 bytes) a heap buffer and either crash, or
even take control of, dnsmasq.
Signed-off-by: Petr Menšík <pemensik@redhat.com>
- drop forking Type and PIDfile and rather start dnsmasq with "-k" option
- drop After syslog.target as this is by default
Signed-off-by: Tomas Hozza <thozza@redhat.com>
- Send TCP DNS messages in one packet
- Fix crash on SERVFAIL when using --conntrack option
- Fix regression in dhcp_lease_time utility
- Man page typos fixes
- Note that dhcp_lease_time and dhcp_release work only for IPv4
- Fix for --dhcp-match option to work also with BOOTP protocol
Signed-off-by: Tomas Hozza <thozza@redhat.com>
Petr Menšík
Fedora Release Engineering
Florian Weimer
Igor Gnatenko
Zbigniew Jędrzejewski-Szmek
Itamar Reis Peixoto
Pavel Šimerda
Dennis Gilmore
Tomas Hozza
Pavel Šimerda
Nils Philippsen
Peter Robinson