Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package dnsmasq for openSUSE:Factory checked in at 2021-01-20 18:23:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dnsmasq (Old)
 and /work/SRC/openSUSE:Factory/.dnsmasq.new.28504 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dnsmasq" Wed Jan 20 18:23:34 2021 rev:79 rq:864301 version:2.83 Changes: -------- --- /work/SRC/openSUSE:Factory/dnsmasq/dnsmasq.changes 2020-08-03 14:13:49.360405026 +0200 +++ /work/SRC/openSUSE:Factory/.dnsmasq.new.28504/dnsmasq.changes 2021-01-20 18:24:07.839340056 +0100 
@@ -1,0 +2,33 @@ +Tue Jan 19 12:24:02 UTC 2021 - Reinhard Max <m...@suse.com> + +- Update to 2.83: + * bsc#1177077: Fixed DNSpooq vulnerabilities + * Use the values of --min-port and --max-port in outgoing + TCP connections to upstream DNS servers. + * Fix a remote buffer overflow problem in the DNSSEC code. + Any dnsmasq with DNSSEC compiled in and enabled is vulnerable + to this, referenced by CVE-2020-25681, CVE-2020-25682, + CVE-2020-25683 CVE-2020-25687. + * Be sure to only accept UDP DNS query replies at the address + from which the query was originated. This keeps as much + entropy in the {query-ID, random-port} tuple as possible, to + help defeat cache poisoning attacks. Refer: CVE-2020-25684. + * Use the SHA-256 hash function to verify that DNS answers + received are for the questions originally asked. This replaces + the slightly insecure SHA-1 (when compiled with DNSSEC) or + the very insecure CRC32 (otherwise). Refer: CVE-2020-25685 + * Handle multiple identical near simultaneous DNS queries better. + Previously, such queries would all be forwarded independently. + This is, in theory, inefficent but in practise not a problem, + _except_ that is means that an answer for any of the forwarded + queries will be accepted and cached. + An attacker can send a query multiple times, and for each + repeat, another {port, ID} becomes capable of accepting the + answer he is sending in the blind, to random IDs and ports. + The chance of a succesful attack is therefore multiplied by the + number of repeats of the query. The new behaviour detects + repeated queries and merely stores the clients sending repeats + so that when the first query completes, the answer can be sent + to all the clients who asked. Refer: CVE-2020-25686. 
+ +------------------------------------------------------------------- Old: ---- dnsmasq-2.82.tar.xz dnsmasq-2.82.tar.xz.asc New: ---- dnsmasq-2.83.tar.xz dnsmasq-2.83.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dnsmasq.spec ++++++ --- /var/tmp/diff_new_pack.ehmvhU/_old 2021-01-20 18:24:08.851340804 +0100 +++ /var/tmp/diff_new_pack.ehmvhU/_new 2021-01-20 18:24:08.855340807 +0100 @@ -1,7 +1,7 @@ # # spec file for package dnsmasq # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -22,7 +22,7 @@ %bcond_without tftp_user_package %endif Name: dnsmasq -Version: 2.82 +Version: 2.83 Release: 0 Summary: DNS Forwarder and DHCP Server License: GPL-2.0-only OR GPL-3.0-only ++++++ dnsmasq-2.82.tar.xz -> dnsmasq-2.83.tar.xz ++++++ ++++ 2203 lines of diff (skipped)
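Review bot: in the dnsmasq.changes hunk, the DNSSEC buffer overflow entry ends its CVE list with "CVE-2020-25683 CVE-2020-25687", with no comma between the last two identifiers, so anything that scans the changelog for CVE references by splitting on commas will read them as one token. Suggest "CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687". The CVE-2020-25686 entry in the same hunk also has spelling slips ("inefficent", "that is means", "succesful") that are worth correcting before the text is copied into advisories. The --min-port/--max-port item is the only bullet under the bsc#1177077 heading without a "Refer:" line, so it is unclear from the entry whether it is part of a CVE fix or an unrelated change; a short qualifier would help.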
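Review bot: in the dnsmasq.spec Version hunk (2.82 to 2.83), the source swap to dnsmasq-2.83.tar.xz and dnsmasq-2.83.tar.xz.asc is the only evidence in this mail that the security fixes are present, because the 2203-line tarball diff is skipped. The changelog claims for CVE-2020-25681 through CVE-2020-25687 therefore cannot be checked against the lines shown here; the review should confirm the .asc signature against the upstream key and compare the 2.83 sources directly. The copyright-year hunk needs no comment.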