Hello community,

here is the log from the commit of package dnsmasq for openSUSE:Factory checked in at 2021-09-26 21:48:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dnsmasq (Old)
 and      /work/SRC/openSUSE:Factory/.dnsmasq.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dnsmasq" Sun Sep 26 21:48:37 2021 rev:83 rq:921143 version:2.86 Changes: -------- --- /work/SRC/openSUSE:Factory/dnsmasq/dnsmasq.changes 2021-07-07 18:30:23.307033903 +0200 +++ /work/SRC/openSUSE:Factory/.dnsmasq.new.1899/dnsmasq.changes 2021-09-26 21:49:27.394832806 +0200 
@@ -1,0 +2,44 @@ +Thu Sep 23 08:48:12 UTC 2021 - Reinhard Max <[email protected]> + +- jsc#SLE-17936: Sync this state from Factory to SLE-15-SP1. +- SLE bugs that got fixed upstream between 2.79 and 2.86, but for + which we need to keep references when syncing: + * bsc#1176076: dnsmasq-servfail.patch + * bsc#1156543: dnsmasq-siocgstamp.patch + * bsc#1138743: dnsmasq-cache-size.patch + * bsc#1076958: CVE-2017-15107, dnsmasq-CVE-2017-15107.patch + * bsc#1180914: Open inotify socket only when used. + * removed dnsmasq-dnspooq.patch +- bsc#1173646: Set --local-service by default. + +------------------------------------------------------------------- +Fri Sep 17 11:10:17 UTC 2021 - Reinhard Max <[email protected]> + +- Update to 2.86: + * Handle DHCPREBIND requests in the DHCPv6 server code. + * Fix bug which caused dnsmasq to lose track of processes forked + to handle TCP DNS connections under heavy load. + * Major rewrite of the DNS server and domain handling code. This + should be largely transparent, but it drastically improves + performance and reduces memory foot-print when configuring + large numbers of domains. + * Revise resource handling for number of concurrent DNS queries. + * Improve efficiency of DNSSEC. + * Connection track mark based DNS query filtering. + * Allow smaller than 64 prefix lengths in synth-domain, with + caveats. + --synth-domain=1234:4567::/56,example.com is now valid. + * Make domains generated by --synth-domain appear in replies + when in authoritative mode. + * Ensure CAP_NET_ADMIN capability is available when conntrack + is configured. + * When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are + given a directory as argument, define the order in which files + within that directory are read (alphabetical order of filename). + +------------------------------------------------------------------- +Tue Sep 14 06:19:17 UTC 2021 - Johannes Segitz <[email protected]> + +- Added hardening to systemd service(s) (bsc#1181400). 
+ +------------------------------------------------------------------- Old: ---- dnsmasq-2.85.tar.xz dnsmasq-2.85.tar.xz.asc New: ---- dnsmasq-2.86.tar.xz dnsmasq-2.86.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dnsmasq.spec ++++++ --- /var/tmp/diff_new_pack.cN4vDl/_old 2021-09-26 21:49:27.950833494 +0200 +++ /var/tmp/diff_new_pack.cN4vDl/_new 2021-09-26 21:49:27.954833498 +0200 @@ -22,7 +22,7 @@ %bcond_without tftp_user_package %endif Name: dnsmasq -Version: 2.85 +Version: 2.86 Release: 0 Summary: DNS Forwarder and DHCP Server License: GPL-2.0-only OR GPL-3.0-only @@ -101,9 +101,21 @@ s|CHGRP "dip"|CHGRP "nogroup"|' \ src/config.h -# Fix trust-anchor.conf location and include /etc/dnsmasq.d/*.conf by default +# Tweaks to the default configuration: +# - Fix trust-anchor.conf location +# - Include /etc/dnsmasq.d/*.conf by default +# - Only answer queries coming from the local network sed -i -e '/trust-anchors.conf/c\#conf-file=%{_sysconfdir}/dnsmasq.d/trust-anchors.conf' \ -e '/conf-dir=.*conf/s/^\#//' \ + -e '0,/^$/{/^$/a \ +# Accept DNS queries only from hosts whose address is on a local\ +# subnet, ie a subnet for which an interface exists on the server.\ +# It is intended to be set as a default on installation, to allow\ +# unconfigured installations to be useful but also safe from being\ +# used for DNS amplification attacks.\ +local-service\ + +}' \ dnsmasq.conf.example %build ++++++ dnsmasq-2.85.tar.xz -> dnsmasq-2.86.tar.xz ++++++ ++++ 37990 lines of diff (skipped) ++++++ dnsmasq.service ++++++ --- /var/tmp/diff_new_pack.cN4vDl/_old 2021-09-26 21:49:28.226833835 +0200 +++ /var/tmp/diff_new_pack.cN4vDl/_new 2021-09-26 21:49:28.230833840 +0200 
@@ -5,6 +5,18 @@ Before=nss-lookup.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=dbus BusName=uk.org.thekelleys.dnsmasq ExecStartPre=/usr/sbin/dnsmasq --test
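Review bot: In the dnsmasq.changes hunk, the entry "removed dnsmasq-dnspooq.patch" sits in the list of SLE bugs "for which we need to keep references" but, unlike the bsc#/CVE entries around it, carries no reference of its own. Please add the bsc# and CVE identifiers that patch covered, so the security fixes stay traceable from the changelog once the patch file is gone.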
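Review bot: In the dnsmasq.spec hunk at -101,9 +101,21, the new sed expression "-e '0,/^$/{/^$/a \" inserts local-service only if dnsmasq.conf.example contains an empty line, so a later upstream change to the layout of that file would drop the setting without any build error. Since this is the safeguard against DNS amplification described in the inserted comment, follow the sed call with a check such as "grep -q '^local-service$' dnsmasq.conf.example" so the build fails if the line is missing. The "0,/re/" address form is a GNU sed extension, which is worth a word in the comment above the command.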
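Review bot: In the dnsmasq.service hunk, ProtectHome=true makes /home, /root and /run/user inaccessible to the daemon, while the changes entry only says "Added hardening to systemd service(s)" and names neither the directives nor their effect. A configuration that points --addn-hosts, --dhcp-hostsfile or --dhcp-optsfile at a path under those directories will stop finding its files after the update. Please list the added directives in the changes entry and note that such setups need a drop-in override for the unit.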
