Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package dnsmasq for openSUSE:Factory checked 
in at 2023-04-26 17:24:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dnsmasq (Old)
 and      /work/SRC/openSUSE:Factory/.dnsmasq.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "dnsmasq"

Wed Apr 26 17:24:15 2023 rev:93 rq:1082695 version:2.89

Changes:
--------
--- /work/SRC/openSUSE:Factory/dnsmasq/dnsmasq.changes  2023-02-17 
16:44:00.210524226 +0100
+++ /work/SRC/openSUSE:Factory/.dnsmasq.new.1533/dnsmasq.changes        
2023-04-26 17:24:52.381452283 +0200
@@ -1,0 +2,6 @@
+Tue Apr 25 08:32:41 UTC 2023 - Reinhard Max <m...@suse.com>
+
+- bsc#1209358, CVE-2023-28450, dnsmasq-CVE-2023-28450.patch:
+  default maximum EDNS.0 UDP packet size should be 1232
+
+-------------------------------------------------------------------

New:
----
  dnsmasq-CVE-2023-28450.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ dnsmasq.spec ++++++
--- /var/tmp/diff_new_pack.EaqCMT/_old  2023-04-26 17:24:52.857455060 +0200
+++ /var/tmp/diff_new_pack.EaqCMT/_new  2023-04-26 17:24:52.861455084 +0200
@@ -36,6 +36,7 @@
 Source5:        rc.dnsmasq-suse
 Source6:        system-user-dnsmasq.conf
 Patch0:         dnsmasq-groups.patch
+Patch1:         dnsmasq-CVE-2023-28450.patch
 BuildRequires:  dbus-1-devel
 BuildRequires:  dos2unix
 BuildRequires:  libidn2-devel
@@ -71,7 +72,7 @@
 server's leases.
 
 %prep
-%autosetup -p1
+%autosetup -p0
 
 # Remove the executable bit from python example files to
 # avoid unwanted automatic dependencies


++++++ dnsmasq-CVE-2023-28450.patch ++++++
>From eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 Mon Sep 17 00:00:00 2001
From: Simon Kelley <si...@thekelleys.org.uk>
Date: Tue, 7 Mar 2023 22:07:46 +0000
Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232.

http://www.dnsflagday.net/2020/ refers.

Thanks to Xiang Li for the prompt.
---
 CHANGELOG     | 9 ++++++++-
 man/dnsmasq.8 | 3 ++-
 src/config.h  | 2 +-
 3 files changed, 11 insertions(+), 3 deletions(-)

--- CHANGELOG.orig
+++ CHANGELOG
@@ -11,7 +11,14 @@ version 2.89
        for reporting the bug and for his great efforts in chasing
        it down.
 
+       Set the default maximum DNS UDP packet sice to 1232. This
+       has been the recommended value since 2020 because it's the
+       largest value that avoid fragmentation, and fragmentation
+       is just not reliable on the modern internet, especially
+       for IPv6. It's still possible to override this with
+       --edns-packet-max for special circumstances.
 
+       
 version 2.88
        Fix bug in --dynamic-host when an interface has /16 IPv4
        address. Thanks to Mark Dietzer for spotting this.
--- man/dnsmasq.8.orig
+++ man/dnsmasq.8
@@ -183,7 +183,8 @@ to zero completely disables DNS function
 .TP
 .B \-P, --edns-packet-max=<size>
 Specify the largest EDNS.0 UDP packet which is supported by the DNS
-forwarder. Defaults to 4096, which is the RFC5625-recommended size.
+forwarder. Defaults to 1232, which is the recommended size following the
+DNS flag day in 2020. Only increase if you know what you are doing.
 .TP
 .B \-Q, --query-port=<query_port>
 Send outbound DNS queries from, and listen for their replies on, the
--- src/config.h.orig
+++ src/config.h
@@ -19,7 +19,7 @@
 #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) 
*/
 #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP 
connection */
 #define TCP_BACKLOG 32  /* kernel backlog limit for TCP connections */
-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
+#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from  
/dnsflagday.net/2020 */
 #define SAFE_PKTSZ 1232 /* "go anywhere" UDP packet size, see 
https://dnsflagday.net/2020/ */
 #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing 
DNSSEC keys */
 #define DNSSEC_WORK 50 /* Max number of queries to validate one question */

++++++ dnsmasq-groups.patch ++++++
--- /var/tmp/diff_new_pack.EaqCMT/_old  2023-04-26 17:24:52.913455387 +0200
+++ /var/tmp/diff_new_pack.EaqCMT/_new  2023-04-26 17:24:52.917455410 +0200
@@ -1,6 +1,6 @@
---- a/src/dnsmasq.c.orig
-+++ b/src/dnsmasq.c
-@@ -581,11 +581,10 @@ int main (int argc, char **argv)
+--- src/dnsmasq.c.orig
++++ src/dnsmasq.c
+@@ -731,11 +731,10 @@ int main (int argc, char **argv)
    if (!option_bool(OPT_DEBUG) && getuid() == 0)   
      {
        int bad_capabilities = 0;

Reply via email to