Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package dnsmasq for openSUSE:Factory checked in at 2023-04-26 17:24:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dnsmasq (Old) and /work/SRC/openSUSE:Factory/.dnsmasq.new.1533 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dnsmasq" Wed Apr 26 17:24:15 2023 rev:93 rq:1082695 version:2.89 Changes: -------- --- /work/SRC/openSUSE:Factory/dnsmasq/dnsmasq.changes 2023-02-17 16:44:00.210524226 +0100 +++ /work/SRC/openSUSE:Factory/.dnsmasq.new.1533/dnsmasq.changes 2023-04-26 17:24:52.381452283 +0200 @@ -1,0 +2,6 @@ +Tue Apr 25 08:32:41 UTC 2023 - Reinhard Max <m...@suse.com> + +- bsc#1209358, CVE-2023-28450, dnsmasq-CVE-2023-28450.patch: + default maximum EDNS.0 UDP packet size should be 1232 + +------------------------------------------------------------------- New: ---- dnsmasq-CVE-2023-28450.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dnsmasq.spec ++++++ --- /var/tmp/diff_new_pack.EaqCMT/_old 2023-04-26 17:24:52.857455060 +0200 +++ /var/tmp/diff_new_pack.EaqCMT/_new 2023-04-26 17:24:52.861455084 +0200 @@ -36,6 +36,7 @@ Source5: rc.dnsmasq-suse Source6: system-user-dnsmasq.conf Patch0: dnsmasq-groups.patch +Patch1: dnsmasq-CVE-2023-28450.patch BuildRequires: dbus-1-devel BuildRequires: dos2unix BuildRequires: libidn2-devel @@ -71,7 +72,7 @@ server's leases. %prep -%autosetup -p1 +%autosetup -p0 # Remove the executable bit from python example files to # avoid unwanted automatic dependencies ++++++ dnsmasq-CVE-2023-28450.patch ++++++ >From eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 Mon Sep 17 00:00:00 2001 From: Simon Kelley <si...@thekelleys.org.uk> Date: Tue, 7 Mar 2023 22:07:46 +0000 Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232. http://www.dnsflagday.net/2020/ refers. Thanks to Xiang Li for the prompt. --- CHANGELOG | 9 ++++++++- man/dnsmasq.8 | 3 ++- src/config.h | 2 +- 3 files changed, 11 insertions(+), 3 deletions(-) --- CHANGELOG.orig +++ CHANGELOG @@ -11,7 +11,14 @@ version 2.89 for reporting the bug and for his great efforts in chasing it down. + Set the default maximum DNS UDP packet sice to 1232. This + has been the recommended value since 2020 because it's the + largest value that avoid fragmentation, and fragmentation + is just not reliable on the modern internet, especially + for IPv6. It's still possible to override this with + --edns-packet-max for special circumstances. + version 2.88 Fix bug in --dynamic-host when an interface has /16 IPv4 address. Thanks to Mark Dietzer for spotting this. --- man/dnsmasq.8.orig +++ man/dnsmasq.8 @@ -183,7 +183,8 @@ to zero completely disables DNS function .TP .B \-P, --edns-packet-max=<size> Specify the largest EDNS.0 UDP packet which is supported by the DNS -forwarder. Defaults to 4096, which is the RFC5625-recommended size. +forwarder. Defaults to 1232, which is the recommended size following the +DNS flag day in 2020. Only increase if you know what you are doing. .TP .B \-Q, --query-port=<query_port> Send outbound DNS queries from, and listen for their replies on, the --- src/config.h.orig +++ src/config.h @@ -19,7 +19,7 @@ #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */ #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */ #define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */ -#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */ +#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */ #define SAFE_PKTSZ 1232 /* "go anywhere" UDP packet size, see https://dnsflagday.net/2020/ */ #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */ #define DNSSEC_WORK 50 /* Max number of queries to validate one question */ ++++++ dnsmasq-groups.patch ++++++ --- /var/tmp/diff_new_pack.EaqCMT/_old 2023-04-26 17:24:52.913455387 +0200 +++ /var/tmp/diff_new_pack.EaqCMT/_new 2023-04-26 17:24:52.917455410 +0200 @@ -1,6 +1,6 @@ ---- a/src/dnsmasq.c.orig -+++ b/src/dnsmasq.c -@@ -581,11 +581,10 @@ int main (int argc, char **argv) +--- src/dnsmasq.c.orig ++++ src/dnsmasq.c +@@ -731,11 +731,10 @@ int main (int argc, char **argv) if (!option_bool(OPT_DEBUG) && getuid() == 0) { int bad_capabilities = 0;
