Date: Sat, 17 Feb 2024 02:20:26 +0000
From: "Adam Ciarcinski"
Subject: CVS commit: pkgsrc/net/dnsmasq
To: pkgsrc-changes@NetBSD.org
Reply-To: adam@netbsd.org
Message-Id: <20240217022026.A332EF9F2@cvs.NetBSD.org>

Module Name:    pkgsrc
Committed By:   adam
Date:           Sat Feb 17 02:20:26 UTC 2024

Modified Files:
        pkgsrc/net/dnsmasq: Makefile distinfo
Removed Files:
        pkgsrc/net/dnsmasq/patches: patch-src_dhcp-common.c patch-src_dhcp.c
            patch-src_loop.c patch-src_option.c

Log Message:
dnsmasq: updated to 2.90

version 2.90
        Fix reversion in --rev-server introduced in 2.88 which caused
        breakage if the prefix length is not exactly divisible by 8
        (IPv4) or 4 (IPv6).

        Fix possible SEGV when there are server(s) for a particular
        domain configured, but no server which is not qualified for a
        particular domain. Thanks to Daniel Danzberger for spotting
        this bug.

        Set the default maximum DNS UDP packet size to 1232. This has
        been the recommended value since 2020 because it's the largest
        value that avoids fragmentation, and fragmentation is just not
        reliable on the modern internet, especially for IPv6. It's
        still possible to override this with --edns-packet-max for
        special circumstances.

        Add --no-dhcpv4-interface and --no-dhcpv6-interface for better
        control over which interfaces are providing DHCP service.

        Fix issue with stale caching: After replying with stale data,
        dnsmasq sends the query upstream to refresh the cache
        asynchronously and sometimes sends the wrong packet: packet
        length can be wrong, and if an EDE marking stale data is added
        to the answer that can end up in the query also. This bug only
        seems to cause problems when the upstream server is a DOH/DOT
        proxy. Thanks to Justin He for the bug report.
        Add configurable caching for arbitrary RR-types.

        Add --filter-rr option, to filter arbitrary RR-types.
        --filter-rr=ANY has a special meaning: it filters the answers
        to queries for the ANY RR-type.

        Add limits on the resources used to do DNSSEC validation.
        DNSSEC introduces a potential CPU DoS, because a crafted domain
        can force a validator to a large number of cryptographic
        operations whilst attempting to do validation. When using TCP
        transport a DNSKEY RRset can contain thousands of members and
        any RRset can have thousands of signatures. The potential
        number of signature validations to follow the RFC for
        validation for one RRset is the cross product of the keys and
        signatures, so millions. In practice, the actual numbers are
        much lower, so attacks can be mitigated by limiting the amount
        of cryptographic "work" to a much lower amount. The actual
        limits are the number of signature validation fails per RRset
        (20), the number of signature validations and hash computations
        per query (200), the number of sub-queries to fetch DS and
        DNSKEY RRsets per query (40), and the number of iterations in a
        NSEC3 record (150). These values are sensible, but there is, as
        yet, no standardisation on the values for a "conforming"
        domain, so a new option --dnssec-limit is provided should they
        need to be altered. The algorithm to validate DS records has
        also been altered to reduce the maximum work from the cross
        product of the number of DS records and number of DNSKEYs to
        the cross product of the number of DS records and supported DS
        digest types. As the number of DS digest types is in single
        figures, this reduces the exposure. Credit is due to Elias
        Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner from
        the German National Research Center for Applied Cybersecurity
        ATHENE for finding this vulnerability. CVE-2023-50387 and
        CVE-2023-50868 apply. Note that this is a security
        vulnerability only when DNSSEC validation is enabled.
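The resource limits described in the log message above, as an added example that is not dnsmasq's own code: a toy Python validator that counts DNSSEC "work" the way the changelog describes and stops at the limits, so the difference between the unbounded key x signature cross product and the capped work is visible. The default limit values are the changelog's numbers; the key tags and signature outcomes are constructed, with a boolean standing in for the real signature check.

```python
# Added example, not dnsmasq's own code: a toy validator that counts DNSSEC
# "work" as the 2.90 changelog describes. All record data below is constructed.
from dataclasses import dataclass

@dataclass
class Limits:  # defaults are the values quoted in the changelog
    sig_fail_per_rrset: int = 20
    crypto_per_query: int = 200
    subqueries_per_query: int = 40
    nsec3_iters: int = 150

@dataclass
class Work:  # counters carried across all RRsets of one query
    crypto_ops: int = 0

class LimitExceeded(Exception):
    pass

def validate_rrset(key_tags, sigs, limits, work):
    """Try every (RRSIG, DNSKEY) pair whose key tags match, as the RFCs require.
    sigs are (key_tag, verifies) tuples. A crafted zone gives all keys and
    signatures one tag, so unbounded work is len(key_tags) * len(sigs)."""
    fails = 0
    for sig_tag, verifies in sigs:
        for tag in key_tags:
            if tag != sig_tag:
                continue
            work.crypto_ops += 1
            if work.crypto_ops > limits.crypto_per_query:
                raise LimitExceeded("crypto budget for this query exhausted")
            if verifies:
                return True
            fails += 1
            if fails > limits.sig_fail_per_rrset:
                raise LimitExceeded("too many failed signatures for one RRset")
    return False

def ds_match_bound(num_ds, num_dnskeys, num_digest_types):
    """Worst-case hash computations: (pre-2.90 DS x DNSKEY, 2.90 DS x digest types)."""
    return num_ds * num_dnskeys, num_ds * num_digest_types

def crafted_rrset_demo(limits=Limits()):
    """Constructed worst case: 100 colliding keys, 100 bad signatures (10,000 pairs)."""
    work = Work()
    try:
        validate_rrset([4242] * 100, [(4242, False)] * 100, limits, work)
    except LimitExceeded as e:
        return work.crypto_ops, str(e)
    return work.crypto_ops, "validated"
```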
To generate a diff of this commit: cvs rdiff -u -r1.50 -r1.51 pkgsrc/net/dnsmasq/Makefile cvs rdiff -u -r1.48 -r1.49 pkgsrc/net/dnsmasq/distinfo cvs rdiff -u -r1.1 -r0 pkgsrc/net/dnsmasq/patches/patch-src_dhcp-common.c \ pkgsrc/net/dnsmasq/patches/patch-src_dhcp.c \ pkgsrc/net/dnsmasq/patches/patch-src_loop.c \ pkgsrc/net/dnsmasq/patches/patch-src_option.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. --_----------=_1708136426273450 Content-Disposition: inline Content-Length: 2067 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/net/dnsmasq/Makefile diff -u pkgsrc/net/dnsmasq/Makefile:1.50 pkgsrc/net/dnsmasq/Makefile:1.51 --- pkgsrc/net/dnsmasq/Makefile:1.50 Sat Feb 25 03:30:47 2023 +++ pkgsrc/net/dnsmasq/Makefile Sat Feb 17 02:20:26 2024 @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.50 2023/02/25 03:30:47 riastradh Exp $ +# $NetBSD: Makefile,v 1.51 2024/02/17 02:20:26 adam Exp $ -DISTNAME= dnsmasq-2.89 -PKGREVISION= 1 +DISTNAME= dnsmasq-2.90 CATEGORIES= net MASTER_SITES= https://thekelleys.org.uk/dnsmasq/ EXTRACT_SUFX= .tar.xz Index: pkgsrc/net/dnsmasq/distinfo diff -u pkgsrc/net/dnsmasq/distinfo:1.48 pkgsrc/net/dnsmasq/distinfo:1.49 --- pkgsrc/net/dnsmasq/distinfo:1.48 Sat Feb 25 03:30:47 2023 +++ pkgsrc/net/dnsmasq/distinfo Sat Feb 17 02:20:26 2024 
@@ -1,13 +1,7 @@ -$NetBSD: distinfo,v 1.48 2023/02/25 03:30:47 riastradh Exp $ +$NetBSD: distinfo,v 1.49 2024/02/17 02:20:26 adam Exp $ -BLAKE2s (dnsmasq-2.89.tar.xz) = 1b14c7403ee3e3de7d88acf0f34ff946ca03b870e9b196745285ea53aa72f90b -SHA512 (dnsmasq-2.89.tar.xz) = 4384ed5b673e10eaf6532e6eaeb5c0a6b817581433cc28c632bdcbadbfc050a0ab73bc5b73c98d708cd39515bb3f72168714b0aa5f16436cebdd18020648d428 -Size (dnsmasq-2.89.tar.xz) = 562700 bytes +BLAKE2s (dnsmasq-2.90.tar.xz) = 3fded3fc5310c3dd68af5ed02abdadc556aa7ec467dd09e6736279c21ff7d317 +SHA512 (dnsmasq-2.90.tar.xz) = e169de1892f935e219b0f49d90107f95cba42b40bca20bd3c973313c2cd4df58b929af6628cd988419051d81c3b4ccf8e9f816274df7d0840e79f5bf49602442 +Size (dnsmasq-2.90.tar.xz) = 570672 bytes SHA1 (patch-src_bpf.c) = 4115a5391f57564663bbfc448fbb865c370318a6 -SHA1 (patch-src_dhcp-common.c) = e7b8ac99e756bc5964e1070cfe8d07f4e3a5a7b1 -SHA1 (patch-src_dhcp.c) = 10cf20de250479172e97a627ff4c8fbb8e414fe7 SHA1 (patch-src_dump.c) = e5788d9e3112b1e5b2ef7ce500b0262b95c375c6 -SHA1 (patch-src_loop.c) = 6c8009326658c8e603a5e651a93e0fa7a8650604 -SHA1 (patch-src_option.c) = a2267ddbcfe40ef197ff0138d3177ba184e6a69a -SHA1 (patch-src_rfc2131.c) = 200ed9e1752d2295de7d27830654e07e669881bd -SHA1 (patch-src_tftp.c) = a72180e297b9da4858b77b7d8bc7a7e69f7f3468 --_----------=_1708136426273450--
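Review bot: The distinfo hunk drops the SHA1 lines for patch-src_rfc2131.c and patch-src_tftp.c, but neither file is listed under Removed Files or in the cvs rdiff command, which covers only patch-src_dhcp-common.c, patch-src_dhcp.c, patch-src_loop.c and patch-src_option.c. Either those two entries were stale leftovers from an earlier removal, or the patch files are still present in patches/ and now have no checksum; the log message should say which, and in the second case the files should go in the same commit. The three dnsmasq-2.90.tar.xz lines (BLAKE2s, SHA512, Size) are updated together, which is what the hunk needs for the new distfile.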