Source code changes of the file "CHANGELOG" between
dnsmasq-2.84.tar.xz and dnsmasq-2.85.tar.xz

About: Dnsmasq is a lightweight caching DNS forwarder and DHCP server.

CHANGELOG (dnsmasq-2.84.tar.xz) compared with CHANGELOG (dnsmasq-2.85.tar.xz)

version 2.85

Fix problem with DNS retries in 2.83/2.84.
The new logic in 2.83/2.84 which merges distinct requests
for the same domain causes problems with clients which do
retries as distinct requests (differing IDs and/or source ports.)
The retries just get piggy-backed on the first, failed, request.
The logic is now changed so that distinct requests for repeated
queries still get merged into a single ID/source port, but
they now always trigger a re-try upstream.
Thanks to Nicholas Mu for his analysis.

Tweak sort order of tags in get-version. v2.84 sorts
before v2.83, but v2.83 sorts before v2.83rc1 and 2.83rc1
sorts before v2.83test1. This fixes the problem which led
to 2.84 announcing itself as 2.84rc2.

Avoid treating a --dhcp-host which has an IPv6 address
as eligible for use with DHCPv4 on the grounds that it has
no address, and vice-versa. Thanks to Viktor Papp for
spotting the problem. (This bug was fixed back in 2.67, and
then regressed in 2.81).

Add --dynamic-host option: A and AAAA records which take their
network part from the network of a local interface. Useful
for routers with dynamic prefixes. Thanks
to Fred F for the suggestion.

Teach --bogus-nxdomain and --ignore-address to take an IPv4 subnet.

Use random source ports where possible if source
addresses/interfaces are in use.
CVE-2021-3448 applies. Thanks to Petr Menšík for spotting this.
It's possible to specify the source address or interface to be
used when contacting upstream name servers: server=8.8.8.8@1.2.3.4
or server=8.8.8.8@1.2.3.4#66 or server=8.8.8.8@eth0, and all of
these have, until now, used a single socket, bound to a fixed
port. This was originally done to allow an error (non-existent
interface, or non-local address) to be detected at start-up. This
means that any upstream servers specified in such a way don't use
random source ports, and are more susceptible to cache-poisoning
attacks.
We now use random ports where possible, even when the
source is specified, so server=8.8.8.8@1.2.3.4 or
server=8.8.8.8@eth0 will use random source
ports. server=8.8.8.8@1.2.3.4#66 or any use of --query-port will
use the explicitly configured port, and should only be done with
understanding of the security implications.
Note that this change turns non-existent-interface and non-local
source-address errors from fatal start-up errors into run-time
errors. The error will be logged and communication with that
server will not be possible.

Change the method of allocation of random source ports for DNS.
Previously, without min-port or max-port configured, dnsmasq would
default to the compiled-in defaults for those, which are 1024 and
65535. Now, when neither is configured, it defaults instead to
the kernel's ephemeral port range, which is typically
32768 to 60999 on Linux systems. This change eliminates the
possibility that dnsmasq may be using a registered port > 1024
when a long-running daemon starts up and wishes to claim it.
This change does likely slightly reduce the number of random ports
and therefore the protection from reply spoofing. The older
behaviour can be restored using the min-port and max-port config
switches should that be a concern.

Scale the size of the DNS random-port pool based on the
value of the --dns-forward-max configuration.

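The two entries above (random source ports even with a bound source address, and the switch to the kernel's ephemeral range) both come down to how the upstream query socket is bound. The following is an added example, not dnsmasq's own code: it binds UDP sockets to a chosen source address with port 0 so the kernel picks an ephemeral port, reads the kernel's ip_local_port_range so the result can be checked, and compares pool sizes for the old 1024-65535 default and a typical 32768-60999 ephemeral range. The loopback source address, the socket count and the fallback range are constructed assumptions for the demonstration.

```python
import socket

# Constructed fallback for hosts where /proc is not readable; a typical
# Linux ephemeral range, not a value taken from any particular system.
DEFAULT_RANGE = (32768, 60999)


def ephemeral_port_range():
    """Return the kernel's (low, high) ephemeral port range, or DEFAULT_RANGE."""
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            lo, hi = (int(x) for x in f.read().split())
            return lo, hi
    except (OSError, ValueError):
        return DEFAULT_RANGE


def open_query_sockets(source_addr="127.0.0.1", count=32):
    """Open `count` UDP sockets bound to `source_addr` with port 0.

    Port 0 means "kernel, choose an ephemeral port", so fixing the source
    address (the server=<ip>@<source> case) does not fix the source port.
    Only an explicit port (server=<ip>@<source>#<port>, --query-port) does.
    The caller is responsible for closing the returned sockets.
    """
    socks = []
    for _ in range(count):
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((source_addr, 0))
        socks.append(s)
    return socks


def sample_source_ports(source_addr="127.0.0.1", count=32):
    """Ports the kernel handed to `count` simultaneously open sockets."""
    socks = open_query_sockets(source_addr, count)
    try:
        return [s.getsockname()[1] for s in socks]
    finally:
        for s in socks:
            s.close()


def ports_look_random(ports, port_range):
    """True if every port is distinct and inside `port_range` (inclusive)."""
    lo, hi = port_range
    return len(set(ports)) == len(ports) and all(lo <= p <= hi for p in ports)


def pool_size(port_range):
    """Number of distinct source ports available in an inclusive range."""
    lo, hi = port_range
    return hi - lo + 1


if __name__ == "__main__":
    rng = ephemeral_port_range()
    ports = sample_source_ports()
    print("kernel range", rng, "pool", pool_size(rng))
    print("legacy pool 1024-65535:", pool_size((1024, 65535)))
    print("sampled ports distinct and in range:", ports_look_random(ports, rng))
```

Simultaneously open sockets cannot share a port, which is why the sample holds them open until all ports have been read; a fixed-port socket, by contrast, gives every outgoing query the same source port and leaves only the 16-bit query ID for an off-path forger to guess.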
Tweak TFTP code to check sender of all received packets, as
specified in RFC 1350 para 4.

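RFC 1350 section 4 identifies a transfer by the peer's IP address and transfer ID (its UDP port) and says a packet from any other sender must not disturb the transfer: it is dropped and answered with an ERROR carrying code 5, "Unknown transfer ID". The following is an added example, not dnsmasq's TFTP code, of that check on constructed packets and addresses (the 192.0.2.x/198.51.100.x addresses and TIDs are documentation-range placeholders).

```python
import struct

OP_DATA, OP_ACK, OP_ERROR = 3, 4, 5
ERR_ILLEGAL_OP = 4      # RFC 1350: "Illegal TFTP operation"
ERR_UNKNOWN_TID = 5     # RFC 1350: "Unknown transfer ID"


def build_error(code, message):
    """Encode a TFTP ERROR packet: opcode 5, error code, NUL-terminated text."""
    return struct.pack("!HH", OP_ERROR, code) + message.encode("ascii") + b"\0"


class TftpTransfer:
    """State for one transfer, keyed on the (ip, tid) that started it."""

    def __init__(self, peer):
        self.peer = peer          # (ip, tid) learned from the first packet
        self.rejected = 0         # packets refused because of a sender mismatch

    def receive(self, sender, packet):
        """Return (accepted, reply_to_sender).

        A packet whose (ip, tid) differs from the established peer is not
        applied to the transfer; the sender gets an ERROR 5 and the real
        transfer continues unaffected, as RFC 1350 section 4 requires.
        """
        if sender != self.peer:
            self.rejected += 1
            return False, build_error(ERR_UNKNOWN_TID, "Unknown transfer ID")
        if len(packet) < 4:
            return False, build_error(ERR_ILLEGAL_OP, "Illegal TFTP operation")
        opcode = struct.unpack("!H", packet[:2])[0]
        if opcode not in (OP_DATA, OP_ACK, OP_ERROR):
            return False, build_error(ERR_ILLEGAL_OP, "Illegal TFTP operation")
        return True, None


def demo():
    """Constructed exchange: the real client ACKs, then a stranger injects an ACK."""
    transfer = TftpTransfer(("192.0.2.10", 2049))
    ack_block_1 = struct.pack("!HH", OP_ACK, 1)
    real = transfer.receive(("192.0.2.10", 2049), ack_block_1)
    stranger = transfer.receive(("198.51.100.7", 2049), ack_block_1)
    return real, stranger, transfer.rejected


if __name__ == "__main__":
    print(demo())
```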
version 2.84

Fix a problem, introduced in 2.83, which could see DNS replies
being sent via the wrong socket. On machines running both
IPv4 and IPv6 this could result in sporadic messages of
the form "failed to send packet: Network is unreachable" and
the loss of the query. Since the error is sporadic and of
low probability, the client retry would normally succeed.

Change HAVE_NETTLEHASH compile-time to HAVE_CRYPTOHASH.

version 2.83

Use the values of --min-port and --max-port in outgoing
TCP connections to upstream DNS servers.

Fix a remote buffer overflow problem in the DNSSEC code. Any
dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683,
CVE-2020-25687.

Be sure to only accept UDP DNS query replies at the address
[... unchanged lines omitted from the diff ...]
in the {query-ID, random-port} tuple as possible, to help defeat
cache poisoning attacks. Refer: CVE-2020-25684.

Use the SHA-256 hash function to verify that DNS answers
received are for the questions originally asked. This replaces
the slightly insecure SHA-1 (when compiled with DNSSEC) or
the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.

Handle multiple identical near simultaneous DNS queries better.
Previously, such queries would all be forwarded
independently. This is, in theory, inefficient but in practice
not a problem, _except_ that it means that an answer for any
of the forwarded queries will be accepted and cached.
An attacker can send a query multiple times, and for each repeat,
another {port, ID} becomes capable of accepting the answer he is
sending in the blind, to random IDs and ports. The chance of a
successful attack is therefore multiplied by the number of repeats
of the query. The new behaviour detects repeated queries and
merely stores the clients sending repeats so that when the
first query completes, the answer can be sent to all the
clients who asked. Refer: CVE-2020-25686.

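The CVE-2020-25686 entry above and the 2.85 note on the smaller ephemeral port range both reason about the same quantity: the chance that a blindly forged reply matches an outstanding {source port, query ID} pair. The following is an added example, not dnsmasq code, that carries that arithmetic through. It treats the accepting slots as uniformly random over `ports x 65536` IDs and the forger's guesses as distinct; the function names, and the port counts 64512 (1024-65535) and 28232 (32768-60999), are the example's own working assumptions, not values quoted from dnsmasq.

```python
from math import isclose

QUERY_IDS = 65536  # the DNS transaction ID is 16 bits


def blind_spoof_probability(n_ports, guesses, repeats=1, merge_repeats=True):
    """Probability that `guesses` distinct forged replies hit at least one
    accepting {port, ID} slot for one question.

    repeats       how many times the same question was sent to the resolver
    merge_repeats True for the 2.83+ behaviour (repeats share one forwarded
                  query, so one slot); False for the old behaviour, where
                  every repeat was forwarded separately and opened a new slot.
    """
    space = n_ports * QUERY_IDS
    slots = 1 if merge_repeats else min(repeats, space)
    if guesses >= space:
        return 1.0
    # P(every guess misses) for guesses drawn without replacement:
    # C(space - slots, guesses) / C(space, guesses), computed as a product
    # so it works for large spaces without huge integers.
    p_miss = 1.0
    for i in range(guesses):
        p_miss *= (space - slots - i) / (space - i)
    return 1.0 - p_miss


def repeat_multiplier(n_ports, guesses, repeats):
    """How much repeating the question helped the forger before merging."""
    merged = blind_spoof_probability(n_ports, guesses, repeats, merge_repeats=True)
    unmerged = blind_spoof_probability(n_ports, guesses, repeats, merge_repeats=False)
    return unmerged / merged


if __name__ == "__main__":
    legacy_pool, ephemeral_pool = 64512, 28232   # 1024-65535 vs 32768-60999
    print("one guess, one slot:", blind_spoof_probability(legacy_pool, 1))
    print("10 repeats, old behaviour x", repeat_multiplier(legacy_pool, 1000, 10))
    print("ephemeral/legacy risk ratio:",
          blind_spoof_probability(ephemeral_pool, 1000)
          / blind_spoof_probability(legacy_pool, 1000))
```

With one slot and one guess the probability is exactly 1/(ports x 65536); with the old unmerged behaviour ten repeats make it very close to ten times that, which is the "multiplied by the number of repeats" statement in the entry. Moving from the 1024-65535 pool to a 32768-60999 ephemeral pool raises the per-guess probability by the ratio of the pool sizes (about 2.3x), which is the trade-off the 2.85 note says --min-port and --max-port can reverse.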
version 2.82

Improve behaviour in the face of network interfaces which come
and go and change index. Thanks to Petr Mensik for the patch.

Convert hard startup failure on NETLINK_NO_ENOBUFS under qemu-user