dnsmasq - Debian Package Tracker

general

source: dnsmasq (main)
version: 2.89-1
maintainer: Simon Kelley (DMD)
arch: all any
std-ver: 3.9.8
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.80-1+deb10u1
o-o-sec: 2.80-1+deb10u1
oldstable: 2.85-1
stable: 2.89-1
testing: 2.89-1
unstable: 2.89-1

versioned links

2.80-1+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.85-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.89-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

dnsmasq (54 bugs: 0, 41, 13, 0)
dnsmasq-base (4 bugs: 0, 2, 2, 0)
dnsmasq-base-lua
dnsmasq-utils (1 bugs: 0, 1, 0, 0)

action needed

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2023-28450: An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020.

Created: 2023-06-11 Last update: 2023-11-08 06:08

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2023-28450: An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020.

Created: 2023-03-16 Last update: 2023-11-08 06:08

lintian reports 2 errors and 21 warnings high

Lintian reports 2 errors and 21 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2023-02-10 Last update: 2023-02-18 12:36

Standards version of the package is outdated. high

The package is severely out of date with respect to the Debian Policy. The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.2 instead of 3.9.8).

Created: 2017-10-03 Last update: 2023-02-05 08:14

6 bugs tagged patch in the BTS normal

The BTS contains patches fixing 6 bugs, consider including or untagging them.

Created: 2023-09-13 Last update: 2023-12-04 21:31

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 2.90-1, distribution unstable) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 63ba726e1f8d1ac53db260110657bc82539b2d97
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Sun Dec 3 17:48:56 2023 +0000

    Fix --synth-domain NXDOMAIN responses.
    
    By design, dnsmasq forwards queries for RR-types it has no data
    on, even if it has data for the same domain and other RR-types.
    
    This can lead to an inconsitent view of the DNS when an upstream
    server returns NXDOMAIN for an RR-type and domain but the same domain
    but a different RR-type gets an answer from dnsmasq. To avoid this,
    dnsmasq converts NXDOMAIN answer from upstream to NODATA answers if
    it would answer a query for the domain and a different RR-type.
    
    An oversight missed out --synth-domain from the code to do this, so
    --synth-domain=thekelleys.org.uk,192.168.0.0/24
    would result in the correct answer to an A query for
    192-168.0.1.thekelleys.org.uk and an AAAA query for the same domain
    would be forwarded upstream and the resulting NXDOMAIN reply
    returned.
    
    After the fix, the reply gets converted to NODATA.
    
    Thanks to Matt Wong for spotting the bug.

commit f1beb79429338d35d3b7f821ea33053ab980ccf5
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Sun Dec 3 16:09:08 2023 +0000

    Fix problem with domains associated with DHCP hosts at startup.
    
    At startup, the leases file is read by lease_init(), and
    in lease_init() undecorated hostnames are expanded into
    FQDNs by adding the domain associated with the address
    of the lease.
    
    lease_init() happens relavtively early in the startup, party because
    if it calls  the dhcp-lease helper script, we don't want that to inherit
    a load of sensitive file descriptors. This has implications if domains
    are defined using the --domain=example.com,eth0 format since it's long
    before we call enumerate_interfaces(), so get_domain fails for such domains.
    
    The patch just moves the hostname expansion function to a seperate
    subroutine that gets called later, after enumerate_interfaces().

commit cd4db8246ed221c83b8c7dbba9e1fc6a7e1e888c
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Thu Nov 30 12:46:47 2023 +0000

    Fix typo in dnsmasq.conf.example
    
    Thanks to Brenton Bostick for the report.

commit 69877f565a969260cf2761b2fd512d6c28dbf2f0
Author: Damian Sawicki <dsawicki@google.com>
Date:   Thu Nov 30 15:55:51 2023 +0000

    Add information on process-forking for TCP connections to metrics.
    
    Add the relevant information to the metrics and to the output of
    dump_cache() (which is called when dnsmasq receives SIGUSR1).
    Hence, users not collecting metrics will still be able to
    troubleshoot with SIGUSR1. In addition to the current usage,
    dump_cache() contains the information on the highest usage
    since it was last called.

commit 744231d99505cdead314d13506b5ff8c44a13088
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon Nov 27 23:08:31 2023 +0000

    Tighten up error checking in --bind-dynamic mode.
    
    In bind-dynamic mode, its OK to fail to bind a socket to an address
    given by --listen-address if no interface with that address exists
    for the time being. Dnsmasq will attempt to create the socket again
    when the host's network configuration changes.
    
    The code used to ignore pretty much any error from bind(), which is
    incorrect and can lead to confusing behaviour. This change make ONLY
    a return of EADDRNOTAVAIL from bind() a non-error: anything else will be
    fatal during startup phase, or logged after startup phase.
    
    Thanks to Petr Menšík for the problem report and first-pass patch.

commit 65c2d6afd67a032f45f40d7e4d620f5d73e5f07d
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Wed Nov 22 22:02:05 2023 +0000

    Fix standalone SHA256 implementation.
    
    Bug report here:
    https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2023q4/017332.html
    
    This error probably has no practical effect since even if the hash
    is wrong, it's only compared internally to other hashes computed using
    the same code.
    
    Understanding the error:
    
    hash-questions.c:168:21: runtime error: left shift of 128 by 24 places
    cannot be represented in type 'int'
    
    requires a certain amount of c-lawyerliness. I think the problem is that
    
    m[i] = data[j] << 24
    
    promotes the unsigned char data array value to int before doing the shift and
    then promotes the result to unsigned char to match the type of m[i].
    What needs to happen is to cast the unsigned char to unsigned int
    BEFORE the shift.
    
    This patch does that with explicit casts.

commit b27b94cfdc5e0cad6a5a8675471e0bdc64676006
Merge: b8b5b73 568fb02
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Wed Nov 22 15:29:10 2023 +0000

    Merge branch 'master' of ssh://thekelleys.org.uk/var/local/git/dnsmasq

commit b8b5b734b4175311e7d432d86a9ca69401b0717d
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Wed Nov 22 15:20:53 2023 +0000

    Fix misuse of const pointer in src/nftset.c.
    
    Thanks to  Kevin Darbyshire-Bryant for the initial patch, which was
    modified by srk - any remaining bugs are his.

commit 568fb02449a8b43cce7c8da212558ecf022a5f40
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon Nov 13 22:08:08 2023 +0000

    Fix use-after-free in cache_remove_uid().
    
    Thanks to Kevin Darbyshire-Bryant for the bug report.

commit 77ef9b260352c7820b6fee7d91c73415a41cbf1d
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Fri Nov 10 23:13:46 2023 +0000

    Fix crash when DNS disabled, introduced in 416390f9962e455769aa8ab6df0e105cae07ae55

commit 416390f9962e455769aa8ab6df0e105cae07ae55
Author: Damian Sawicki <dsawicki@google.com>
Date:   Sat Nov 4 23:33:28 2023 +0000

    Add --max-tcp-connections option to make this dynamically configurable.

commit 24804b7431f6ace109e91876aef859a751bf3147
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Sat Nov 4 16:58:30 2023 +0000

    Fix compile warning introduced by a889c554a7df71ff93a8299ef96037fbe05f2f55

commit 1fe9d2ba450fbb4aba2823c6fe210fe3c64ac652
Author: Dominik Derigs <dl6er@dl6er.de>
Date:   Sat Nov 4 16:52:09 2023 +0000

    Add RESINFO RR-type to the table of RR-type names.

commit 3868066085f4f73055d303ad2af59ad66245cf27
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Wed Oct 11 22:33:17 2023 +0100

    Fix bad reply to DHCPCONFIRM messages (wrong message type).
    
    Thanks to renmingshuai <renmingshuai@huawei.com> for
    spotting the error, and making the initial patch.

commit a889c554a7df71ff93a8299ef96037fbe05f2f55
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon Oct 9 21:50:15 2023 +0100

    Work around possible Linux bug with VRF interfaces and DHCPv6.
    
    The scope_id in the source address of recieved packets gets set
    to the index of the VRF interface, not the slave. Fortunately,
    the interface index returned by packetinfo is correct so we use
    instead.
    
    Thanks to Luci Stanescu <luci@safebits.tech> for characterising this.
    
    Ref: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2023q4/017276.html

commit ca8d04a8ff951896578c1f1026a014955a0b40a7
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon Oct 9 21:15:13 2023 +0100

    Cache zero-TTL DNS replies when stale-caching is enabled.

commit 8b606543a3fb687f0e49d4e832f98be9a08924d0
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon Oct 9 21:00:11 2023 +0100

    Fix memory leak in arbitrary-RR caching.
    
    If the cache insertion process fails for any reason, any
    blockdata storage allocated needs to be freed.
    
    Thanks to Damian Sawicki for spotting the problem and
    supplying patches against earlier releases. This patch by SRK,
    and any bugs are his.

commit d16b995756dc079b1fdc2e63665793979f766a26
Author: renmingshuai <renmingshuai@huawei.com>
Date:   Sat Sep 30 23:31:08 2023 +0100

    Fix memory leak when using --dhcp-optsfile with DHCPv6 options.

commit 768b45a0238b3183f0c19def82c1e09e847fd4fc
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon Sep 11 22:11:50 2023 +0100

    Remove two-decade old hack.
    
    answer_request() builds answers in the same packet buffer
    as the request.  This means that any EDNS0 header from the
    original request is overwritten. If the answer is in cache, that's
    fine: dnsmasq adds its own EDNS0 header, but if the cache lookup fails
    partially and the request needs to be sent upstream, it's a problem.
    
    This was fixed a long, long time ago by running the cache
    lookup twice if the request included an EDNS0 header. The first time,
    nothing would be written to the answer packet, nad if the cache
    lookup failed, the untouched question packet was still available
    to forward upstream. If cache lookup succeeded, the whole thing
    was done again, this time writing the data into the reply packet.
    In a world where EDNS0 was rare and so was memory, this was a
    reasonable solution. Today EDNS0 is ubiquitous so basically
    every query is being looked up twice in the cache. There's also
    the problem that any code change which makes successive cache lookups
    for a query possibly return different answers adds a subtle hidden
    bug, because this hack depends on absence of that behaviour.
    
    This commit removes the lookup-twice hack entirely. answer_request()
    can now return zero and overwrite the question packet. The code which
    was previously added to support stale caching by saving a copy of the
    query in the block-storage system is extended to always be active.
    This handles the case where answer_request() returns no answer OR
    a stale answer and a copy of the original query is needed to forward
    upstream.

commit 3b5ddf37d9c841ce48a63cff653cf2bdc2a9b4b7
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Sat Sep 2 21:34:54 2023 +0100

    Fix problem with arbitrary RR caching.
    
    Caching an answer which has more that one RR, with at least
    one answer being <=13 bytes and at least one being >13 bytes
    can screw up the F_KEYTAG flag bit, resulting in the wrong
    type of the address union being used and either a bad value
    return or a crash in the block code.
    
    Thanks to Dominik Derigs and the Pi-hole project for finding
    and characterising this.

commit 9bbf098a970c9e5fa251939208e25fb21064d1be
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Fri May 26 18:19:15 2023 +0100

    =/== typo in last commit.

commit 6536187b629382000299cc8e0dee43876c7382d2
Merge: 1419de2 50adf82
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Fri May 26 18:01:58 2023 +0100

    Merge branch 'master' of ssh://thekelleys.org.uk/var/local/git/dnsmasq

commit 50adf82199c362da6c542f1d22be2eeab7481211
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Fri May 26 17:55:35 2023 +0100

    Behave better when attempting to contact unresponsive TCP servers.
    
    By default TCP connect takes minutes to fail when trying to
    connect a server which is not responding and for which the
    network layer doesn't generate HOSTUNREACH errors.
    
    This is doubled because having failed to connect in FASTOPEN
    mode, the code then tries again with a call to connect().
    
    We set TCP_SYNCNT to 2, which make the timeout about 10 seconds.
    This in an unportable Linux feature, so it doesn't work on other
    platforms.
    
    No longer try connect() if sendmsg in fastopen mode fails with
    ETIMEDOUT or EHOSTUNREACH since the story will just be the same.

commit 1419de285fdacde2dc9683b701ee2d71090eade3
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Wed May 17 23:19:30 2023 +0100

    Log truncated DNS replies.

commit 31c91b40bdb1b4758e3fc6d0c3f7f3e8c831a8f8
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon May 15 18:11:06 2023 +0100

    Handle SERVFAIL responses to DS queries better.
    
    On 15/5/2023 8.8.8.8 was returning SERVFAIL for a query on ec.europa.eu
    
    ec.europa.eu is not a domain cut, that happens at jrc.ec.europa.eu. which
    does return a signed proof of non-existance for a DS record.
    Abandoning the search for a DS or proof of non existence at ec.europa.eu
    renders everything within that domain BOGUS, since nothing is signed.
    
    This code changes behaviour on a SERVFAIL to continue looking
    deeper for a DS or proof of its nonexistence.

commit 1d6fe0ea84689a84c16dfee68b5e2700a62fc892
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon May 1 23:06:29 2023 +0100

    Code tidying.

commit d774add784d01c8346b271e8fb5cbedc44d7ed08
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon May 1 20:42:30 2023 +0100

    Fix issue with stale caching.
    
    After replying with stale data, dnsmasq sends the query upstream to
    refresh the cache asynchronously and sometimes sends the wrong packet:
    packet length can be wrong, and if an EDE marking stale data is added
    to the answer that can end up in the query also. This bug only seems
    to cause problems when the usptream server is a DOH/DOT proxy. Thanks
    to Justin He for the bug report.

commit 7500157cff8ea28ab03e6e62e0d1575e4d01746b
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon Apr 24 15:07:55 2023 +0100

    Improve RFC3315 para 15 packet validation.
    
    Thanks to Shashikumar Shashil for spotting the ommision.

commit 52e6ad2761e4e39c3e89fe3b8d68b98cf538a27c
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon Apr 17 21:25:30 2023 +0100

    Log failure to determine MAC address in DHCPv6.

commit bcb46809dcf8992aeb36a3267e4af4ac1c04f471
Author: Petr Menšík <pemensik@redhat.com>
Date:   Mon Apr 17 21:05:00 2023 +0100

    Optimization of socket events handling of dbus.
    
    Reduces calls to locate the file descriptor structure. Should lower CPU usage when monitoring
    dbus watches.

commit 33635d8564f96cedcef9bf9826cbbca76f28aa81
Author: Petr Menšík <pemensik@redhat.com>
Date:   Mon Apr 17 20:55:31 2023 +0100

    Fix crash in dbus code.
    
    If I configure dnsmasq to use dbus and then restart dbus.service with watchers present,
    it crashes dnsmasq. The reason is simple, it uses loop to walk over watchers to call
    dbus handling code. But from that code the same list can be modified and watchers removed.
    But the list iteration continues anyway.
    
    Restart the loop if list were modified.

commit bd188e306a06ca0acb6c213ecc0e1dc0dc22c3f6
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon Apr 17 16:23:06 2023 +0100

    Fix paren blunder in aaba66efbd3b4e7283993ca3718df47706a8549b
    
    Thanks to Dominik Derigs for spotting this.

commit aaba66efbd3b4e7283993ca3718df47706a8549b
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Wed Apr 12 22:55:14 2023 +0100

    Add --no-dhcpv4-interface and --no-dhcpv6-interface options.

commit 597378cdf55b248a54b930fa31acbad7415aaefd
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Wed Apr 12 16:25:49 2023 +0100

    Turn "used" member of struct iname into flags in preparation for more.

commit 15dcdc824ad49e98aaa1a527d82ac6502bdb50fb
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Wed Apr 5 17:42:23 2023 +0100

    Missed copyright date.

commit 86ee779e22e9fc3a6f3add1935d3392e27df1dca
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Wed Apr 5 17:29:04 2023 +0100

    Make --server=/#/<addr> behave the same as --server=<addr>
    
    For consistency with --address and older dnsmasq releases.

commit df242de5c695b297cf96bcba5095158c87c3a93d
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Wed Apr 5 12:34:34 2023 +0100

    Bump copyrights to 2023.

commit b14aa762ff2a42573b8b9ead85ccfa1f2b938a72
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Sat Apr 1 22:03:49 2023 +0100

    Fix long-term bug in TCP caching code which would lose NXDOMAIN.
    
    A NXDOMAIN answer recieved over TCP by a child process would
    be correctly sent back to the master process which would then
    fail to insert it into the cache.

commit a78487a4df8f23f99e8e8d5bb7449b6429bae1fa
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Sat Apr 1 21:35:26 2023 +0100

    Use a simpler arrangement for the all_addr union to avoid
    the compiler padding it with an extra 8 bytes.
    
    Use the F_KEYTAG flag in a a cache record to discriminate between
    an arbitrary RR stored entirely in the addr union and one
    which has a point to block storage.

commit 3a601d06bdf22f0312177a26f606d9b5f857c1ae
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Sat Apr 1 00:50:29 2023 +0100

    Fix copy-n-paste error in 138e1e2a2d918b37cb0274fe310d53be35acf4cf

commit 047256a6d89ae4b2de0aa51d1f490b521ba32fa1
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Fri Mar 31 23:28:56 2023 +0100

    --domain=# is valid. --synth-domain=# isn't.

commit c244d92d8a3f96e3a16b53f733190faa17004ae3
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Fri Mar 31 18:49:22 2023 +0100

    Allow --cache-rr=ANY with the obvious meaning.

commit 138e1e2a2d918b37cb0274fe310d53be35acf4cf
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Fri Mar 31 17:44:02 2023 +0100

    Optimse memory use for arbitrary-RR caching.
    
    RRs 13 bytes or less don't need to allocate block storage.

commit 153eeb070b2135cac9e12fc38e944ca8683b74c7
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Thu Mar 30 16:00:04 2023 +0100

    Optimise no-action case in rrfilter().

commit a3c8b75972604443cf763fb06e259b38ceec3351
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Wed Mar 29 22:43:21 2023 +0100

    Add filtering of arbitrary RR-types.

commit 042c64273d553c8305d3747849b44a0b257b0622
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Tue Mar 28 18:24:22 2023 +0100

    Remove code for caching SRV.
    
    Function replaced by the ability to cache any RR type.
    
    For backwards compatibilty SRV records are always on the
    list of cacheable RR-types.

commit 638c7c4d20004c0f320820098e29df62a27dd2a1
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Thu Mar 23 17:15:35 2023 +0000

    Add --cache-rr to enable caching of arbitrary RR types.

commit 88fc6c80236e946c7b719a8ef0bd0b08bdbc3295
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon Mar 20 23:11:38 2023 +0000

    Fold F_NOERR and F_DNSSEC to make space for new F_RR.

commit 3fb10cd0d8217b42071ab575c2edaae2554b1780
Merge: 0427e37 ff28a48
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon Mar 20 22:30:11 2023 +0000

    Merge branch 'master' into all-rr-type

commit ff28a485cf8b592a6c21b39bbb8e42f5bc390685
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon Mar 20 22:22:46 2023 +0000

    Close Debian bug.

commit 1f0f86a0d0d0759de4c5eb1080333618563ee5a0
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon Mar 20 18:32:14 2023 +0000

    Add EDE "filtered" extended error when --filter-A or --filter-AAAA act.
    
    If a NODATA answer is returned instead of actual data for A or AAAA
    queries because of the existence of --filter-A or --filter-AAAA
    config options, then mark the replies with an EDE "filtered" tag.
    
    Basic patch by Petr Menšík, tweaked by Simon Kelley to apply onto
    the preceding caching patches.

commit 28429720355c21739c851c28b003b6d0b4aee549
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon Mar 20 17:14:17 2023 +0000

    More --filter-AAAA caching improvements.
    
    Cache answers before filtering and filter coming out of the cache.

commit 5a9eae429a7d0680d606f03f2759d7dde0bbe3f0
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon Mar 20 15:16:29 2023 +0000

    Improve cache use with --filter-A and --filter-AAAA
    
    If --filter-AAAA is set and we have cached entry for
    the domain in question fpr any RR type that allows us to
    return a NODATA reply when --filter-AAAA is set without
    going upstream. Similarly for --filter-A.

commit 946180701191ea7e552fa5a939140a635d47b566
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Thu Mar 16 15:16:17 2023 +0000

    Remove limitation on --dynamic-host.
    
    Dynamic-host was implemented to ignore interface addresses with /32
    (or /128 for IPv6) prefix lengths, since they are not useful for
    synthesising addresses.
    
    Due to a bug before 2.88, this didn't work for IPv4, and some have
    used --dynamic-host=example.com,0.0.0.0,eth0 to do the equivalent of
    --interface-name for such interfaces. When the bug was fixed in 2.88
    these uses broke.
    
    Since this behaviour seems to violate the principle of least surprise,
    and since the 2.88 fix is breaking existing imstallations, this
    commit removes the check on /32 and /128 prefix lengths to solve both
    problems.

commit 00be8b39e240934e404533deda08cbae2aae25a8
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Wed Mar 15 21:12:55 2023 +0000

    Fix DHCPv6 "use multicast" response which previously failed
    to set the message type correctly.
    
    Thanks to Petr Menšík for spotting the problem.

commit ef5aac95d4391fb1290fd76a3826b2851e589bbc
Author: Clayton Craft <clayton@craftyguy.net>
Date:   Wed Mar 8 15:35:05 2023 +0000

    Allow configuring filter-A/AAAA via dbus.

commit ef8e930e4295265b8f46898a8e166f17d7f8ddc8
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Tue Mar 7 22:46:44 2023 +0000

    Generalise cached NXDOMAIN replies.
    
    We can cache an NXDOMAIN reply to a query for any RRTYPE
    and reply from a cached NXDOMAIN to any RRTYPE.

commit eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Tue Mar 7 22:07:46 2023 +0000

    Set the default maximum DNS UDP packet size to 1232.
    
    http://www.dnsflagday.net/2020/ refers.
    
    Thanks to Xiang Li for the prompt.

commit 9a698434dd9cc0f3abbf98f9b266c491d322d20f
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon Mar 6 23:30:36 2023 +0000

    Bump version in Debian changelog.

commit f5ef0f064c3f06b250a9eeda36dc239227658b00
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon Mar 6 23:00:58 2023 +0000

    Fix possible SEGV when no servers defined.
    
    If there exists a --address=/<domain>/  or --server=/<domain>/#
    configuration but no upstream server config unqualified by
    domain then when a query which doesnt match the domain is
    recieved it will use the qualfied server config and in the process
    possibly make an out-of-bounds memory access.
    
    Thanks to Daniel Danzberger for spotting the bug.

commit 997982f78bd3f8c311b9557e1ef825555e7290bb
Author: Dominik Derigs <dl6er@dl6er.de>
Date:   Fri Mar 3 18:05:26 2023 +0100

    Fix --rev-server option. It was broken in 1db9943c6879c160a5fbef885d5ceadd3668b74d when resolving upstream servers by name was extended to --rev-server without accounting for the fact that re-using one and the same upstream server for each of the x.y.z.in-addr.arpa is actually a wanted feature
    
    Signed-off-by: DL6ER <dl6er@dl6er.de>

commit 7d6b68c5d7016aca5372f12e9f0c25f0a108644d
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Mon Mar 6 13:06:03 2023 +0000

    Document suppressing deafult options in --dhcp-option.

commit 137ae2e9cf0dc3596641e7c8b91d15307a35319e
Author: Taylor R Campbell <campbell+dnsmasq@mumble.net>
Date:   Sat Feb 25 15:00:30 2023 +0000

    Avoid undefined behaviour with the ctype(3) functions.
    
    As defined in the C standard:
    
            In all cases the argument is an int, the value of which shall
            be representable as an unsigned char or shall equal the value
            of the macro EOF.  If the argument has any other value, the
            behavior is undefined.
    
    This is because they're designed to work with the int values returned
    by getc or fgetc; they need extra work to handle a char value.
    
    If EOF is -1 (as it almost always is), with 8-bit bytes, the allowed
    inputs to the ctype(3) functions are:
    
            {-1, 0, 1, 2, 3, ..., 255}.
    
    However, on platforms where char is signed, such as x86 with the
    usual ABI, code like
    
            char *arg = ...;
            ... isspace(*arg) ...
    
    may pass in values in the range:
    
            {-128, -127, -126, ..., -2, -1, 0, 1, ..., 127}.
    
    This has two problems:
    
    1. Inputs in the set {-128, -127, -126, ..., -2} are forbidden.
    
    2. The non-EOF byte 0xff is conflated with the value EOF = -1, so
       even though the input is not forbidden, it may give the wrong
       answer.
    
    Casting char to int first before passing the result to ctype(3)
    doesn't help: inputs like -128 are unchanged by this cast.  It is
    necessary to cast char inputs to unsigned char first; you can then
    cast to int if you like but there's no need because the functions
    will always convert the argument to int by definition.  So the above
    fragment needs to be:
    
            char *arg = ...;
            ... isspace((unsigned char)*arg) ...
    
    This patch inserts unsigned char casts where necessary, and changes
    int casts to unsigned char casts where the input is char.
    
    I left alone int casts where the input is unsigned char already --
    they're not immediately harmful, although they would have the effect
    of suppressing some compiler warnings if the input is ever changed to
    be char instead of unsigned char, so it might be better to remove
    those casts too.
    
    I also left alone calls where the input is int to begin with because
    it came from getc; casting to unsigned char here would be wrong, of
    course.

commit 0427e371160882a24825df6f4f963961257df952
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Thu Feb 2 20:20:13 2023 +0000

    Replace dead link in dnsmasq.conf.example.
    
    Thanks to Timo van Roermund for spotting this.

Created: 2023-02-28 Last update: 2023-12-04 21:00

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2022-12-04 Last update: 2023-12-04 19:05

2 low-priority security issues in bullseye low

There are 2 open security issues in bullseye.

2 issues left for the package maintainer to handle:

CVE-2022-0934: (needs triaging) A single-byte, non-arbitrary write/use-after-free flaw was found in dnsmasq. This flaw allows an attacker who sends a crafted packet processed by dnsmasq, potentially causing a denial of service.
CVE-2023-28450: (needs triaging) An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-07-04 Last update: 2023-11-08 06:08

1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:

CVE-2023-28450: (needs triaging) An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020.

You can find information about how to handle this issue in the security team's documentation.

Created: 2023-06-10 Last update: 2023-11-08 06:08

news

[rss feed]

[2023-02-15] dnsmasq 2.89-1 MIGRATED to testing (Debian testing watch)
[2023-02-05] Accepted dnsmasq 2.89-1 (source) into unstable (Simon Kelley)
[2022-12-15] dnsmasq 2.88-1 MIGRATED to testing (Debian testing watch)
[2022-12-04] Accepted dnsmasq 2.88-1 (source) into unstable (Simon Kelley)
[2022-10-20] dnsmasq 2.87-1.1 MIGRATED to testing (Debian testing watch)
[2022-10-15] Accepted dnsmasq 2.87-1.1 (source) into unstable (Michael Biebl)
[2022-10-06] dnsmasq 2.87-1 MIGRATED to testing (Debian testing watch)
[2022-09-25] Accepted dnsmasq 2.87-1 (source) into unstable (Simon Kelley)
[2021-11-20] dnsmasq 2.86-1.1 MIGRATED to testing (Debian testing watch)
[2021-11-12] Accepted dnsmasq 2.86-1.1 (source) into unstable (Michael Biebl)
[2021-09-08] Accepted dnsmasq 2.86-1 (source) into unstable (Simon Kelley)
[2021-04-17] dnsmasq 2.85-1 MIGRATED to testing (Debian testing watch)
[2021-04-07] Accepted dnsmasq 2.85-1 (source) into unstable (Simon Kelley)
[2021-04-01] Accepted dnsmasq 2.84-1.2 (source) into unstable (Andreas Beckmann)
[2021-03-30] Accepted dnsmasq 2.84-1.1 (source) into unstable (Sébastien Villemot)
[2021-03-22] Accepted dnsmasq 2.76-5+deb9u3 (source) into oldstable (Sylvain Beucler)
[2021-02-06] Accepted dnsmasq 2.80-1+deb10u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Sebastien Delafond)
[2021-02-05] dnsmasq 2.84-1 MIGRATED to testing (Debian testing watch)
[2021-02-02] Accepted dnsmasq 2.80-1+deb10u1 (source) into stable->embargoed, stable (Debian FTP Masters) (signed by: Sebastien Delafond)
[2021-01-25] Accepted dnsmasq 2.84-1 (source) into unstable (Simon Kelley)
[2021-01-23] dnsmasq 2.83-1 MIGRATED to testing (Debian testing watch)
[2021-01-19] Accepted dnsmasq 2.83-1 (source) into unstable (Simon Kelley)
[2020-07-31] dnsmasq 2.82-1 MIGRATED to testing (Debian testing watch)
[2020-07-19] Accepted dnsmasq 2.82-1 (source) into unstable (Simon Kelley)
[2020-07-07] dnsmasq 2.81-4 MIGRATED to testing (Debian testing watch)
[2020-06-26] Accepted dnsmasq 2.81-4 (source) into unstable (Simon Kelley)
[2020-04-19] Accepted dnsmasq 2.81-3 (source amd64 all) into unstable (Simon Kelley)
[2020-04-18] Accepted dnsmasq 2.81-2 (source amd64 all) into unstable (Simon Kelley)
[2020-04-12] Accepted dnsmasq 2.81-1 (source amd64 all) into unstable (Simon Kelley)
[2019-12-26] dnsmasq 2.80-1.1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 66 69
RC: 0
I&N: 47 50
M&W: 18
F&P: 1
patch: 6

links

homepage
lintian (2, 21)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (-, 39)

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.89-1
37 bugs