Commit graph

42 commits

Author SHA1 Message Date
Martin Weinelt
c9fef6230a dnsmasq: 2.80 → 2.81
Fixes: CVE-2019-14834

A vulnerability was found in dnsmasq before version 2.81, where the
memory leak allows remote attackers to cause a denial of service
(memory consumption) via vectors involving DHCP response creation.

Changelog:

version 2.81
	Improve cache behaviour for TCP connections. For ease of
	implementation, dnsmasq has always forked a new process to handle
	each incoming TCP connection. A side-effect of this is that
	any DNS queries answered from TCP connections are not cached:
	when TCP connections were rare, this was not a problem.
	With the coming of DNSSEC, it is now the case that some
	DNSSEC queries have answers which spill to TCP, and if,
	for instance, this applies to the keys for the root, then
	those never get cached, and performance is very bad.
	This fix passes cache entries back from the TCP child process to
	the main server process, and fixes the problem.

	Remove the NO_FORK compile-time option, and support for uclinux.
	In an era where everything has an MMU, this looks like
	an anachronism, and it adds to (Ok, multiplies!) the
	combinatorial explosion of compile-time options. Thanks to
	Kevin Darbyshire-Bryant for the patch.

	Fix line-counting when reading /etc/hosts and friends; for
	correct error messages. Thanks to Christian Rosentreter
	for reporting this.

	Fix bug in DNS non-terminal code, added in 2.80, which could
	sometimes cause a NODATA rather than an NXDOMAIN reply.
	Thanks to Norman Rasmussen, Sven Mueller and Maciej Żenczykowski
	for spotting and diagnosing the bug and providing patches.

	Support TCP-fastopen (RFC-7413) on both incoming and
	outgoing TCP connections, if supported and enabled in the OS.

	Improve kernel-capability manipulation code under Linux. Dnsmasq
	now fails early if a required capability is not available, and
	tries not to request capabilities not required by its
	configuration.

	Add --shared-network config. This enables allocation of addresses
	by the DHCP server in subnets where the server (or relay) does not
	have an interface on the network in that subnet. Many thanks to
	kamp.de for sponsoring this feature.

	Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet
	validation check got borked in commit 2b38e382 and release 2.80.
	Thanks to Tomasz Szajner for spotting this.

	Fix compilation against nettle version 3.5 and later.

	Fix spurious DNSSEC validation failures when the auth section
	of a reply contains unsigned RRs from a signed zone,
	with the exception that NSEC and NSEC3 RRs must always be signed.
	Thanks to Tore Anderson for spotting and diagnosing the bug.

	Add --dhcp-ignore-clid. This disables reading of DHCP client
	identifier option (option 61), so clients are only identified by
	MAC addresses.

	Fix a bug which stopped --dhcp-name-match from working when a hostname
	is supplied in --dhcp-host. Thanks to James Feeney for spotting this.

	Fix bug which very rarely caused zero-length DHCPv6 packets.
	Thanks to Dereck Higgins for spotting this.

	Add --tftp-single-port option.

	Enhance --conf-dir to load files in a deterministic order. Thanks to
	Evgenii Seliavka for the suggestion and initial patch.

	In the router advert code, handle case where we have two
	different interfaces on the same IPv6 net, and we are doing
	RA/DHCP service on only one of them. Thanks to NIIBE Yutaka
	for spotting this case and making the initial patch.

	Support prefixed ranges of ipv6 addresses in dhcp-host.
	This eases problems chain-netbooting, where each link in the
	chain requests an address using a different UID. With a single
	address, only one gets the "static" address, but with this
	fix, enough addresses can be reserved for all the stages of the
	boot. Many thanks to Harald Jensås for his work on this idea and
	earlier patches.

	Add filtering by tag of --dhcp-host directives. Based on a patch
	by Harald Jensås.

	Allow empty server spec in --rev-server, to match --server.

	Remove DSA signature verification from DNSSEC, as specified in
	RFC 8624. Thanks to Loganaden Velvindron for the original patch.

	Add --script-on-renewal option.
2020-04-29 04:22:08 +02:00
Michael Reilly
84cf00f980
treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
Vladimír Čunát
944775e0c5
dnsmasq: correct previous change for Darwin
I was a bit hasty in commit 482642a73.
2020-02-19 15:20:46 +01:00
Vladimír Čunát
482642a733
dnsmasq: fixup build after kernel header changes
https://github.com/torvalds/linux/commit/0768e17073d
2020-02-19 13:14:04 +01:00
worldofpeace
9058ad8c74 dnsmasq: fix build with nettle 3.5 2019-10-14 18:25:28 -04:00
worldofpeace
2220086061 dnsmasq: Move D-Bus conf file to share/dbus-1/system.d
Since D-Bus 1.9.18 configuration files installed by third-party should
go in share/dbus-1/system.d. The old location is for sysadmin overrides.
2019-09-16 13:59:09 -04:00
Robin Gloster
4e60b0efae
treewide: update globin's maintained drvs 2019-08-20 19:36:05 +02:00
R. RyanTM
904ae0b116 dnsmasq: 2.79 -> 2.80
Semi-automatic update generated by
https://github.com/ryantm/nixpkgs-update tools. This update was made
based on information from
https://repology.org/metapackage/dnsmasq/versions
2018-11-10 03:18:29 -08:00
volth
52f53c69ce pkgs/*: remove unreferenced function arguments 2018-07-21 02:48:04 +00:00
Matthew Bauer
76999cc40e treewide: remove aliases in nixpkgs
This makes the command ‘nix-env -qa -f. --arg config '{skipAliases =
true;}'’ work in Nixpkgs.

Misc...

- qtikz: use libsForQt5.callPackage

  This ensures we get the right poppler.

- rewrites:

  docbook5_xsl -> docbook_xsl_ns
  docbook_xml_xslt -> docbook_xsl

diffpdf: fixup
2018-07-18 23:25:20 -04:00
Franz Pletz
d856ad7fc4
dnsmasq: 2.78 -> 2.79 2018-07-15 20:15:36 +02:00
adisbladis
b492e2a164
dnsmasq: Patch CVE-2017-15107 2018-02-24 01:36:45 +08:00
Franz Pletz
2f188ff37f
dnsmasq: 2.77 -> 2.78 for multiple CVEs
Fixes CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494,
CVE-2017-14495, CVE-2017-14496.
2017-10-02 17:06:22 +02:00
Franz Pletz
bc3ee6bfd4
dnsmasq: 2.76 -> 2.77 2017-06-20 03:45:43 +02:00
Nick Novitski
44cf3c44b0 dnsmasq: install launchd plist on darwin 2017-03-09 11:30:50 +13:00
Robin Gloster
5185bc1773 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-15 14:41:01 +00:00
Franz Pletz
033e593a4f dnsmasq: 2.75 -> 2.76 (security)
Fixes CVE-2015-8899.
2016-07-10 10:48:10 +02:00
Franz Pletz
aff1f4ab94 Use general hardening flag toggle lists
The following parameters are now available:

  * hardeningDisable
    To disable specific hardening flags
  * hardeningEnable
    To enable specific hardening flags

Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.

cc-wrapper supports the following flags:

  * fortify
  * stackprotector
  * pie (disabled by default)
  * pic
  * strictoverflow
  * format
  * relro
  * bindnow
2016-03-05 18:55:26 +01:00
Robin Gloster
e392824fb3 dnsmasq: enable pie hardening 2016-02-26 17:55:51 +00:00
Dan Peebles
50a00101c1 dnsmasq: get it working on darwin again 2015-12-24 23:27:31 -05:00
Domen Kožar
29befbeb95 dnsmasq: install dhcp_* tools 2015-12-03 11:09:40 +01:00
William A. Kennington III
8c244bc21c dnsmasq: 2.73 -> 2.75 2015-08-03 12:52:22 -07:00
William A. Kennington III
6f4fbcc981 dnsmasq: Fix build 2015-06-19 00:54:41 -07:00
William A. Kennington III
bdeac100db dnsmasq: 2.72 -> 2.73 2015-06-18 21:56:18 -07:00
Aristid Breitkreuz
68c15230c6 dnsmasq: update from 2.71 to 2.72 2014-10-06 22:31:43 +02:00
Patrick Mahoney
7fc369cfca dnsmasq: Replace deprecated ensureDir with mkdir. 2014-08-30 09:19:23 -05:00
William A. Kennington III
9194f69e73 dnsmasq: Meta Update 2014-08-28 11:39:03 -07:00
Paul Colomiets
adbb9ff796 dnsmasq: upgrade to 2.71, fixed dnsmasq module
* The module now has systemd config

* Add resolveLocalQueries option which sets up it as a dns server for
  local host (including reasonable setup of resolvconf)

* Add "dnsmasq" user for running daemon

* Enabled dbus and dnssec support for the package

Conflicts:
	nixos/modules/misc/ids.nix
2014-08-28 11:39:03 -07:00
Frerich Raabe
965237a6ee Use .tar.xz instead of .tar.gz for dnsmasq
To save precious bandwidth.
2014-08-07 21:40:45 +02:00
Frerich Raabe
dee49fa1b2 Update dnsmasq to version 2.71 2014-08-07 21:40:45 +02:00
Frerich Raabe
1ff81347ec Enable dnsmasq on OS X
It seems to work alright.
2014-08-07 21:40:45 +02:00
Eelco Dolstra
1833b1a4cc dnsmasq: Update to 2.69 2014-04-18 15:39:11 +02:00
Nixpkgs Monitor
53261424c3 dnsmasq: update from 2.67 to 2.68 2013-12-15 12:19:28 +02:00
Bjørn Forsman
f21e9f0a07 dnsmasq: bump 2.63 -> 2.67
See changelog at http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
2013-11-27 19:29:37 +01:00
Eelco Dolstra
0efbc7d3bf dnsmasq: Update to 2.63 2012-10-26 16:23:30 +02:00
Eelco Dolstra
9da1dd6c90 * dnsmasq updated to 2.59.
svn path=/nixpkgs/trunk/; revision=32334
2012-02-16 18:03:12 +00:00
Eelco Dolstra
8dc531a5b7 * dnsmasq updated to 2.57.
svn path=/nixpkgs/trunk/; revision=26249
2011-03-10 13:35:19 +00:00
Eelco Dolstra
48229f2b0d * dnsmasq updated to 2.55.
svn path=/nixpkgs/trunk/; revision=24222
2010-10-11 19:30:54 +00:00
Eelco Dolstra
4bf5b0d36b * Fix some more "args: with args".
svn path=/nixpkgs/trunk/; revision=22828
2010-07-30 14:47:23 +00:00
Marc Weber
5f044d6f3f fix: dnsmasq can now be started after installing..
What has gone wrong by my first commit attempt?

svn path=/nixpkgs/trunk/; revision=12294
2008-07-07 11:40:16 +00:00
Yury G. Kudryashov
5bca69ac34 Nix-expr style review
Unneeded args.something replaced with
args: with args;
line. After this line args is the only place where we can receive variables from.

Also removed several
buildInputs = [];
lines.

svn path=/nixpkgs/trunk/; revision=10415
2008-01-30 17:20:48 +00:00
Marc Weber
088a6817db added:
dnsmasq, uisp, fltk libixp_for_wmii, acerhk kernel module, reiserfsprogs, radeontools, msmtp,
procmail, pstree, gxemul

changed:
umlutilities to also support building tunctl optionally (needing kernel header files)
wmii updated and wmiimenu added

svn path=/nixpkgs/trunk/; revision=9242
2007-09-03 12:10:57 +00:00