all from dnsmasq's Git repository hosted by Simon Kelley:
+ Fix DHCPv6 "use multicast" response
+ Avoid undefined behaviour with the ctype(3) functions.
+ Document suppressing default options in --dhcp-option.
+ Fix --rev-server option.
+ Set the default maximum DNS UDP packet size to 1232.
+ Generalise cached NXDOMAIN replies.
+ Fix possible SEGV when no servers defined.
and bump PORTREVISION. This is so we can let it mature
for two weeks before 2023Q2 and because the upstream
release schedule is unforeseeable.
Obtained from: Simon Kelley <simon@thekelleys.org.uk>
Obtained from: Dominik Derigs <dl6er@dl6er.de>
Obtained from: Taylor R Campbell <campbell+dnsmasq@mumble.net>
Simon Kelley sent an advisory that in rare circumstances, the cache can
become corrupted and the DNS subsystem then became disfunctional.
This is reported as regression in 2.88.
Chances seem higher this happens with DNSSEC enabled, but seems not limited
to it. For details, please see the patch contained in this commit, or
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2023q1/016821.html
The symptom of this happening is apparently a cache internal error.
2.89 with this fix and a few others is slated for release in a week.
Let's fix the patch already and MFH to 2023Q1 so we keep our liberties
to decide whether we need to move quarterly to 2.89 or rather stick
with 2.88_1.
originally
Reported by: Timo van Roermund (to Simon Kelley in private)
Reported by: Simon Kelley (upstream maintainer, through mailing list)
Obtained from: Simon Kelley (upstream maintainer, Git repository)
MFH: 2023Q1
Commit b7f05445c0 has added WWW entries to port Makefiles based on
WWW: lines in pkg-descr files.
This commit removes the WWW: lines of moved-over URLs from these
pkg-descr files.
Approved by: portmgr (tcberner)
It has been common practice to have one or more URLs at the end of the
ports' pkg-descr files, one per line and prefixed with "WWW:". These
URLs should point at a project website or other relevant resources.
Access to these URLs required processing of the pkg-descr files, and
they have often become stale over time. If more than one such URL was
present in a pkg-descr file, only the first one was tarnsfered into
the port INDEX, but for many ports only the last line did contain the
port specific URL to further information.
There have been several proposals to make a project URL available as
a macro in the ports' Makefiles, over time.
This commit implements such a proposal and moves one of the WWW: entries
of each pkg-descr file into the respective port's Makefile. A heuristic
attempts to identify the most relevant URL in case there is more than
one WWW: entry in some pkg-descr file. URLs that are not moved into the
Makefile are prefixed with "See also:" instead of "WWW:" in the pkg-descr
files in order to preserve them.
There are 1256 ports that had no WWW: entries in pkg-descr files. These
ports will not be touched in this commit.
The portlint port has been adjusted to expect a WWW entry in each port
Makefile, and to flag any remaining "WWW:" lines in pkg-descr files as
deprecated.
Approved by: portmgr (tcberner)
Cherry-pick these Git commits from the upstream:
--local should behave as --server, not as --address [...]
Fix confusion in DNS retries and --strict-order.
Fix confusion with log-IDs and DNS retries.
loosely prompted by Olivier's
PR: 260331
The conflict checks compare the patterns first against the package
names without version (as reported by "pkg query "%n"), then - if
there was no match - agsinst the full package names including the
version (as reported by "pkg query "%n-%v").
Approved by: portmgr (blanket)
Upstream blessed v2.84 rc2 (which 2.83_1 effectively already was)
into v2.84 release, so take it (and patch the upstream bug of
leaving "rc2" in the version out).
MFH: 2021Q1 (regression fixes for security fix release)
Apparently there are situations where dnsmasq 2.83 can confuse
its peers or sockets, and the upstream Git contains fixes for them.
These four fixes essentially take dnsmasq to 2.84test3.
Obtained from: Simon Kelley <simon@thekelleys.org.uk>'s Git repository
CHANGELOG of version 2.83:
Use the values of --min-port and --max-port in outgoing
TCP connections to upstream DNS servers.
Fix a remote buffer overflow problem in the DNSSEC code. Any
dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683
CVE-2020-25687.
Be sure to only accept UDP DNS query replies at the address
from which the query was originated. This keeps as much entropy
in the {query-ID, random-port} tuple as possible, to help defeat
cache poisoning attacks. Refer: CVE-2020-25684.
Use the SHA-256 hash function to verify that DNS answers
received are for the questions originally asked. This replaces
the slightly insecure SHA-1 (when compiled with DNSSEC) or
the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
Handle multiple identical near simultaneous DNS queries better.
Previously, such queries would all be forwarded
independently. This is, in theory, inefficent but in practise
not a problem, _except_ that is means that an answer for any
of the forwarded queries will be accepted and cached.
An attacker can send a query multiple times, and for each repeat,
another {port, ID} becomes capable of accepting the answer he is
sending in the blind, to random IDs and ports. The chance of a
succesful attack is therefore multiplied by the number of repeats
of the query. The new behaviour detects repeated queries and
merely stores the clients sending repeats so that when the
first query completes, the answer can be sent to all the
clients who asked. Refer: CVE-2020-25686.
MFH: 2021Q1
Security: 5b5cf6e5-5b51-11eb-95ac-7f9491278677
Security: CVE-2020-25684
Security: CVE-2020-25685
Security: CVE-2020-25686
Security: CVE-2020-25681
Security: CVE-2020-25682
Security: CVE-2020-25683
Security: CVE-2020-25687
The pkg-message contains a security note that is necessary on
new installs and on updates alike.
Since per the porter's handbook, the UCL does not support enumeration
of types, and this is not relevant on removal, the UCL change must be
reverted. While here, remove formatting.
Failure inducing commit:
|------------------------------------------------------------------------
|r508835 | mat | 2019-08-13 18:01:59 +0200 (Tue, 13 Aug 2019) | 2 lines
|
|Convert to UCL & cleanup pkg-message (categories d)
|
|------------------------------------------------------------------------
NOTE: The UCL conversion of files/pkg-message.in was not authorized
and damaging and no heads-up was sent to the maintainer.
portmgr@ MUST act more carefully with sweeping changes and hand them out
for review first.
Security: the installed example configuration file shows a way of
disabling WPAD hijacking, but leaves it commented out. Extend pkg-message.
Changelog: <http://thekelleys.org.uk/dnsmasq/CHANGELOG>
Since installing v2.80 isn't a fix against the vulnerability, and fixing
it needs administrator intervention on upgrades, I am not marking this in
vuxml for now, since we'd need to mark v2.80 vulnerable, too.
MFH: 2018Q4
Security: CERT VU#598349
Regression in v2.77 caused by a patch proposed by yours truly.
Reported by: Steven Shiau (via upstream dnsmasq-discuss mailing list)
Obtained from: Chris Novakovich and Simon Kelley
Pointyhat to: mandree@
This adds a new ports option, IPSET, defaulting to on.
Use the opportunity to use the options helpers OPT_CFLAGS[_OFF] on the
trivial options.
PR: 217900
Submitted by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
