| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: dnsmasq-utils | Distribution: openSUSE Tumbleweed |
| Version: 2.91 | Vendor: openSUSE |
| Release: 2.1 | Build date: Thu Aug 21 17:45:52 2025 |
| Group: Productivity/Networking/DNS/Servers | Build host: reproducible |
| Size: 204719 | Source RPM: dnsmasq-2.91-2.1.src.rpm |
| Packager: http://bugs.opensuse.org | |
| Url: https://thekelleys.org.uk/dnsmasq/ | |
| Summary: Utilities for manipulating DHCP server leases | |
Utilities that use the standard DHCP protocol to query/remove a DHCP server's leases.
GPL-2.0-only OR GPL-3.0-only
* Thu Aug 21 2025 Reinhard Max <max@suse.com>
- bsc#1247812: Fix a segfault when setting up supplementary groups,
but no username was specified.
* Sun May 18 2025 Gerald Chen <gerald_chen@foxmail.com>
- update to 2.91:
* Fix spurious "resource limit exceeded messages".
* Fix out-of-bounds heap read in order_qsort().
* Fix buffer overflow when configured lease-change script name
is too long.
* Improve behaviour in the face of non-responsive upstream TCP DNS
servers. Without shorter timeouts, clients are blocked for too long
and fail with their own timeouts.
* Set --fast-dns-retries by default when doing DNSSEC. A single
downstream query can trigger many upstream queries. On an
unreliable network, there may not be enough downstream retries
to ensure that all these queries complete.
* Improve behaviour in the face of truncated answers to queries
for DNSSEC records. Getting these answers by TCP doesn't now
involve a faked truncated answer to the downstream client to
force it to move to TCP. This improves performance and robustness
in the face of broken clients which can't fall back to TCP.
* No longer remove data from truncated upstream answers. If an
upstream replies with a truncated answer, but the answer has some
RRs included, return those RRs, rather than returning and
empty answer.
* Fix handling of EDNS0 UDP packet sizes.
* Modify the behaviour of --synth-domain for IPv6.
* Fix broken dhcp-relay on *BSD.
* Add --dhcp-option-pxe config. This acts almost exactly like
- -dhcp-option except that the defined option is only sent when
replying to PXE clients. More importantly, these options are sent
in reply PXE clients when dnsmasq in acting in PXE proxy mode. In
PXE proxy mode, the set of options sent is defined by the PXE standard
and the normal set of options is not sent. This config allows arbitrary
options in PXE-proxy replies. A typical use-case is to send option
175 to iPXE.
* Support PXE proxy-DHCP and DHCP-relay at the same time.
* Fix erroneous "DNSSEC validated" state with non-DNSSEC
upstream servers.
* Handle queries with EDNS client subnet fields better. If dnsmasq
is configured to add an EDNS client subnet to a query, it is careful
to suppress use of the cache, since a cached answer may not be valid
for a query with a different client subnet. Extend this behaviour
to queries which arrive a dnsmasq already carrying an EDNS client
subnet.
* Handle DS queries to auth zones. When dnsmasq is configured to
act as an authoritative server and has an authoritative zone
configured, and receives a query for that zone _as_forwarder_
it answers the query directly rather than forwarding it. This
doesn't affect the answer, but it saves dnsmasq forwarding the
query to the recursor upstream, which then bounces it back to dnsmasq
in auth mode. The exception should be when the query is for the root
of zone, for a DS RR. The answer to that has to come from the parent,
via the recursor, and will typically be a proof-of-non-existence
since dnsmasq doesn't support signed zones. This patch suppresses
local answers and forces forwarding to the upstream recursor for such
queries. It stops breakage when a DNSSEC validating client makes
queries to dnsmasq acting as forwarder for a zone for which it is
authoritative.
* Implement "DNS-0x20 encoding", for extra protection against
reply-spoof attacks. Since DNS queries are case-insensitive,
it's possible to randomly flip the case of letters in a query
and still get the correct answer back.
* Fix a long-standing problem when two queries which are identical
in every repect _except_ case, get combined by dnsmasq. If
dnsmasq gets eg, two queries for example.com and Example.com
in quick succession it will get the answer for example.com from
upstream and send that answer to both requestors. This means that
the query for Example.com will get an answer for example.com, and
in the modern DNS, that answer may not be accepted.
* Wed Jan 22 2025 Dominique Leuenberger <dimstar@opensuse.org>
- Drop rcFOO symlinks for CODE16 (PED-266).
* Tue Jan 14 2025 Reinhard Max <max@suse.com>
- bsc#1235834: Don't let compile time options change silently.
- Use pkgconfig for libidn2.
- Disable --nftset for SLE-15-SP3 and older.
- bsc#1235517: Reintroduce nogroup for SLE-15-SP3 and older.
* Tue Oct 08 2024 Lukas Straub <lukasstraub2@web.de>
- Enable --nftset support
* Wed Feb 14 2024 Reinhard Max <max@suse.com>
- update to 2.90:
* CVE-2023-50387, CVE-2023-50868, bsc#1219823, bsc#1219826:
Denial Of Service while trying to validate specially crafted
DNSSEC responses
* CVE-2023-49441, bsc#1226091: integer overflow via forward_query
* Fix reversion in --rev-server introduced in 2.88 which caused
breakage if the prefix length is not exactly divisible by 8
(IPv4) or 4 (IPv6).
* Fix possible SEGV when there server(s) for a particular domain
are configured, but no server which is not qualified for a
particular domain.
* Set the default maximum DNS UDP packet sice to 1232.
Obsoletes: dnsmasq-CVE-2023-28450.patch
* Add --no-dhcpv4-interface and --no-dhcpv6-interface for better
control over which inetrfaces are providing DHCP service.
* Fix issue with stale caching
* Add configurable caching for arbitrary RR-types.
* Add --filter-rr option, to filter arbitrary RR-types.
* Fri Oct 13 2023 Thorsten Kukuk <kukuk@suse.com>
- SLP got dropped, remove config (bsc#1214884)
* Sat May 13 2023 Callum Farmer <gmbr3@opensuse.org>
- Correct rundir from /var/run to /run for pid file
* Tue Apr 25 2023 Reinhard Max <max@suse.com>
- bsc#1209358, CVE-2023-28450, dnsmasq-CVE-2023-28450.patch:
default maximum EDNS.0 UDP packet size should be 1232
* Mon Feb 06 2023 Paolo Stivanin <info@paolostivanin.com>
- update to 2.89:
* Fix bug introduced in 2.88 (commit fe91134b) which can result
in corruption of the DNS cache internal data structures and
logging of "cache internal error". This has only been seen
in one place in the wild, and it took considerable effort
to even generate a test case to reproduce it, but there's
no way to be sure it won't strike, and the effect is to break
the cache badly. Installations with DNSSEC enabled are more
likely to see the problem, but not running DNSSEC does not
guarantee that it won't happen. Thanks to Timo van Roermund
for reporting the bug and for his great efforts in chasing
it down. (boo#1207174)
- remove no longer needed rpmlintrc filters
* Fri Dec 23 2022 Dirk Müller <dmueller@suse.com>
- update to 2.88:
* Fix bug in --dynamic-host when an interface has /16 IPv4
* address.
* Add --fast-dns-retry option. This gives dnsmasq the ability
to originate retries for upstream DNS queries itself, rather
than relying on the downstream client. This is most useful
when doing DNSSEC over unreliable upstream networks. It comes
with some cost in memory usage and network bandwidth.
* Add --use-stale-cache option. When set, if a DNS name exists
in the cache, but its time-to-live has expired, dnsmasq will
return the data anyway.
* handle removal of whole files or entries within files.
* Wed Oct 26 2022 Dirk Müller <dmueller@suse.com>
- update to 2.87 (bsc#1197872, CVE-2022-0934):
* Allow arbitrary prefix lengths in --rev-server and
- -domain=....,local
* Replace --address=/#/..... functionality which got
missed in the 2.86 domain search rewrite.
* Add --nftset option, like --ipset but for the newer nftables.
* Add --filter-A and --filter-AAAA options, to remove IPv4 or IPv6
addresses from DNS answers.
* Fix crash doing netbooting when --port is set to zero
to disable the DNS server. Thanks to Drexl Johannes
for the bug report.
* Generalise --dhcp-relay. Sending via broadcast/multicast is
now supported for both IPv4 and IPv6 and the configuration
syntax made easier (but backwards compatible).
* Add snooping of IPv6 prefix-delegations to the DHCP-relay system.
* Finesse parsing of --dhcp-remoteid and --dhcp-subscrid. To be treated
as hex, the pattern must consist of only hex digits AND contain
at least one ':'. Thanks to Bengt-Erik Sandstrom who tripped
over a pattern consisting of a decimal number which was interpreted
surprisingly.
* Include client address in TFTP file-not-found error reports.
Thanks to Stefan Rink for the initial patch, which has been
re-worked by me (srk). All bugs mine.
* Note in manpage the change in behaviour of -address. This behaviour
actually changed in v2.86, but was undocumented there. From 2.86 on,
(eg) --address=/example.com/1.2.3.4 ONLY applies to A queries. All other
types of query will be sent upstream. Pre 2.86, that would catch the
whole example.com domain and queries for other types would get
a local NODATA answer. The pre-2.86 behaviour is still available,
by configuring --address=/example.com/1.2.3.4 --local=/example.com/
* Fix problem with binding DHCP sockets to an individual interface.
Despite the fact that the system call tales the interface _name_ as
a parameter, it actually, binds the socket to interface _index_.
Deleting the interface and creating a new one with the same name
leaves the socket bound to the old index. (Creating new sockets
always allocates a fresh index, they are not reused). We now
take this behaviour into account and keep up with changing indexes.
* Add --conf-script configuration option.
* Enhance --domain to accept, for instance,
- -domain=net2.thekelleys.org.uk,eth2 so that hosts get a domain
which relects the interface they are attached to in a way which
doesn't require hard-coding addresses. Thanks to Sten Spans for
the idea.
* Fix write-after-free error in DHCPv6 server code.
CVE-2022-0934 refers.
* Add the ability to specify destination port in
DHCP-relay mode. This change also removes a previous bug
where --dhcp-alternate-port would affect the port used
to relay _to_ as well as the port being listened on.
The new feature allows configuration to provide bug-for-bug
compatibility, if required. Thanks to Damian Kaczkowski
for the feature suggestion.
* Bound the value of UDP packet size in the EDNS0 header of
forwarded queries to the configured or default value of
edns-packet-max. There's no point letting a client set a larger
value if we're unable to return the answer. Thanks to Bertie
Taylor for pointing out the problem and supplying the patch.
- drop dnsmasq-CVE-2022-0934.patch, dnsmasq-resolv-conf.patch (upstream)
* Fri Sep 09 2022 Callum Farmer <gmbr3@opensuse.org>
- Ensure the dnsmasq user's group is used
- Remove nogroup requirement
* Wed Jun 08 2022 Callum Farmer <gmbr3@opensuse.org>
- Move the dbus-1 system.d file to /usr (bsc#1200344)
* Tue Apr 05 2022 Reinhard Max <max@suse.com>
- bsc#1197872, CVE-2022-0934, dnsmasq-CVE-2022-0934.patch:
Heap use after free in dhcp6_no_relay
/usr/bin/dhcp_lease_time /usr/bin/dhcp_release /usr/bin/dhcp_release6 /usr/share/man/man1/dhcp_lease_time.1.gz /usr/share/man/man1/dhcp_release.1.gz /usr/share/man/man1/dhcp_release6.1.gz
Generated by rpm2html 1.8.1
Fabrice Bellet, Thu Oct 23 23:06:42 2025