./net/dnsmasq, Lightweight, easy to configure DNS forwarder

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 2.78, Package name: dnsmasq-2.78, Maintainer: pkgsrc-users

Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP
server. It is designed to provide DNS and, optionally, DHCP, to a
small network. It can serve the names of local machines which are not
in the global DNS. The DHCP server integrates with the DNS server and
allows machines with DHCP-allocated addresses to appear in the DNS
with names configured either in each host or in a central
configuration file. Dnsmasq supports static and dynamic DHCP leases
and BOOTP for network booting of diskless machines.



Package options: inet6

Master sites:

SHA1: 07d452c0a18637a9d4e2751e57971b493631bb23
RMD160: a724387aeb5ea46080b85caac6bddc9bb04a5814
Filesize: 477.707 KB

Version history: (Expand)


CVS history: (Expand)


   2017-10-24 03:04:19 by Pierre Pronchery | Files touched by this commit (1)
Log message:
Add support for LDFLAGS

This notably fixes building with RELRO enabled.
   2017-10-02 17:50:55 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
dnsmasq: update to 2.78.

version 2.78
        Fix logic of appending ".<layer>" to PXE basename. \ 
Thanks to Chris
	Novakovic for the patch.

	Revert ping-check of address in DHCPDISCOVER if there
	already exists a lease for the address. Under some
	circumstances, and netbooted windows installation can reply
	to pings before if has a DHCP lease and block allocation
	of the address it already used during netboot. Thanks to
	Jan Psota for spotting this.

	Fix DHCP relaying, broken in 2.76 and 2.77 by commit
	ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to
	John Fitzgibbon for the diagnosis and patch.

        Try other servers if first returns REFUSED when
	--strict-order active. Thanks to Hans Dedecker
	for the patch

	Fix regression in 2.77, ironically added as a security
	improvement, which resulted in a crash when a DNS
	query exceeded 512 bytes (or the EDNS0 packet size,
	if different.) Thanks to Christian Kujau, Arne Woerner
	Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
	chasing this one down.  CVE-2017-13704 applies.

	Fix heap overflow in DNS code. This is a potentially serious
	security hole. It allows an attacker who can make DNS
	requests to dnsmasq, and who controls the contents of
	a domain, which is thereby queried, to overflow
	(by 2 bytes) a heap buffer and either crash, or
	even take control of, dnsmasq.
	CVE-2017-14491 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix heap overflow in IPv6 router advertisement code.
	This is a potentially serious security hole, as a
	crafted RA request can overflow a buffer and crash or
	control dnsmasq. Attacker must be on the local network.
	CVE-2017-14492 applies.
        Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	and Kevin Hamacher of the Google Security Team for
	finding this.

	Fix stack overflow in DHCPv6 code. An attacker who can send
	a DHCPv6 request to dnsmasq can overflow the stack frame and
	crash or control dnsmasq.
	CVE-2017-14493 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix information leak in DHCPv6. A crafted DHCPv6 packet can
	cause dnsmasq to forward memory from outside the packet
	buffer to a DHCPv6 server when acting as a relay.
	CVE-2017-14494 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix DoS in DNS. Invalid boundary checks in the
	add_pseudoheader function allows a memcpy call with negative
	size An attacker which can send malicious DNS queries
	to dnsmasq can trigger a DoS remotely.
	dnsmasq is vulnerable only if one of the following option is
	specified: --add-mac, --add-cpe-id or --add-subnet.
	CVE-2017-14496 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.

	Fix out-of-memory Dos vulnerability. An attacker which can
	send malicious DNS queries to dnsmasq can trigger memory
	allocations in the add_pseudoheader function
	The allocated memory is never freed which leads to a DoS
	through memory exhaustion. dnsmasq is vulnerable only
	if one of the following option is specified:
	--add-mac, --add-cpe-id or --add-subnet.
	CVE-2017-14495 applies.
	Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
	Kevin Hamacher and Ron Bowes of the Google Security Team for
	finding this.
   2017-06-02 10:37:49 by Adam Ciarcinski | Files touched by this commit (5)
Log message:
version 2.77
	    Generate an error when configured with a CNAME loop,
	    rather than a crash. Thanks to George Metz for
	    spotting this problem.

	    Calculate the length of TFTP error reply packet
	    correctly. This fixes a problem when the error
	    message in a TFTP packet exceeds the arbitrary
	    limit of 500 characters. The message was correctly
	    truncated, but not the packet length, so
	    extra data was appended. This is a possible
	    security risk, since the extra data comes from
	    a buffer which is also used for DNS, so that
	    previous DNS queries or replies may be leaked.

	    Fix logic error in Linux netlink code. This could
	    cause dnsmasq to enter a tight loop on systems
	    with a very large number of network interfaces.

	    Fix problem with --dnssec-timestamp whereby receipt
	    of SIGHUP would erroneously engage timestamp checking.

	    Bump zone serial on reloading /etc/hosts and friends
	    when providing authoritative DNS.

	    Handle v4-mapped IPv6 addresses sanely in --synth-domain.
	    These have standard representation like ::ffff:1.2.3.4
	    and are now converted to names like
	    <prefix>--ffff-1-2-3-4.<domain>

	    Handle binding upstream servers to an interface
	    (--server=1.2.3.4@eth0) when the named interface
	    is destroyed and recreated in the kernel.

	    Allow wildcard CNAME records in authoritative zones.
	    For example --cname=*.example.com,default.example.com

more...
   2017-03-21 10:18:15 by Filip Hajny | Files touched by this commit (2)
Log message:
Fix build on SunOS with IPv6.
   2016-11-08 12:59:05 by Makoto Fujiwara | Files touched by this commit (3) | Package updated
Log message:
Updated net/dnsmasq to 2.76
---------------------------
version 2.76
            Include 0.0.0.0/8 in DNS rebind checks. This range
	    translates to hosts on  the local network, or, at
	    least, 0.0.0.0 accesses the local host, so could
	    be targets for DNS rebinding. See RFC 5735 section 3
	    for details. Thanks to Stephen R旦ttger for the bug report.

	    Enhance --add-subnet to allow arbitrary subnet addresses.
            Thanks to Ed Barsley for the patch.

	    Respect the --no-resolv flag in inotify code. Fixes bug
	    which caused dnsmasq to fail to start if a resolv-file
	    was a dangling symbolic link, even of --no-resolv set.
	    Thanks to Alexander Kurtz for spotting the problem.

	    Fix crash when an A or AAAA record is defined locally,
	    in a hosts file, and an upstream server sends a reply
	    that the same name is empty. Thanks to Edwin T旦r旦k for
	    the patch.

	    Fix failure to correctly calculate cache-size when
	    reading a hosts-file fails. Thanks to Andr辿 Gl端pker
	    for the patch.

	    Fix wrong answer to simple name query when --domain-needed
	    set, but no upstream servers configured. Dnsmasq returned
	    REFUSED, in this case, when it should be the same as when
	    upstream servers are configured - NOERROR. Thanks to
	    Allain Legacy for spotting the problem.

	    Return REFUSED when running out of forwarding table slots,
	    not SERVFAIL.

            Add --max-port configuration. Thanks to Hans Dedecker for
	    the patch.

	    Add --script-arp and two new functions for the dhcp-script.
	    These are "arp" and "arp-old" which announce the arrival and
	    removal of entries in the ARP or nieghbour tables.

	    Extend --add-mac to allow a new encoding of the MAC address
	    as base64, by configurting --add-mac=base64

	    Add --add-cpe-id option.

            Don't crash with divide-by-zero if an IPv6 dhcp-range
	    is declared as a whole /64.
	    (ie xx::0 to xx::ffff:ffff:ffff:ffff)
	    Thanks to Laurent Bendel for spotting this problem.

	    Add support for a TTL parameter in --host-record and
	    --cname.

	    Add --dhcp-ttl option.

	    Add --tftp-mtu option. Thanks to Patrick McLean for the
	    initial patch.

	    Check return-code of inet_pton() when parsing dhcp-option.
	    Bad addresses could fail to generate errors and result in
	    garbage dhcp-options being sent. Thanks to Marc Branchaud
	    for spotting this.

	    Fix wrong value for EDNS UDP packet size when using
	    --servers-file to define upstream DNS servers. Thanks to
	    Scott Bonar for the bug report.

	    Move the dhcp_release and dhcp_lease_time tools from
	    contrib/wrt to contrib/lease-tools.

	    Add dhcp_release6 to contrib/lease-tools. Many thanks
	    to Sergey Nechaev for this code.

	    To avoid filling logs in configurations which define
	    many upstream nameservers, don't log more that 30 servers.
	    The number to be logged can be changed as SERVERS_LOGGED
	    in src/config.h.

	    Swap the values if BC_EFI and x86-64_EFI in --pxe-service.
	    These were previously wrong due to an error in RFC 4578.
	    If you're using BC_EFI to boot 64-bit EFI machines, you
	    will need to update your config.

	    Add ARM32_EFI and ARM64_EFI as valid architectures in
	    --pxe-service.

            Fix PXE booting for UEFI architectures. Modify PXE boot
	    sequence in this case to force the client to talk to dnsmasq
	    over port 4011. This makes PXE and especially proxy-DHCP PXE
	    work with these archictectures.

	    Workaround problems with UEFI PXE clients. There exist
	    in the wild PXE clients which have problems with PXE
	    boot menus. To work around this, when there's a single
	    --pxe-service which applies to client, then that target
	    will be booted directly, rather then sending a
	    single-item boot menu.

            Many thanks to Jarek Polok, Michael Kuron and Dreamcat4
	    for their work on the long-standing UEFI PXE problem.

	    Subtle change in the semantics of "basename" in
	    --pxe-service. The historical behaviour has always been
	    that the actual filename downloaded from the TFTP server
	    is <basename>.<layer> where <layer> is an integer which
	    corresponds to the layer parameter supplied by the client.
	    It's not clear what the function of the "layer"
	    actually is in the PXE protocol, and in practise layer
	    is always zero, so the filename is <basename>.0
	    The new behaviour is the same as the old, except when
	    <basename> includes a file suffix, in which case
	    the layer suffix is no longer added. This allows
	    sensible suffices to be used, rather then the
	    meaningless ".0". Only in the unlikely event that you
	    have a config with a basename which already has a
	    suffix, is this an incompatible change, since the file
	    downloaded will change from name.suffix.0 to justy
	    name.suffix
   2016-06-08 12:02:27 by Jonathan Perkin | Files touched by this commit (44)
Log message:
Change the service_bundle name to "export" to reduce diffs between the
original manifest.xml file and the output from "svccfg export".
   2016-02-25 17:20:53 by Jonathan Perkin | Files touched by this commit (47)
Log message:
Use OPSYSVARS.
   2015-11-04 01:35:47 by Alistair G. Crooks | Files touched by this commit (748)
Log message:
Add SHA512 digests for distfiles for net category

Problems found with existing digests:
	Package haproxy distfile haproxy-1.5.14.tar.gz
	159f5beb8fdc6b8059ae51b53dc935d91c0fb51f [recorded]
	da39a3ee5e6b4b0d3255bfef95601890afd80709 [calculated]

Problems found locating distfiles:
	Package bsddip: missing distfile bsddip-1.02.tar.Z
	Package citrix_ica: missing distfile citrix_ica-10.6.115659/en.linuxx86.tar.gz
	Package djbdns: missing distfile djbdns-1.05-test25.diff.bz2
	Package djbdns: missing distfile djbdns-cachestats.patch
	Package djbdns: missing distfile 0002-dnscache-cache-soa-records.patch
	Package gated: missing distfile gated-3-5-11.tar.gz
	Package owncloudclient: missing distfile owncloudclient-2.0.2.tar.xz
	Package poink: missing distfile poink-1.6.tar.gz
	Package ra-rtsp-proxy: missing distfile rtspd-src-1.0.0.0.tar.gz
	Package ucspi-ssl: missing distfile ucspi-ssl-0.70-ucspitls-0.1.patch
	Package waste: missing distfile waste-source.tar.gz

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.