Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

dnsmasq-2.86-lp152.7.9.1 RPM for aarch64

From OpenSuSE Ports Leap 15.2 updates for aarch64

Name: dnsmasq Distribution: openSUSE Leap 15.2
Version: 2.86 Vendor: openSUSE
Release: lp152.7.9.1 Build date: Mon Dec 6 22:12:54 2021
Group: Productivity/Networking/DNS/Servers Build host: obs-arm-10
Size: 1366916 Source RPM: dnsmasq-2.86-lp152.7.9.1.src.rpm
Summary: DNS Forwarder and DHCP Server
Dnsmasq provides network infrastructure for small networks: DNS,
DHCP, router advertisement and network boot.

The DNS subsystem supprots forwarding of all query types, and caching
of common record types, DNSSEC included. The DHCP subsystem supports
DHCPv4, DHCPv6, BOOTP and PXE. RA can be used stand-alone or in
conjunction with DHCPv6.




GPL-2.0-only OR GPL-3.0-only


* Thu Nov 18 2021 Reinhard Max <>
  - bsc#1192529, dnsmasq-resolv-conf.patch:
    Fix a segfault when re-reading an empty resolv.conf
  - Remove "nogroup" membership from the dnsmasq user.
* Wed Oct 20 2021 Callum Farmer <>
  - Use systemd-sysusers from 15.3 onwards
* Thu Sep 23 2021 Reinhard Max <>
  - jsc#SLE-17936: Sync this state from Factory to SLE-15-SP1.
  - SLE bugs that got fixed upstream between 2.79 and 2.86, but for
    which we need to keep references when syncing:
    * bsc#1176076: dnsmasq-servfail.patch
    * bsc#1156543: dnsmasq-siocgstamp.patch
    * bsc#1138743: dnsmasq-cache-size.patch
    * bsc#1076958: CVE-2017-15107, dnsmasq-CVE-2017-15107.patch
    * bsc#1180914: Open inotify socket only when used.
    * removed dnsmasq-dnspooq.patch
  - bsc#1173646, CVE-2020-14312: Set --local-service by default.
* Fri Sep 17 2021 Reinhard Max <>
  - Update to 2.86:
    * Handle DHCPREBIND requests in the DHCPv6 server code.
    * Fix bug which caused dnsmasq to lose track of processes forked
      to handle TCP DNS connections under heavy load.
    * Major rewrite of the DNS server and domain handling code. This
      should be largely transparent, but it drastically improves
      performance and reduces memory foot-print when configuring
      large numbers of domains.
    * Revise resource handling for number of concurrent DNS queries.
    * Improve efficiency of DNSSEC.
    * Connection track mark based DNS query filtering.
    * Allow smaller than 64 prefix lengths in synth-domain, with
    - -synth-domain=1234:4567::/56, is now valid.
    * Make domains generated by --synth-domain appear in replies
      when in authoritative mode.
    * Ensure CAP_NET_ADMIN capability is available when conntrack
      is configured.
    * When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are
      given a directory as argument, define the order in which files
      within that directory are read (alphabetical order of filename).
* Tue Sep 14 2021 Johannes Segitz <>
  - Added hardening to systemd service(s) (bsc#1181400).
* Sun Jun 13 2021 Callum Farmer <>
  - Add now working CONFIG parameter to sysusers generator
* Wed Jun 02 2021 Callum Farmer <>
  - Change to using systemd-sysusers on TW
* Mon Apr 19 2021 Reinhard Max <>
  - Update to 2.85:
    * Fix problem with DNS retries in 2.83/2.84.
    * Tweak sort order of tags in get-version.
    * Avoid treating a --dhcp-host which has an IPv6 address as
      eligible for use with DHCPv4 on the grounds that it has
      no address, and vice-versa.
    * Add --dynamic-host option: A and AAAA records which take their
      network part from the network of a local interface. Useful
      for routers with dynamically prefixes.
    * Teach --bogus-nxdomain and --ignore-address to take an IPv4
    * CVE-2021-3448, bsc#1183709: Use random source ports where
      possible if source addresses/interfaces in use.
    * Change the method of allocation of random source ports for DNS.
    * Scale the size of the DNS random-port pool based on the
      value of the --dns-forward-max configuration.
    * Tweak TFTP code to check sender of all received packets, as
      specified in RFC 1350 para 4.
* Mon Feb 08 2021 Dirk Müller <>
  - update to 2.84:
    * Change HAVE_NETTLEHASH compile-time to HAVE_CRYPTOHASH
    * Tidy initialisation in hash_questions.c
    * Optimise sort_rrset for the case where the RR type
    * Move fd into frec_src
* Wed Jan 27 2021 Callum Farmer <>
  - Fix building with lua54
* Tue Jan 19 2021 Reinhard Max <>
  - Update to 2.83:
    * bsc#1177077: Fixed DNSpooq vulnerabilities
    * Use the values of --min-port and --max-port in outgoing
      TCP connections to upstream DNS servers.
    * Fix a remote buffer overflow problem in the DNSSEC code.
      Any dnsmasq with DNSSEC compiled in and enabled is vulnerable
      to this, referenced by CVE-2020-25681, CVE-2020-25682,
      CVE-2020-25683 CVE-2020-25687.
    * Be sure to only accept UDP DNS query replies at the address
      from which the query was originated. This keeps as much
      entropy in the {query-ID, random-port} tuple as possible, to
      help defeat cache poisoning attacks. Refer: CVE-2020-25684.
    * Use the SHA-256 hash function to verify that DNS answers
      received are for the questions originally asked. This replaces
      the slightly insecure SHA-1 (when compiled with DNSSEC) or
      the very insecure CRC32 (otherwise). Refer: CVE-2020-25685
    * Handle multiple identical near simultaneous DNS queries better.
      Previously, such queries would all be forwarded independently.
      This is, in theory, inefficent but in practise not a problem,
      _except_ that is means that an answer for any of the forwarded
      queries will be accepted and cached.
      An attacker can send a query multiple times, and for each
      repeat, another {port, ID} becomes capable of accepting the
      answer he is sending in the blind, to random IDs and ports.
      The chance of a succesful attack is therefore multiplied by the
      number of repeats of the query. The new behaviour detects
      repeated queries and merely stores the clients sending repeats
      so that when the first query completes, the answer can be sent
      to all the clients who asked. Refer: CVE-2020-25686.
* Tue Jul 28 2020 Martin Rey <>
  - Update to 2.82:
    * Improve behaviour in the face of network interfaces which come
      and go and change index.
    * Convert hard startup failure on NETLINK_NO_ENOBUFS under
      qemu-user to a warning.
    * Allow IPv6 addresses ofthe form [::ffff:] in
    - -dhcp-option.
    * Fix crash under heavy TCP connection load introduced in 2.81.
    * Change default lease time for DHCPv6 to one day.
    * Alter calculation of preferred and valid times in router
      advertisements, so that these do not have a floor applied of
      the lease time in the dhcp-range if this is not explicitly
      specified and is merely the default.
  - Reformat spec file with spec-cleaner
* Tue May 05 2020 Paolo Stivanin <>
  - Update to 2.81:
    * Improve cache behaviour for TCP connections
    * Remove the NO_FORK compile-time option, and support for uclinux
    * Fix line-counting when reading /etc/hosts and friends
    * Fix bug in DNS non-terminal code, added in 2.80, which could
    sometimes cause a NODATA rather than an NXDOMAIN reply.
    * Support TCP-fastopen (RFC-7413) on both incoming and
    outgoing TCP connections, if supported and enabled in the OS.
    * Improve kernel-capability manipulation code under Linux
    * Add --shared-network config. This enables allocation of addresses
    by the DHCP server in subnets where the server (or relay) does not
    have an interface on the network in that subnet. Many thanks to for sponsoring this feature.
    * Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet
    validation check got borked in commit 2b38e382 and release 2.80.
    Thanks to Tomasz Szajner for spotting this.
    * Fix compilation against nettle version 3.5 and later.
    * Fix spurious DNSSEC validation failures when the auth section
    of a reply contains unsigned RRs from a signed zone,
    with the exception that NSEC and NSEC3 RRs must always be signed.
      Thanks to Tore Anderson for spotting and diagnosing the bug.
    * Add --dhcp-ignore-clid. This disables reading of DHCP client
    identifier option (option 61), so clients are only identified by
    MAC addresses.
    * Fix a bug which stopped --dhcp-name-match from working when a hostname
    is supplied in --dhcp-host. Thanks to James Feeney for spotting this.
    * Fix bug which caused very rarely caused zero-length DHCPv6 packets.
    Thanks to Dereck Higgins for spotting this.
    * Add --tftp-single-port option.
    * Enhance --conf-dir to load files in a deterministic order
    * Add filtering by tag of --dhcp-host directives
    * Remove DSA signature verification from DNSSEC, as specified in
    RFC 8624
    * Add --script-on-renewal option.
  - Remove Fix-build-with-libnettle-3.5.patch
  - Remove 0001-fix-build-after-y2038-changes-in-glibc.patch
  - Remove dnsmasq-CVE-2019-14834.patch
* Sat Nov 30 2019 Dominique Leuenberger <>
  - Remove redundant %else without meaning (if/else/else/endif?)
* Wed Nov 13 2019 Reinhard Max <>
  - bsc#1154849, CVE-2019-14834, dnsmasq-CVE-2019-14834.patch:
    memory leak in the create_helper() function in /src/helper.c
  - bsc#1143454: Require user(tftp) instead of creating it ourselves.
  - Package contrib/lease-tools/dhcp_release6.
  - bsc#1152539: include config files from /etc/dnsmasq.d/*.conf .
* Wed Sep 04 2019 Stefan Brüns <>
  - Add Fix-build-with-libnettle-3.5.patch
* Tue Jul 23 2019
  - removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
    firewalld, see [1].
* Wed Jul 10 2019 Jiri Slaby <>
  - add 0001-fix-build-after-y2038-changes-in-glibc.patch
* Tue Jun 11 2019 Dominique Leuenberger <>
  - BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to
    shortcut the build queues by allowing usage of systemd-mini
* Fri Feb 22 2019 Franck Bui <>
  - Drop use of $FIRST_ARG in .spec
    The use of $FIRST_ARG was probably required because of the
    %service_* rpm macros were playing tricks with the shell positional
    parameters. This is bad practice and error prones so let's assume
    that no macros should do that anymore and hence it's safe to assume
    that positional parameters remains unchanged after any rpm macro
* Wed Jan 23 2019 Cristian Rodríguez <>
  - libidn should not be used anymore, switch to libidn2
* Mon Oct 22 2018 Jan Engelhardt <>
  - Ensure neutrality of descriptions. / Replace description with
    new upstream description.
  - Do not hide failures from user/group additions.
  - Replace old $RPM_* shell vars by macros.
* Sun Oct 21 2018
  - Updated to dnsmasq 2.80
    * Add support for RFC 4039 DHCP rapid commit
    * Alter the default for dnssec-check-unsigned
    * Fix DHCP when --no-ping and --dhcp-sequential-ip are set
    * Allow zone transfer in authoritative mode if auth-peer is specified
    * FIx missing fatal errors with some malformed options
    * Fix crash on startup with a --synth-domain which has no prefix
* Fri Oct 19 2018
  - enabled lua scripting interface (FATE#327143).
* Wed Aug 29 2018
  - add missing prereq on the group to be created (bsc#1106446)
* Mon Jul 16 2018
  - Don't require systemd explicit, fix spec file to handle both
    cases correct. In containers we don't have systemd.
  - Adjust pre/post install for transactional updates.
  - Use %license instead of %doc [bsc#1082318]
* Mon Dec 04 2017
  - Update keyring
* Fri Dec 01 2017
  - Get rid of python dependency due to examples. (fate#323526)
* Mon Oct 02 2017
  - Security update to version 2.78:
    * bsc#1060354, CVE-2017-14491: 2 byte heap based overflow.
    * bsc#1060355, CVE-2017-14492: heap based overflow.
    * bsc#1060360, CVE-2017-14493: stack based overflow.
    * bsc#1060361, CVE-2017-14494: DHCP - info leak.
    * bsc#1060362, CVE-2017-14495: DNS - OOM DoS.
    * bsc#1060364, CVE-2017-14496: DNS - DoS Integer underflow.
    * Fix DHCP relaying, broken in 2.76 and 2.77.
    * For other changes, see
  - Obsoleted patches:
    * Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch
    * Handle-binding-upstream-servers-to-an-interface.patch
* Tue Sep 12 2017
  - Fix /srv/tftpboot permissions wrt bsc#940608
* Fri Aug 18 2017
  - reload system dbus to pick up policy change on install (bsc#1054429)
* Wed Jan 04 2017
  - Handle binding upstream servers to an interface if interface
    is destroyed and recreated (boo#1018160)
    Added two patches from upstream:
    * added Handle-binding-upstream-servers-to-an-interface.patch
    * added Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch
* Wed Aug 03 2016
  - Update to 2.76:
    * Include in DNS rebind checks.
    * Enhance --add-subnet to allow arbitrary subnet addresses.
    * Respect the --no-resolv flag in inotify code. Fixes bug
      which caused dnsmasq to fail to start if a resolv-file
      was a dangling symbolic link, even of --no-resolv set.
    * Fix crash when an A or AAAA record is defined locally,
      in a hosts file, and an upstream server sends a reply
      that the same name is empty (CVE-2015-8899, bsc#983273).
    * Fix failure to correctly calculate cache-size when reading a
      hosts-file fails.
    * Fix wrong answer to simple name query when --domain-needed
      set, but no upstream servers configured.
    * Return REFUSED when running out of forwarding table slots,
      not SERVFAIL.
    * Add --max-port configuration.
    * Add --script-arp and two new functions for the dhcp-script.
    * Extend --add-mac to allow a new encoding of the MAC address
      as base64, by configurting --add-mac=base64
    * Add --add-cpe-id option.
    * Don't crash with divide-by-zero if an IPv6 dhcp-range is
      declared as a whole /64.
      (ie xx::0 to xx::ffff:ffff:ffff:ffff)
    * Add support for a TTL parameter in --host-record and --cname.
    * Add --dhcp-ttl option.
    * Add --tftp-mtu option.
    * Check return-code of inet_pton() when parsing dhcp-option.
    * Fix wrong value for EDNS UDP packet size when using
    - -servers-file to define upstream DNS servers.
    * Add dhcp_release6 to contrib/lease-tools.
* Thu Jun 16 2016
  - dnsmasq-groups.patch: Initialize the supplementary groups of the
    dnsmasq user (bsc#859298).
* Tue Feb 02 2016
  - Add gpg signature
* Mon Aug 24 2015
  - spec file cleanup, get rid of redifinition warnings
* Tue Aug 11 2015
  - Update to 2.75, announce message:
      Fix reversion on 2.74 which caused 100% CPU use when a
      dhcp-script is configured. Thanks to Adrian Davey for
      reporting the bug and testing the fix.
  - Update to 2.74, announce message:
      Fix reversion in 2.73 where --conf-file would attempt to
      read the default file, rather than no file.
      Fix inotify code to handle dangling symlinks better and
      not SEGV in some circumstances.
      DNSSEC fix. In the case of a signed CNAME generated by a
      wildcard which pointed to an unsigned domain, the wrong
      status would be logged, and some necessary checks omitted.
  - Update to 2.73, announce message:
      Fix crash at startup when an empty suffix is supplied to
    - -conf-dir, also trivial memory leak. Thanks to
      Tomas Hozza for spotting this.
      Remove floor of 4096 on advertised EDNS0 packet size when
      DNSSEC in use, the original rationale for this has long gone.
      Thanks to Anders Kaseorg for spotting this.
      Use inotify for checking on updates to /etc/resolv.conf and
      friends under Linux. This fixes race conditions when the files are
      updated rapidly and saves CPU by noy polling. To build
      a binary that runs on old Linux kernels without inotify,
      use make COPTS=-DNO_INOTIFY
      Fix breakage of --domain=<domain>,<subnet>,local - only reverse
      queries were intercepted. THis appears to have been broken
      since 2.69. Thanks to Josh Stone for finding the bug.
      Eliminate IPv6 privacy addresses and deprecated addresses from
      the answers given by --interface-name. Note that reverse queries
      (ie looking for names, given addresses) are not affected.
      Thanks to Michael Gorbach for the suggestion.
      Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids
      for the bug report.
      Add --ignore-address option. Ignore replies to A-record
      queries which include the specified address. No error is
      generated, dnsmasq simply continues to listen for another
      reply. This is useful to defeat blocking strategies which
      rely on quickly supplying a forged answer to a DNS
      request for certain domains, before the correct answer can
      arrive. Thanks to Glen Huang for the patch.
      Revisit the part of DNSSEC validation which determines if an
      unsigned answer is legit, or is in some part of the DNS
      tree which should be signed. Dnsmasq now works from the
      DNS root downward looking for the limit of signed
      delegations, rather than working bottom up. This is
      both more correct, and less likely to trip over broken
      nameservers in the unsigned parts of the DNS tree
      which don't respond well to DNSSEC queries.
      Add --log-queries=extra option, which makes logs easier
      to search automatically.
      Add --min-cache-ttl option. I've resisted this for a long
      time, on the grounds that disbelieving TTLs is never a
      good idea, but I've been persuaded that there are
      sometimes reasons to do it. (Step forward, GFW).
      To avoid misuse, there's a hard limit on the TTL
      floor of one hour. Thansk to RinSatsuki for the patch.
      Cope with multiple interfaces with the same link-local
      address. (IPv6 addresses are scoped, so this is allowed.)
      Thanks to Cory Benfield for help with this.
      Add --dhcp-hostsdir. This allows addition of new host
      configurations to a running dnsmasq instance much more
      cheaply than having dnsmasq re-read all its existing
      configuration each time.
      Don't reply to DHCPv6 SOLICIT messages if we're not
      configured to do stateful DHCPv6. Thanks to Win King Wan
      for the patch.
      Fix broken DNSSEC validation of ECDSA signatures.
      Add --dnssec-timestamp option, which provides an automatic
      way to detect when the system time becomes valid after
      boot on systems without an RTC, whilst allowing DNS
      queries before the clock is valid so that NTP can run.
      Thanks to Kevin Darbyshire-Bryant for developing this idea.
      Add --tftp-no-fail option. Thanks to Stefan Tomanek for
      the patch.
      Fix crash caused by looking up servers.bind, CHAOS text
      record, when more than about five --servers= lines are
      in the dnsmasq config. This causes memory corruption
      which causes a crash later. Thanks to Matt Coddington for
      sterling work chasing this down.
      Fix crash on receipt of certain malformed DNS requests.
      Thanks to Nick Sampanis for spotting the problem.
      Note that this is could allow the dnsmasq process's
      memory to be read by an attacker under certain
      circumstances, so it has a CVE, CVE-2015-3294
      Fix crash in authoritative DNS code, if a .arpa zone
      is declared as authoritative, and then a PTR query which
      is not to be treated as authoritative arrived. Normally,
      directly declaring .arpa zone as authoritative is not
      done, so this crash wouldn't be seen. Instead the
      relevant .arpa zone should be specified as a subnet
      in the auth-zone declaration. Thanks to Johnny S. Lee
      for the bugreport and initial patch.
      Fix authoritative DNS code to correctly reply to NS
      and SOA queries for .arpa zones for which we are
      declared authoritative by means of a subnet in auth-zone.
      Previously we provided correct answers to PTR queries
      in such zones (including NS and SOA) but not direct
      NS and SOA queries. Thanks to Johnny S. Lee for
      pointing out the problem.
      Fix logging of DHCPREPLY which should be suppressed
      by quiet-dhcp6. Thanks to J. Pablo Abonia for
      spotting the problem.
      Try and handle net connections with broken fragmentation
      that lose large UDP packets. If a server times out,
      reduce the maximum UDP packet size field in the EDNS0
      header to 1280 bytes. If it then answers, make that
      change permanent.
      Check IPv4-mapped IPv6 addresses when --stop-rebind
      is active. Thanks to Jordan Milne for spotting this.
      Allow DHCPv4 options T1 and T2 to be set using --dhcp-option.
      Thanks to Kevin Benton for patches and work on this.
      Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses
      in the correct subnet, even of not in dynamic address
      allocation range. Thanks to Steve Hirsch for spotting
      the problem.
      Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks
      to Nicolas Cavallari for the patch.
      Allow configuration of router advertisements without the
      "on-link" bit set. Thanks to Neil Jerram for the patch.
      Extend --bridge-interface to DHCPv6 and router
      advertisements. Thanks to Neil Jerram for the patch.
* Wed Jun 17 2015
  - dnsmasq.service: Order  and as this service may provide
    name resolution even for the localhost.
* Mon Apr 20 2015
  - Move trust-anchors.conf into /etc/dnsmasq.d to be AppArmor conform.
* Tue Jan 06 2015
  - The change from Wed Dec 24 messed group w/ user IDs. Switch them
    back and be more careful w/ what is changed.
* Mon Dec 29 2014
  - Fix symlink of rcFOO to /usr/sbin/service, resolving a dangling
    symlink lint warning (and remove the same from rpmlintrc).
* Thu Dec 25 2014
  - Remove from spec group_and_isc.patch, forgotten in previous commit
* Wed Dec 24 2014
  - Update to 2.72, announce message:
      Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
      Add support for "ipsets" in *BSD, using pf. Thanks to
      Sven Falempim for the patch.
      Fix race condition which could lock up dnsmasq when an
      interface goes down and up rapidly. Thanks to Conrad
      Kostecki for helping to chase this down.
      Add DBus methods SetFilterWin2KOption and SetBogusPrivOption
      Thanks to the Smoothwall project for the patch.
      Fix failure to build against Nettle-3.0. Thanks to Steven
      Barth for spotting this and finding the fix.
      When assigning existing DHCP leases to intefaces by comparing
      networks, handle the case that two or more interfaces have the
      same network part, but different prefix lengths (favour the
      longer prefix length.) Thanks to Lung-Pin Chang for the
      Add a mode which detects and removes DNS forwarding loops, ie
      a query sent to an upstream server returns as a new query to
      dnsmasq, and would therefore be forwarded again, resulting in
      a query which loops many times before being dropped. Upstream
      servers which loop back are disabled and this event is logged.
      Thanks to Smoothwall for their sponsorship of this feature.
      Extend --conf-dir to allow filtering of files. So
    - -conf-dir=/etc/dnsmasq.d,\*.conf
      will load all the files in /etc/dnsmasq.d which end in .conf
      Fix bug when resulted in NXDOMAIN answers instead of NODATA in
      some circumstances.
      Fix bug which caused dnsmasq to become unresponsive if it
      failed to send packets due to a network interface disappearing.
      Thanks to Niels Peen for spotting this.
      Fix problem with --local-service option on big-endian platforms
      Thanks to Richard Genoud for the patch.
  - Add dnsmasq-rpmlintrc, for false positive scripts and symlink
  - Add BuildRequires for dos2unix
  - Use sed instead of simple patch group_and_isc.patch
* Sun Nov 09 2014
  - fix logging, PrivateDevices=yes kills it (bnc#902511, bnc#904537)



Generated by rpm2html 1.8.1

Fabrice Bellet, Mon May 9 14:43:54 2022