| Commit message | Author | Age | Files | Lines |
| |
- Remove duplicate variables
- Remove nop variables
- Sort categories
- Remove redundant option descriptions that match the default ones
Reported by: portscan
| |
Changelog:
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob_plain;f=CHANGELOG;hb=v2.85
Configurations where server lines contain a @ character,
f.i. server=1.1.1.1@em0 or server=1.1.1.1@192.0.2.1, disabled
source port randomization, making cache poisoning attacks possible.
v2.85 mitigates this.
MFH: 2021Q2
Security: CVE-2021-3448
Security: 5b72b1ff-877c-11eb-bd4f-2f1d57dafe46 (VuXML)
| |
This is to fix a port randomization flaw that subjects dnsmasq to a cache poisoning attack.
ChangeLog:
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=CHANGELOG;h=155fc966f9542259596b41594f4b85775d1f9c9a;hb=023ace8e54c2e83e88082a1073a281d659f2a860#l1
Add CONFLICTS_INSTALL markers.
Security: CVE-2021-3448
Security: 5b72b1ff-877c-11eb-bd4f-2f1d57dafe46
Notes:
svn path=/head/; revision=568702
| |
Upstream blessed v2.84 rc2 (which 2.83_1 effectively already was)
into v2.84 release, so take it (and patch the upstream bug of
leaving "rc2" in the version out).
MFH: 2021Q1 (regression fixes for security fix release)
Notes:
svn path=/head/; revision=562980
| |
Apparently there are situations where dnsmasq 2.83 can confuse
its peers or sockets, and the upstream Git contains fixes for them.
These four fixes essentially take dnsmasq to 2.84test3.
Obtained from: Simon Kelley <simon@thekelleys.org.uk>'s Git repository
Notes:
svn path=/head/; revision=562461
| |
CHANGELOG of version 2.83:
Use the values of --min-port and --max-port in outgoing
TCP connections to upstream DNS servers.
Fix a remote buffer overflow problem in the DNSSEC code. Any
dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683,
CVE-2020-25687.
Be sure to only accept UDP DNS query replies at the address
from which the query was originated. This keeps as much entropy
in the {query-ID, random-port} tuple as possible, to help defeat
cache poisoning attacks. Refer: CVE-2020-25684.
Use the SHA-256 hash function to verify that DNS answers
received are for the questions originally asked. This replaces
the slightly insecure SHA-1 (when compiled with DNSSEC) or
the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
Handle multiple identical near simultaneous DNS queries better.
Previously, such queries would all be forwarded
independently. This is, in theory, inefficient but in practise
not a problem, _except_ that it means that an answer for any
of the forwarded queries will be accepted and cached.
An attacker can send a query multiple times, and for each repeat,
another {port, ID} becomes capable of accepting the answer he is
sending in the blind, to random IDs and ports. The chance of a
successful attack is therefore multiplied by the number of repeats
of the query. The new behaviour detects repeated queries and
merely stores the clients sending repeats so that when the
first query completes, the answer can be sent to all the
clients who asked. Refer: CVE-2020-25686.
MFH: 2021Q1
Security: 5b5cf6e5-5b51-11eb-95ac-7f9491278677
Security: CVE-2020-25684
Security: CVE-2020-25685
Security: CVE-2020-25686
Security: CVE-2020-25681
Security: CVE-2020-25682
Security: CVE-2020-25683
Security: CVE-2020-25687
Notes:
svn path=/head/; revision=562154
| |
Quoting Simon Kelley "This fixes a nasty problem
introduced in 2.81 which causes random crashes on systems where there's
significant DNS activity over TCP. It also fixes DNSSEC validation
problems with zero-TTL DNSKEY and DS records."
Changelog:
<http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=CHANGELOG;h=e6a223119ffcd9ead6cb15153cd49bd3c61e114f;hb=f60fea1fb0a288011f57a25dfb653b8f6f8b46b9#l1>
MFH: 2020Q3 (regression and bug fixes)
Notes:
svn path=/head/; revision=542600
| |
Notes:
svn path=/head/; revision=535391
| |
The pkg-message contains a security note that is necessary on
new installs and on updates alike.
Since per the porter's handbook, the UCL does not support enumeration
of types, and this is not relevant on removal, the UCL change must be
reverted. While here, remove formatting.
Failure inducing commit:
|------------------------------------------------------------------------
|r508835 | mat | 2019-08-13 18:01:59 +0200 (Tue, 13 Aug 2019) | 2 lines
|
|Convert to UCL & cleanup pkg-message (categories d)
|
|------------------------------------------------------------------------
NOTE: The UCL conversion of files/pkg-message.in was not authorized
and damaging and no heads-up was sent to the maintainer.
portmgr@ MUST act more carefully with sweeping changes and hand them out
for review first.
Notes:
svn path=/head/; revision=531475
| |
Update dns/dnsmasq to the new upstream version 2.81.
The Makefile has been rearranged with portfmt, except the
LDFLAGS+=..._intllibs... line that portfmt does not recognize.
Changelog:
<http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=CHANGELOG;h=60b08d015b2d5a979f39b8ad43633b419135cb64;hb=7ddb99d251c3f5870c8c308a98bb8f283c831872#l1>
(or see CHANGELOG in the package)
Unlink dnsmasq-devel from the build, but keep the sources,
and mark it IGNORE and list dnsmasq-devel in MOVED.
Notes:
svn path=/head/; revision=531473
| |
Reported by: swills@ (IRC)
Notes:
svn path=/head/; revision=526921
| |
Add a patch taken from upstream. Tested successfully on 11.3-RELEASE amd64.
The upstream fix is an extended version of a fix proposed by
Dave Mueller in the PR.
See also:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q4/013412.html
PR: 241068
Reported by: Phil Chadwick
Obtained from: Simon Kelley, http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=936bd82755e8f75fc09c1e9a67fb390175b157d4
MFH: 2019Q4
Notes:
svn path=/head/; revision=514404
| |
Notes:
svn path=/head/; revision=514130
| |
- Bump PORTREVISION of dependent ports for shlib change
- Fix build of devel/pijul [1]
Changes: https://git.lysator.liu.se/nettle/nettle/blob/master/NEWS
PR: 238991
Exp-run by: antoine
Thanks to: tobik [1]
Notes:
svn path=/head/; revision=506289
| |
- Bump PORTREVISION of dependent ports for shlib change
Changes: https://gitlab.com/libidn/libidn2/blob/master/NEWS
Notes:
svn path=/head/; revision=492534
| |
- Bump PORTREVISION of dependent ports for shlib change
Changes: https://gitlab.com/libidn/libidn2/blob/master/NEWS
Notes:
svn path=/head/; revision=489529
| |
Security: the installed example configuration file shows a way of
disabling WPAD hijacking, but leaves it commented out. Extend pkg-message.
Changelog: <http://thekelleys.org.uk/dnsmasq/CHANGELOG>
Since installing v2.80 isn't a fix against the vulnerability, and fixing
it needs administrator intervention on upgrades, I am not marking this in
vuxml for now, since we'd need to mark v2.80 vulnerable, too.
MFH: 2018Q4
Security: CERT VU#598349
Notes:
svn path=/head/; revision=482439
| |
Note there are a few incompatible changes. For details, please see the...
Changelog: <http://thekelleys.org.uk/dnsmasq/CHANGELOG>
Notes:
svn path=/head/; revision=465034
| |
PR: 222739
Approved by: ports-secteam
MFH: 2017Q4
Security: b77b5646-a778-11e7-ac58-b499baebfeaf
Notes:
svn path=/head/; revision=451095
| |
Regression in v2.77 caused by a patch proposed by yours truly.
Reported by: Steven Shiau (via upstream dnsmasq-discuss mailing list)
Obtained from: Chris Novakovich and Simon Kelley
Pointyhat to: mandree@
Notes:
svn path=/head/; revision=442888
| |
Changelog: <http://thekelleys.org.uk/dnsmasq/CHANGELOG>
Notes:
svn path=/head/; revision=442303
| |
Related to:
PR: 217900
Notes:
svn path=/head/; revision=436661
| |
This adds a new ports option, IPSET, defaulting to on.
Use the opportunity to use the options helpers OPT_CFLAGS[_OFF] on the
trivial options.
PR: 217900
Submitted by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
Notes:
svn path=/head/; revision=436660
| |
Submitted by: emaste@
Differential Revision: https://reviews.freebsd.org/D7881
Notes:
svn path=/head/; revision=433702
| |
by default anyway and don't need to be listed
Approved by: portmgr blanket
Notes:
svn path=/head/; revision=415742
| |
The upstream maintainer's change log is here, and in the installed
CHANGELOG file:
<http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob_plain;f=CHANGELOG;hb=v2.76>
Drop two patch files that were previously cherry-picked from the
post-v2.75 upstream repository and should no longer be needed.
Notes:
svn path=/head/; revision=415466
| |
With hat: portmgr
Sponsored by: Absolight
Notes:
svn path=/head/; revision=412346
| |
Notes:
svn path=/head/; revision=407058
| |
(But bump PORTREVISION instead of PORTEPOCH ;-))
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=0007ee90646a5a78a96ee729932e89d31c69513a
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=41a8d9e99be9f2cc8b02051dd322cb45e0faac87
Submitted by: garga@
Obtained from: Edwin Török, Simon Kelley
Differential Revision: D4813
Notes:
svn path=/head/; revision=405491
| |
Notes:
svn path=/head/; revision=404736
| |
Critical bug fix for --dhcp-script
Notes:
svn path=/head/; revision=393361
| |
version 2.74
Fix reversion in 2.73 where --conf-file would attempt to
read the default file, rather than no file.
Fix inotify code to handle dangling symlinks better and
not SEGV in some circumstances.
DNSSEC fix. In the case of a signed CNAME generated by a
wildcard which pointed to an unsigned domain, the wrong
status would be logged, and some necessary checks omitted.
Notes:
svn path=/head/; revision=393256
| |
Changelog: http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
Disable dnsmasq-devel (older than stable).
Switch to using @sample keyword [1].
PR: 200717 [1]
Submitted by: Jimmy Olgeni
Notes:
svn path=/head/; revision=389788
| |
- Bump PORTREVISION
PR: 199999
Approved by: mandree@ (maintainer)
Obtained from: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=ad4a8ff7d9097008d7623df8543df435bfddeac8
MFH: 2015Q2
Security: CVE-2015-3294
Sponsored by: Netgate
Notes:
svn path=/head/; revision=385553
| |
Approved by: portmgr blanket
Notes:
svn path=/head/; revision=384203
| |
Remove @dir* stuff from pkg-plist. @sample isn't documented properly
and isn't up to handling files with non-.sample suffix, so stay
away from that part of pkg-plist.
ChangeLog: http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
Notes:
svn path=/head/; revision=369281
| |
Notes:
svn path=/head/; revision=367886
| |
- Add USES=libtool and bump dependent ports
- Add INSTALL_TARGET=install-strip
- Always install libidn-components.png because it is used by libidn.info
- Add -lintl to Libs.private instead of Libs in libidn.pc
Notes:
svn path=/head/; revision=366659
| |
say, libnettle.so.
Submitted by: Allen Hewes
Notes:
svn path=/head/; revision=363645
| |
Notes:
svn path=/head/; revision=361941
| |
PR: 190149
Submitted by: Kevin Zheng
Notes:
svn path=/head/; revision=354963
| |
version 2.71
Subtle change to error handling to help DNSSEC validation
when servers fail to provide NODATA answers for
non-existent DS records.
Tweak code which removes DNSSEC records from answers when
not required. Fixes broken answers when additional section
has real records in it. Thanks to Marco Davids for the bug
report.
Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
for spotting that too.
Fix total DNS failure and 100% CPU use if cachesize set to zero,
regression introduced in 2.69. Thanks to James Hunt and
the Ubuntu crowd for assistance in fixing this.
Notes:
svn path=/head/; revision=354476
| |
Fix crash, introduced in 2.69, on TCP request when dnsmasq compiled
with DNSSEC support, but running without DNSSEC enabled. Thanks to
Manish Sing for spotting that one.
Fix regression which broke ipset functionality. Thanks to Wang Jian
for the bug report.
Submitted by: Herbert J. Skuhra
Notes:
svn path=/head/; revision=352463
| |
Notes:
svn path=/head/; revision=351724
| |
PR: ports/188548
Submitted by: Jeroen van der Ham <jeroen@1sand0s.nl>
Notes:
svn path=/head/; revision=351356
| |
Full changelog: <http://www.thekelleys.org.uk/dnsmasq/CHANGELOG>
Notes:
svn path=/head/; revision=350849
| |
Fixes bind-interfaces with IPv6 on FreeBSD.
version 2.68
Use random addresses for DHCPv6 temporary address
allocations, instead of algorithmically determined stable
addresses.
Fix bug which meant that the DHCPv6 DUID was not available
in DHCP script runs during the lifetime of the dnsmasq
process which created the DUID de-novo. Once the DUID was
created and stored in the lease file and dnsmasq
restarted, this bug disappeared.
Fix bug introduced in 2.67 which could result in erroneous
NXDOMAIN returns to CNAME queries.
Fix build failures on MacOS X and openBSD.
Allow subnet specifications in --auth-zone to be interface
names as well as address literals. This makes it possible
to configure authoritative DNS when local address ranges
are dynamic and works much better than the previous
work-around which exempted constructed DHCP ranges from the
IP address filtering. As a consequence, that work-around
is removed. Under certain circumstances, this change will
break existing configuration: if you're relying on the
constructed-range exception, you need to change --auth-zone
to specify the same interface as is used to construct your
DHCP ranges, probably with a trailing /6 like this:
--auth-zone=example.com,eth0/6 to limit the addresses to
IPv6 addresses of eth0.
Fix problems when advertising deleted IPv6 prefixes. If
the prefix is deleted (rather than replaced), it doesn't
get advertised with zero preferred time. Thanks to Tsachi
for the bug report.
Fix segfault with some locally configured CNAMEs. Thanks
to Andrew Childs for spotting the problem.
Fix memory leak on re-reading /etc/hosts and friends,
introduced in 2.67.
Check the arrival interface of incoming DNS and TFTP
requests via IPv6, even in --bind-interfaces mode. This
isn't possible for IPv4 and can generate scary warnings,
but as it's always possible for IPv6 (the API always
exists) then we should do it always.
Tweak the rules on prefix-lengths in --dhcp-range for
IPv6. The new rule is that the specified prefix length
must be larger than or equal to the prefix length of the
corresponding address on the local interface.
Notes:
svn path=/head/; revision=335916
| |
particularly with NLS enabled when libidn was built without NLS.
While here, group OPTIONS and clean up things a bit, and print
configuration of port and libidn port for debugging.
The particular build failure was
Reported by: Yuri Vorobyev
Notes:
svn path=/head/; revision=331782
| |
Changelog: <http://www.thekelleys.org.uk/dnsmasq/CHANGELOG>
Enable NLS and IPV6 options by default.
Use shebangfix on files that need it.
Mark dnsmasq-devel (older than release) IGNORE.
Notes:
svn path=/head/; revision=331639