Commit 03ef4311 authored by alice

main/dnsmasq: fix CVE-2023-28450

parent 510fa6eb
......@@ -2,7 +2,7 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
pkgname=dnsmasq
pkgver=2.86
pkgrel=1
pkgrel=2
pkgdesc="A lightweight DNS, DHCP, RA, TFTP and PXE server"
url="https://www.thekelleys.org.uk/dnsmasq/"
arch="all"
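Review bot: the pkgrel bump from 1 to 2 is the right change for a patch-only rebuild of 2.86; the resulting version string 2.86-r2 has to match the secfixes entry exactly, because the Alpine secdb is generated from that comment block rather than from the commit message.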
......@@ -15,10 +15,13 @@ subpackages="$pkgname-doc $pkgname-dnssec"
source="https://www.thekelleys.org.uk/dnsmasq/dnsmasq-$pkgver.tar.xz
CVE-2022-0934.patch
uncomment-conf-dir.patch
CVE-2023-28450.patch
$pkgname.initd
$pkgname.confd
"
# secfixes:
# 2.86-r2:
# - CVE-2023-28450
# 2.86-r1:
# - CVE-2022-0934
# 2.85-r0:
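Review bot: the new CVE-2023-28450.patch is appended to source and gets a matching `# 2.86-r2:` secfixes entry, which is what the secdb tooling expects. Worth noting in the commit message that this patch only lowers the compiled-in default for `--edns-packet-max`; a deployment that already sets `edns-packet-max` explicitly in its dnsmasq.conf keeps whatever value it configured and gains nothing from this rebuild.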
......@@ -84,6 +87,7 @@ sha512sums="
487eae0afbc8bb3d5282a729ffb0cb2c9bdc7d8e46e2e8aa114cd7c5d82e0fd66f49926e7fa4028577548d6f57e8a865aca17f33963a589874584d608ab2deaf dnsmasq-2.86.tar.xz
b04ad7a5019a64feb9e4237e5fbc4f2dc1b1ae12c092222a5e14099566022f17aa4eb9139f69a5a778166c6a096e311ab5ec6ce44fff8409f7df5f5ab86bdd60 CVE-2022-0934.patch
01e9e235e667abda07675009fb1947547863e0bb0256393c5a415978e2a49c1007585c7f0b51e8decce79c05e6f2ced3f400b11343feaa4de9b2e524f74a1ee3 uncomment-conf-dir.patch
bb7b39a3611e749155a561213499b6aa112514130286615afd1d0cd2dbaa1c8c507d995ebff1684648c3e8b76dedddeee2d6c436ff524ca017c71259881b6cee CVE-2023-28450.patch
a7d64a838d10f4f69e0f2178cf66f0b3725901696e30df9e8e3e09f2afd7c86e9d95af64d2b63ef66f18b8a637397b7015573938df9ad961e2b36c391c3ac579 dnsmasq.initd
9a401bfc408bf1638645c61b8ca734bea0a09ef79fb36648ec7ef21666257234254bbe6c73c82cc23aa1779ddcdda0e6baa2c041866f16dfb9c4e0ba9133eab8 dnsmasq.confd
"
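Review bot: the sha512sum line for CVE-2023-28450.patch is placed in the same position as the file in the source list, as abuild requires. Since the patch is a plain-text gitweb export (the X-Git-Url header below names upstream commit eb92fb32), please confirm the checksum was regenerated with `abuild checksum` on the file as committed, not carried over from a differently exported copy of the same commit.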
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 7 Mar 2023 22:07:46 +0000 (+0000)
Subject: Set the default maximum DNS UDP packet size to 1232.
X-Git-Url: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff_plain;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5;hp=9a698434dd9cc0f3abbf98f9b266c491d322d20f
Set the default maximum DNS UDP packet size to 1232.
http://www.dnsflagday.net/2020/ refers.
Thanks to Xiang Li for the prompt.
---
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 7ffccad..e4eb5e4 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -172,7 +172,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP.
.TP
.B \-P, --edns-packet-max=<size>
Specify the largest EDNS.0 UDP packet which is supported by the DNS
-forwarder. Defaults to 4096, which is the RFC5625-recommended size.
+forwarder. Defaults to 1232, which is the recommended size following the
+DNS flag day in 2020. Only increase if you know what you are doing.
.TP
.B \-Q, --query-port=<query_port>
Send outbound DNS queries from, and listen for their replies on, the
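Review bot: the new man page wording "Only increase if you know what you are doing" tells the reader not to raise the value without saying why, so the warning is easy to dismiss. Suggest one clause stating the flag-day rationale, e.g. `+DNS flag day in 2020: larger UDP responses risk IP fragmentation and may be` / `+silently dropped. Only increase if you know what you are doing.`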
diff --git a/src/config.h b/src/config.h
index 30e23d8..830adb2 100644
--- a/src/config.h
+++ b/src/config.h
@@ -19,7 +19,7 @@
#define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
#define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
#define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */
-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
+#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */
#define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */
#define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
#define DNSSEC_WORK 50 /* Max number of queries to validate one question */
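Review bot: the comment on the new `EDNS_PKTSZ` line has a doubled word and a truncated URL ("from from /dnsflagday.net/2020"); suggest `#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet size, per https://dnsflagday.net/2020/ */`. Separately, after this change the default EDNS_PKTSZ (1232) is smaller than SAFE_PKTSZ (1280) on the following line, so any fallback path that retries a failed query with SAFE_PKTSZ now retries with a larger buffer than the default; that relationship deserves a look before the patch is considered complete.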