Commit 03ef4311, authored 1 year ago by alice
main/dnsmasq: fix CVE-2023-28450
parent 510fa6eb
Showing 2 changed files with 44 additions and 1 deletion:

main/dnsmasq/APKBUILD: +5 −1 (5 additions, 1 deletion)
main/dnsmasq/CVE-2023-28450.patch: +39 −0 (39 additions, 0 deletions)
main/dnsmasq/APKBUILD (+5 −1)
@@ -2,7 +2,7 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
pkgname
=
dnsmasq
pkgver
=
2.86
pkgrel
=
1
pkgrel
=
2
pkgdesc
=
"A lightweight DNS, DHCP, RA, TFTP and PXE server"
url
=
"https://www.thekelleys.org.uk/dnsmasq/"
arch
=
"all"
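Review bot: the pkgrel bump from 1 to 2 is the right change for this hunk, since adding a patch alters the built package without changing pkgver; it has to stay in step with the new '# 2.86-r2:' secfixes entry further down in the same file so that the Alpine security tracker attributes CVE-2023-28450 to the revision that actually carries the fix.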
@@ -15,10 +15,13 @@ subpackages="$pkgname-doc $pkgname-dnssec"
source
=
"https://www.thekelleys.org.uk/dnsmasq/dnsmasq-
$pkgver
.tar.xz
CVE-2022-0934.patch
uncomment-conf-dir.patch
CVE-2023-28450.patch
$pkgname
.initd
$pkgname
.confd
"
# secfixes:
# 2.86-r2:
# - CVE-2023-28450
# 2.86-r1:
# - CVE-2022-0934
# 2.85-r0:
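Review bot: the '# 2.86-r2:' secfixes entry lists CVE-2023-28450 and agrees with pkgrel=2, so the advisory metadata and the package revision match. CVE-2023-28450.patch is appended after CVE-2022-0934.patch and uncomment-conf-dir.patch in source=, so it must apply cleanly on top of both; running `abuild -r` (or at least `abuild unpack` followed by `abuild prepare`) before merging confirms that the three patches do not conflict.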
@@ -84,6 +87,7 @@ sha512sums="
487eae0afbc8bb3d5282a729ffb0cb2c9bdc7d8e46e2e8aa114cd7c5d82e0fd66f49926e7fa4028577548d6f57e8a865aca17f33963a589874584d608ab2deaf dnsmasq-2.86.tar.xz
b04ad7a5019a64feb9e4237e5fbc4f2dc1b1ae12c092222a5e14099566022f17aa4eb9139f69a5a778166c6a096e311ab5ec6ce44fff8409f7df5f5ab86bdd60 CVE-2022-0934.patch
01e9e235e667abda07675009fb1947547863e0bb0256393c5a415978e2a49c1007585c7f0b51e8decce79c05e6f2ced3f400b11343feaa4de9b2e524f74a1ee3 uncomment-conf-dir.patch
bb7b39a3611e749155a561213499b6aa112514130286615afd1d0cd2dbaa1c8c507d995ebff1684648c3e8b76dedddeee2d6c436ff524ca017c71259881b6cee CVE-2023-28450.patch
a7d64a838d10f4f69e0f2178cf66f0b3725901696e30df9e8e3e09f2afd7c86e9d95af64d2b63ef66f18b8a637397b7015573938df9ad961e2b36c391c3ac579 dnsmasq.initd
9a401bfc408bf1638645c61b8ca734bea0a09ef79fb36648ec7ef21666257234254bbe6c73c82cc23aa1779ddcdda0e6baa2c041866f16dfb9c4e0ba9133eab8 dnsmasq.confd
"
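Review bot: the added sha512sums line for CVE-2023-28450.patch pins the patch contents, so any later edit to the patch file must regenerate this block with `abuild checksum`, otherwise the build fails at source verification. The other five entries are untouched, as expected for a change that only adds one file.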
main/dnsmasq/CVE-2023-28450.patch (new file, mode 100644, +39 −0)
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 7 Mar 2023 22:07:46 +0000 (+0000)
Subject: Set the default maximum DNS UDP packet size to 1232.
X-Git-Url: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff_plain;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5;hp=9a698434dd9cc0f3abbf98f9b266c491d322d20f
Set the default maximum DNS UDP packet size to 1232.
http://www.dnsflagday.net/2020/ refers.
Thanks to Xiang Li for the prompt.
---
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 7ffccad..e4eb5e4 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -172,7 +172,8 @@
to zero completely disables DNS function, leaving only DHCP and/or TFTP.
.TP
.B \-P, --edns-packet-max=<size>
Specify the largest EDNS.0 UDP packet which is supported by the DNS
-forwarder. Defaults to 4096, which is the RFC5625-recommended size.
+forwarder. Defaults to 1232, which is the recommended size following the
+DNS flag day in 2020. Only increase if you know what you are doing.
.TP
.B \-Q, --query-port=<query_port>
Send outbound DNS queries from, and listen for their replies on, the
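Review bot: the man page text now matches the new default in src/config.h (1232) and drops the old 4096/RFC5625 wording, so the documentation no longer contradicts the code. The added sentence 'Only increase if you know what you are doing' is an appropriate caution: raising --edns-packet-max above 1232 re-enables the large, IP-fragmented UDP responses that the DNS flag day 2020 change is meant to avoid.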
diff --git a/src/config.h b/src/config.h
index 30e23d8..830adb2 100644
--- a/src/config.h
+++ b/src/config.h
@@ -19,7 +19,7 @@
#define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
#define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
#define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */
-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
+#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */
#define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */
#define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
#define DNSSEC_WORK 50 /* Max number of queries to validate one question */
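Review bot: typo on the added line, 'from from' should be a single 'from'; the comment would also read better with the reference spelled out, e.g. `/* default max EDNS.0 UDP packet, per http://www.dnsflagday.net/2020/ */`. The value itself is correct: 1232 is the 1280-byte IPv6 minimum MTU minus 40 bytes of IPv6 header and 8 bytes of UDP header, so any response that fits the advertised buffer is delivered without IP fragmentation, which is the point of CVE-2023-28450. Note that EDNS_PKTSZ (1232) now sits below SAFE_PKTSZ (1280) on the following line; worth confirming that no code path assumes EDNS_PKTSZ >= SAFE_PKTSZ before this lands.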