diff --git a/backport-CVE-2023-28450-Set-the-default-maximum-DNS-UDP-packet.patch b/backport-CVE-2023-28450-Set-the-default-maximum-DNS-UDP-packet.patch new file mode 100644 index 0000000000000000000000000000000000000000..420bc1ae624dad853e1b0b56d32cfcb9a4c20229 --- /dev/null +++ b/backport-CVE-2023-28450-Set-the-default-maximum-DNS-UDP-packet.patch @@ -0,0 +1,45 @@ +From eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Tue, 7 Mar 2023 22:07:46 +0000 +Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232. + +http://www.dnsflagday.net/2020/ refers. + +Thanks to Xiang Li for the prompt. +Conflict:NA +Reference:https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb92fb32b746f +--- + man/dnsmasq.8 | 3 ++- + src/config.h | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index 4a1107a..cf3c9f6 100644 +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -172,7 +172,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP. + .TP + .B \-P, --edns-packet-max= + Specify the largest EDNS.0 UDP packet which is supported by the DNS +-forwarder. Defaults to 4096, which is the RFC5625-recommended size. ++forwarder. Defaults to 1232, which is the recommended size following the ++DNS flag day in 2020. Only increase if you know what you are doing. + .TP + .B \-Q, --query-port= + Send outbound DNS queries from, and listen for their replies on, the +diff --git a/src/config.h b/src/config.h +index b8ca806..10c0b48 100644 +--- a/src/config.h ++++ b/src/config.h +@@ -19,7 +19,7 @@ + #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */ + #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */ + #define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */ +-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */ ++#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */ + #define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */ + #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */ + #define DNSSEC_WORK 50 /* Max number of queries to validate one question */ +-- +2.23.0 + diff --git a/dnsmasq.spec b/dnsmasq.spec index 74d70a2ecd9d91d7e4af61f8d1620de9145b7078..1147acccb56fbf41fe965079f631e212225a65a0 100644 --- a/dnsmasq.spec +++ b/dnsmasq.spec @@ -1,6 +1,6 @@ Name: dnsmasq Version: 2.86 -Release: 3 +Release: 4 Summary: Dnsmasq provides network infrastructure for small networks License: GPLv2 or GPLv3 URL: http://www.thekelleys.org.uk/dnsmasq/ @@ -35,7 +35,7 @@ Patch24: backport-Fix-write-after-free-in-DHCPv6-code-CVE-2022-0934.patch Patch25: backport-Fix-parsing-of-IPv6-addresses-with-peer-from-netlink.patch Patch26: backport-Fix-bad-interaction-between-address-ip-and-ser.patch Patch27: backport-Fix-address-which-was-lost-in-2.86.patch - +Patch28: backport-CVE-2023-28450-Set-the-default-maximum-DNS-UDP-packet.patch BuildRequires: gcc BuildRequires: dbus-devel pkgconfig libidn2-devel nettle-devel systemd @@ -125,6 +125,12 @@ install -Dpm644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysusersdir}/dnsmasq.conf %{_mandir}/man8/dnsmasq* %changelog +* Sat Mar 18 2023 renmingshuai - 2.86-4 +- Type:CVE +- Id:CVE-2023-28450 +- SUG:NA +- DESC:fix CVE-2023-28450 + * Thu Oct 27 2022 renmingshuai - 2.86-3 - Type:bugfix - Id:NA