Dnsmasq 2.43rc3 (dns-spoofing)
-
Hello!
I think we need an update to dnsmasq 2.44:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2008q3/002203.html
Dnsmasq users:
There has been some confusion about the exact nature of the
newly-discovered DNS hole, and if dnsmasq is affected. I just talked to
Dan Kaminsky and can confirm that dnsmasq is potentially vulnerable. All
users should therefore upgrade. Ensure that the --query-port option
(which will disable query-port randomisation) is not used except on
tightly-controlled networks.
Also note that version 2.43, which was rushed out to fix this hole, has
a crash bug in unrelated DHCP code. This is only triggered in rare
circumstances. Distribution authors may like to wait for version 2.44,
due next week, which fixes this problem.
There is a test-release available at:
http://www.thekelleys.org.uk/dnsmasq/test-releases/
version 2.44
Fix crash when unknown client attempts to renew a DHCP
lease, problem introduced in version 2.43. Thanks to
Carlos Carvalho for help chasing this down.
Fix potential crash when a host which doesn't have a lease
does DHCPINFORM. Again introduced in 2.43. This bug has
never been reported in the wild.
Change implementation of min_port to work even if min-port
as large.
-
Hello support!
There is a new final release of dnsmasq - 2.45:
version 2.45
Fix total DNS failure in release 2.43 unless --min-port
specified. Thanks to Steven Barth and Grant Coady for
bugreport. Also reject out-of-range port spec, which could
break things too: suggestion from Gilles Espinasse.
Is it possible to get this one for pfsense 1.2 instead of a 'release candidate 2.43rc3'?
http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.45.tar.gz
-
This will appear in 1.2.1 and 1.3 snapshots soon.
-
Maybe you can also add the dns-rebinding patch to resolve security issues on dns spoofing.
-
Hi!
Is it a big problem (because pfsense 1.2 is working good for me) to place an update of dnsmasq 2.45 for 1.2 on http://cvs.pfsense.org/~sullrich/ instead of the 2.43rc3 ;-)
I want to upgrade to 1.3 if this version is released!
regards
Netview
-
1.2.1 snapshots also contain the newer dnsmasq.
-
ok - I have running dnsmasq 2.45 with pfsense 1.2!
extract dnsmasq and libc.so.7 from the actual 1.2.1 snapshot.
mv */libc.so.7 /lib
chmod 444 /lib/libc.so.7
killall dnsmasq
mv dnsmasq /root
mv */dnsmasq /usr/local/sbin
chmod +x /usr/local/sbin/dnsmasq
/usr/local/sbin/dnsmasq
* - the place where you have put the extracted modules (ftp …)
dnsmasq -v
Dnsmasq version 2.45 Copyright (C) 2000-2008 Simon Kelley
Compile time options IPv6 GNU-getopt BSD-bridge ISC-leasefile no-DBus no-I18N TFTP
This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.
That's it - TX for your support!
this is the main difference between 2.45 and 2.43-release-candidate-3:
Don't attempt to change user or group or set capabilities if dnsmasq is run as a non-root user. Without this, the change from soft to hard errors when these fail causes problems for non-root daemons listening on high ports. Thanks to Patrick McLean for spotting this.
Updated French translation. Thanks to Gildas Le Nadan.
version 2.44
Fix crash when unknown client attempts to renew a DHCP lease, problem introduced in version 2.43. Thanks to Carlos Carvalho for help chasing this down.
Fix potential crash when a host which doesn't have a lease does DHCPINFORM. Again introduced in 2.43. This bug has never been reported in the wild.
Fix crash in netlink code introduced in 2.43. Thanks to Jean Wolter for finding this.
Change implementation of min_port to work even if min-port as large.
Patch to enable compilation of latest Mac OS X. Thanks to David Gilman.
Update Spanish translation. Thanks to Christopher Chatham.
version 2.45
Fix total DNS failure in release 2.43 unless --min-port specified. Thanks to Steven Barth and Grant Coady for bugreport. Also reject out-of-range port spec, which could break things too: suggestion from Gilles Espinasse.
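-
A post-upgrade check for the two points raised in this thread (running at least 2.45, and not pinning the query port), as an added example that is not part of the thread and not pfSense or dnsmasq code. The function names `version_ok` and `pins_query_port` are hypothetical, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Succeeds if the "Dnsmasq version X.Y" banner in $1 is >= 2.$2
# (default 2.45, the final release named in this thread).
# A suffix such as "rc3" is ignored; only major.minor is compared.
# Returns 2 when no banner line is recognised.
version_ok() {
    min_minor=${2:-45}
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^Dnsmasq version \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1)
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge "$min_minor" ]; }
}

# Succeeds if the text in $1 pins the DNS source port, which disables
# query-port randomisation. Accepts command-line form (--query-port, -Q)
# and dnsmasq.conf form (query-port=...); "#" lines are comments.
pins_query_port() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
        grep -Eq -e '(^|[[:space:]])(--)?query-port([[:space:]]*=|[[:space:]]|$)' \
                 -e '(^|[[:space:]])-Q'
}

# Banner as quoted in the thread; on a live system use "$(dnsmasq -v)".
banner='Dnsmasq version 2.45 Copyright (C) 2000-2008 Simon Kelley'
# Constructed sample configuration.
conf='# constructed sample
min-port=1024
query-port=53'

if version_ok "$banner"; then
    echo "version: ok"
else
    echo "version: older than 2.45 or not recognised"
fi
if pins_query_port "$conf"; then
    echo "warning: query port is fixed, source-port randomisation is off"
fi
```

`pins_query_port` takes text, so it can be given either the contents of a configuration file or the arguments of the running daemon.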