PfPorts: dnsmasq is a little old

  • G'day

    Don't know if this is the best place to report this, or redmine:

    pfPorts contains DNSmasq 2.45, which dates back to 2008 - although, beyond a possible TFTP DoS vulnerability fixed with 2.50 (CVE: 2009-2957, CVE: 2009-2958), I haven't found security vulnerabilities in the current version inside pfSense. Any objections against an update?

  • Replying to myself since I looked at why potentially this is the current state - at least initially - dnsmasq was kept on 2.45.

    The cause was the removal of the ISC dhcp lease monitoring code from dnsmasq.
    From my findings in redmine and git logs it seems this method was replaced a long time ago with its own dhcp lease parser.

    Would be interesting to hear if there were other causes. In the meantime I'm looking at the ports file in DNSmasq - maybe
    this could be synced to FreeBSD - and actually the current upstream Makefile seems to enable IPv6 by default as compared to back in 2008.

  • Rebel Alliance Developer Netgate

    If a current version works with all the features we use, then sure it can be updated.

    We actually use dnsmasq-no-isc-dhcp-parser pfPort now which is 2.55.

    The old port was kept in place in case we had to build new images based on pfSense 1.2.x for customers.

  • Thanks, I didn't realize this (still getting accustomed to the structure of pfsense-tools).

    So far, current versions after 2.55 contain a couple of IPv6/DHCPv6-related changes and improvements which might be of interest for pfSense 2.1.

  • In the meantime: dnsmasq has been bumped to the latest version, feel free to check out snapshots.
