Dnsmasq 2.43rc3 (dns-spoofing)



  • Hello!

    I think we need an update to dnsmasq 2.44:
    http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2008q3/002203.html

    Dnsmasq users:

    There has been some confusion about the exact nature of the
    newly-discovered DNS hole, and if dnsmasq is affected. I just talked to
    Dan Kaminsky and can confirm that dnsmasq is potentially vulnerable. All
    users should therefore upgrade. Ensure that the –query-port option
    (which will disable query-port randomisation)  is not used except on
    tightly-controlled networks.

    Also note that version 2.43, which was rushed out to fix this hole, has
    a crash bug in unrelated DHCP code. This is only triggered in rare
    circumstances. Distribution authors may like to wait for version 2.44,
    due next week, which fixes this problem.

    There is a test-release available at:
    http://www.thekelleys.org.uk/dnsmasq/test-releases/

    version 2.44
                Fix  crash when unknown client attempts to renew a DHCP
                lease, problem introduced in version 2.43. Thanks to
                Carlos Carvalho for help chasing this down.

    Fix potential crash when a host which doesn't have a lease
        does DHCPINFORM. Again introduced in 2.43. This bug has
        never been reported in the wild.

    Change implementation of min_port to work even if min-port
        as large.



  • Hello support!

    There is a new final release of dnsmasq - 2.45:

    version 2.45
                Fix total DNS failure in release 2.43 unless –min-port
                specified. Thanks to Steven Barth and Grant Coady for
                bugreport. Also reject out-of-range port spec, which could
                break things too: suggestion from Gilles Espinasse.

    Is it possible to get this one for pfsense 1.2 instead of a 'release candiate 2.43rc3'?

    http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.45.tar.gz



  • This will appear in 1.2.1 and 1.3 snapshots soon.



  • Maybe you can also add the dns-rebinding patch to resolve security issues on dns spoofing.



  • Hi!

    Is it a big problem (because pfsense 1.2 is working good for me) to place an update of dnsmasq 2.45 for 1.2 on http://cvs.pfsense.org/~sullrich/ instead of the 2.43rc3 ;-)

    I want to upgrade to 1.3 if this version is released!

    regards
    Netview



  • 1.2.1 snapshots also contain the newer dnsmasq.



  • ok - I have running dnsmasq 2.45 with pfsense 1.2!

    extract dnsmasq and libc.so.7 from the actual 1.2.1 snapshot.
    mv */libc.so.7  /lib
    chmod 444 /lib/libc.so.7
    killall dnsmasq
    mv dnsmasq /root
    mv */dnsmasq  /usr/local/sbin
    chmod +x /usr/local/sbin/dnsmasq
    /usr/local/sbin/dnsmasq

    • the place where you have put the extracted modules (ftp …)

    dnsmasq -v

    Dnsmasq version 2.45  Copyright (C) 2000-2008 Simon Kelley
    Compile time options IPv6 GNU-getopt BSD-bridge ISC-leasefile no-DBus no-I18N TFTP

    This software comes with ABSOLUTELY NO WARRANTY.
    Dnsmasq is free software, and you are welcome to redistribute it
    under the terms of the GNU General Public License, version 2 or 3.

    That's it - TX for your support!

    this is the main difference between 2.45 and 2.43-release-candidate-3:
    
    	    Don't attempt to change user or group or set capabilities
    	    if dnsmasq is run as a non-root user. Without this, the
    	    change from soft to hard errors when these fail causes
    	    problems for non-root daemons listening on high
    	    ports. Thanks to Patrick McLean for spotting this.
    
    	    Updated French translation. Thanks to Gildas Le Nadan.
    
    version 2.44
                Fix  crash when unknown client attempts to renew a DHCP
                lease, problem introduced in version 2.43\. Thanks to
                Carlos Carvalho for help chasing this down.
    
    	    Fix potential crash when a host which doesn't have a lease
    	    does DHCPINFORM. Again introduced in 2.43\. This bug has
    	    never been reported in the wild.
    
                Fix crash in netlink code introduced in 2.43\. Thanks to
                Jean Wolter for finding this.
    
    	    Change implementation of min_port to work even if min-port
    	    as large.
    
    	    Patch to enable compilation of latest Mac OS X. Thanks to
    	    David Gilman.
    
    	    Update Spanish translation. Thanks to Christopher Chatham.
    
    version 2.45
                Fix total DNS failure in release 2.43 unless --min-port 
                specified. Thanks to Steven Barth and Grant Coady for
                bugreport. Also reject out-of-range port spec, which could
                break things too: suggestion from Gilles Espinasse.
    

Log in to reply