The logging "sed-patch" that was introduced for version 20190611 worked poorly:
it was too intrusive (breaking the --logfile option), and it didn't prevent
using the in-store file for logging by default. The new logging patch (an actual
"diff-patch") is less intrusive: it just changes the default log file's
location to be the current directory instead of the executable's directory.
Fixes: CVE-2019-14834
A vulnerability was found in dnsmasq before version 2.81, where the
memory leak allows remote attackers to cause a denial of service
(memory consumption) via vectors involving DHCP response creation.
Changelog:
version 2.81
Improve cache behaviour for TCP connections. For ease of
implementation, dnsmasq has always forked a new process to handle
each incoming TCP connection. A side-effect of this is that
any DNS queries answered from TCP connections are not cached:
when TCP connections were rare, this was not a problem.
With the coming of DNSSEC, it is now the case that some
DNSSEC queries have answers which spill to TCP, and if,
for instance, this applies to the keys for the root, then
those never get cached, and performance is very bad.
This fix passes cache entries back from the TCP child process to
the main server process, and fixes the problem.
Remove the NO_FORK compile-time option, and support for uclinux.
In an era where everything has an MMU, this looks like
an anachronism, and it adds to (Ok, multiplies!) the
combinatorial explosion of compile-time options. Thanks to
Kevin Darbyshire-Bryant for the patch.
Fix line-counting when reading /etc/hosts and friends; for
correct error messages. Thanks to Christian Rosentreter
for reporting this.
Fix bug in DNS non-terminal code, added in 2.80, which could
sometimes cause a NODATA rather than an NXDOMAIN reply.
Thanks to Norman Rasmussen, Sven Mueller and Maciej Żenczykowski
for spotting and diagnosing the bug and providing patches.
Support TCP-fastopen (RFC-7413) on both incoming and
outgoing TCP connections, if supported and enabled in the OS.
Improve kernel-capability manipulation code under Linux. Dnsmasq
now fails early if a required capability is not available, and
tries not to request capabilities not required by its
configuration.
Add --shared-network config. This enables allocation of addresses
by the DHCP server in subnets where the server (or relay) does not
have an interface on the network in that subnet. Many thanks to
kamp.de for sponsoring this feature.
Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet
validation check got borked in commit 2b38e382 and release 2.80.
Thanks to Tomasz Szajner for spotting this.
Fix compilation against nettle version 3.5 and later.
Fix spurious DNSSEC validation failures when the auth section
of a reply contains unsigned RRs from a signed zone,
with the exception that NSEC and NSEC3 RRs must always be signed.
Thanks to Tore Anderson for spotting and diagnosing the bug.
Add --dhcp-ignore-clid. This disables reading of DHCP client
identifier option (option 61), so clients are only identified by
MAC addresses.
Fix a bug which stopped --dhcp-name-match from working when a hostname
is supplied in --dhcp-host. Thanks to James Feeney for spotting this.
Fix bug which very rarely caused zero-length DHCPv6 packets.
Thanks to Dereck Higgins for spotting this.
Add --tftp-single-port option.
Enhance --conf-dir to load files in a deterministic order. Thanks to
Evgenii Seliavka for the suggestion and initial patch.
In the router advert code, handle case where we have two
different interfaces on the same IPv6 net, and we are doing
RA/DHCP service on only one of them. Thanks to NIIBE Yutaka
for spotting this case and making the initial patch.
Support prefixed ranges of ipv6 addresses in dhcp-host.
This eases problems with chain-netbooting, where each link in the
chain requests an address using a different UID. With a single
address, only one gets the "static" address, but with this
fix, enough addresses can be reserved for all the stages of the
boot. Many thanks to Harald Jensås for his work on this idea and
earlier patches.
Add filtering by tag of --dhcp-host directives. Based on a patch
by Harald Jensås.
Allow empty server spec in --rev-server, to match --server.
Remove DSA signature verification from DNSSEC, as specified in
RFC 8624. Thanks to Loganaden Velvindron for the original patch.
Add --script-on-renewal option.
The package was marked as broken for 3 years, there were no
upstream updates for 8 years, and the program requires third
party services that don't provide APIs to work. I think it's
safe to say that this program is not going to work.
Dear all,
Babeld-1.9.2 is available from
https://www.irif.fr/~jch/software/files/babeld-1.9.2.tar.gz
https://www.irif.fr/~jch/software/files/babeld-1.9.2.tar.gz.asc
For more information about the Babel routing protocol, please see
https://www.irif.fr/~jch/software/babel/
This is a bug fix release. It fixes two bugs where IPv4 prefixes could be
represented incorrectly, with a range of confusing symptoms; many thanks
to Fabian Bläse for diagnosing the issue. In addition, it fixes incorrect
parsing of unknown address encodings, thanks to Théo Bastian for the fix.
21 April 2020: babeld-1.9.2
* Fixed two issues that could cause IPv4 routes to be represented
incorrectly, with a range of confusing symptoms. Thanks to
Fabian Bläse.
* Fixed incorrect parsing of TLVs with an unknown Address Encoding.
Thanks to Théophile Bastian.
* Fixed access to mis-aligned data structure. Thanks to Antonin Décimo.
-- Juliusz Chroboczek
Babel-users mailing list
Babel-users@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users
Remove patches applied between 1.1.14 and 1.1.15 and switch to GitHub
source.
gtk-gnutella: several changes.
Disable internal malloc implementation.
Add @doronbehar as maintainer.
Comment about hardeningDisable regarding next release.
Format arguments and inputs.
Make it possible to disable the GUI.
Hello,
New versions of all the skarnet.org packages are available.
This is mostly a bugfix release (there was an installation bug in
some circumstances with shared libraries) but some packages, notably
execline and s6, have new, useful features.
The new versions are the following:
skalibs-2.9.2.0
nsss-0.0.2.2
utmps-0.0.3.2
execline-2.6.0.0
s6-2.9.1.0
s6-rc-0.5.1.2
s6-linux-init-1.0.4.0
s6-dns-2.3.2.0
s6-networking-2.3.1.2
s6-portable-utils-2.2.2.2
s6-linux-utils-2.5.1.2
mdevd-0.1.1.2
bcnm-0.0.1.0
Here are details for the packages that have more than bugfixes:
* skalibs-2.9.2.0
---------------
- New header: skalibs/bigkv.h. It's a set of functions allowing
efficient lookups in a large set of strings (typically read from the
command line or the environment).
https://skarnet.org/software/skalibs/
git://git.skarnet.org/skalibs
* execline-2.6.0.0
----------------
- It's a major release because an API has been modified: dollarat.
Beforehand, dollarat's -0 option would always prevail over any -d
option. Now, dollarat has its conflicting -0 and -d options handled
in the conventional way, with rightmost priority.
- The runblock program now accepts a command line prefix, which is
given as runblock's own command line. This allows blocks to serve as
arguments to a new command, instead of having to be full command lines
by themselves.
- New binary: posix-umask.
- The former "cd" program is now named "execline-cd" and the former
"umask" program is named "execline-umask". When the --enable-pedantic-posix
option is not given at configure time, "cd" and "umask" are symbolic
links created at installation time and pointing to execline-cd and
execline-umask respectively. When the --enable-pedantic-posix option is
given, the symbolic links point to posix-cd and posix-umask instead.
- With posix-cd and posix-umask (and the changes to wait done in the
previous version), execline is now fully POSIX-compliant when built with
the --enable-pedantic-posix option. This will certainly, without the
slightest hint of a doubt, change distributions' attitudes about it.
https://skarnet.org/software/execline/
git://git.skarnet.org/execline
* s6-2.9.1.0
----------
- A new '?' directive has been added to s6-log. It behaves exactly like
'!', except that it spawns the given processor with /bin/sh as an
interpreter instead of execlineb.
- execline support is now optional: it can be disabled by specifying
--disable-execline at configure time. Some functionality is unavailable
when execline support is disabled:
* s6-log's '!' directive
* s6-notifyoncheck's -c option
* s6-ipcserver-access's support for 'exec' directives in a ruleset
- A new -X option has been added to s6-svscan, to specify a descriptor
that will be passed as stderr to a service spawned by this s6-svscan and
named s6-svscan-log. This is used in the new s6-linux-init, to avoid
needing to hardcode the /dev/console name for the catch-all logger's
standard error.
- On systems that define SIGPWR and SIGWINCH, s6-svscan -s now diverts
those signals. This allows powerfail and kbrequest events to be handled
when s6-svscan runs as process 1.
https://skarnet.org/software/s6/
git://git.skarnet.org/s6
* s6-linux-init-1.0.4.0
---------------------
- New options have been added to s6-linux-init-maker: to support
running s6-linux-init without a catch-all logger, and to support running
it in a container.
- s6-linux-init-maker now adds a SIGPWR handler to the default image:
on receipt of a SIGPWR, the system's shutdown procedure is triggered.
- s6-linux-init now handles kbrequest, which triggers a SIGWINCH in
init when a special, configurable set of keys is pressed. By default,
no SIGWINCH handler is declared in the image, and no set of keys is
bound to kbrequest.
https://skarnet.org/software/s6-linux-init/
git://git.skarnet.org/s6-linux-init
* s6-dns-2.3.2.0
--------------
- New library: libdcache, implementing a clean cache structure
to contain DNS data. It's still not used at the moment.
https://skarnet.org/software/s6-dns/
git://git.skarnet.org/s6-dns
* bcnm-0.0.1.0
------------
- First numbered release, because the Adélie Linux distribution,
which uses libwpactrl, needs an official release instead of pulling
from git.
- libwpactrl is a set of C functions helping control a wpa_supplicant
process.
- bcnm-waitif is a binary that waits for network interface state
events such as appearance/disappearance, up/down, running/not-running.
It is useful to avoid race conditions during a boot sequence, for
instance.
https://skarnet.org/software/bcnm/
git://git.skarnet.org/bcnm
Enjoy,
Bug-reports welcome.
--
Laurent