
Re: dnsmasq 2.71 for wheezy-backports



On Thu, 07 Aug 2014 15:15:29 +0200 Markus Kasten <debian@markuskasten.eu> wrote:
> I'd like to propose a backport of dnsmasq 2.71 (or >= 2.63) for
> wheezy-backports. The version that's shipped with Debian Wheezy
> (2.62-3) is pretty old and does not support the --bind-dynamic option.
> This also kind of conflicts with the current libvirt-bin backport,
> which needs dnsmasq >= 2.63 for assigning publicly routable IPv6
> addresses to guests. There are probably a bunch of other reasons for
> backporting it, but these are the arguments I came up with.

I would also like to see a newer dnsmasq in wheezy-backports, also
because of problems with libvirt.

As Markus is, I'm using libvirt-bin from backports in order to get IPv6
routes in network configurations, but when I have a network config with
<forward mode='route'/> and a public IPv4 address, libvirt refuses to
start the network due to the old dnsmasq with the following error
message:

| error: unsupported configuration: Publicly routable address [redacted]
| is prohibited. The version of dnsmasq on this host (2.62) doesn't
| support the bind-dynamic option or use SO_BINDTODEVICE on listening
| sockets, one of which is required for safe operation on a publicly
| routable subnet (see CVE-2012-3411). You must either upgrade dnsmasq, or
| use a private/local subnet range for this network (as described in
| RFC1918/RFC3484/RFC4193).

libvirt in wheezy doesn't have this restriction, but is also vulnerable
to being configured as an open DNS resolver when used without a default
deny firewall, as per
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683372.

My problem could also be solved by #683372 being fixed by a 2.63 or
later dnsmasq being pushed into wheezy-updates.

> If there's no one responsible for dnsmasq backports, I'd be happy to
> create one (although I haven't done that before :).

I am not an experienced packager, but dnsmasq 2.71 from jessie works
fine for me when built on my wheezy machine with
apt-get -b source dnsmasq/jessie

-- 
Paul.
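The rule libvirt applies in the error message above, written out as a small shell check. This is an added example, not libvirt's or dnsmasq's own code; it assumes the version string starts with dnsmasq's major.minor (a Debian suffix such as -3 is ignored) and only handles IPv4, treating the RFC 1918 ranges plus loopback and link-local as private.

```shell
#!/bin/sh
# Added example: mimics the decision libvirt makes before starting a
# <forward mode='route'/> network on a publicly routable IPv4 subnet.

# Return 0 when "$1" (e.g. 2.62 or 2.62-3) is at least 2.63, the first
# dnsmasq release with the --bind-dynamic option.
dnsmasq_has_bind_dynamic() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%[!0-9]*}   # drop "-3" style packaging suffixes
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 63 ]; }
}

# Return 0 when "$1" is an IPv4 address in an RFC 1918 range
# (10/8, 172.16/12, 192.168/16), loopback (127/8) or link-local (169.254/16).
ipv4_is_private() {
    IFS=. read -r o1 o2 o3 o4 rest <<EOF
$1
EOF
    [ -n "$o4" ] && [ -z "$rest" ] || return 1   # must be exactly four octets
    case "$o1" in
        10|127) return 0 ;;
        172)    [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] ;;
        192)    [ "$o2" -eq 168 ] ;;
        169)    [ "$o2" -eq 254 ] ;;
        *)      return 1 ;;
    esac
}

# Usage: routed_network_allowed <dnsmasq-version> <network-ipv4-address>
# Prints "ok" when libvirt would start the network and "refuse" when it
# would reject it: a public subnet needs a dnsmasq that can bind
# per-interface, otherwise the resolver is reachable from the outside.
routed_network_allowed() {
    if ipv4_is_private "$2" || dnsmasq_has_bind_dynamic "$1"; then
        echo ok
    else
        echo refuse
    fi
}
```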

