Security Advisory 2021-01-19-1 - dnsmasq multiple vulnerabilities

Ha! Excellent. Good enough :smiley:
I don't go into the release branches very often...always on (b)leading edge master for me!

Yeah, and it is too bad that we are still tinkering with the ancient June 2019 code of 19.07 branch. (There should have been 1-2 newer release branches by now. 19.07 is deviating too far from the master.)

Sorry, still confused. There isn't a download link there. Should I still wait for the bin to be made available in the download page?

EDIT: On the download page this version doesn't show up?

How thoroughly is this issue mitigated by configuration changes? Disabling the DNSMasq cache as indicated should be pretty solid, yes?

1 Like

You are looking at the firmware download page...

Dnsmasq is just a package.
Packages would be in
https://downloads.openwrt.org/releases/19.07.6/packages/

Once buildbot has compiled it for a target, the upgraded package can be found with opkg.

First you update package lists, then you can install the upgraded package. But it will take several hours before it has been compiled for all targets.

opkg update
opkg upgrade dnsmasq

The updated package versions are:
Master: 2.84test3
19.07: 2.80-16.3

1 Like

I didn't understand well. If I am using master and have version 2.83-1 of dnsmasq, do I need to also limit to 50 connections and 0 cache?

The security advisory here:
https://openwrt.org/advisory/2021-01-19-1 says...
you need a minimum of dnsmasq - 2.83-1 - for master/snapshot...

it then advises...
If upgrading is not possible, it is possible to mitigate some of the issues through configuration changes

My understanding is you don't.

It may be best to use the following before upgrading the package:

opkg update
opkg list-upgradable

And if you want to upgrade all that are upgradable you can use:

opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade

Upgrading packages (via the CLI opkg upgrade command or the LuCI Upgrade... button) can result in major problems. It is generally highly discouraged, unless you know what you are doing or if there is specific instruction to do so.

4 Likes

Just finished building a snapshot for RPi4

base-files - 1400-r15598-1fb413e657
...
dnsmasq - 2.84~~test3-1
...
kernel - 5.4.91-1-f05cbd304f785527ffd7cb61864a0125

I will post any problems the next day

This advice seems counter-intuitive, but the link for "discouraged" helps further the understanding. It does lead to another question that arose from the alerts regarding dnsmasq but is not directly related. On doing an upgrade of all upgradable packages (just before the dnsmasq upgrade was released), the luci package was upgraded and the config/luci file dropped the use of single quotes; this could be seen because the new file is saved as luci.opkg and diff could be used to see that. If a sysupgrade is done preserving settings, this change would be missed. It leaves me baffled as to the best upgrade path and seems to point to the use of upgrade scripts, which can be a lot of work to set up.

It's not the right place to discuss that (maybe open a new thread).
I just wanted to point out that the advice for the vulnerability is to upgrade a single package, and your instructions are to upgrade all packages, which as per the links, is discouraged (unless consequences are understood).

2 Likes

Simon (author of dnsmasq) released v2.84rc2 late last night. He intends to release v2.84 within 24 hours if no further issues arise.

The differences between v2.83 & v2.84rc2

  1. The three commits it took to fix the DNS regression (socket related log warnings). (these have already been backported to v2.80 for openwrt 19.7, look for dnsmasq_2.80-16.3 for your architecture)

  2. A couple of tidying/optimisation to the new 2.83 security fixes that were held back in the interests of keeping patchsets small for backporters. (not backported to openwrt 19.7 and not required)

  3. Some administrivia. (Updating date on copyright notices!)

  4. Vladislav's HAVE_NETTLEHASH->HAVECRYPTOHASH change, but modified for backward compatibility with HAVE_NETTLEHASH. (this is administrivia as well really)

I have been running v2.84rc2 on master for 10+ hours and no mis-behaviour noted - I'd anticipate 2.84 being released today and openwrt master/snapshot shortly after, but both master & openwrt 19.07 dnsmasq package dnsmasq_2.80-16.3 have the 'log spam' fix.

So I can follow the steps in https://openwrt.org/docs/guide-developer/quickstart-build-images to build a new image and then flash with the sysupgrade one, right?

Sure you can, but just wait a few hours until buildbots have built the new package version, and then you can easily opkg install the new dnsmasq version.

No need to flash the whole firmware.

(mass upgrading all packages can lead into trouble, but upgrading just dnsmasq is easy and ok.)

1 Like

Thanks for your patience.
Just to make sure I understood it, the new dnsmasq package should show at some point in time in the following list, correct? (list produced after doing opkg update)

root@OpenWrt:~# opkg list-upgradable
luci-app-opkg - git-21.018.57536-6ba9740-1 - git-21.022.31068-7129723-1
luci-lib-ip - git-21.018.57536-6ba9740-1 - git-21.022.31068-7129723-1
luci-mod-system - git-21.018.57536-6ba9740-1 - git-21.022.31068-7129723-1
luci-theme-bootstrap - git-21.018.57536-6ba9740-1 - git-21.022.31068-7129723-1
netifd - 2019-08-05-5e02f944-1 - 2021-01-09-753c351b-1
luci-mod-status - git-21.018.57536-6ba9740-1 - git-21.022.31068-7129723-1
luci-app-firewall - git-21.018.57536-6ba9740-1 - git-21.022.31068-7129723-1
odhcp6c - 2019-01-11-e199804b-16 - 2021-01-09-64e1b4e7-16
luci-compat - git-21.018.57536-6ba9740-1 - git-21.022.31068-7129723-1
luci-proto-ppp - git-21.018.57536-6ba9740-1 - git-21.022.31068-7129723-1
luci-mod-admin-full - git-21.018.57536-6ba9740-1 - git-21.022.31068-7129723-1
luci-base - git-21.018.57536-6ba9740-1 - git-21.022.31068-7129723-1
luci-proto-ipv6 - git-21.018.57536-6ba9740-1 - git-21.022.31068-7129723-1
luci-lib-nixio - git-21.018.57536-6ba9740-1 - git-21.022.31068-7129723-1
luci-lib-jsonc - git-21.018.57536-6ba9740-1 - git-21.022.31068-7129723-1
luci - git-21.018.57536-6ba9740-1 - git-21.022.31068-7129723-1
luci-mod-network - git-21.018.57536-6ba9740-1 - git-21.022.31068-7129723-1

EDIT: As of now, the package is available, so please disregard this post.

1 Like

Running a build using 'dnsmasq - 2.84~~test3-1' for 12 hours
No logged error messages, seems to work as before.

1 Like

Hi all! Also experiencing the issue since moving to 19.07.6.

I have to compile my own images because I need to add a kmod driver that isn't in the releases yet. If I want to compile 19.07.6 from source with dnsmasq_2.80-16.3 included - how do I do that?

Thanks!

Strictly speaking, you can't. 19.07.6 is a historical release with static sources.

But the fix has been backported to the 19.07 branch, so you can checkout the openwrt-19.07 branch, git pull the newest sources, and you are good to go. (And you will also get the other fixes since 19.07.6)

See the commit log
https://git.openwrt.org/?p=openwrt/openwrt.git;a=shortlog;h=refs/heads/openwrt-19.07

Ps.
It would be also possible to checkout 19.07.6 and then manually apply the dnsmasq patch. But then you would miss the minor kernel update plus the IPv6 security fixes.

2 Likes

dnsmasq doesn't depend on any kernel modules, so even with a custom self-compiled image you can install dnsmasq via opkg. No need to compile in the newer package directly.

1 Like