Topic: Security update to dnsmasq?

Will anyone be generating a new Whiterussian package for dnsmasq to bring it up to the most recent version 2.45 which includes fixes for the reported DNS vulnerabilities?  The most recent one available on the package repository is version 2.35.

Thanks

Re: Security update to dnsmasq?

Hi,

The X-WRT Project provides recent package versions for White Russian:

http://x-wrt.org/

Package Repository:

ftp://ftp.berlios.de/pub/xwrt/packages/


Kalle.

Re: Security update to dnsmasq?

Here is what I have done; maybe this is useful for someone.  My starting point was OpenWRT White Russian RC3, which has been running smoothly on my router for years.

1. Make /etc/ipkg.conf writeable:
cd /etc
cp ipkg.conf ipkg.conf.rw
rm ipkg.conf
mv ipkg.conf.rw ipkg.conf

2. Add to /etc/ipkg.conf:
src xwrt ftp://ftp.berlios.de/pub/xwrt/packages

3. ipkg update

4. ipkg install dnsmasq
This asks whether you want to install the new package's dnsmasq.conf or keep your own one.  Unlike dpkg, ipkg doesn't give the option to show the differences.  So you might like to think ahead and make a copy of your dnsmasq.conf first.  I kept my old file because it had some customisations and I don't know what differences, if any, there are in the new default.

5. Make sure you have something like this in /etc/dnsmasq.conf:
dhcp-leasefile=/tmp/dhcp.leases
(i think this location may have been the default in a previous version; the default in this version seems to be somewhere in /var, which doesn't exist.)

6. Check if you have ipcalc.sh somewhere (my guess is that it's in the base-files of newer versions of White Russian, but I don't seem to have it in my RC3).  Note that this isn't the same as ipcalc (without the .sh) which is part of busybox.  If not, modify /etc/init.d/S60dnsmasq so that it doesn't use it; for example, follow the file's advice to put all the configuration in /etc/dnsmasq.conf and replace the file with a simple call to dnsmasq.

6. Cross fingers and reboot.  (For some reason it didn't work for me until I power-cycled.)

7. Enjoy.


I hope that's useful to someone.  It's unfortunate that it's so complex though.

Re: Security update to dnsmasq?

So, "Whiterussian will continue to be the recommended release for production use, but will no longer be maintained apart from critical security patches" from
http://forum.openwrt.org/viewtopic.php?pid=42105#p42105 isn't true (anymore)?

I'm a little bit upset about this. Don't get me wrong, OpenWRT works great and I'm thankful for the work of the developers, but a little message about this situation would have been nice.

So i have to switch to x-wrt to get security updates, if i don't want to reconfigure my box with kamikaze?
Upgrade with ipkg is not a good choice for me, because my box has not much space left.

Thank you!
Mario