mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-02-02 09:55:18 +00:00
4b31da3478
This is yet another refinement to the fix for CVE-2012-3411: https://bugzilla.redhat.com/show_bug.cgi?id=833033 It turns out that it would be very intrusive to correctly backport the entire --bind-dynamic option to older dnsmasq versions (e.g. dnsmasq-2.48 that is used on RHEL6.x and CentOS 6.x), but very simple to patch those versions to just use SO_BINDTODEVICE on all their listening sockets (SO_BINDTODEVICE also has the desired effect of permitting only traffic that was received on the interface(s) where dnsmasq was set to listen.) This patch modifies the dnsmasq capabilities detection to detect the string: --bind-interfaces with SO_BINDTODEVICE in the output of "dnsmasq --version", and in that case realize that using the old --bind-interfaces option is just as safe as --bind-dynamic (and therefore *not* forbid creation of networks that use public IP address ranges). If -bind-dynamic is available, it is still preferred over --bind-interfaces. Note that this patch does no harm in upstream, or in any distro's downstream if it happens to end up there, but builds for distros that have a new enough dnsmasq to support --bind-dynamic do *NOT* need to specifically backport this patch; it's only required for distro releases that have dnsmasq too old to have --bind-dynamic (and those distros will need to add the SO_BINDTODEVICE patch to dnsmasq, *including the extra string in the --version output*, as well.
LibVirt : simple API for virtualization
Libvirt is a C toolkit to interact with the virtualization capabilities
of recent versions of Linux (and other OSes). It is free software
available under the GNU Lesser General Public License. Virtualization of
the Linux Operating System means the ability to run multiple instances of
Operating Systems concurrently on a single hardware system where the basic
resources are driven by a Linux instance. The library aim at providing
long term stable C API initially for the Xen paravirtualization but
should be able to integrate other virtualization mechanisms if needed.
Daniel Veillard <veillard@redhat.com>