From 7cbf497da4100ea0d1c1974b59f9503e15a0cf80 Mon Sep 17 00:00:00 2001
From: Simon Kelley
Date: Wed, 26 Sep 2018 18:03:10 +0100
Subject: [PATCH] Example config file fix for CERT Vulnerability VU#598349.
---
 CHANGELOG | 4 ++++
 dnsmasq.conf.example | 5 +++++
 2 files changed, 9 insertions(+)
diff --git a/CHANGELOG b/CHANGELOG
index 9013977..f526acb 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -64,6 +64,10 @@ version 2.80 now always forward, and never answer from the cache. This allows "dig +trace" command to work. + Include in the example config file a formulation which + stops DHCP clients from claiming the DNS name "wpad". + This is a fix for the CERT Vulnerability VU#598349. + version 2.79 Fix parsing of CNAME arguments, which are confused by extra spaces.
diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
index 008ddb7..bf19424 100644
--- a/dnsmasq.conf.example
+++ b/dnsmasq.conf.example
@@ -672,3 +672,8 @@
 # Include all files in a directory which end in .conf
 #conf-dir=/etc/dnsmasq.d/,*.conf
+
+# If a DHCP client claims that its name is "wpad", ignore that.
+# This fixes a security hole. see CERT Vulnerability VU#598349
+#dhcp-name-match=set:wpad-ignore,wpad
+#dhcp-ignore-names=tag:wpad-ignore
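Review bot: The two directives added at the end of dnsmasq.conf.example are commented out, so a site that copies the file gets no protection until both `#dhcp-name-match=set:wpad-ignore,wpad` and `#dhcp-ignore-names=tag:wpad-ignore` are uncommented, and the comment above them does not say so. "This fixes a security hole" also leaves the reader to look up VU#598349 to learn what is at risk. I would spell it out, for example `# A DHCP client that registers the name "wpad" can end up answering proxy auto-discovery lookups for other hosts.` followed by `# Uncomment both lines below to ignore that client-supplied name (CERT VU#598349).` Because only the example file changes, the CHANGELOG entry in the same patch would read more accurately as an opt-in mitigation than as "a fix".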