
dnsmasq: update to use alpine dnsmasq#5948

Merged
eriknordmark merged 4 commits into
lf-edge:masterfrom
christoph-zededa:upgrade_dnsmasq
May 21, 2026

Conversation


@christoph-zededa christoph-zededa commented May 12, 2026

Description

I just saw https://www.heise.de/en/news/Pi-hole-update-closes-dnsmasq-security-vulnerabilities-11291212.html - might be good to update dnsmasq ...

version 2.92rel2
2.92 point release incorporating fixes for
CVE-2026-2291
CVE-2026-4890
CVE-2026-4891
CVE-2026-4892
CVE-2026-4893
CVE-2026-5172
(https://thekelleys.org.uk/dnsmasq/CHANGELOG )

How to test and validate this PR

Check that dnsmasq in version 2.92rel2 is running on the system

Changelog notes

Upgrade dnsmasq to include security fixes

PR Backports

For all current LTS branches, please state explicitly if this PR should be
backported or not. This section is used by our scripts to track the backports,
so, please, do not omit it.

Here is the list of current LTS branches (it should be always up to date):

  • 16.0-stable: yes
  • 14.5-stable: yes
  • 13.4-stable: yes

Also, to the PRs that should be backported into any stable branch, please
add a label stable.

Checklist

  • I've provided a proper description
  • I've added the proper documentation
  • I've tested my PR on amd64 device
  • I've tested my PR on arm64 device
  • I've written the test verification instructions
  • I've set the proper labels to this PR

And the last but not least:

  • I've checked the boxes above, or I've provided a good reason why I didn't
    check them.

Please, check the boxes above after submitting the PR in interactive mode.
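An added verification helper for the "How to test" step above (not part of the PR or of the EVE repository): it parses the `dnsmasq --version` banner and a `ps` listing to confirm a version floor and that every dnsmasq process runs as the user `nobody`, which is what the later commits pass via `-u/-g`. The sample banner and process listing are constructed so the script runs offline; the config paths in them are placeholders, and the floor (2.92 here) should be adjusted if the Alpine package reports a different patched version.

```shell
#!/bin/sh
# Added verification helper, not part of the PR or of EVE. Checks the two things the
# PR cares about: the dnsmasq version floor and that every dnsmasq process has
# dropped privileges to the user "nobody" (the -u/-g flags from the commits).

# Version token from the banner printed by `dnsmasq --version`.
dnsmasq_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Dnsmasq version \([^ ]*\).*/\1/p' | head -n 1
}

# True if version $1 is at least $2: compares major.minor numerically and
# ignores a "relN" suffix, so 2.92rel2 satisfies a 2.92 floor.
version_at_least() {
    [ -n "$1" ] || return 1                     # unparsable banner never passes
    h_maj=${1%%.*}; h_rest=${1#*.}; h_min=${h_rest%%[!0-9]*}
    w_maj=${2%%.*}; w_rest=${2#*.}; w_min=${w_rest%%[!0-9]*}
    if [ "$h_maj" -gt "$w_maj" ]; then return 0; fi
    [ "$h_maj" -eq "$w_maj" ] && [ "$h_min" -ge "$w_min" ]
}

# Distinct users owning a dnsmasq process in a `ps -eo user,comm,args` listing.
dnsmasq_runs_as() {
    printf '%s\n' "$1" | awk '$2 == "dnsmasq" { print $1 }' | sort -u
}

# True only if dnsmasq is running at all and every instance runs as nobody.
dnsmasq_all_unprivileged() {
    [ "$(dnsmasq_runs_as "$1")" = "nobody" ]
}

# Full check: version banner $1, process listing $2, minimum version $3.
dnsmasq_ok() {
    version_at_least "$(dnsmasq_version_from_banner "$1")" "$3" && dnsmasq_all_unprivileged "$2"
}

# Constructed sample outputs (config paths are placeholders, not EVE's).
BANNER_SAMPLE='Dnsmasq version 2.92rel2  Copyright (c) 2000-2025 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n'
PS_GOOD='USER     COMMAND   COMMAND
nobody   dnsmasq   /usr/sbin/dnsmasq -u nobody -g nobody -C /run/example/net1.conf
root     sshd      /usr/sbin/sshd'
PS_BAD="$PS_GOOD
root     dnsmasq   /usr/sbin/dnsmasq -C /run/example/net2.conf"

if command -v dnsmasq >/dev/null 2>&1; then   # live check on a device
    dnsmasq_ok "$(dnsmasq --version)" "$(ps -eo user,comm,args)" 2.92 && echo "live: OK" || echo "live: FAIL"
else                                           # offline demonstration on the samples
    dnsmasq_ok "$BANNER_SAMPLE" "$PS_GOOD" 2.92 && echo "sample: OK"
    dnsmasq_ok "$BANNER_SAMPLE" "$PS_BAD" 2.92 || echo "sample: FAIL (a dnsmasq instance runs as root)"
fi
```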

@github-actions github-actions Bot requested a review from eriknordmark May 12, 2026 14:31
@christoph-zededa christoph-zededa added bug Something isn't working stable Should be backported to stable release(s) labels May 12, 2026
@christoph-zededa
Contributor Author

Warning: Failed to download action 'https://codeload.github.com/github/codeql-action/tar.gz/c10b8064de6f491fea524254123dbe5e09572f13'. Error: Response status code does not indicate success: 429 (Too Many Requests). 2C41:111B6C:56A840:62D238:6A0339BD
Warning: Back off 24.724 seconds before retry.

:-(

@christoph-zededa
Contributor Author

/rerun red


codecov Bot commented May 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 21.07%. Comparing base (241bcc1) to head (6b12e91).
⚠️ Report is 7 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #5948      +/-   ##
==========================================
+ Coverage   20.65%   21.07%   +0.41%     
==========================================
  Files         489      499      +10     
  Lines       90373    92071    +1698     
==========================================
+ Hits        18665    19401     +736     
- Misses      70130    70913     +783     
- Partials     1578     1757     +179     



@eriknordmark eriknordmark left a comment


Run tests

Comment thread pkg/dnsmasq/dnsmasq-2.92rel2.tar.xz Outdated
@github-actions github-actions Bot requested a review from eriknordmark May 13, 2026 10:36
@christoph-zededa christoph-zededa force-pushed the upgrade_dnsmasq branch 2 times, most recently from 259d7ff to 1efbe64 on May 13, 2026 10:41
@christoph-zededa christoph-zededa marked this pull request as ready for review May 13, 2026 10:53

rene commented May 13, 2026

LGTM


rene commented May 13, 2026

@christoph-zededa , please, rebase on top of master....

@christoph-zededa
Contributor Author

> @christoph-zededa , please, rebase on top of master....

done, but it does not help with yetus (https://github.com/lf-edge/eve/actions/runs/25807155223/job/75813016215?pr=5948 )

I think it struggles when removing a file.


rene commented May 13, 2026

The original link doesn't seem to be very reliable (apparently it's a small server); it has failed to download on some runs. Do we have any other official mirror to download from? In the worst case, let's bring the binary back... sorry....

@christoph-zededa
Contributor Author

> The original link doesn't seem to be very reliable (apparently it's a small server); it has failed to download on some runs. Do we have any other official mirror to download from? In the worst case, let's bring the binary back... sorry....

Unfortunately I did not find a mirror, even the github mirror is behind (https://github.com/imp/dnsmasq/commits/master/ )

It's okay.

@eriknordmark
Contributor

> The original link doesn't seem to be very reliable (apparently it's a small server); it has failed to download on some runs. Do we have any other official mirror to download from? In the worst case, let's bring the binary back... sorry....

Would we get these patches if we just grab dnsmasq from Alpine 3.22?
The unique EVE-OS patches (around shorter or longer than /64 IPv6 prefixes) are not something we've needed for 4+ years - they were only needed for the LISP overlay network.

@christoph-zededa
Contributor Author

> The original link doesn't seem to be very reliable (apparently it's a small server); it has failed to download on some runs. Do we have any other official mirror to download from? In the worst case, let's bring the binary back... sorry....

> Would we get these patches if we just grab dnsmasq from Alpine 3.22? The unique EVE-OS patches (around shorter or longer than /64 IPv6 prefixes) are not something we've needed for 4+ years - they were only needed for the LISP overlay network.

For all the CVEs mentioned in this PR I see a patch in https://gitlab.alpinelinux.org/alpine/aports/-/tree/3.22-stable/main/dnsmasq

I am checking if we can just get rid of pkg/dnsmasq then.

@christoph-zededa
Contributor Author

Now it is using the package from alpine.
Two things I want to mention:

  1. Kept 1bf1104 so that I can cherry-pick it for the backports
  2. I am allowing packages in build-cache.sh to be overwritten: 1bf1104

@eriknordmark
Contributor

Are the files where the SPDX check fails added/modified by this PR, or are they copied from somewhere else?

@christoph-zededa
Contributor Author

> Are the files where the SPDX check fails added/modified by this PR, or are they copied from somewhere else?

They have been moved within the repository; anyway, I am fixing those ...

@christoph-zededa christoph-zededa force-pushed the upgrade_dnsmasq branch 2 times, most recently from 5f0ddcb to 3c28d31 on May 18, 2026 11:47
@christoph-zededa
Contributor Author

/rerun red

@christoph-zededa
Contributor Author

/rerun red

@eriknordmark
Contributor

I've tested this manually on two devices in the lab and it looks fine.


@eriknordmark eriknordmark left a comment


LGTM

version 2.92rel2
2.92 point release incorporating fixes for
CVE-2026-2291
CVE-2026-4890
CVE-2026-4891
CVE-2026-4892
CVE-2026-4893
CVE-2026-5172
(https://thekelleys.org.uk/dnsmasq/CHANGELOG )

Signed-off-by: Christoph Ostarek <christoph@zededa.com>
@eriknordmark
Contributor

@christoph-zededa a suggestion for the build failures:
Proposed fix unchanged: delete pkg/pillar/Dockerfile lines 213 and 220 of the PR head. No other edits required.

christoph-zededa and others added 3 commits May 21, 2026 09:27
Remove the dedicated eve-dnsmasq container image (Dockerfile, source tarball,
patches, and tests) and use the dnsmasq package from Alpine instead.
The binary stays at its default Alpine location /usr/sbin/dnsmasq.
Pass -u/-g nobody to drop privileges so as not to use the patched user/group
from APKBUILD.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Christoph Ostarek <christoph@zededa.com>
in order to get the newest package with fixes, etc.

Signed-off-by: Christoph Ostarek <christoph@zededa.com>
to trigger re-download of the newest packages from alpine

and bump package hashes

Signed-off-by: Christoph Ostarek <christoph@zededa.com>
@eriknordmark eriknordmark changed the title dnsmasq: update to 2.92rel2 dnsmasq: update to use alpine dnsmasq May 21, 2026
@eriknordmark eriknordmark merged commit 8fa79c1 into lf-edge:master May 21, 2026
36 of 37 checks passed