Sync from SUSE:SLFO:Main unbound revision ae59cbc72d99ca268ce1f67684c94b4f

This commit is contained in:
Adrian Schröter 2024-08-21 17:42:58 +02:00
parent d866b2eb8c
commit 997b8cad5c
11 changed files with 1241 additions and 38 deletions

4
_multibuild Normal file
View File

@ -0,0 +1,4 @@
<multibuild>
<package>libunbound-devel-mini</package>
</multibuild>

View File

@ -1,3 +1,595 @@
-------------------------------------------------------------------
Thu Aug 15 09:24:29 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to 1.21.0:
Security Fixes:
* Merge #1073: fix null pointer dereference issue in function
ub_ctx_set_fwd.
[CVE-2024-43167, bsc#1229068]
Features:
* Fix #1071: [FR] Clear both in-memory and cachedb module cache
with `unbound-control flush*` commands.
* Fix #144: Port ipset to BSD pf tables.
* Add dnstap-sample-rate that logs only 1/N messages, for high
volume server environments. Thanks Dan Luther.
* Add root key 38696 from 2024 for DNSSEC validation. It is added
to the default root keys in unbound-anchor. The content can be
inspected with `unbound-anchor -l`.
* Merge #1090: Cookie secret file. Adds `cookie-secret-file:
"unbound_cookiesecrets.txt"` option to store cookie secrets for
EDNS COOKIE secret rollover. The remote control
add_cookie_secret, activate_cookie_secret and
drop_cookie_secret commands can be used for rollover, the
command print_cookie_secrets shows the values in use.
Bug Fixes:
* Fix CAMP issues with global quota. Thanks to Huayi
Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec
group, ETH Zurich.
* Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda
Afek, Anat Bremler-Barr, Shoham Danino and Yuval Shavitt
(Tel-Aviv University and Reichman University).
* Merge #1062: Fix potential overflow bug while parsing port in
function cfg_mark_ports.
* Fix for #1062: declaration before statement, avoid print of
null, and redundant check for array size.
* Fix to squelch udp connect errors in the log at low verbosity
about invalid argument for IPv6 link local addresses.
* Fix when the mesh jostle is exceeded that nameserver targets
are marked as resolved, so that the lookup is not stuck on the
requestlist.
* Add missing common functions to tdir tests.
* Merge #1070: Fix rtt assignement for low values of
infra-cache-max-rtt.
* Merge #1069: Fix unbound-control stdin commands for
multi-process Unbounds.
* Fix unbound-control commands that read stdin in multi-process
operation (local_zones_remove, local_zones, local_datas_remove,
local_datas, view_local_datas_remove, view_local_datas). They
will be properly distributed to all processes. dump_cache and
load_cache are no longer supported in multi-process operation.
* Remove testdata/remote-threaded.tdir.
testdata/09-unbound-control.tdir now checks both single and
multi process/thread operation.
* Fix to print a parse error when config is read with no name for
a forward-zone, stub-zone or view.
* Fix for parse end of forward-zone, stub-zone and view.
* Fix for #1064: Fix that cachedb expired messages are considered
insecure, and thus can be served to clients when dnssec is
enabled.
* Fix #1059: Intermittent DNS blocking failure with local-zone
and always_nxdomain. Addition of local_zones dynamically via
unbound-control was not finding the zone's parent correctly.
* Fix #1064: Unbound 1.20 Cachedb broken?
* Fix unused variable warning on compilation with no thread
support.
* unbound-control-setup: check openssl availability before doing
anything, patch from Michael Tokarev.
* Update patch to remove 'command' shell builtin and update error
text.
* Fix to enable that SERVFAIL is cached, for a short period, for
more cases. In the cases where limits are exceeded.
* Fix spelling of tcp-idle-timeout docs, from Michael Tokarev.
* Merge #1078: Only check old pid if no username.
* Fix #1079: tags from tagged rpz zones are no longer honored
after upgrade from 1.19.3 to 1.20.0.
* Fix for #1079: fix RPZ taglist in iterator callback that no
client info is like no taglist intersection.
* Fix to squelch connection reset by peer errors from log. And
fix that the tcp read errors are labeled as initial for the
first calls.
* Merge #1080: AddressSanitizer detection in tdir tests and
memory leak fixes.
* Fix memory leak when reload_keep_cache is used and num-threads
changes.
* Fix memory leak on exit for unbound-dnstap-socket; creates
false negatives during testing.
* Fix memory leak in setup of dsa sig.
* Fix typos for 'the the' in text.
* Fix validation for repeated use of a DNAME record.
* Add unit test for validation of repeated use of a DNAME record.
* Fix #1091: Build fails with OpenSSL >= 3.0 built with
OPENSSL_NO_DEPRECATED.
* Fix #1092: Ubuntu 22.04 Jammy fails to compile unbound 1.20.0;
by adding helpful text for the Python interpreter version and
allowing the default pkg-config unavailability error message to
be shown.
* Fix pkg-config availability check in dnstap/dnstap.m4 and
systemd.m4.
* Explicitly set the RD bit for the mesh query flags when
prefetching. These queries have no waiting client but they need
to be treated as recursive.
* Fix ip-ratelimit-cookie setting, it was not applied.
* Fix to remove unused include from the readzone test program.
* Fix unused variable warning in do_cache_remove.
* Fix compile warning in worker pthread id printout.
* Add unit test skip files and bison and flex output to
gitignore.
* Fix to use modstack_init in zonemd unit test.
* Fix to remove unneeded linebreak in fptr_wlist.c.
* Fix compile warnings in fptr_wlist.c.
* Fix for repeated use of a DNAME record: first overallocate and
then move the exact size of the init value to avoid false
positive heap overflow reads from address sanitizers.
* Fix to print details about the failure to lookup a DNSKEY
record when validation fails due to the missing DNSKEY. Also
for key prime and DS lookups.
* Fix for neater printout for error for missing DS response.
* Fix neater printout.
* Fix #1099: Unbound core dump on SIGSEGV.
* Fix for #1099: Fix to check for deleted RRset when the contents
is updated and fetched after it is stored, and also check for a
changed RRset.
* Don't check for message TTL changes if the RRsets remain the
same.
* Fix that validation reason failure that uses string print uses
separate buffer that is passed, from the scratch validation
buffer.
* Fixup algo_needs_reason string buffer length.
* Fix shadowed error string variable in validator dnskey
handling.
* Update list of known EDE codes.
* For #773: In contrib/unbound.service.in set unbound to start
after network-online.target. Also for
contrib/unbound_portable.service.in.
* Fix #1103: unbound 1.20.0 segmentation fault with nghttp2.
* For #1103: fix to also drop mesh state reference when a h2
reply is dropped.
* Add RPZ tag tests in acl_interface.tdir.
* For #1102: clearer text for using interface-* options for the
loopback interface.
* For #1103: fix to also drop mesh state reference when the
discard limit is reached, when there is an error making a new
recursion state and when the connection is dropped with
is_drop.
* For #1103: Fix to drop mesh state reference for the http2
stream associated with the reply, not the currently active
stream. And it does not remove it twice on a mesh_send_reply
call. The reply h2_stream is NULL when not in use, for more
initialisation.
* Fix dnstap wakeup, a running wakeup timer is left to expire and
not increased, a timer is started when the dtio thread is
sleeping, the timer set disabled when the dtio thread goes to
sleep, and after sleep the thread checks to see if there are
messages to log immediately.
* Merge #1110: Make fallthrough explicit for libworker.c.
* For #1110: Test for fallthrough attribute in configure and add
fallthrough attribute annotations.
* Fix compile when the compiler does not support the noreturn
attribute.
* Fix to have empty definition when not supported for weak
attribute.
* Fix uninitialized variable warning in create_tcp_accept_sock.
* Fix link of dnstap without openssl.
* Fix link of unbound-dnstap-socket without openssl.
* Fix #1106: ratelimit-below-domain logs the wrong FROM address.
* Cleanup ede.tdir test.
* For #935 and #1104, clarify RPZ order and semantics.
* Fix to document parameters of auth_zone_verify_zonemd_with_key.
* Fix for #1114: Fix that cache fill for forward-host names is
performed, so that with nonzero target-fetch-policy it fetches
forwarder addresses and uses them from cache. Also updated that
delegation point cache fill routines use CDflag for AAAA
message lookups, so that its negative lookup stops a recursion
since the cache uses the bit for disambiguation for dns64 but
the recursion uses CDflag for the AAAA target lookups, so the
check correctly stops a useless recursion by its cache lookup.
* Fix dnstap test program, cleans up to have clean memory on
exit, for tap_data_free, does not delete NULL items. Also it
does not try to free the tail, specifically in the free of the
list since that picked up the next item in the list for its
loop causing invalid free. Added internal unit test to
unbound-dnstap-socket for that.
* Fix that the worker mem report with alloc stats does not
attempt to print memory use of forwards and hints if they have
been deleted already.
* Fix that alloc stats has strdup checks, it stops debuggers from
complaining about mismatch at free time.
* Fix testbound for alloc stats strdup in util/alloc.c.
* Fix that alloc stats for forwards and hints are printed, and
when alloc stats is enabled, the unit test for unbound control
waits for reloads to complete.
* Fix that for windows the module startup is called and sets up
the module-config.
* Fix spelling for the cache-min-negative-ttl entry in the
example.conf.
-------------------------------------------------------------------
Wed May 8 09:15:01 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to 1.20.0:
Features:
* The config for discard-timeout, wait-limit, wait-limit-cookie,
wait-limit-netblock and wait-limit-cookie-netblock was added,
for the fix to the DNSBomb issue.
* Merge GH#1027: Introduce 'cache-min-negative-ttl' option.
* Merge GH#1043 from xiaoxiaoafeifei: Add loongarch support;
updates config.guess(2024-01-01) and config.sub(2024-01-01),
verified with upstream.
* Implement cachedb-check-when-serve-expired: yes option, default
is enabled. When serve expired is enabled with cachedb, it
first checks cachedb before serving the expired response.
* Fix GH#876: [FR] can unbound-checkconf be silenced when
configuration is valid?
Bug Fixes:
* Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to
Xiang Li from the Network and Information Security Lab of
Tsinghua University for reporting it.
* Update doc/unbound.doxygen with 'doxygen -u'. Fixes option
deprecation warnings and updates with newer defaults.
* Remove unused portion from iter_dname_ttl unit test.
* Fix validator classification of qtype DNAME for positive and
redirection answers, and fix validator signature routine for
dealing with the synthesized CNAME for a DNAME without
previously encountering it and also for when the qtype is
DNAME.
* Fix qname minimisation for reply with a DNAME for qtype CNAME
that answers it.
* Fix doc test so it ignores but outputs unsupported doxygen
options.
* Fix GH#1021 Inconsistent Behavior with Changing
rpz-cname-override and doing a unbound-control reload.
* Merge GH#1028: Clearer documentation for tcp-idle-timeout and
edns-tcp-keepalive-timeout.
* Fix GH#1029: rpz trigger clientip and action rpz-passthru not
working as expected.
* Fix rpz that the rpz override is taken in case of clientip
triggers. Fix that the clientip passthru action is logged. Fix
that the clientip localdata action is logged. Fix rpz override
action cname for the clientip trigger.
* Fix to unify codepath for local alias for rpz cname action
override.
* Fix rpz for cname override action after nsdname and nsip
triggers.
* Fix that addrinfo is not kept around but copied and freed, so
that log-destaddr uses a copy of the information, much like NSD
does.
* Merge GH#1030: Persist the openssl and expat directories for
repeated Windows builds.
* Fix that rpz CNAME content is limited to the max number of
cnames.
* Fix rpz, it follows iterator CNAMEs for nsip and nsdname and
sets the reply query_info values, that is better for debug
logging.
* Fix rpz that copies the cname override completely to the temp
region, so there are no references to the rpz region.
* Add rpz unit test for nsip action override.
* Fix rpz for qtype CNAME after nameserver trigger.
* Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix
that clientip and nsip can give a CNAME.
* Fix localdata and rpz localdata to match CNAME only if no
direct type match is available.
* Merge GH#831 from Pierre4012: Improve Windows NSIS installer
script (setup.nsi).
* For GH#831: Format text, use exclamation icon and explicit label
names.
* Fix name of unit test for subnet cache response.
* Fix GH#1032: The size of subnet_msg_cache calculation mistake
cause memory usage increased beyond expectations.
* Fix for GH#1032, add safeguard to make table space positive.
* Fix comment in lruhash space function.
* Fix to add unit test for lruhash space that exercises the
routines.
* Fix that when the server truncates the pidfile, it does not
follow symbolic links.
* Fix that the server does not chown the pidfile.
* Fix GH#1034: DoT forward-zone via unbound-control.
* Fix for crypto related failures to have a better error string.
* Fix GH#1035: Potential Bug while parsing port from the
"stub-host" string; also affected forward-zones and
remote-control host directives.
* Fix GH#369: dnstap showing extra responses; for client responses
right from the cache when replying with expired data or
prefetching.
* Fix GH#1040: fix heap-buffer-overflow issue in function
cfg_mark_ports of file util/config_file.c.
* For GH#1040: adjust error text and disallow negative ports in
other parts of cfg_mark_ports.
* Fix comment syntax for view function views_find_view.
* Fix GH#595: unbound-anchor cannot deal with full disk; it will
now first write out to a temp file before replacing the
original one, like Unbound already does for
auto-trust-anchor-file.
* Fixup compile without cachedb.
* Add test for cachedb serve expired.
* Extended test for cachedb serve expired.
* Fix makefile dependencies for fake_event.c.
* Fix cachedb for serve-expired with serve-expired-reply-ttl.
* Fix to not reply serve expired unless enabled for cachedb.
* Fix cachedb for serve-expired with
serve-expired-client-timeout.
* Fixup unit test for cachedb server expired client timeout with
a check if response if from upstream or from cachedb.
* Fixup cachedb to not refetch when serve-expired-client-timeout
is used.
* Merge GH#1049 from Petr Menšík: Py_NoSiteFlag is not needed since
Python 3.8
* Fix GH#1048: Update ax_pkg_swig.m4 and ax_pthread.m4.
* Fix configure, autoconf for GH#1048.
* Add checklock feature verbose_locking to trace locks and
unlocks.
* Fix edns subnet to sort rrset references when storing messages
in the cache. This fixes a race condition in the rrset locks.
* Merge GH#1053: Remove child delegations from cache when
grandchild delegations are returned from parent.
* Fix ci workflow for macos for moved install locations.
* Fix configure flto check error, by finding grep for it.
* Merge GH#1041: Stub and Forward unshare. This has one structure
for them and fixes GH#1038: fatal error: Could not initialize
thread / error: reading root hints.
* Fix to disable fragmentation on systems with IP_DONTFRAG, with
a nonzero value for the socket option argument.
* Fix doc unit test for out of directory build.
* Fix cachedb with serve-expired-client-timeout disabled. The
edns subnet module deletes global cache and cachedb cache when
it stores a result, and serve-expired is enabled, so that the
global reply, that is older than the ecs reply, does not return
after the ecs reply expires.
* Add unit tests for cachedb and subnet cache expired data.
* Man page entry for unbound-checkconf -q.
* Cleanup unnecessary strdup calls for EDE strings.
* Fix doxygen comment for errinf_to_str_bogus.
-------------------------------------------------------------------
Wed Mar 20 13:09:17 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to 1.19.3:
* Features:
- Merge PR #973: Use the origin (DNAME) TTL for synthesized
CNAMEs as per RFC 6672.
* Bug Fixes
- Fix unit test parse of origin syntax.
- Use 127.0.0.1 explicitly in tests to avoid delays and errors
on newer systems.
- Fix #964: config.h.in~ backup file in release tar balls.
- Merge #968: Replace the obsolescent fgrep with grep -F in
tests.
- Merge #971: fix 'WARNING: Message has 41 extra bytes at end'.
- Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.
- Fix dnstap that assertion failed on logging other than UDP
and TCP traffic. It lists it as TCP traffic.
- Fix to sync the tests script file common.sh.
- iana portlist update.
- Updated IPv4 and IPv6 address for b.root-servers.net in root
hints.
- Update test script file common.sh.
- Fix tests to use new common.sh functions, wait_logfile and
kill_from_pidfile.
- Fix #974: doc: default number of outgoing ports without
libevent.
- Merge #975: Fixed some syntax errors in rpl files.
- Fix root_zonemd unit test, it checks that the root ZONEMD
verifies, now that the root has a valid ZONEMD.
- Update example.conf with cookie options.
- Merge #980: DoH: reject non-h2 early. To fix #979: Improve
errors for non-HTTP/2 DoH clients.
- Merge #985: Add DoH and DoT to dnstap message.
- Fix #983: Sha1 runtime insecure change was incomplete.
- Remove unneeded newlines and improve indentation in remote
control code.
- Merge #987: skip edns frag retry if advertised udp payload
size is not smaller.
- Fix unit test for #987 change in udp1xxx retry packet send.
- Merge #988: Fix NLnetLabs#981: dump_cache truncates large
records.
- Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.
- Fix to link with libssp for libcrypto and getaddrinfo check
for only header. Also update crosscompile to remove ssp for
32bit.
- Merge #993: Update b.root-servers.net also in example config
file.
- Update workflow for ports to use newer openssl on windows
compile.
- Fix warning for windres on resource files due to
redefinition.
- Fix for #997: Print details for SSL certificate failure.
- Update error printout for duplicate trust anchors to include
the trust anchor name (relates to #920).
- Update message TTL when using cached RRSETs. It could result
in non-expired messages with expired RRSETs (non-usable
messages by Unbound).
- Merge #999: Search for protobuf-c with pkg-config.
- Fix #1006: Can't find protobuf-c package since #999.
- Fix documentation for access-control in the unbound.conf man
page.
- Merge #1010: Mention REFUSED has the TC bit set with
unmatched allow_cookie acl in the manpage. It also fixes the
code to match the documentation about clients with a valid
cookie that bypass the ratelimit regardless of the
allow_cookie acl.
- Document the suspend argument for process_ds_response().
- Move github workflows to use checkoutv4.
- Fix edns subnet replies for scope zero answers to not get
stored in the global cache, and in cachedb, when the upstream
replies without an EDNS record.
- Fix for #1022: Fix ede prohibited in access control refused
answers.
- Fix unbound-control-setup.cmd to use 3072 bits so that
certificates are long enough for newer OpenSSL versions.
- Fix TTL of synthesized CNAME when a DNAME is used from cache.
- Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
like unbound-control-setup.sh has.
-------------------------------------------------------------------
Fri Mar 8 10:15:41 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to 1.19.2:
* Bug Fixes:
- Fix CVE-2024-1931, Denial of service when trimming EDE text
on positive replies.
[bsc#1221164]
-------------------------------------------------------------------
Wed Feb 28 13:35:31 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Update to 1.19.1:
* Bug Fixes: [bsc#1219823, CVE-2023-50387][bsc#1219826, CVE-2023-50868]
- Fix CVE-2023-50387, DNSSEC verification complexity can be
exploited to exhaust CPU resources and stall DNS resolvers.
- Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
-------------------------------------------------------------------
Tue Feb 6 13:27:06 UTC 2024 - Stefan Seyfried <seife+obs@b1-systems.com>
- as we use --disable-explicit-port-randomisation, also disable
outgoing-port-permit and outgoing-port-avoid in config file to
suppress the related unbound-checkconf warnings on every start
-------------------------------------------------------------------
Fri Nov 17 09:50:18 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Update to 1.19.0:
* Features:
- Fix #850: [FR] Ability to use specific database in Redis, with
new redis-logical-db configuration option.
- Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream
requests. This can be helpful for devices that cannot handle
DNSSEC information. But it should not be enabled otherwise, because
that would stop DNSSEC validation. The DNSSEC validation would not
work for Unbound itself, and also not for downstream users. Default
is no. The option is disable-edns-do: no
- Expose the script filename in the Python module environment 'mod_env'
instead of the config_file structure which includes the linked list
of scripts in a multi Python module setup; fixes #79.
- Expose the configured listening and outgoing interfaces, if any, as
a list of strings in the Python 'config_file' class instead of the
current Swig object proxy; fixes #79.
- Mailing list patches from Daniel Gröber for DNS64 fallback to plain
AAAA when no A record exists for synthesis, and minor DNS64 code
refactoring for better readability.
- Merge #951: Cachedb no store. The cachedb-no-store: yes option is
used to stop cachedb from writing messages to the backend storage.
It reads messages when data is available from the backend.
The default is no.
* Bug Fixes:
- Fix for version generation race condition that ignored changes.
- Fix #942: 1.18.0 libunbound DNS regression when built without OpenSSL.
- Fix for WKS call to getservbyname that creates allocation on exit in
unit test by testing numbers first and testing from the services list later.
- Fix autoconf 2.69 warnings in configure.
- Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1.
- Merge #931: Prevent warnings from -Wmissing-prototypes.
- Fix to scrub resource records of type A and AAAA that have an
inappropriate size. They are removed from responses.
- Fix to move msgparse_rrset_remove_rr code to util/msgparse.c.
- Fix to add EDE text when RRs have been removed due to length.
- Fix to set ede match in unit test for rr length removal.
- Fix to print EDE text in readable form in output logs.
- Fix send of udp retries when ENOBUFS is returned. It stops looping
and also waits for the condition to go away. Reported by Florian Obser.
- Fix authority zone answers for obscured DNAMEs and delegations.
- Merge #936: Check for c99 with autoconf versions prior to 2.70.
- Fix to remove two c99 notations.
- Fix rpz tcp-only action with rpz triggers nsdname and nsip.
- Fix misplaced comment.
- Merge #881: Generalise the proxy protocol code.
- Fix #946: Forwarder returns servfail on upstream response noerror no data.
- Fix edns subnet so that queries with a source prefix of zero cause the
recursor send no edns subnet option to the upstream.
- Fix that printout of EDNS options shows the EDNS cookie option by name.
- Fix infinite loop when reading multiple lines of input on a broken remote
control socket. Addesses #947 and #948.
- Fix #949: "could not create control compt".
- Fix that cachedb does not warn when serve-expired is disabled about use
of serve-expired-reply-ttl and serve-expired-client-timeout.
- Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x.
- Better fix for infinite loop when reading multiple lines of input on a
broken remote control socket, by treating a zero byte line the same as
transmission end. Addesses #947 and #948.
- For multi Python module setups, clean previously parsed module functions
in __main__'s dictionary, if any, so that only current module functions
are registered.
- Fix #954: Inconsistent RPZ handling for A record returned along with CNAME.
- Fixes for the DNS64 patches.
- Update the dns64_lookup.rpl test for the DNS64 fallback patch.
- Merge #955 from buevsan: fix ipset wrong behavior.
- Update testdata/ipset.tdir test for ipset fix.
- Fix to print detailed errors when an SSL IO routine fails via SSL_get_error.
- Clearer configure text for missing protobuf-c development libraries.
- autoconf.
- Merge #930 from Stuart Henderson: add void to log_ident_revert_to_default
declaration.
- Fix #941: dnscrypt doesn't work after upgrade to 1.18 with suggestion by
dukeartem to also fix the udp_ancil with dnscrypt.
- Fix SSL compile failure for definition in log_crypto_err_io_code_arg.
- Fix SSL compile failure for other missing definitions in log_crypto_err_io_code_arg.
- Fix compilation without openssl, remove unused function warning.
- Mention flex and bison in README.md when building from repository source.
-------------------------------------------------------------------
Thu Sep 7 08:03:33 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Update to 1.18.0:
* Features:
- Аdd a metric about the maximum number of collisions in lrushah.
- Set max-udp-size default to 1232. This is the same default value
as the default value for edns-buffer-size. It restricts client
edns buffer size choices, and makes unbound behave similar to
other DNS resolvers.
- Add harden-unknown-additional option. It removes unknown records
from the authority section and additional section.
- Added new static zone type block_a to suppress all A queries for
specific zones.
- [FR] Ability to use Redis unix sockets.
- [FR] Ability to set the Redis password.
- Features/dropqueuedpackets, with sock-queue-timeout option that
drops packets that have been in the socket queue for too long.
Added statistics num.queries_timed_out and query.queue_time_us.max
that track the socket queue timeouts.
- 'eqvinox' Lamparter: NAT64 support.
- [FR] Use kernel timestamps for dnstap.
- Add cachedb hit stat. Introduces 'num.query.cachedb' as a new
statistical counter.
- Add SVCB dohpath support.
- Add validation EDEs to queries where the CD bit is set.
- Add prefetch support for subnet cache entries.
- Add EDE (RFC8914) caching.
- Add support for EDE caching in cachedb and subnetcache.
- Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server
cookies for clients that send client cookies. This needs to be explicitly
turned on in the config file with: `answer-cookie: yes`.
* Bug Fixes
- Response change to NODATA for some ANY queries since 1.12.
- Fix not following cleared RD flags potentially enables
amplification DDoS attacks.
- Set default for harden-unknown-additional to no. So that it
does not hamper future protocol developments.
- Fix to ignore entirely empty responses, and try at another authority.
This turns completely empty responses, a type of noerror/nodata into
a servfail, but they do not conform to RFC2308, and the retry can fetch
improved content.
- Allow TTL refresh of expired error responses.
- Fix: Unexpected behavior with client-subnet-always-forward and serve-expired
- Fix unbound-dnstap-socket test program to reply the finish frame over
a TLS connection correctly.
- Fix: reserved identifier violation
- Fix: Unencrypted query is sent when forward-tls-upstream: yes is used
without tls-cert-bundle
- Extra consistency check to make sure that when TLS is requested,
either we set up a TLS connection or we return an error.
- Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record.
- Fix: Bad interaction with 0 TTL records and serve-expired
- Fix RPZ IP responses with trigger rpz-drop on cache entries.
- Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
- Fix dereference of NULL variable warning in mesh_do_callback.
- Fix ip_ratelimit test to work with dig that enables DNS cookies.
- Fix for iter_dec_attempts that could cause a hang, part of capsforid
and qname minimisation, depending on the settings.
- Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
- Fix stat_values test to work with dig that enables DNS cookies.
- unbound.service: Main process exited, code=killed, status=11/SEGV.
Fixes cachedb configuration handling.
- Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply.
-------------------------------------------------------------------
Thu May 4 13:57:54 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
- Add _multibuild to define additional spec files as additional
flavors.
Eliminates the need for source package links in OBS.
-------------------------------------------------------------------
Thu Feb 23 09:15:48 UTC 2023 - Pedro Monreal <pmonreal@suse.com>

View File

@ -1,7 +1,7 @@
#
# spec file for package libunbound-devel-mini
#
# Copyright (c) 2023 SUSE LLC
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -22,7 +22,8 @@
%bcond_without hardened_build
#
Name: libunbound-devel-mini
Version: 1.17.1
Version: 1.21.0
#!BcntSyncTag: unbound
Release: 0
Summary: Just a devel package for build loops
License: BSD-3-Clause

BIN
unbound-1.17.1.tar.gz (Stored with Git LFS)

Binary file not shown.

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmO/wmUACgkQn28cLX4E
X40EBxAApOIAHQGYxRcnMWgqB+hN2YR+M/CcOz19UiQ/KrG8f+ji9mUfIUsUTQsa
Oat/TuWPqQ4gCXocX4Dc4+LE0bebHVJkg4TQniEIjYOWja/6uBOfav14GBfJsq+m
3A9IBdOGYTAR5mGfTs1cxJfWAbX3U+oroKwn5zPh+wCRR0CoY8sEumZu7Tzb4yUx
OPhlj1Qzz/NkSi+0RkwogJy2hHdXVvHYUtTDKheFye/GeGa+trRnu8mCKpuyw6N9
dnQ7oXlCds8JW7YgaBf4qh1pH6VO18CTo7KG3yKiEeRb+HRRmr7KKQUOlefjcct+
QKOFhSPnVYhfvaPYEQiqVQ92ae7/wBT6cQzOMXRbY+NQjr/QfeF3QWTMRFrz3kHn
ZccpvcsjOR3wRDGQkcaa8ta40soEkzD+XRPK4oxB9D/Z5FOVoR/WTX9DZVm7PJ5+
SGHFBGOddICBWao1h01KCSyQ7nxNi1lLIRndj+AKtQAW/kO8hKh4YYKHAlI0dRQD
MLitcrQOU1pJha+hhb/87BihtXlevUVO45ctCLLooSCrVG8cca8p3jwvJoPPwdCp
1MBVZv8STPAO//4XoZkAtTcgnaUle/ro/1DFmAK/IhDyU4KP6l3uvcUvsk3Xpk1O
AzazgiqVuIYXQ98cTh0QzAGUuFAWNFqWSF2mj+poNv0RnL/J14U=
=xZw4
-----END PGP SIGNATURE-----

BIN
unbound-1.21.0.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

16
unbound-1.21.0.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAma9sjoACgkQn28cLX4E
X43OQhAApRqRpVAILKhqBjf2ilKLqEFgCxyT4cXiMVBTMtlx9/bTxec/JeXVdO7h
nA4oFb7HwRPkOJnTfwk7kWk8SFBoGv+lb2YVdgSgaftqgFR3dmoyACIf9QqyFUuO
kLiIpNer6f1rRmGs850t+XE9YS+Adn3jPi6r5vnuXekoXjY8h18cSRSlWL42At2j
V7NpCbRUshwCP71PS1AVE1SHtHsxD5yCrCzuMDTZIroCiAPu4k0JkqKri7ie4cqf
rjvqsVN7fngXj3bLShJcjcnBRxMoEMJ5ubY7d9SZBm8kvREy1ILAmlwejhhcZzC7
Yc14v+wreaEYte1KmVwtgFDwvwbJqho2OwRJgPmUVVyJ8F15ESsl5ahgZJhZ893o
BCbapmEMJEPsIzITbvJg+WOwpFZQp6VZu+NQqd12WTanZuIwnp54Q/YQo0RqTfK4
qyMLKFmKXmaKNmgqtXcs2Bn6NVeDZpO/f0B1/fDkUot4xSGHWIEQGK/u5DHbemyS
/3DaTvUQVLke9E3pDDP6J5qvc7tRZK6qQ4GXwkc7FFocHzos54aCusyUQw22K7k4
MEOwlQBqcof5UeLRkGVhianOsxzFGIiNC/LNI4pJlKT13u20YiBpweNJBC+jMIJI
Ohz4vCE74OgT3M74I+dmKzEk6Xvor0id7eKsLpbiJuaof+j4oUQ=
=1ZET
-----END PGP SIGNATURE-----

View File

@ -1,3 +1,619 @@
-------------------------------------------------------------------
Thu Aug 15 09:24:29 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to 1.21.0:
Security Fixes:
* Merge #1073: fix null pointer dereference issue in function
ub_ctx_set_fwd.
[CVE-2024-43167, bsc#1229068]
Features:
* Fix #1071: [FR] Clear both in-memory and cachedb module cache
with `unbound-control flush*` commands.
* Fix #144: Port ipset to BSD pf tables.
* Add dnstap-sample-rate that logs only 1/N messages, for high
volume server environments. Thanks Dan Luther.
* Add root key 38696 from 2024 for DNSSEC validation. It is added
to the default root keys in unbound-anchor. The content can be
inspected with `unbound-anchor -l`.
* Merge #1090: Cookie secret file. Adds `cookie-secret-file:
"unbound_cookiesecrets.txt"` option to store cookie secrets for
EDNS COOKIE secret rollover. The remote control
add_cookie_secret, activate_cookie_secret and
drop_cookie_secret commands can be used for rollover, the
command print_cookie_secrets shows the values in use.
Bug Fixes:
* Fix CAMP issues with global quota. Thanks to Huayi
Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec
group, ETH Zurich.
* Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda
Afek, Anat Bremler-Barr, Shoham Danino and Yuval Shavitt
(Tel-Aviv University and Reichman University).
* Merge #1062: Fix potential overflow bug while parsing port in
function cfg_mark_ports.
* Fix for #1062: declaration before statement, avoid print of
null, and redundant check for array size.
* Fix to squelch udp connect errors in the log at low verbosity
about invalid argument for IPv6 link local addresses.
* Fix when the mesh jostle is exceeded that nameserver targets
are marked as resolved, so that the lookup is not stuck on the
requestlist.
* Add missing common functions to tdir tests.
* Merge #1070: Fix rtt assignement for low values of
infra-cache-max-rtt.
* Merge #1069: Fix unbound-control stdin commands for
multi-process Unbounds.
* Fix unbound-control commands that read stdin in multi-process
operation (local_zones_remove, local_zones, local_datas_remove,
local_datas, view_local_datas_remove, view_local_datas). They
will be properly distributed to all processes. dump_cache and
load_cache are no longer supported in multi-process operation.
* Remove testdata/remote-threaded.tdir.
testdata/09-unbound-control.tdir now checks both single and
multi process/thread operation.
* Fix to print a parse error when config is read with no name for
a forward-zone, stub-zone or view.
* Fix for parse end of forward-zone, stub-zone and view.
* Fix for #1064: Fix that cachedb expired messages are considered
insecure, and thus can be served to clients when dnssec is
enabled.
* Fix #1059: Intermittent DNS blocking failure with local-zone
and always_nxdomain. Addition of local_zones dynamically via
unbound-control was not finding the zone's parent correctly.
* Fix #1064: Unbound 1.20 Cachedb broken?
* Fix unused variable warning on compilation with no thread
support.
* unbound-control-setup: check openssl availability before doing
anything, patch from Michael Tokarev.
* Update patch to remove 'command' shell builtin and update error
text.
* Fix to enable that SERVFAIL is cached, for a short period, for
more cases. In the cases where limits are exceeded.
* Fix spelling of tcp-idle-timeout docs, from Michael Tokarev.
* Merge #1078: Only check old pid if no username.
* Fix #1079: tags from tagged rpz zones are no longer honored
after upgrade from 1.19.3 to 1.20.0.
* Fix for #1079: fix RPZ taglist in iterator callback that no
client info is like no taglist intersection.
* Fix to squelch connection reset by peer errors from log. And
fix that the tcp read errors are labeled as initial for the
first calls.
* Merge #1080: AddressSanitizer detection in tdir tests and
memory leak fixes.
* Fix memory leak when reload_keep_cache is used and num-threads
changes.
* Fix memory leak on exit for unbound-dnstap-socket; creates
false negatives during testing.
* Fix memory leak in setup of dsa sig.
* Fix typos for 'the the' in text.
* Fix validation for repeated use of a DNAME record.
* Add unit test for validation of repeated use of a DNAME record.
* Fix #1091: Build fails with OpenSSL >= 3.0 built with
OPENSSL_NO_DEPRECATED.
* Fix #1092: Ubuntu 22.04 Jammy fails to compile unbound 1.20.0;
by adding helpful text for the Python interpreter version and
allowing the default pkg-config unavailability error message to
be shown.
* Fix pkg-config availability check in dnstap/dnstap.m4 and
systemd.m4.
* Explicitly set the RD bit for the mesh query flags when
prefetching. These queries have no waiting client but they need
to be treated as recursive.
* Fix ip-ratelimit-cookie setting, it was not applied.
* Fix to remove unused include from the readzone test program.
* Fix unused variable warning in do_cache_remove.
* Fix compile warning in worker pthread id printout.
* Add unit test skip files and bison and flex output to
gitignore.
* Fix to use modstack_init in zonemd unit test.
* Fix to remove unneeded linebreak in fptr_wlist.c.
* Fix compile warnings in fptr_wlist.c.
* Fix for repeated use of a DNAME record: first overallocate and
then move the exact size of the init value to avoid false
positive heap overflow reads from address sanitizers.
* Fix to print details about the failure to lookup a DNSKEY
record when validation fails due to the missing DNSKEY. Also
for key prime and DS lookups.
* Fix for neater printout for error for missing DS response.
* Fix neater printout.
* Fix #1099: Unbound core dump on SIGSEGV.
* Fix for #1099: Fix to check for deleted RRset when the contents
is updated and fetched after it is stored, and also check for a
changed RRset.
* Don't check for message TTL changes if the RRsets remain the
same.
* Fix that validation reason failure that uses string print uses
separate buffer that is passed, from the scratch validation
buffer.
* Fixup algo_needs_reason string buffer length.
* Fix shadowed error string variable in validator dnskey
handling.
* Update list of known EDE codes.
* For #773: In contrib/unbound.service.in set unbound to start
after network-online.target. Also for
contrib/unbound_portable.service.in.
* Fix #1103: unbound 1.20.0 segmentation fault with nghttp2.
* For #1103: fix to also drop mesh state reference when a h2
reply is dropped.
* Add RPZ tag tests in acl_interface.tdir.
* For #1102: clearer text for using interface-* options for the
loopback interface.
* For #1103: fix to also drop mesh state reference when the
discard limit is reached, when there is an error making a new
recursion state and when the connection is dropped with
is_drop.
* For #1103: Fix to drop mesh state reference for the http2
stream associated with the reply, not the currently active
stream. And it does not remove it twice on a mesh_send_reply
call. The reply h2_stream is NULL when not in use, for more
initialisation.
* Fix dnstap wakeup, a running wakeup timer is left to expire and
not increased, a timer is started when the dtio thread is
sleeping, the timer set disabled when the dtio thread goes to
sleep, and after sleep the thread checks to see if there are
messages to log immediately.
* Merge #1110: Make fallthrough explicit for libworker.c.
* For #1110: Test for fallthrough attribute in configure and add
fallthrough attribute annotations.
* Fix compile when the compiler does not support the noreturn
attribute.
* Fix to have empty definition when not supported for weak
attribute.
* Fix uninitialized variable warning in create_tcp_accept_sock.
* Fix link of dnstap without openssl.
* Fix link of unbound-dnstap-socket without openssl.
* Fix #1106: ratelimit-below-domain logs the wrong FROM address.
* Cleanup ede.tdir test.
* For #935 and #1104, clarify RPZ order and semantics.
* Fix to document parameters of auth_zone_verify_zonemd_with_key.
* Fix for #1114: Fix that cache fill for forward-host names is
performed, so that with nonzero target-fetch-policy it fetches
forwarder addresses and uses them from cache. Also updated that
delegation point cache fill routines use CDflag for AAAA
message lookups, so that its negative lookup stops a recursion
since the cache uses the bit for disambiguation for dns64 but
the recursion uses CDflag for the AAAA target lookups, so the
check correctly stops a useless recursion by its cache lookup.
* Fix dnstap test program, cleans up to have clean memory on
exit, for tap_data_free, does not delete NULL items. Also it
does not try to free the tail, specifically in the free of the
list since that picked up the next item in the list for its
loop causing invalid free. Added internal unit test to
unbound-dnstap-socket for that.
* Fix that the worker mem report with alloc stats does not
attempt to print memory use of forwards and hints if they have
been deleted already.
* Fix that alloc stats has strdup checks, it stops debuggers from
complaining about mismatch at free time.
* Fix testbound for alloc stats strdup in util/alloc.c.
* Fix that alloc stats for forwards and hints are printed, and
when alloc stats is enabled, the unit test for unbound control
waits for reloads to complete.
* Fix that for windows the module startup is called and sets up
the module-config.
* Fix spelling for the cache-min-negative-ttl entry in the
example.conf.
-------------------------------------------------------------------
Wed May 8 09:15:01 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to 1.20.0:
Features:
* The config for discard-timeout, wait-limit, wait-limit-cookie,
wait-limit-netblock and wait-limit-cookie-netblock was added,
for the fix to the DNSBomb issue.
* Merge GH#1027: Introduce 'cache-min-negative-ttl' option.
* Merge GH#1043 from xiaoxiaoafeifei: Add loongarch support;
updates config.guess(2024-01-01) and config.sub(2024-01-01),
verified with upstream.
* Implement cachedb-check-when-serve-expired: yes option, default
is enabled. When serve expired is enabled with cachedb, it
first checks cachedb before serving the expired response.
* Fix GH#876: [FR] can unbound-checkconf be silenced when
configuration is valid?
Bug Fixes:
* Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to
Xiang Li from the Network and Information Security Lab of
Tsinghua University for reporting it.
* Update doc/unbound.doxygen with 'doxygen -u'. Fixes option
deprecation warnings and updates with newer defaults.
* Remove unused portion from iter_dname_ttl unit test.
* Fix validator classification of qtype DNAME for positive and
redirection answers, and fix validator signature routine for
dealing with the synthesized CNAME for a DNAME without
previously encountering it and also for when the qtype is
DNAME.
* Fix qname minimisation for reply with a DNAME for qtype CNAME
that answers it.
* Fix doc test so it ignores but outputs unsupported doxygen
options.
* Fix GH#1021 Inconsistent Behavior with Changing
rpz-cname-override and doing a unbound-control reload.
* Merge GH#1028: Clearer documentation for tcp-idle-timeout and
edns-tcp-keepalive-timeout.
* Fix GH#1029: rpz trigger clientip and action rpz-passthru not
working as expected.
* Fix rpz that the rpz override is taken in case of clientip
triggers. Fix that the clientip passthru action is logged. Fix
that the clientip localdata action is logged. Fix rpz override
action cname for the clientip trigger.
* Fix to unify codepath for local alias for rpz cname action
override.
* Fix rpz for cname override action after nsdname and nsip
triggers.
* Fix that addrinfo is not kept around but copied and freed, so
that log-destaddr uses a copy of the information, much like NSD
does.
* Merge GH#1030: Persist the openssl and expat directories for
repeated Windows builds.
* Fix that rpz CNAME content is limited to the max number of
cnames.
* Fix rpz, it follows iterator CNAMEs for nsip and nsdname and
sets the reply query_info values, that is better for debug
logging.
* Fix rpz that copies the cname override completely to the temp
region, so there are no references to the rpz region.
* Add rpz unit test for nsip action override.
* Fix rpz for qtype CNAME after nameserver trigger.
* Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix
that clientip and nsip can give a CNAME.
* Fix localdata and rpz localdata to match CNAME only if no
direct type match is available.
* Merge GH#831 from Pierre4012: Improve Windows NSIS installer
script (setup.nsi).
* For GH#831: Format text, use exclamation icon and explicit label
names.
* Fix name of unit test for subnet cache response.
* Fix GH#1032: The size of subnet_msg_cache calculation mistake
cause memory usage increased beyond expectations.
* Fix for GH#1032, add safeguard to make table space positive.
* Fix comment in lruhash space function.
* Fix to add unit test for lruhash space that exercises the
routines.
* Fix that when the server truncates the pidfile, it does not
follow symbolic links.
* Fix that the server does not chown the pidfile.
* Fix GH#1034: DoT forward-zone via unbound-control.
* Fix for crypto related failures to have a better error string.
* Fix GH#1035: Potential Bug while parsing port from the
"stub-host" string; also affected forward-zones and
remote-control host directives.
* Fix GH#369: dnstap showing extra responses; for client responses
right from the cache when replying with expired data or
prefetching.
* Fix GH#1040: fix heap-buffer-overflow issue in function
cfg_mark_ports of file util/config_file.c.
* For GH#1040: adjust error text and disallow negative ports in
other parts of cfg_mark_ports.
* Fix comment syntax for view function views_find_view.
* Fix GH#595: unbound-anchor cannot deal with full disk; it will
now first write out to a temp file before replacing the
original one, like Unbound already does for
auto-trust-anchor-file.
* Fixup compile without cachedb.
* Add test for cachedb serve expired.
* Extended test for cachedb serve expired.
* Fix makefile dependencies for fake_event.c.
* Fix cachedb for serve-expired with serve-expired-reply-ttl.
* Fix to not reply serve expired unless enabled for cachedb.
* Fix cachedb for serve-expired with
serve-expired-client-timeout.
* Fixup unit test for cachedb server expired client timeout with
a check if response if from upstream or from cachedb.
* Fixup cachedb to not refetch when serve-expired-client-timeout
is used.
* Merge GH#1049 from Petr Menšík: Py_NoSiteFlag is not needed since
Python 3.8
* Fix GH#1048: Update ax_pkg_swig.m4 and ax_pthread.m4.
* Fix configure, autoconf for GH#1048.
* Add checklock feature verbose_locking to trace locks and
unlocks.
* Fix edns subnet to sort rrset references when storing messages
in the cache. This fixes a race condition in the rrset locks.
* Merge GH#1053: Remove child delegations from cache when
grandchild delegations are returned from parent.
* Fix ci workflow for macos for moved install locations.
* Fix configure flto check error, by finding grep for it.
* Merge GH#1041: Stub and Forward unshare. This has one structure
for them and fixes GH#1038: fatal error: Could not initialize
thread / error: reading root hints.
* Fix to disable fragmentation on systems with IP_DONTFRAG, with
a nonzero value for the socket option argument.
* Fix doc unit test for out of directory build.
* Fix cachedb with serve-expired-client-timeout disabled. The
edns subnet module deletes global cache and cachedb cache when
it stores a result, and serve-expired is enabled, so that the
global reply, that is older than the ecs reply, does not return
after the ecs reply expires.
* Add unit tests for cachedb and subnet cache expired data.
* Man page entry for unbound-checkconf -q.
* Cleanup unnecessary strdup calls for EDE strings.
* Fix doxygen comment for errinf_to_str_bogus.
-------------------------------------------------------------------
Wed Mar 20 13:09:17 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to 1.19.3:
* Features:
- Merge PR #973: Use the origin (DNAME) TTL for synthesized
CNAMEs as per RFC 6672.
* Bug Fixes
- Fix unit test parse of origin syntax.
- Use 127.0.0.1 explicitly in tests to avoid delays and errors
on newer systems.
- Fix #964: config.h.in~ backup file in release tar balls.
- Merge #968: Replace the obsolescent fgrep with grep -F in
tests.
- Merge #971: fix 'WARNING: Message has 41 extra bytes at end'.
- Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.
- Fix dnstap that assertion failed on logging other than UDP
and TCP traffic. It lists it as TCP traffic.
- Fix to sync the tests script file common.sh.
- iana portlist update.
- Updated IPv4 and IPv6 address for b.root-servers.net in root
hints.
- Update test script file common.sh.
- Fix tests to use new common.sh functions, wait_logfile and
kill_from_pidfile.
- Fix #974: doc: default number of outgoing ports without
libevent.
- Merge #975: Fixed some syntax errors in rpl files.
- Fix root_zonemd unit test, it checks that the root ZONEMD
verifies, now that the root has a valid ZONEMD.
- Update example.conf with cookie options.
- Merge #980: DoH: reject non-h2 early. To fix #979: Improve
errors for non-HTTP/2 DoH clients.
- Merge #985: Add DoH and DoT to dnstap message.
- Fix #983: Sha1 runtime insecure change was incomplete.
- Remove unneeded newlines and improve indentation in remote
control code.
- Merge #987: skip edns frag retry if advertised udp payload
size is not smaller.
- Fix unit test for #987 change in udp1xxx retry packet send.
- Merge #988: Fix NLnetLabs#981: dump_cache truncates large
records.
- Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.
- Fix to link with libssp for libcrypto and getaddrinfo check
for only header. Also update crosscompile to remove ssp for
32bit.
- Merge #993: Update b.root-servers.net also in example config
file.
- Update workflow for ports to use newer openssl on windows
compile.
- Fix warning for windres on resource files due to
redefinition.
- Fix for #997: Print details for SSL certificate failure.
- Update error printout for duplicate trust anchors to include
the trust anchor name (relates to #920).
- Update message TTL when using cached RRSETs. It could result
in non-expired messages with expired RRSETs (non-usable
messages by Unbound).
- Merge #999: Search for protobuf-c with pkg-config.
- Fix #1006: Can't find protobuf-c package since #999.
- Fix documentation for access-control in the unbound.conf man
page.
- Merge #1010: Mention REFUSED has the TC bit set with
unmatched allow_cookie acl in the manpage. It also fixes the
code to match the documentation about clients with a valid
cookie that bypass the ratelimit regardless of the
allow_cookie acl.
- Document the suspend argument for process_ds_response().
- Move github workflows to use checkoutv4.
- Fix edns subnet replies for scope zero answers to not get
stored in the global cache, and in cachedb, when the upstream
replies without an EDNS record.
- Fix for #1022: Fix ede prohibited in access control refused
answers.
- Fix unbound-control-setup.cmd to use 3072 bits so that
certificates are long enough for newer OpenSSL versions.
- Fix TTL of synthesized CNAME when a DNAME is used from cache.
- Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
like unbound-control-setup.sh has.
-------------------------------------------------------------------
Fri Mar 8 10:12:30 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to 1.19.2:
* Bug Fixes:
- Fix CVE-2024-1931, Denial of service when trimming EDE text
on positive replies.
[bsc#1221164]
-------------------------------------------------------------------
Wed Feb 28 13:35:31 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Update to 1.19.1:
* Bug Fixes: [bsc#1219823, CVE-2023-50387][bsc#1219826, CVE-2023-50868]
- Fix CVE-2023-50387, DNSSEC verification complexity can be
exploited to exhaust CPU resources and stall DNS resolvers.
- Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
-------------------------------------------------------------------
Tue Feb 6 13:27:06 UTC 2024 - Stefan Seyfried <seife+obs@b1-systems.com>
- as we use --disable-explicit-port-randomisation, also disable
outgoing-port-permit and outgoing-port-avoid in config file to
suppress the related unbound-checkconf warnings on every start
-------------------------------------------------------------------
Tue Jan 23 09:32:21 UTC 2024 - Jakob Lorenz <onlyjak0b@mailbox.org>
- Use prefixes instead of sudo in unbound.service (boo#1215628)
-------------------------------------------------------------------
Fri Nov 17 09:50:18 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Update to 1.19.0:
* Features:
- Fix #850: [FR] Ability to use specific database in Redis, with
new redis-logical-db configuration option.
- Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream
requests. This can be helpful for devices that cannot handle
DNSSEC information. But it should not be enabled otherwise, because
that would stop DNSSEC validation. The DNSSEC validation would not
work for Unbound itself, and also not for downstream users. Default
is no. The option is disable-edns-do: no
- Expose the script filename in the Python module environment 'mod_env'
instead of the config_file structure which includes the linked list
of scripts in a multi Python module setup; fixes #79.
- Expose the configured listening and outgoing interfaces, if any, as
a list of strings in the Python 'config_file' class instead of the
current Swig object proxy; fixes #79.
- Mailing list patches from Daniel Gröber for DNS64 fallback to plain
AAAA when no A record exists for synthesis, and minor DNS64 code
refactoring for better readability.
- Merge #951: Cachedb no store. The cachedb-no-store: yes option is
used to stop cachedb from writing messages to the backend storage.
It reads messages when data is available from the backend.
The default is no.
* Bug Fixes:
- Fix for version generation race condition that ignored changes.
- Fix #942: 1.18.0 libunbound DNS regression when built without OpenSSL.
- Fix for WKS call to getservbyname that creates allocation on exit in
unit test by testing numbers first and testing from the services list later.
- Fix autoconf 2.69 warnings in configure.
- Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1.
- Merge #931: Prevent warnings from -Wmissing-prototypes.
- Fix to scrub resource records of type A and AAAA that have an
inappropriate size. They are removed from responses.
- Fix to move msgparse_rrset_remove_rr code to util/msgparse.c.
- Fix to add EDE text when RRs have been removed due to length.
- Fix to set ede match in unit test for rr length removal.
- Fix to print EDE text in readable form in output logs.
- Fix send of udp retries when ENOBUFS is returned. It stops looping
and also waits for the condition to go away. Reported by Florian Obser.
- Fix authority zone answers for obscured DNAMEs and delegations.
- Merge #936: Check for c99 with autoconf versions prior to 2.70.
- Fix to remove two c99 notations.
- Fix rpz tcp-only action with rpz triggers nsdname and nsip.
- Fix misplaced comment.
- Merge #881: Generalise the proxy protocol code.
- Fix #946: Forwarder returns servfail on upstream response noerror no data.
- Fix edns subnet so that queries with a source prefix of zero cause the
recursor send no edns subnet option to the upstream.
- Fix that printout of EDNS options shows the EDNS cookie option by name.
- Fix infinite loop when reading multiple lines of input on a broken remote
control socket. Addesses #947 and #948.
- Fix #949: "could not create control compt".
- Fix that cachedb does not warn when serve-expired is disabled about use
of serve-expired-reply-ttl and serve-expired-client-timeout.
- Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x.
- Better fix for infinite loop when reading multiple lines of input on a
broken remote control socket, by treating a zero byte line the same as
transmission end. Addesses #947 and #948.
- For multi Python module setups, clean previously parsed module functions
in __main__'s dictionary, if any, so that only current module functions
are registered.
- Fix #954: Inconsistent RPZ handling for A record returned along with CNAME.
- Fixes for the DNS64 patches.
- Update the dns64_lookup.rpl test for the DNS64 fallback patch.
- Merge #955 from buevsan: fix ipset wrong behavior.
- Update testdata/ipset.tdir test for ipset fix.
- Fix to print detailed errors when an SSL IO routine fails via SSL_get_error.
- Clearer configure text for missing protobuf-c development libraries.
- autoconf.
- Merge #930 from Stuart Henderson: add void to log_ident_revert_to_default
declaration.
- Fix #941: dnscrypt doesn't work after upgrade to 1.18 with suggestion by
dukeartem to also fix the udp_ancil with dnscrypt.
- Fix SSL compile failure for definition in log_crypto_err_io_code_arg.
- Fix SSL compile failure for other missing definitions in log_crypto_err_io_code_arg.
- Fix compilation without openssl, remove unused function warning.
- Mention flex and bison in README.md when building from repository source.
-------------------------------------------------------------------
Thu Sep 7 08:03:33 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Update to 1.18.0:
* Features:
- Аdd a metric about the maximum number of collisions in lrushah.
- Set max-udp-size default to 1232. This is the same default value
as the default value for edns-buffer-size. It restricts client
edns buffer size choices, and makes unbound behave similar to
other DNS resolvers.
- Add harden-unknown-additional option. It removes unknown records
from the authority section and additional section.
- Added new static zone type block_a to suppress all A queries for
specific zones.
- [FR] Ability to use Redis unix sockets.
- [FR] Ability to set the Redis password.
- Features/dropqueuedpackets, with sock-queue-timeout option that
drops packets that have been in the socket queue for too long.
Added statistics num.queries_timed_out and query.queue_time_us.max
that track the socket queue timeouts.
- 'eqvinox' Lamparter: NAT64 support.
- [FR] Use kernel timestamps for dnstap.
- Add cachedb hit stat. Introduces 'num.query.cachedb' as a new
statistical counter.
- Add SVCB dohpath support.
- Add validation EDEs to queries where the CD bit is set.
- Add prefetch support for subnet cache entries.
- Add EDE (RFC8914) caching.
- Add support for EDE caching in cachedb and subnetcache.
- Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server
cookies for clients that send client cookies. This needs to be explicitly
turned on in the config file with: `answer-cookie: yes`.
* Bug Fixes
- Response change to NODATA for some ANY queries since 1.12.
- Fix not following cleared RD flags potentially enables
amplification DDoS attacks.
- Set default for harden-unknown-additional to no. So that it
does not hamper future protocol developments.
- Fix to ignore entirely empty responses, and try at another authority.
This turns completely empty responses, a type of noerror/nodata into
a servfail, but they do not conform to RFC2308, and the retry can fetch
improved content.
- Allow TTL refresh of expired error responses.
- Fix: Unexpected behavior with client-subnet-always-forward and serve-expired
- Fix unbound-dnstap-socket test program to reply the finish frame over
a TLS connection correctly.
- Fix: reserved identifier violation
- Fix: Unencrypted query is sent when forward-tls-upstream: yes is used
without tls-cert-bundle
- Extra consistency check to make sure that when TLS is requested,
either we set up a TLS connection or we return an error.
- Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record.
- Fix: Bad interaction with 0 TTL records and serve-expired
- Fix RPZ IP responses with trigger rpz-drop on cache entries.
- Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
- Fix dereference of NULL variable warning in mesh_do_callback.
- Fix ip_ratelimit test to work with dig that enables DNS cookies.
- Fix for iter_dec_attempts that could cause a hang, part of capsforid
and qname minimisation, depending on the settings.
- Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
- Fix stat_values test to work with dig that enables DNS cookies.
- unbound.service: Main process exited, code=killed, status=11/SEGV.
Fixes cachedb configuration handling.
- Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply.
-------------------------------------------------------------------
Thu Aug 24 10:07:02 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
- openSUSE:Factory libunbound-devel-mini flavor is configured to
sync build counter with unbound package. This means it always
triggers a bootstrap no matter which of the packages got
initially triggered.
I am not sure if this is needed at all, if yes, please accept
this request and forward with an explenation.
If not, just decline it and we will remove the build counter
syncing in factory as well.
This adds the !BcntSyncTag: unbound to the mini spec file
Details:
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/6GUU6JUQE72WCWEZCSLQYJLVVTNHBVTE/
-------------------------------------------------------------------
Thu May 4 13:57:54 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
- Add _multibuild to define additional spec files as additional
flavors.
Eliminates the need for source package links in OBS.
-------------------------------------------------------------------
Thu Feb 23 09:15:48 UTC 2023 - Pedro Monreal <pmonreal@suse.com>

View File

@ -70,19 +70,6 @@ server:
# port range that can be open simultaneously.
# outgoing-range: 4096
# permit unbound to use this port number or port range for
# making outgoing queries, using an outgoing interface.
# Only ephemeral ports are allowed by SElinux
outgoing-port-permit: 32768-65535
# deny unbound the use this of port number or port range for
# making outgoing queries, using an outgoing interface.
# Use this to make sure unbound does not grab a UDP port that some
# other server on this computer needs. The default is to avoid
# IANA-assigned port numbers.
# Our SElinux policy does not allow non-ephemeral ports to be used
outgoing-port-avoid: 0-32767
# number of outgoing simultaneous tcp buffers to hold per thread.
# outgoing-num-tcp: 10

View File

@ -9,11 +9,13 @@ Wants=nss-lookup.target
[Service]
Type=simple
User=unbound
Group=unbound
EnvironmentFile=-/etc/sysconfig/unbound
#ExecStartPre=/sbin/runuser --shell /bin/sh -c "/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem" unbound
ExecStartPre=/usr/bin/sudo -u unbound /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
ExecStartPre=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
ExecStartPre=/usr/sbin/unbound-checkconf
ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
ExecStart=!/usr/sbin/unbound -d $UNBOUND_OPTIONS
[Install]
WantedBy=multi-user.target

View File

@ -1,7 +1,7 @@
#
# spec file for package unbound
#
# Copyright (c) 2023 SUSE LLC
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -33,7 +33,7 @@
%define piddir /run
Name: unbound
Version: 1.17.1
Version: 1.21.0
Release: 0
BuildRequires: flex
BuildRequires: ldns-devel >= %{ldns_version}
@ -174,6 +174,7 @@ This package holds the Python modules and extensions for unbound.
%build
%sysusers_generate_pre %{SOURCE19} anchor unbound.conf
export CFLAGS="%{optflags}"
export CXXFLAGS="%{optflags}"