Compare commits
5 Commits
997b8cad5c...1.1
Author | SHA256 | Date | |
---|---|---|---|
61d06c3aa6 | |||
c2e755817e | |||
9a881e2dc4 | |||
6c630af305 | |||
aa227bc216 |
@@ -1,3 +1,85 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Apr 8 09:08:16 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
- Update to 1.22.0:
|
||||
Security Fixes:
|
||||
* Fix CVE-2024-8508, unbounded name compression could lead to
|
||||
denial of service.
|
||||
[CVE-2024-8508, bsc#1231284]
|
||||
|
||||
Features:
|
||||
* Add iter-scrub-ns, iter-scrub-cname and max-global-quota
|
||||
configuration options.
|
||||
* Merge patch to fix for glue that is outside of zone, with
|
||||
`harden-unverified-glue`, from Karthik Umashankar (Microsoft).
|
||||
Enabling this option protects the Unbound resolver against bad
|
||||
glue, that is unverified out of zone glue, by resolving them.
|
||||
It uses the records as last resort if there is no other working
|
||||
glue.
|
||||
* Add redis-command-timeout: 20 and redis-connect-timeout: 200,
|
||||
that can set the timeout separately for commands and the
|
||||
connection set up to the redis server. If they are not
|
||||
specified, the redis-timeout value is used.
|
||||
* Log timestamps in ISO8601 format with timezone. This adds the
|
||||
option `log-time-iso: yes` that logs in ISO8601 format.
|
||||
* DNS over QUIC. This adds `quic-port: 853` and `quic-size: 8m`
|
||||
that enable dnsoverquic, and the counters `num.query.quic` and
|
||||
`mem.quic` in the statistics output. The feature needs to be
|
||||
enabled by compiling with libngtcp2, with
|
||||
`--with-libngtcp2=path` and libngtcp2 needs openssl+quic, pass
|
||||
that with `--with-ssl=path` to compile unbound as well.
|
||||
|
||||
Bug Fixes:
|
||||
* unbound-control-setup hangs while testing for openssl presence
|
||||
starting from version 1.21.0.
|
||||
* Fix error: "memory exhausted" when defining more than 9994
|
||||
local-zones.
|
||||
* Fix documentation for cache_fill_missing function.
|
||||
* Fix Loads of logs: "validation failure: key for validation
|
||||
<domain>. is marked as invalid because of a previous" for
|
||||
non-DNSSEC signed zone.
|
||||
* Fix that when rpz is applied the message does not get picked up
|
||||
by the validator. That stops validation failures for the
|
||||
message.
|
||||
* Fix that stub-zone and forward-zone clauses do not exhaust
|
||||
memory for long content.
|
||||
* Fix to print port number in logs for auth zone transfer
|
||||
activities.
|
||||
* b.root renumbering.
|
||||
* Add new IANA trust anchor.
|
||||
* Fix config file read for dnstap-sample-rate.
|
||||
* Fix alloc-size and calloc-transposed-args compiler warnings.
|
||||
* Fix to limit NSEC and NSEC3 TTL when aggressive nsec is enabled
|
||||
(RFC9077).
|
||||
* Fix dns64 with prefetch that the prefetch is stored in cache.
|
||||
* Attempt to further fix doh_downstream_buffer_size.tdir
|
||||
flakiness.
|
||||
* More clear text for prefetch and minimal-responses in the
|
||||
unbound.conf man page.
|
||||
* Fix cache update when serve expired is used. Expired records
|
||||
are favored over resolution and validation failures when
|
||||
serve-expired is used.
|
||||
* Fix negative cache NSEC3 parameter compares for zero length
|
||||
NSEC3 salt.
|
||||
* Fix unbound-control-setup hangs sometimes depending on the
|
||||
openssl version.
|
||||
* Fix Cannot override tcp-upstream and tls-upstream with
|
||||
forward-tcp-upstream and forward-tls-upstream.
|
||||
* Fix to limit NSEC TTL for messages from cachedb. Fix to limit
|
||||
the prefetch ttl for messages after a CNAME with short TTL.
|
||||
* Fix to disable detection of quic configured ports when quic is
|
||||
not compiled in.
|
||||
* Fix harden-unverified-glue for AAAA cache_fill_missing lookups.
|
||||
* Fix contrib/aaaa-filter-iterator.patch for change in call
|
||||
signature for cache_fill_missing.
|
||||
* Fix to display warning if quic-port is set but dnsoverquic is
|
||||
not enabled when compiled.
|
||||
* Fix dnsoverquic to extend the number of streams when one is
|
||||
closed.
|
||||
* Fix for dnstap with dnscrypt and dnstap without dnsoverquic.
|
||||
* Fix for dnsoverquic and dnstap to use the correct dnstap
|
||||
environment.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Aug 15 09:24:29 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
|
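Review bot: The first item under Bug Fixes ("unbound-control-setup hangs while testing for openssl presence starting from version 1.21.0.") reads as an open bug rather than a fix, and it overlaps the later item "Fix unbound-control-setup hangs sometimes depending on the openssl version." Prefix it with "Fix" to match the rest of the list, or merge the two items, so the entry does not appear to report a hang that is still present in 1.22.0.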
@@ -22,7 +22,7 @@
|
||||
%bcond_without hardened_build
|
||||
#
|
||||
Name: libunbound-devel-mini
|
||||
Version: 1.21.0
|
||||
Version: 1.22.0
|
||||
#!BcntSyncTag: unbound
|
||||
Release: 0
|
||||
Summary: Just a devel package for build loops
|
||||
|
BIN
unbound-1.21.0.tar.gz
(Stored with Git LFS)
Binary file not shown.
@@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAma9sjoACgkQn28cLX4E
|
||||
X43OQhAApRqRpVAILKhqBjf2ilKLqEFgCxyT4cXiMVBTMtlx9/bTxec/JeXVdO7h
|
||||
nA4oFb7HwRPkOJnTfwk7kWk8SFBoGv+lb2YVdgSgaftqgFR3dmoyACIf9QqyFUuO
|
||||
kLiIpNer6f1rRmGs850t+XE9YS+Adn3jPi6r5vnuXekoXjY8h18cSRSlWL42At2j
|
||||
V7NpCbRUshwCP71PS1AVE1SHtHsxD5yCrCzuMDTZIroCiAPu4k0JkqKri7ie4cqf
|
||||
rjvqsVN7fngXj3bLShJcjcnBRxMoEMJ5ubY7d9SZBm8kvREy1ILAmlwejhhcZzC7
|
||||
Yc14v+wreaEYte1KmVwtgFDwvwbJqho2OwRJgPmUVVyJ8F15ESsl5ahgZJhZ893o
|
||||
BCbapmEMJEPsIzITbvJg+WOwpFZQp6VZu+NQqd12WTanZuIwnp54Q/YQo0RqTfK4
|
||||
qyMLKFmKXmaKNmgqtXcs2Bn6NVeDZpO/f0B1/fDkUot4xSGHWIEQGK/u5DHbemyS
|
||||
/3DaTvUQVLke9E3pDDP6J5qvc7tRZK6qQ4GXwkc7FFocHzos54aCusyUQw22K7k4
|
||||
MEOwlQBqcof5UeLRkGVhianOsxzFGIiNC/LNI4pJlKT13u20YiBpweNJBC+jMIJI
|
||||
Ohz4vCE74OgT3M74I+dmKzEk6Xvor0id7eKsLpbiJuaof+j4oUQ=
|
||||
=1ZET
|
||||
-----END PGP SIGNATURE-----
|
BIN
unbound-1.22.0.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
16
unbound-1.22.0.tar.gz.asc
Normal file
@@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmcQu3AACgkQn28cLX4E
|
||||
X406WxAApGHTdne/RVrQq/v+lUz6CDkkm5r5AXFsmKBGvPJZm+CAEVECq4mKXa5E
|
||||
X1SqlZCQx/LCcqPqdffEVSlmFiI219rEo2z/wCNJzCJXqzx9B1/daW8vv8k+N2TZ
|
||||
La2NxlOG2zeyiitxoGCBb5Y3aZgyD9ZIEW/nB7kkt0V41Z60ssLA6zzXAlqxhxp5
|
||||
HIMRRzfvPwguDKkEFm390ob+oWiqDGIZTTBRyjJAaGa46o3WBLUYIz1yB51X+v+E
|
||||
TCpbVV29ZmC4V7G0B96zxg+tnqw2fpkL2DgHTnyKbKaWXwo7aGhxHMux2PuiZKxR
|
||||
eXeJ0Mz5Np/E0TgVPD33g3idbr6dHzsT+lZ9BuAG+RBJ49iMH/tSDGUTw3/GJvQb
|
||||
XPWJeRsWSn2MSMNX45n6FH2azBZJ4+VA9tWR2Q5zm2fLzzUVhvhtkwl3fYsmzsam
|
||||
Lccj9Okp9xFxGohFO4d9NxMP57Tvzi1ur5Fp4dsCH9rfGIzKJTQP1AWAEB1ga9+5
|
||||
g+himRGuzpRVoqCXeKp6MBf8kZJIhXxX/94vSyiiWuCTaJQYvMi0+p1dF3TcWEnH
|
||||
Tpce+9nj9gddrrOXnSs+2Mljt9pm0A8fWSsqsObf+SGt8QGbpHVkCX74HGbNY5Yz
|
||||
tun/VDN/tkbOhLX6ibivqAfjKsk8gjlfNme1HbCD3cPUmPrlG54=
|
||||
=5pYC
|
||||
-----END PGP SIGNATURE-----
|
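Review bot: Nothing in the visible hunks shows the step that consumes this new unbound-1.22.0.tar.gz.asc, so please confirm the build verifies the tarball against the packaged upstream keyring rather than only carrying the signature file. The first line of this signature shares its leading characters with the removed 1.21.0 signature, which is consistent with the same signing key, but that is a hint only and does not replace an actual verification of the 1.22.0 tarball.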
@@ -1,3 +1,85 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Apr 8 09:07:53 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
- Update to 1.22.0:
|
||||
Security Fixes:
|
||||
* Fix CVE-2024-8508, unbounded name compression could lead to
|
||||
denial of service.
|
||||
[CVE-2024-8508, bsc#1231284]
|
||||
|
||||
Features:
|
||||
* Add iter-scrub-ns, iter-scrub-cname and max-global-quota
|
||||
configuration options.
|
||||
* Merge patch to fix for glue that is outside of zone, with
|
||||
`harden-unverified-glue`, from Karthik Umashankar (Microsoft).
|
||||
Enabling this option protects the Unbound resolver against bad
|
||||
glue, that is unverified out of zone glue, by resolving them.
|
||||
It uses the records as last resort if there is no other working
|
||||
glue.
|
||||
* Add redis-command-timeout: 20 and redis-connect-timeout: 200,
|
||||
that can set the timeout separately for commands and the
|
||||
connection set up to the redis server. If they are not
|
||||
specified, the redis-timeout value is used.
|
||||
* Log timestamps in ISO8601 format with timezone. This adds the
|
||||
option `log-time-iso: yes` that logs in ISO8601 format.
|
||||
* DNS over QUIC. This adds `quic-port: 853` and `quic-size: 8m`
|
||||
that enable dnsoverquic, and the counters `num.query.quic` and
|
||||
`mem.quic` in the statistics output. The feature needs to be
|
||||
enabled by compiling with libngtcp2, with
|
||||
`--with-libngtcp2=path` and libngtcp2 needs openssl+quic, pass
|
||||
that with `--with-ssl=path` to compile unbound as well.
|
||||
|
||||
Bug Fixes:
|
||||
* unbound-control-setup hangs while testing for openssl presence
|
||||
starting from version 1.21.0.
|
||||
* Fix error: "memory exhausted" when defining more than 9994
|
||||
local-zones.
|
||||
* Fix documentation for cache_fill_missing function.
|
||||
* Fix Loads of logs: "validation failure: key for validation
|
||||
<domain>. is marked as invalid because of a previous" for
|
||||
non-DNSSEC signed zone.
|
||||
* Fix that when rpz is applied the message does not get picked up
|
||||
by the validator. That stops validation failures for the
|
||||
message.
|
||||
* Fix that stub-zone and forward-zone clauses do not exhaust
|
||||
memory for long content.
|
||||
* Fix to print port number in logs for auth zone transfer
|
||||
activities.
|
||||
* b.root renumbering.
|
||||
* Add new IANA trust anchor.
|
||||
* Fix config file read for dnstap-sample-rate.
|
||||
* Fix alloc-size and calloc-transposed-args compiler warnings.
|
||||
* Fix to limit NSEC and NSEC3 TTL when aggressive nsec is enabled
|
||||
(RFC9077).
|
||||
* Fix dns64 with prefetch that the prefetch is stored in cache.
|
||||
* Attempt to further fix doh_downstream_buffer_size.tdir
|
||||
flakiness.
|
||||
* More clear text for prefetch and minimal-responses in the
|
||||
unbound.conf man page.
|
||||
* Fix cache update when serve expired is used. Expired records
|
||||
are favored over resolution and validation failures when
|
||||
serve-expired is used.
|
||||
* Fix negative cache NSEC3 parameter compares for zero length
|
||||
NSEC3 salt.
|
||||
* Fix unbound-control-setup hangs sometimes depending on the
|
||||
openssl version.
|
||||
* Fix Cannot override tcp-upstream and tls-upstream with
|
||||
forward-tcp-upstream and forward-tls-upstream.
|
||||
* Fix to limit NSEC TTL for messages from cachedb. Fix to limit
|
||||
the prefetch ttl for messages after a CNAME with short TTL.
|
||||
* Fix to disable detection of quic configured ports when quic is
|
||||
not compiled in.
|
||||
* Fix harden-unverified-glue for AAAA cache_fill_missing lookups.
|
||||
* Fix contrib/aaaa-filter-iterator.patch for change in call
|
||||
signature for cache_fill_missing.
|
||||
* Fix to display warning if quic-port is set but dnsoverquic is
|
||||
not enabled when compiled.
|
||||
* Fix dnsoverquic to extend the number of streams when one is
|
||||
closed.
|
||||
* Fix for dnstap with dnscrypt and dnstap without dnsoverquic.
|
||||
* Fix for dnsoverquic and dnstap to use the correct dnstap
|
||||
environment.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Aug 15 09:24:29 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
|
||||
|
||||
|
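Review bot: In the Features list, the `harden-unverified-glue`, iter-scrub-ns, iter-scrub-cname and max-global-quota items do not say whether this update changes the configuration the package ships. The wording "Enabling this option protects the Unbound resolver against bad glue" indicates the hardening is opt-in; a one-line remark stating whether the packaged unbound.conf turns it on would tell admins if they need to act after installing the update.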
@@ -33,7 +33,7 @@
|
||||
%define piddir /run
|
||||
|
||||
Name: unbound
|
||||
Version: 1.21.0
|
||||
Version: 1.22.0
|
||||
Release: 0
|
||||
BuildRequires: flex
|
||||
BuildRequires: ldns-devel >= %{ldns_version}
|
||||
|
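Review bot: Only the Version line changes in this hunk, and the BuildRequires visible in its context are flex and ldns-devel, while the changelog for this update says DNS over QUIC must be enabled at compile time with `--with-libngtcp2=path` and an openssl+quic `--with-ssl=path`. If the package is meant to offer DoQ, the build dependency and configure flags belong in this change; if not, state in the changelog that `quic-port` is not supported by this build so admins do not configure it expecting it to work.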