- Update to 1.20.0:

OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=177

libunbound-devel-mini.changes

@@ -1,3 +1,140 @@
+-------------------------------------------------------------------
+Wed May  8 09:15:01 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to 1.20.0:
+  Features:
+  * The config for discard-timeout, wait-limit, wait-limit-cookie,
+    wait-limit-netblock and wait-limit-cookie-netblock was added,
+    for the fix to the DNSBomb issue.
+  * Merge GH#1027: Introduce 'cache-min-negative-ttl' option.
+  * Merge GH#1043 from xiaoxiaoafeifei: Add loongarch support;
+    updates config.guess(2024-01-01) and config.sub(2024-01-01),
+    verified with upstream.
+  * Implement cachedb-check-when-serve-expired: yes option, default
+    is enabled. When serve expired is enabled with cachedb, it
+    first checks cachedb before serving the expired response.
+  * Fix GH#876: [FR] can unbound-checkconf be silenced when
+    configuration is valid?
+
+  Bug Fixes:
+  * Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to
+    Xiang Li from the Network and Information Security Lab of
+    Tsinghua University for reporting it.
+  * Update doc/unbound.doxygen with 'doxygen -u'. Fixes option
+    deprecation warnings and updates with newer defaults.
+  * Remove unused portion from iter_dname_ttl unit test.
+  * Fix validator classification of qtype DNAME for positive and
+    redirection answers, and fix validator signature routine for
+    dealing with the synthesized CNAME for a DNAME without
+    previously encountering it and also for when the qtype is
+    DNAME.
+  * Fix qname minimisation for reply with a DNAME for qtype CNAME
+    that answers it.
+  * Fix doc test so it ignores but outputs unsupported doxygen
+    options.
+  * Fix GH#1021 Inconsistent Behavior with Changing
+    rpz-cname-override and doing a unbound-control reload.
+  * Merge GH#1028: Clearer documentation for tcp-idle-timeout and
+    edns-tcp-keepalive-timeout.
+  * Fix GH#1029: rpz trigger clientip and action rpz-passthru not
+    working as expected.
+  * Fix rpz that the rpz override is taken in case of clientip
+    triggers. Fix that the clientip passthru action is logged. Fix
+    that the clientip localdata action is logged. Fix rpz override
+    action cname for the clientip trigger.
+  * Fix to unify codepath for local alias for rpz cname action
+    override.
+  * Fix rpz for cname override action after nsdname and nsip
+    triggers.
+  * Fix that addrinfo is not kept around but copied and freed, so
+    that log-destaddr uses a copy of the information, much like NSD
+    does.
+  * Merge GH#1030: Persist the openssl and expat directories for
+    repeated Windows builds.
+  * Fix that rpz CNAME content is limited to the max number of
+    cnames.
+  * Fix rpz, it follows iterator CNAMEs for nsip and nsdname and
+    sets the reply query_info values, that is better for debug
+    logging.
+  * Fix rpz that copies the cname override completely to the temp
+    region, so there are no references to the rpz region.
+  * Add rpz unit test for nsip action override.
+  * Fix rpz for qtype CNAME after nameserver trigger.
+  * Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix
+    that clientip and nsip can give a CNAME.
+  * Fix localdata and rpz localdata to match CNAME only if no
+    direct type match is available.
+  * Merge GH#831 from Pierre4012: Improve Windows NSIS installer
+    script (setup.nsi).
+  * For GH#831: Format text, use exclamation icon and explicit label
+    names.
+  * Fix name of unit test for subnet cache response.
+  * Fix GH#1032: The size of subnet_msg_cache calculation mistake
+    cause memory usage increased beyond expectations.
+  * Fix for GH#1032, add safeguard to make table space positive.
+  * Fix comment in lruhash space function.
+  * Fix to add unit test for lruhash space that exercises the
+    routines.
+  * Fix that when the server truncates the pidfile, it does not
+    follow symbolic links.
+  * Fix that the server does not chown the pidfile.
+  * Fix GH#1034: DoT forward-zone via unbound-control.
+  * Fix for crypto related failures to have a better error string.
+  * Fix GH#1035: Potential Bug while parsing port from the
+    "stub-host" string; also affected forward-zones and
+    remote-control host directives.
+  * Fix GH#369: dnstap showing extra responses; for client responses
+    right from the cache when replying with expired data or
+    prefetching.
+  * Fix GH#1040: fix heap-buffer-overflow issue in function
+    cfg_mark_ports of file util/config_file.c.
+  * For GH#1040: adjust error text and disallow negative ports in
+    other parts of cfg_mark_ports.
+  * Fix comment syntax for view function views_find_view.
+  * Fix GH#595: unbound-anchor cannot deal with full disk; it will
+    now first write out to a temp file before replacing the
+    original one, like Unbound already does for
+    auto-trust-anchor-file.
+  * Fixup compile without cachedb.
+  * Add test for cachedb serve expired.
+  * Extended test for cachedb serve expired.
+  * Fix makefile dependencies for fake_event.c.
+  * Fix cachedb for serve-expired with serve-expired-reply-ttl.
+  * Fix to not reply serve expired unless enabled for cachedb.
+  * Fix cachedb for serve-expired with
+    serve-expired-client-timeout.
+  * Fixup unit test for cachedb server expired client timeout with
+    a check if response if from upstream or from cachedb.
+  * Fixup cachedb to not refetch when serve-expired-client-timeout
+    is used.
+  * Merge GH#1049 from Petr Menšík: Py_NoSiteFlag is not needed since
+    Python 3.8
+  * Fix GH#1048: Update ax_pkg_swig.m4 and ax_pthread.m4.
+  * Fix configure, autoconf for GH#1048.
+  * Add checklock feature verbose_locking to trace locks and
+    unlocks.
+  * Fix edns subnet to sort rrset references when storing messages
+    in the cache. This fixes a race condition in the rrset locks.
+  * Merge GH#1053: Remove child delegations from cache when
+    grandchild delegations are returned from parent.
+  * Fix ci workflow for macos for moved install locations.
+  * Fix configure flto check error, by finding grep for it.
+  * Merge GH#1041: Stub and Forward unshare. This has one structure
+    for them and fixes GH#1038: fatal error: Could not initialize
+    thread / error: reading root hints.
+  * Fix to disable fragmentation on systems with IP_DONTFRAG, with
+    a nonzero value for the socket option argument.
+  * Fix doc unit test for out of directory build.
+  * Fix cachedb with serve-expired-client-timeout disabled. The
+    edns subnet module deletes global cache and cachedb cache when
+    it stores a result, and serve-expired is enabled, so that the
+    global reply, that is older than the ecs reply, does not return
+    after the ecs reply expires.
+  * Add unit tests for cachedb and subnet cache expired data.
+  * Man page entry for unbound-checkconf -q.
+  * Cleanup unnecessary strdup calls for EDE strings.
+  * Fix doxygen comment for errinf_to_str_bogus.
+
 -------------------------------------------------------------------
 Wed Mar 20 13:09:17 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
 

libunbound-devel-mini.spec

@@ -22,7 +22,7 @@
 %bcond_without hardened_build
 #
 Name:           libunbound-devel-mini
-Version:        1.19.3
+Version:        1.20.0
 #!BcntSyncTag: unbound
 Release:        0
 Summary:        Just a devel package for build loops

unbound-1.19.3.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3ae322be7dc2f831603e4b0391435533ad5861c2322e34a76006a9fb65eb56b9
-size 6338685

unbound-1.19.3.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmXysfMACgkQn28cLX4E
-X43UFA//SBjFacBm6r+CiHpUfegwu4I5NE9bde71TSPhGJnz7KBb7bLZxZozHxs+
-z1f0mYlnTg395gu8+JY0iU5HGwkRdaF4DJJz2++39PYtZMg+FG3Jqtz8IPW1JjfY
-frAVMDMQhWslnm8UfOR4mLxkXWk6EOOBek8ibN6bvLbuY8KNQM5G4fpATJ9aYUMi
-3TWOzuMpAz0yk6oIr1KaKPSgEdlzFQadGOMPOpdg1AYM9DftQMFiiCuhpKnkilm6
-IIwFg4IXszYpgaR6UieMMOrs1ppu+F/E1LBiSTRGo6ia28LQC7V+aXfHZQnqXQpl
-MOrnCTf9qCBy3cWi9KGJd22o2Ir7mkZ59908TfBVlqfmenSkLBv1pTtaJGANbtnJ
-B4cKRG/YMtEO4OWrDJtni1nwm/V066Yv1kzPBVE6XkjrjdZu0tjJYgE2Jzsnnvbv
-Q/XPxJFqIBIB3OsBnEKwSv+NudlOXzQoJMbQUWU8Noh55nY/hbULqSNbO/kR2PCh
-j3DsAgd8nI3BjljKc4Td7Iz9+tZE77cfwGD01UmgloA3BpWD767LriiDXkea5jy4
-mos62pqXD8Ndam9APUr6ugL3KUOXBR6bU2EPG3U9Dm3Qbky8jpwp9lTrR+0M13Dq
-whIt28Kc/h+W0wjI5wAJiTTfeitFeEoR0qtaZJpMZSGsuO/nLFQ=
-=Vz2k
------END PGP SIGNATURE-----

unbound-1.20.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:56b4ceed33639522000fd96775576ddf8782bb3617610715d7f1e777c5ec1dbf
+size 6550938

unbound-1.20.0.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmY7MtIACgkQn28cLX4E
+X43TZw//UOLWFXCT36DydXV2gi8vAB9xIFOGj7LbfOSIu8mg2gOvxaBFcC3qb8iB
+Wh4prktm+ANRyrmaDq5jlhG2JS0JGYCAGXntN8O09IZt8cx5s1N4UWOOOHp/XEcF
+spQpohJlJMnDl+WuIW0rGUnME4mytEBd/HwIM2Q4XyhXOEQj4hEW1tGlNF1qNq5b
+8KV5AbRa1OMPeaOaLUb3rg4Wll90twKnlVsdAga1GzYHYHIjbrvso8TbEAZQOzk1
+Vu20zwNV1mFNRQcBhhkRBSirmZQ3p73HDT3j3yZZ7D2VaZyi1TQSNxCKAkBpM7NX
+ZXBXHpYjf/9kei8vMeQBE4pIoXgcSAASyHh1FNZ8vzyklR8lP8grNtgn1R7ACryN
+U1W+0Mh4gjZLjK4sgfouunqpuDpKnpb7a/b19D4fqGBYen+V/BBwARbdxPABs2fK
+Y5kMnSIM3eZPZD2PnLEL8uqfuES1QZ9OkhGvEX9jhO3plYWzUDa7J/5eFqyUEpPc
+zkAlQvJySW1T18U7YWPLM7ipsVIZc7XPkvEHpit6cSj7f4wUPurJio2glOHwXafZ
++mmzb7nFahTE6tmvOF3dBbvxRpzYtHI6qa1tNTVR9EFJsc8Bm9a8dcI6Jd4e6M2i
+XWA32DOSppyEdLz3aEmpIQLT3VpSPRHuLB+slfi+xsBcwNJHL4w=
+=mEBa
+-----END PGP SIGNATURE-----

unbound.changes

@@ -1,3 +1,140 @@
+-------------------------------------------------------------------
+Wed May  8 09:15:01 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to 1.20.0:
+  Features:
+  * The config for discard-timeout, wait-limit, wait-limit-cookie,
+    wait-limit-netblock and wait-limit-cookie-netblock was added,
+    for the fix to the DNSBomb issue.
+  * Merge GH#1027: Introduce 'cache-min-negative-ttl' option.
+  * Merge GH#1043 from xiaoxiaoafeifei: Add loongarch support;
+    updates config.guess(2024-01-01) and config.sub(2024-01-01),
+    verified with upstream.
+  * Implement cachedb-check-when-serve-expired: yes option, default
+    is enabled. When serve expired is enabled with cachedb, it
+    first checks cachedb before serving the expired response.
+  * Fix GH#876: [FR] can unbound-checkconf be silenced when
+    configuration is valid?
+
+  Bug Fixes:
+  * Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to
+    Xiang Li from the Network and Information Security Lab of
+    Tsinghua University for reporting it.
+  * Update doc/unbound.doxygen with 'doxygen -u'. Fixes option
+    deprecation warnings and updates with newer defaults.
+  * Remove unused portion from iter_dname_ttl unit test.
+  * Fix validator classification of qtype DNAME for positive and
+    redirection answers, and fix validator signature routine for
+    dealing with the synthesized CNAME for a DNAME without
+    previously encountering it and also for when the qtype is
+    DNAME.
+  * Fix qname minimisation for reply with a DNAME for qtype CNAME
+    that answers it.
+  * Fix doc test so it ignores but outputs unsupported doxygen
+    options.
+  * Fix GH#1021 Inconsistent Behavior with Changing
+    rpz-cname-override and doing a unbound-control reload.
+  * Merge GH#1028: Clearer documentation for tcp-idle-timeout and
+    edns-tcp-keepalive-timeout.
+  * Fix GH#1029: rpz trigger clientip and action rpz-passthru not
+    working as expected.
+  * Fix rpz that the rpz override is taken in case of clientip
+    triggers. Fix that the clientip passthru action is logged. Fix
+    that the clientip localdata action is logged. Fix rpz override
+    action cname for the clientip trigger.
+  * Fix to unify codepath for local alias for rpz cname action
+    override.
+  * Fix rpz for cname override action after nsdname and nsip
+    triggers.
+  * Fix that addrinfo is not kept around but copied and freed, so
+    that log-destaddr uses a copy of the information, much like NSD
+    does.
+  * Merge GH#1030: Persist the openssl and expat directories for
+    repeated Windows builds.
+  * Fix that rpz CNAME content is limited to the max number of
+    cnames.
+  * Fix rpz, it follows iterator CNAMEs for nsip and nsdname and
+    sets the reply query_info values, that is better for debug
+    logging.
+  * Fix rpz that copies the cname override completely to the temp
+    region, so there are no references to the rpz region.
+  * Add rpz unit test for nsip action override.
+  * Fix rpz for qtype CNAME after nameserver trigger.
+  * Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix
+    that clientip and nsip can give a CNAME.
+  * Fix localdata and rpz localdata to match CNAME only if no
+    direct type match is available.
+  * Merge GH#831 from Pierre4012: Improve Windows NSIS installer
+    script (setup.nsi).
+  * For GH#831: Format text, use exclamation icon and explicit label
+    names.
+  * Fix name of unit test for subnet cache response.
+  * Fix GH#1032: The size of subnet_msg_cache calculation mistake
+    cause memory usage increased beyond expectations.
+  * Fix for GH#1032, add safeguard to make table space positive.
+  * Fix comment in lruhash space function.
+  * Fix to add unit test for lruhash space that exercises the
+    routines.
+  * Fix that when the server truncates the pidfile, it does not
+    follow symbolic links.
+  * Fix that the server does not chown the pidfile.
+  * Fix GH#1034: DoT forward-zone via unbound-control.
+  * Fix for crypto related failures to have a better error string.
+  * Fix GH#1035: Potential Bug while parsing port from the
+    "stub-host" string; also affected forward-zones and
+    remote-control host directives.
+  * Fix GH#369: dnstap showing extra responses; for client responses
+    right from the cache when replying with expired data or
+    prefetching.
+  * Fix GH#1040: fix heap-buffer-overflow issue in function
+    cfg_mark_ports of file util/config_file.c.
+  * For GH#1040: adjust error text and disallow negative ports in
+    other parts of cfg_mark_ports.
+  * Fix comment syntax for view function views_find_view.
+  * Fix GH#595: unbound-anchor cannot deal with full disk; it will
+    now first write out to a temp file before replacing the
+    original one, like Unbound already does for
+    auto-trust-anchor-file.
+  * Fixup compile without cachedb.
+  * Add test for cachedb serve expired.
+  * Extended test for cachedb serve expired.
+  * Fix makefile dependencies for fake_event.c.
+  * Fix cachedb for serve-expired with serve-expired-reply-ttl.
+  * Fix to not reply serve expired unless enabled for cachedb.
+  * Fix cachedb for serve-expired with
+    serve-expired-client-timeout.
+  * Fixup unit test for cachedb server expired client timeout with
+    a check if response if from upstream or from cachedb.
+  * Fixup cachedb to not refetch when serve-expired-client-timeout
+    is used.
+  * Merge GH#1049 from Petr Menšík: Py_NoSiteFlag is not needed since
+    Python 3.8
+  * Fix GH#1048: Update ax_pkg_swig.m4 and ax_pthread.m4.
+  * Fix configure, autoconf for GH#1048.
+  * Add checklock feature verbose_locking to trace locks and
+    unlocks.
+  * Fix edns subnet to sort rrset references when storing messages
+    in the cache. This fixes a race condition in the rrset locks.
+  * Merge GH#1053: Remove child delegations from cache when
+    grandchild delegations are returned from parent.
+  * Fix ci workflow for macos for moved install locations.
+  * Fix configure flto check error, by finding grep for it.
+  * Merge GH#1041: Stub and Forward unshare. This has one structure
+    for them and fixes GH#1038: fatal error: Could not initialize
+    thread / error: reading root hints.
+  * Fix to disable fragmentation on systems with IP_DONTFRAG, with
+    a nonzero value for the socket option argument.
+  * Fix doc unit test for out of directory build.
+  * Fix cachedb with serve-expired-client-timeout disabled. The
+    edns subnet module deletes global cache and cachedb cache when
+    it stores a result, and serve-expired is enabled, so that the
+    global reply, that is older than the ecs reply, does not return
+    after the ecs reply expires.
+  * Add unit tests for cachedb and subnet cache expired data.
+  * Man page entry for unbound-checkconf -q.
+  * Cleanup unnecessary strdup calls for EDE strings.
+  * Fix doxygen comment for errinf_to_str_bogus.
+
 -------------------------------------------------------------------
 Wed Mar 20 13:09:17 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
 

unbound.spec

@@ -33,7 +33,7 @@
 %define piddir /run
 
 Name:           unbound
-Version:        1.19.3
+Version:        1.20.0
 Release:        0
 BuildRequires:  flex
 BuildRequires:  ldns-devel >= %{ldns_version}