Accepting request 980515 from home:stroeder:network

update to 1.16.0 OBS-URL: https://build.opensuse.org/request/show/980515 OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=147
2022-06-18 16:18:29 +00:00 · 2022-06-18 16:18:29 +00:00 · 5da47f4e27
commit 5da47f4e27
parent cdd3f40e20
6 changed files with 344 additions and 5 deletions
--- a/libunbound-devel-mini.changes
+++ b/libunbound-devel-mini.changes
@ -1,9 +1,178 @@
+-------------------------------------------------------------------
+Thu Jun  2 11:54:13 UTC 2022 - Michael Ströder <michael@stroeder.com>
+
+- update to 1.16.0
+  * Features
+    - Merge PR #604: Add basic support for EDE (RFC8914).
+  * Bug Fixes
+    - Fix #412: cache invalidation issue with CNAME+A.
+    - Fix that TCP interface does not use TLS when TLS is also configured.
+    - Fix #624: Unable to stop Unbound in Windows console (does not
+      respond to CTRL+C command).
+    - Fix #618: enabling interface-automatic disables DNS-over-TLS.
+      Adds the option to list interface-automatic-ports.
+    - Remove debug info from #618 fix.
+    - Fix #628: A rpz-passthru action is not ending RPZ zone processing.
+    - Fix for #628: fix rpz-passthru for qname trigger by localzone type.
+    - Fix that address not available is squelched from the logs for
+      udp connect failures. It is visible on verbosity 4 and more.
+    - Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with
+      ERR_GET_REASON.
+    - Fix to detect that no IPv6 support means that IPv6 addresses are
+      useless for delegation point lookups.
+    - update Makefile dependencies.
+    - Fix check interface existence for support detection in remote lookup.
+    - Fix #633: Document unix domain socket support for unbound-control.
+    - Fix for #633: updated fix with new text.
+    - Fix edns client subnet to add the option based on the option list,
+      so that it is not state dependent, after the state fix of #605 for
+      double EDNS options.
+    - Fix for edns client subnet option add fix in removal code, from review.
+    - Fix #630: Unify the RPZ log messages.
+    - Merge #623 from rex4539: Fix typos.
+    - Fix pythonmod for change in iter_dp_is_useless function prototype.
+    - Fix compile warnings for printf ll format on mingw compile.
+    - Merge PR #632 from scottrw93: Match cnames in ipset.
+    - Various fixes for #632: variable initialisation, convert the qinfo
+      to str once, accept trailing dot in the local-zone ipset option.
+    - Fix #637: Integer Overflow in sldns_str2period function.
+    - Fix for #637: fix integer overflow checks in sldns_str2period.
+    - Fix configure for python to use sysutils, because distutils is
+      deprecated. It uses sysutils when available, distutils otherwise.
+    - Merge #644: Make `install-lib` make target install the pkg-config
+      file.
+    - Fix to ensure uniform handling of spaces and tabs when parsing RRs.
+    - Fix to describe auth-zone and other configuration at the local-zone
+      configuration option, to allow for more broadly view of the options.
+    - Merge PR #648 from eaglegai: fix -q doesn't work when use with
+      'unbound-control stats_shm'.
+    - Fix #651: [FR] Better logging for refused queries.
+    - Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup.
+    - Fix zonemd check to allow unsupported algorithms to load.
+      If there are only unsupported algorithms, or unsupported schemes,
+      and no failed or successful other ZONEMD records, or malformed
+      or bad ZONEMD records, the unsupported records allow the zone load.
+    - Fix zonemd unsupported algo check.
+    - Fix zonemd unsupported algo check reason to not copy to next record,
+      and check for success for debug printout.
+    - Fix zonemd unsupported algo check to print unsupported reason before
+      zeroing it.
+    - Fix zonemd unsupported algo check to set reason to NULL before the
+      check routine, but after malformed checks, to get the correct NULL
+      output when the digest matches.
+    - Fix #670: SERVFAIL problems with unbound 1.15.0 running on
+      OpenBSD 7.1.
+    - Fix Python build in non-source directory; based on patch by
+      Michael Tokarev.
+    - Fix #673: DNS over TLS: error: SSL_handshake syscall: No route to
+      host.
+    - Merge #677: Allow using system certificates not only on Windows,
+      from pemensik.
+    - For #677: Added tls-system-cert to config parser and documentation.
+    - Fix #417: prefetch and ECS causing cache corruption when used
+      together.
+    - Fix #678: [FR] modify behaviour of unbound-control rpz_enable zone,
+      by updating unbound-control's documentation.
+    - Fix typos in config_set_option for the 'num-threads' and
+      'ede-serve-expired' options.
+    - Fix to silence test for ede error output to the console from the
+      test setup script.
+    - Fix ede test to not use default pidfile, and use local interface.
+    - Fix some lint type warnings.
+    - Fix #684: [FTBS] configure script error with libmnl on openSUSE 15.3
+      (and possibly other distributions)
+
 -------------------------------------------------------------------
 Tue Apr 19 15:46:25 UTC 2022 - Dirk Müller <dmueller@suse.com>

 - spec-cleaner
 - update to 1.15.0 

+-------------------------------------------------------------------
+Thu Feb 10 22:55:23 UTC 2022 - Michael Ströder <michael@stroeder.com>
+
+- update to 1.15.0
+
+Features
+- Fix #596: unset the RA bit when a query is blocked by an unbound
+  RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
+  signal that a domain is externally blocked to clients when it
+  is blocked with NXDOMAIN by unsetting RA.
+- Add rpz: for-downstream: yesno option, where the RPZ zone is
+  authoritatively answered for, so the RPZ zone contents can be
+  checked with DNS queries directed at the RPZ zone.
+- Merge PR #616: Update ratelimit logic. It also introduces
+  ratelimit-backoff and ip-ratelimit-backoff configuration options.
+- Change aggressive-nsec default to yes.
+
+Bug Fixes
+- Fix compile warning for if_nametoindex on windows 64bit.
+- Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
+  warnings in rpz.
+- Fix validator debug output about DS support, print correct algorithm.
+- Add code similar to fix for ldns for tab between strings, for
+  consistency, the test case was not broken.
+- Allow local-data for classes other than IN to inherit a configured
+  local-zone's type if possible, instead of defaulting to type
+  transparent as per the implicit rule.
+- Fix to pick up other class local zone information before unlock.
+- Add missing configure flags for optional features in the
+  documentation.
+- Fix Unbound capitalization in the documentation.
+- Fix #591: Unbound-anchor manpage links to non-existent license file.
+- contrib/aaaa-filter-iterator.patch file renewed diff content to
+  apply cleanly to the current coderepo for the current code version.
+- Fix to add test for rpz-signal-nxdomain-ra.
+- Fix #596: only unset RA when NXDOMAIN is signalled.
+- Fix that RPZ does not set RD flag on replies, it should be copied
+  from the query.
+- Fix for #596: fix that rpz return message is returned and not just
+  the rcode from the iterator return path. This fixes signal unset RA
+  after a CNAME.
+- Fix unit tests for rpz now that the AA flag returns successfully from
+  the iterator loop.
+- Fix for #596: add unit test for nsdname trigger and signal unset RA.
+- Fix for #596: add unit test for nsip trigger and signal unset RA.
+- Fix #598: Fix unbound-checkconf fatal error: module conf
+  'respip dns64 validator iterator' is not known to work.
+- Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
+  triggered operation.
+- Merge #600 from pemensik: Change file mode before changing file
+  owner.
+- Fix prematurely terminated TCP queries when a reply has the same ID.
+- For #602: Allow the module-config "subnetcache validator cachedb
+  iterator".
+- Fix EDNS to upstream where the same option could be attached
+  more than once.
+- Add a region to serviced_query for allocations.
+- For dnstap, do not wakeupnow right there. Instead zero the timer to
+  force the wakeup callback asap.
+- Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
+- Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
+  serviced_udp_callback.
+- Merge PR #612: TCP race condition.
+- Test for NSID in SERVFAIL response due to DNSSEC bogus.
+- Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
+  document.
+- Fix tls-* and ssl-* documented alternate syntax to also be available
+  through remote-control and unbound-checkconf.
+- Better cleanup on failed DoT/DoH listening socket creation.
+- iana portlist update.
+- Fix review comment for use-after-free when failing to send UDP out.
+- Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
+  internals.
+- Merge PR #532 from Shchelk: Fix: buffer overflow bug.
+- Merge PR #617: Update stub/forward-host notation to accept port and
+  tls-auth-name.
+- Update stream_ssl.tdir test to also use the new forward-host
+  notation.
+- Fix header comment for doxygen for authextstrtoaddr.
+- please clang analyzer for loop in test code.
+- Fix docker splint test to use more portable uname.
+- Update contrib/aaaa-filter-iterator.patch with diff for current
+  software version.
+- Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
+
 -------------------------------------------------------------------
 Thu Dec  9 11:14:33 UTC 2021 - Michael Ströder <michael@stroeder.com>

--- a/libunbound-devel-mini.spec
+++ b/libunbound-devel-mini.spec
@ -22,7 +22,7 @@
 %bcond_without hardened_build
 #
 Name:           libunbound-devel-mini
-Version:        1.15.0
+Version:        1.16.0
 Release:        0
 Summary:        Just a devel package for build loops
 License:        BSD-3-Clause
@ -104,5 +104,6 @@ rm -rf %{buildroot}%{_mandir} %{buildroot}%{_libdir}/*.la
 %{_includedir}/unbound.h
 %{_includedir}/unbound-event.h
 %{_libdir}/libunbound.so
+%{_libdir}/pkgconfig/libunbound.pc

 %changelog
--- a/unbound-1.15.0.tar.gz
+++ b/unbound-1.15.0.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a480dc6c8937447b98d161fe911ffc76cfaffa2da18788781314e81339f1126f
-size 6163470
--- a/unbound-1.16.0.tar.gz
+++ b/unbound-1.16.0.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6701534c938eb019626601191edc6d012fc534c09d2418d5b92827db0cbe48a5
+size 6188349
--- a/unbound.changes
+++ b/unbound.changes
@ -1,3 +1,87 @@
+-------------------------------------------------------------------
+Thu Jun  2 11:54:13 UTC 2022 - Michael Ströder <michael@stroeder.com>
+
+- update to 1.16.0
+  * Features
+    - Merge PR #604: Add basic support for EDE (RFC8914).
+  * Bug Fixes
+    - Fix #412: cache invalidation issue with CNAME+A.
+    - Fix that TCP interface does not use TLS when TLS is also configured.
+    - Fix #624: Unable to stop Unbound in Windows console (does not
+      respond to CTRL+C command).
+    - Fix #618: enabling interface-automatic disables DNS-over-TLS.
+      Adds the option to list interface-automatic-ports.
+    - Remove debug info from #618 fix.
+    - Fix #628: A rpz-passthru action is not ending RPZ zone processing.
+    - Fix for #628: fix rpz-passthru for qname trigger by localzone type.
+    - Fix that address not available is squelched from the logs for
+      udp connect failures. It is visible on verbosity 4 and more.
+    - Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with
+      ERR_GET_REASON.
+    - Fix to detect that no IPv6 support means that IPv6 addresses are
+      useless for delegation point lookups.
+    - update Makefile dependencies.
+    - Fix check interface existence for support detection in remote lookup.
+    - Fix #633: Document unix domain socket support for unbound-control.
+    - Fix for #633: updated fix with new text.
+    - Fix edns client subnet to add the option based on the option list,
+      so that it is not state dependent, after the state fix of #605 for
+      double EDNS options.
+    - Fix for edns client subnet option add fix in removal code, from review.
+    - Fix #630: Unify the RPZ log messages.
+    - Merge #623 from rex4539: Fix typos.
+    - Fix pythonmod for change in iter_dp_is_useless function prototype.
+    - Fix compile warnings for printf ll format on mingw compile.
+    - Merge PR #632 from scottrw93: Match cnames in ipset.
+    - Various fixes for #632: variable initialisation, convert the qinfo
+      to str once, accept trailing dot in the local-zone ipset option.
+    - Fix #637: Integer Overflow in sldns_str2period function.
+    - Fix for #637: fix integer overflow checks in sldns_str2period.
+    - Fix configure for python to use sysutils, because distutils is
+      deprecated. It uses sysutils when available, distutils otherwise.
+    - Merge #644: Make `install-lib` make target install the pkg-config
+      file.
+    - Fix to ensure uniform handling of spaces and tabs when parsing RRs.
+    - Fix to describe auth-zone and other configuration at the local-zone
+      configuration option, to allow for more broadly view of the options.
+    - Merge PR #648 from eaglegai: fix -q doesn't work when use with
+      'unbound-control stats_shm'.
+    - Fix #651: [FR] Better logging for refused queries.
+    - Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup.
+    - Fix zonemd check to allow unsupported algorithms to load.
+      If there are only unsupported algorithms, or unsupported schemes,
+      and no failed or successful other ZONEMD records, or malformed
+      or bad ZONEMD records, the unsupported records allow the zone load.
+    - Fix zonemd unsupported algo check.
+    - Fix zonemd unsupported algo check reason to not copy to next record,
+      and check for success for debug printout.
+    - Fix zonemd unsupported algo check to print unsupported reason before
+      zeroing it.
+    - Fix zonemd unsupported algo check to set reason to NULL before the
+      check routine, but after malformed checks, to get the correct NULL
+      output when the digest matches.
+    - Fix #670: SERVFAIL problems with unbound 1.15.0 running on
+      OpenBSD 7.1.
+    - Fix Python build in non-source directory; based on patch by
+      Michael Tokarev.
+    - Fix #673: DNS over TLS: error: SSL_handshake syscall: No route to
+      host.
+    - Merge #677: Allow using system certificates not only on Windows,
+      from pemensik.
+    - For #677: Added tls-system-cert to config parser and documentation.
+    - Fix #417: prefetch and ECS causing cache corruption when used
+      together.
+    - Fix #678: [FR] modify behaviour of unbound-control rpz_enable zone,
+      by updating unbound-control's documentation.
+    - Fix typos in config_set_option for the 'num-threads' and
+      'ede-serve-expired' options.
+    - Fix to silence test for ede error output to the console from the
+      test setup script.
+    - Fix ede test to not use default pidfile, and use local interface.
+    - Fix some lint type warnings.
+    - Fix #684: [FTBS] configure script error with libmnl on openSUSE 15.3
+      (and possibly other distributions)
+
 -------------------------------------------------------------------
 Tue Apr 19 15:41:37 UTC 2022 - Dirk Müller <dmueller@suse.com>

@ -98,6 +182,91 @@ Tue Apr 19 15:41:37 UTC 2022 - Dirk Müller <dmueller@suse.com>
    software version.
  - Fix for #611: Integer overflow in sldns_wire2str_pkt_scan. 

+-------------------------------------------------------------------
+Thu Feb 10 22:55:23 UTC 2022 - Michael Ströder <michael@stroeder.com>
+
+- update to 1.15.0
+
+Features
+- Fix #596: unset the RA bit when a query is blocked by an unbound
+  RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
+  signal that a domain is externally blocked to clients when it
+  is blocked with NXDOMAIN by unsetting RA.
+- Add rpz: for-downstream: yesno option, where the RPZ zone is
+  authoritatively answered for, so the RPZ zone contents can be
+  checked with DNS queries directed at the RPZ zone.
+- Merge PR #616: Update ratelimit logic. It also introduces
+  ratelimit-backoff and ip-ratelimit-backoff configuration options.
+- Change aggressive-nsec default to yes.
+
+Bug Fixes
+- Fix compile warning for if_nametoindex on windows 64bit.
+- Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
+  warnings in rpz.
+- Fix validator debug output about DS support, print correct algorithm.
+- Add code similar to fix for ldns for tab between strings, for
+  consistency, the test case was not broken.
+- Allow local-data for classes other than IN to inherit a configured
+  local-zone's type if possible, instead of defaulting to type
+  transparent as per the implicit rule.
+- Fix to pick up other class local zone information before unlock.
+- Add missing configure flags for optional features in the
+  documentation.
+- Fix Unbound capitalization in the documentation.
+- Fix #591: Unbound-anchor manpage links to non-existent license file.
+- contrib/aaaa-filter-iterator.patch file renewed diff content to
+  apply cleanly to the current coderepo for the current code version.
+- Fix to add test for rpz-signal-nxdomain-ra.
+- Fix #596: only unset RA when NXDOMAIN is signalled.
+- Fix that RPZ does not set RD flag on replies, it should be copied
+  from the query.
+- Fix for #596: fix that rpz return message is returned and not just
+  the rcode from the iterator return path. This fixes signal unset RA
+  after a CNAME.
+- Fix unit tests for rpz now that the AA flag returns successfully from
+  the iterator loop.
+- Fix for #596: add unit test for nsdname trigger and signal unset RA.
+- Fix for #596: add unit test for nsip trigger and signal unset RA.
+- Fix #598: Fix unbound-checkconf fatal error: module conf
+  'respip dns64 validator iterator' is not known to work.
+- Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
+  triggered operation.
+- Merge #600 from pemensik: Change file mode before changing file
+  owner.
+- Fix prematurely terminated TCP queries when a reply has the same ID.
+- For #602: Allow the module-config "subnetcache validator cachedb
+  iterator".
+- Fix EDNS to upstream where the same option could be attached
+  more than once.
+- Add a region to serviced_query for allocations.
+- For dnstap, do not wakeupnow right there. Instead zero the timer to
+  force the wakeup callback asap.
+- Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
+- Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
+  serviced_udp_callback.
+- Merge PR #612: TCP race condition.
+- Test for NSID in SERVFAIL response due to DNSSEC bogus.
+- Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
+  document.
+- Fix tls-* and ssl-* documented alternate syntax to also be available
+  through remote-control and unbound-checkconf.
+- Better cleanup on failed DoT/DoH listening socket creation.
+- iana portlist update.
+- Fix review comment for use-after-free when failing to send UDP out.
+- Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
+  internals.
+- Merge PR #532 from Shchelk: Fix: buffer overflow bug.
+- Merge PR #617: Update stub/forward-host notation to accept port and
+  tls-auth-name.
+- Update stream_ssl.tdir test to also use the new forward-host
+  notation.
+- Fix header comment for doxygen for authextstrtoaddr.
+- please clang analyzer for loop in test code.
+- Fix docker splint test to use more portable uname.
+- Update contrib/aaaa-filter-iterator.patch with diff for current
+  software version.
+- Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
+
 -------------------------------------------------------------------
 Fri Dec 31 23:18:09 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

--- a/unbound.spec
+++ b/unbound.spec
@ -33,7 +33,7 @@
 %define piddir /run

 Name:           unbound
-Version:        1.15.0
+Version:        1.16.0
 Release:        0
 BuildRequires:  flex
 BuildRequires:  ldns-devel >= %{ldns_version}