Accepting request 1144618 from home:seife:branches:server:dns

disable outgoing-port-permit and outgoing-port-avoid in config file to suppress the related unbound-checkconf warnings on every start OBS-URL: https://build.opensuse.org/request/show/1144618 OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=172
2024-03-05 15:13:11 +00:00 · 2024-03-05 15:13:11 +00:00 · afb03e5f7f
commit afb03e5f7f
parent 2fa50e9f92
4 changed files with 15 additions and 13 deletions
--- a/libunbound-devel-mini.changes
+++ b/libunbound-devel-mini.changes
@ -7,6 +7,13 @@ Wed Feb 28 13:35:31 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
      exploited to exhaust CPU resources and stall DNS resolvers.
    - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.

+-------------------------------------------------------------------
+Tue Feb  6 13:27:06 UTC 2024 - Stefan Seyfried <seife+obs@b1-systems.com>
+
+- as we use --disable-explicit-port-randomisation, also disable
+  outgoing-port-permit and outgoing-port-avoid in config file to
+  suppress the related unbound-checkconf warnings on every start
+
 -------------------------------------------------------------------
 Fri Nov 17 09:50:18 UTC 2023 - Pedro Monreal <pmonreal@suse.com>

--- a/unbound.changes
+++ b/unbound.changes
@ -7,6 +7,13 @@ Wed Feb 28 13:35:31 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
      exploited to exhaust CPU resources and stall DNS resolvers.
    - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.

+-------------------------------------------------------------------
+Tue Feb  6 13:27:06 UTC 2024 - Stefan Seyfried <seife+obs@b1-systems.com>
+
+- as we use --disable-explicit-port-randomisation, also disable
+  outgoing-port-permit and outgoing-port-avoid in config file to
+  suppress the related unbound-checkconf warnings on every start
+
 -------------------------------------------------------------------
 Tue Jan 23 09:32:21 UTC 2024 - Jakob Lorenz <onlyjak0b@mailbox.org>

--- a/unbound.conf
+++ b/unbound.conf
@ -70,19 +70,6 @@ server:
 	# port range that can be open simultaneously.
 	# outgoing-range: 4096

-	# permit unbound to use this port number or port range for
-	# making outgoing queries, using an outgoing interface.
-	# Only ephemeral ports are allowed by SElinux
-	outgoing-port-permit: 32768-65535
-
-	# deny unbound the use this of port number or port range for
-	# making outgoing queries, using an outgoing interface.
-	# Use this to make sure unbound does not grab a UDP port that some
-	# other server on this computer needs. The default is to avoid
-	# IANA-assigned port numbers.
-	# Our SElinux policy does not allow non-ephemeral ports to be used
-	outgoing-port-avoid: 0-32767
-
 	# number of outgoing simultaneous tcp buffers to hold per thread.
 	# outgoing-num-tcp: 10

--- a/unbound.spec
+++ b/unbound.spec
@ -174,6 +174,7 @@ This package holds the Python modules and extensions for unbound.

 %build
 %sysusers_generate_pre %{SOURCE19} anchor unbound.conf
+
 export CFLAGS="%{optflags}"
 export CXXFLAGS="%{optflags}"