Accepting request 1156332 from server:dns

- Update to 1.19.2 [bsc#1221164, CVE-2024-1931]
- as we use --disable-explicit-port-randomisation, also disable
  outgoing-port-permit and outgoing-port-avoid in config file to
  suppress the related unbound-checkconf warnings on every start
- Use prefixes instead of sudo in unbound.service (boo#1215628)

OBS-URL: https://build.opensuse.org/request/show/1156332
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/unbound?expand=0&rev=65

libunbound-devel-mini.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Fri Mar  8 10:15:41 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to 1.19.2:
+  * Bug Fixes:
+    - Fix CVE-2024-1931, Denial of service when trimming EDE text
+      on positive replies.
+      [bsc#1221164]
+
 -------------------------------------------------------------------
 Wed Feb 28 13:35:31 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
 
@@ -7,6 +16,13 @@ Wed Feb 28 13:35:31 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
       exploited to exhaust CPU resources and stall DNS resolvers.
     - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
 
+-------------------------------------------------------------------
+Tue Feb  6 13:27:06 UTC 2024 - Stefan Seyfried <seife+obs@b1-systems.com>
+
+- as we use --disable-explicit-port-randomisation, also disable
+  outgoing-port-permit and outgoing-port-avoid in config file to
+  suppress the related unbound-checkconf warnings on every start
+
 -------------------------------------------------------------------
 Fri Nov 17 09:50:18 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
 

libunbound-devel-mini.spec

@@ -22,7 +22,7 @@
 %bcond_without hardened_build
 #
 Name:           libunbound-devel-mini
-Version:        1.19.1
+Version:        1.19.2
 #!BcntSyncTag: unbound
 Release:        0
 Summary:        Just a devel package for build loops

unbound-1.19.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bc1d576f3dd846a0739adc41ffaa702404c6767d2b6082deb9f2f97cbb24a3a9
-size 6340435

unbound-1.19.1.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmXLWyEACgkQn28cLX4E
-X42koxAAnHtiFXYUs7DVzxRd3ZtIxTbhedtJvBzQCT3BkbwfweWNongKOirJU6zP
-tMNnBX6xi73cJes6pjgNVnKvSHWA5GxdlYpK3k41o9r4IgOkr1xomAT1HUb0BuVY
-bULbObWpImlA4U75z+EQBBh7YqkXiZRwlzQp2TEXc96CTED2y9pRhPjDcCV7PbKJ
-NqXcNrvBgaMPEdEbhKRojxdvjd42erte6HbLbXJESRaZWd+w363qbshdVYk5KFON
-beivZtLquLuaxYwC/oblyJglKxUmPtp1Ts/wbqoW2qAaCEXlRs3YzMQUkqrndpsk
-c97EC6WReoyvKmtWwKA13/nBjSAbfwSEOTj3qTWadbkX3F82oFVmiZcI+70Jg/Zs
-VI7jdmLxZ/5UVL6vTy2nQHvA43Sn4XB/HosqC7x/XKgZE42Xw6J4ou9ibuNfHKJM
-IAU+HTSmRI4sS7Kxqgc6a213eJ7l8qmAW0US9WxO4k8uzIozek263I9obO2+BnVV
-brOIcJkGHMNnqA92Hzd8pXJStMYP6aHMfdTmIk0YyrHGC1oxANuYWbafoiIAetOG
-H/atC2Z84+TeNl5uSFRdjiANwf3lA3tApfVUw/lm1+lzZ7TnYg9MBDCB+/0iwx+9
-4vXE8SD+v1nzAYIJYUtwxc16E2Su7mJ4qIq0cZ8VOm2sw5CgmmI=
-=nFuI
------END PGP SIGNATURE-----

unbound-1.19.2.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cc560d345734226c1b39e71a769797e7fdde2265cbb77ebce542704bba489e55
+size 6340281

unbound-1.19.2.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmXpd8QACgkQn28cLX4E
+X42QJg//ebCixy+Ccth8Kh3o7f3ADZH3SP78aHhMVsQ2P+X/y5vWMrUUuaCnn4Kp
+PVMgI+BGB/imZ9SBrhhGOgjL6/AVFTHWqGBQrCqEholC2mLoxu6pUVRCa6WMkB2M
+z+xHVnacRd6tQ2Am6i+9pGXmu4Ztpz3tQK+GuMuwHoiR5Gy/QAoanjZaGRgtCpVs
+sqxDZUjWL2/jQedDjAqNYhZITYrxFXa6pxPnDpmRoX2sRD0Uc0XFT9Rvx8mnaLzO
+9eeDLfF6zcq70A4I0jrpG9ro7RJ7k71/7FcuTdfvbhlOsP9cRINspNcx9hfAkfV3
+qYCBgR1Nvx8rSRSJp4xCoBSzVLMMNDKfWQw+/APqhWQ/yIm5xfjFv+vvksY7PQjd
+H89JS3YAkUTtgDI/vNb+gnBX2ma4c9AYjiuK9raoL85h2rv0MXIcaC5cCR8DQOIg
+h9poHosfpvLyKNDDc/epYYQ1IfRX4oydH4rXhT8STapahsbDPtt0HlXsD0icCfFC
+YHbLpZ1qXhjSqR+/gSvTDJ8WiB389LbSPTlkMY6Euv/Im3UdHDFMJgnwD9eQ4i0V
+fa+6Bh35gxPz50UKwOkcLYUs+bEX3QzQK8/hYzxkJi5VoQH1ZlmEEk5eZEMv0ASj
+0/zHQAlWyicNK5Y+0OkVdw14r3x/794K2DRJcF2iW9ZS2Q7YP2s=
+=mNud
+-----END PGP SIGNATURE-----

unbound.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Fri Mar  8 10:12:30 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to 1.19.2:
+  * Bug Fixes:
+    - Fix CVE-2024-1931, Denial of service when trimming EDE text
+      on positive replies.
+      [bsc#1221164]
+
 -------------------------------------------------------------------
 Wed Feb 28 13:35:31 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
 
@@ -7,6 +16,18 @@ Wed Feb 28 13:35:31 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
       exploited to exhaust CPU resources and stall DNS resolvers.
     - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
 
+-------------------------------------------------------------------
+Tue Feb  6 13:27:06 UTC 2024 - Stefan Seyfried <seife+obs@b1-systems.com>
+
+- as we use --disable-explicit-port-randomisation, also disable
+  outgoing-port-permit and outgoing-port-avoid in config file to
+  suppress the related unbound-checkconf warnings on every start
+
+-------------------------------------------------------------------
+Tue Jan 23 09:32:21 UTC 2024 - Jakob Lorenz <onlyjak0b@mailbox.org>
+
+- Use prefixes instead of sudo in unbound.service (boo#1215628)
+
 -------------------------------------------------------------------
 Fri Nov 17 09:50:18 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
 

unbound.conf

@@ -70,19 +70,6 @@ server:
 	# port range that can be open simultaneously.
 	# outgoing-range: 4096
 
-	# permit unbound to use this port number or port range for
-	# making outgoing queries, using an outgoing interface.
-	# Only ephemeral ports are allowed by SElinux
-	outgoing-port-permit: 32768-65535
-
-	# deny unbound the use this of port number or port range for
-	# making outgoing queries, using an outgoing interface.
-	# Use this to make sure unbound does not grab a UDP port that some
-	# other server on this computer needs. The default is to avoid
-	# IANA-assigned port numbers.
-	# Our SElinux policy does not allow non-ephemeral ports to be used
-	outgoing-port-avoid: 0-32767
-
 	# number of outgoing simultaneous tcp buffers to hold per thread.
 	# outgoing-num-tcp: 10
 

unbound.service

@@ -9,11 +9,13 @@ Wants=nss-lookup.target
 
 [Service]
 Type=simple
+User=unbound
+Group=unbound
 EnvironmentFile=-/etc/sysconfig/unbound
 #ExecStartPre=/sbin/runuser --shell /bin/sh -c "/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem" unbound
-ExecStartPre=/usr/bin/sudo -u unbound /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
+ExecStartPre=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
 ExecStartPre=/usr/sbin/unbound-checkconf
-ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
+ExecStart=!/usr/sbin/unbound -d $UNBOUND_OPTIONS
 
 [Install]
 WantedBy=multi-user.target

unbound.spec

@@ -33,7 +33,7 @@
 %define piddir /run
 
 Name:           unbound
-Version:        1.19.1
+Version:        1.19.2
 Release:        0
 BuildRequires:  flex
 BuildRequires:  ldns-devel >= %{ldns_version}
@@ -174,6 +174,7 @@ This package holds the Python modules and extensions for unbound.
 
 %build
 %sysusers_generate_pre %{SOURCE19} anchor unbound.conf
+
 export CFLAGS="%{optflags}"
 export CXXFLAGS="%{optflags}"