diff --git a/libunbound-devel-mini.changes b/libunbound-devel-mini.changes
index 1a74815..63e7f8b 100644
--- a/libunbound-devel-mini.changes
+++ b/libunbound-devel-mini.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Fri Mar 8 10:15:41 UTC 2024 - Jorik Cronenberg
+
+- Update to 1.19.2:
+ * Bug Fixes:
+ - Fix CVE-2024-1931, Denial of service when trimming EDE text
+ on positive replies.
+ [bsc#1221164]
+
 -------------------------------------------------------------------
 Wed Feb 28 13:35:31 UTC 2024 - Pedro Monreal
@@ -7,6 +16,13 @@ Wed Feb 28 13:35:31 UTC 2024 - Pedro Monreal
 exploited to exhaust CPU resources and stall DNS resolvers.
 - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
+-------------------------------------------------------------------
+Tue Feb 6 13:27:06 UTC 2024 - Stefan Seyfried
+
+- as we use --disable-explicit-port-randomisation, also disable
+ outgoing-port-permit and outgoing-port-avoid in config file to
+ suppress the related unbound-checkconf warnings on every start
+
 -------------------------------------------------------------------
 Fri Nov 17 09:50:18 UTC 2023 - Pedro Monreal
diff --git a/libunbound-devel-mini.spec b/libunbound-devel-mini.spec
index 12289f8..92a6e2c 100644
--- a/libunbound-devel-mini.spec
+++ b/libunbound-devel-mini.spec
@@ -22,7 +22,7 @@
 %bcond_without hardened_build
 #
 Name: libunbound-devel-mini
-Version: 1.19.1
+Version: 1.19.2
 #!BcntSyncTag: unbound
 Release: 0
 Summary: Just a devel package for build loops
diff --git a/unbound-1.19.1.tar.gz b/unbound-1.19.1.tar.gz
deleted file mode 100644
index d815e0f..0000000
--- a/unbound-1.19.1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bc1d576f3dd846a0739adc41ffaa702404c6767d2b6082deb9f2f97cbb24a3a9
-size 6340435
diff --git a/unbound-1.19.1.tar.gz.asc b/unbound-1.19.1.tar.gz.asc
deleted file mode 100644
index 10637a5..0000000
--- a/unbound-1.19.1.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmXLWyEACgkQn28cLX4E
-X42koxAAnHtiFXYUs7DVzxRd3ZtIxTbhedtJvBzQCT3BkbwfweWNongKOirJU6zP
-tMNnBX6xi73cJes6pjgNVnKvSHWA5GxdlYpK3k41o9r4IgOkr1xomAT1HUb0BuVY
-bULbObWpImlA4U75z+EQBBh7YqkXiZRwlzQp2TEXc96CTED2y9pRhPjDcCV7PbKJ
-NqXcNrvBgaMPEdEbhKRojxdvjd42erte6HbLbXJESRaZWd+w363qbshdVYk5KFON
-beivZtLquLuaxYwC/oblyJglKxUmPtp1Ts/wbqoW2qAaCEXlRs3YzMQUkqrndpsk
-c97EC6WReoyvKmtWwKA13/nBjSAbfwSEOTj3qTWadbkX3F82oFVmiZcI+70Jg/Zs
-VI7jdmLxZ/5UVL6vTy2nQHvA43Sn4XB/HosqC7x/XKgZE42Xw6J4ou9ibuNfHKJM
-IAU+HTSmRI4sS7Kxqgc6a213eJ7l8qmAW0US9WxO4k8uzIozek263I9obO2+BnVV
-brOIcJkGHMNnqA92Hzd8pXJStMYP6aHMfdTmIk0YyrHGC1oxANuYWbafoiIAetOG
-H/atC2Z84+TeNl5uSFRdjiANwf3lA3tApfVUw/lm1+lzZ7TnYg9MBDCB+/0iwx+9
-4vXE8SD+v1nzAYIJYUtwxc16E2Su7mJ4qIq0cZ8VOm2sw5CgmmI=
-=nFuI
------END PGP SIGNATURE-----
diff --git a/unbound-1.19.2.tar.gz b/unbound-1.19.2.tar.gz
new file mode 100644
index 0000000..f680bd1
--- /dev/null
+++ b/unbound-1.19.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cc560d345734226c1b39e71a769797e7fdde2265cbb77ebce542704bba489e55
+size 6340281
diff --git a/unbound-1.19.2.tar.gz.asc b/unbound-1.19.2.tar.gz.asc
new file mode 100644
index 0000000..d86b0ec
--- /dev/null
+++ b/unbound-1.19.2.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmXpd8QACgkQn28cLX4E
+X42QJg//ebCixy+Ccth8Kh3o7f3ADZH3SP78aHhMVsQ2P+X/y5vWMrUUuaCnn4Kp
+PVMgI+BGB/imZ9SBrhhGOgjL6/AVFTHWqGBQrCqEholC2mLoxu6pUVRCa6WMkB2M
+z+xHVnacRd6tQ2Am6i+9pGXmu4Ztpz3tQK+GuMuwHoiR5Gy/QAoanjZaGRgtCpVs
+sqxDZUjWL2/jQedDjAqNYhZITYrxFXa6pxPnDpmRoX2sRD0Uc0XFT9Rvx8mnaLzO
+9eeDLfF6zcq70A4I0jrpG9ro7RJ7k71/7FcuTdfvbhlOsP9cRINspNcx9hfAkfV3
+qYCBgR1Nvx8rSRSJp4xCoBSzVLMMNDKfWQw+/APqhWQ/yIm5xfjFv+vvksY7PQjd
+H89JS3YAkUTtgDI/vNb+gnBX2ma4c9AYjiuK9raoL85h2rv0MXIcaC5cCR8DQOIg
+h9poHosfpvLyKNDDc/epYYQ1IfRX4oydH4rXhT8STapahsbDPtt0HlXsD0icCfFC
+YHbLpZ1qXhjSqR+/gSvTDJ8WiB389LbSPTlkMY6Euv/Im3UdHDFMJgnwD9eQ4i0V
+fa+6Bh35gxPz50UKwOkcLYUs+bEX3QzQK8/hYzxkJi5VoQH1ZlmEEk5eZEMv0ASj
+0/zHQAlWyicNK5Y+0OkVdw14r3x/794K2DRJcF2iW9ZS2Q7YP2s=
+=mNud
+-----END PGP SIGNATURE-----
diff --git a/unbound.changes b/unbound.changes
index 8bfbe54..905f966 100644
--- a/unbound.changes
+++ b/unbound.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Fri Mar 8 10:12:30 UTC 2024 - Jorik Cronenberg
+
+- Update to 1.19.2:
+ * Bug Fixes:
+ - Fix CVE-2024-1931, Denial of service when trimming EDE text
+ on positive replies.
+ [bsc#1221164]
+
 -------------------------------------------------------------------
 Wed Feb 28 13:35:31 UTC 2024 - Pedro Monreal
@@ -7,6 +16,18 @@ Wed Feb 28 13:35:31 UTC 2024 - Pedro Monreal
 exploited to exhaust CPU resources and stall DNS resolvers.
 - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
+-------------------------------------------------------------------
+Tue Feb 6 13:27:06 UTC 2024 - Stefan Seyfried
+
+- as we use --disable-explicit-port-randomisation, also disable
+ outgoing-port-permit and outgoing-port-avoid in config file to
+ suppress the related unbound-checkconf warnings on every start
+
+-------------------------------------------------------------------
+Tue Jan 23 09:32:21 UTC 2024 - Jakob Lorenz
+
+- Use prefixes instead of sudo in unbound.service (boo#1215628)
+
 -------------------------------------------------------------------
 Fri Nov 17 09:50:18 UTC 2023 - Pedro Monreal
diff --git a/unbound.conf b/unbound.conf
index 89e3829..1579a1c 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -70,19 +70,6 @@ server:
 # port range that can be open simultaneously.
 # outgoing-range: 4096
- # permit unbound to use this port number or port range for
- # making outgoing queries, using an outgoing interface.
- # Only ephemeral ports are allowed by SElinux
- outgoing-port-permit: 32768-65535
-
- # deny unbound the use this of port number or port range for
- # making outgoing queries, using an outgoing interface.
- # Use this to make sure unbound does not grab a UDP port that some
- # other server on this computer needs. The default is to avoid
- # IANA-assigned port numbers.
- # Our SElinux policy does not allow non-ephemeral ports to be used
- outgoing-port-avoid: 0-32767
-
 # number of outgoing simultaneous tcp buffers to hold per thread.
 # outgoing-num-tcp: 10
diff --git a/unbound.service b/unbound.service
index 8ccb407..00b6c9c 100644
--- a/unbound.service
+++ b/unbound.service
@@ -9,11 +9,13 @@ Wants=nss-lookup.target
 [Service]
 Type=simple
+User=unbound
+Group=unbound
 EnvironmentFile=-/etc/sysconfig/unbound
 #ExecStartPre=/sbin/runuser --shell /bin/sh -c "/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem" unbound
-ExecStartPre=/usr/bin/sudo -u unbound /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
+ExecStartPre=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
 ExecStartPre=/usr/sbin/unbound-checkconf
-ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
+ExecStart=!/usr/sbin/unbound -d $UNBOUND_OPTIONS
 [Install]
 WantedBy=multi-user.target
diff --git a/unbound.spec b/unbound.spec
index adcca8f..53bb848 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -33,7 +33,7 @@
 %define piddir /run
 Name: unbound
-Version: 1.19.1
+Version: 1.19.2
 Release: 0
 BuildRequires: flex
 BuildRequires: ldns-devel >= %{ldns_version}
@@ -174,6 +174,7 @@ This package holds the Python modules and extensions for unbound.
 %build
 %sysusers_generate_pre %{SOURCE19} anchor unbound.conf
+
 export CFLAGS="%{optflags}"
 export CXXFLAGS="%{optflags}"
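Review bot: `ExecStart=!/usr/sbin/unbound` in the unbound.service hunk exempts the daemon from the new `User=unbound`/`Group=unbound`, so the main process still starts as root and the drop to an unprivileged account rests entirely on unbound's own `username:` setting, which is not part of this diff. The `[Service]` lines visible in the hunk carry no `CapabilityBoundingSet=`, `NoNewPrivileges=` or `ProtectSystem=`, so nothing in the unit bounds that root phase; I would add a capability bound restricted to what unbound needs before it drops privileges and document the prefix, e.g. `# "!" skips User=/Group=: unbound starts privileged and drops to its configured user itself`. `ExecStartPre=/usr/sbin/unbound-checkconf` also changes identity from root to `unbound` here, so it will presumably fail if the configuration includes a file only root can read; worth checking against the packaged file modes.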