Accepting request 1156332 from server:dns

- Update to 1.19.2 [bsc#1221164, CVE-2024-1931] - as we use --disable-explicit-port-randomisation, also disable outgoing-port-permit and outgoing-port-avoid in config file to suppress the related unbound-checkconf warnings on every start - Use prefixes instead of sudo in unbound.service (boo#1215628) OBS-URL: https://build.opensuse.org/request/show/1156332 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/unbound?expand=0&rev=65
2024-03-09 19:54:05 +00:00 · 2024-03-09 19:54:05 +00:00 · ba05719e58
commit ba05719e58
parent f69fd35857 5383ccbf4a
10 changed files with 63 additions and 36 deletions
--- a/libunbound-devel-mini.changes
+++ b/libunbound-devel-mini.changes
@ -1,3 +1,12 @@
 -------------------------------------------------------------------
 Fri Mar  8 10:15:41 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
 - Update to 1.19.2:
  * Bug Fixes:
    - Fix CVE-2024-1931, Denial of service when trimming EDE text
      on positive replies.
      [bsc#1221164]
 -------------------------------------------------------------------
 Wed Feb 28 13:35:31 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
@ -7,6 +16,13 @@ Wed Feb 28 13:35:31 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
      exploited to exhaust CPU resources and stall DNS resolvers.
    - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
 -------------------------------------------------------------------
 Tue Feb  6 13:27:06 UTC 2024 - Stefan Seyfried <seife+obs@b1-systems.com>
 - as we use --disable-explicit-port-randomisation, also disable
  outgoing-port-permit and outgoing-port-avoid in config file to
  suppress the related unbound-checkconf warnings on every start
 -------------------------------------------------------------------
 Fri Nov 17 09:50:18 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
--- a/libunbound-devel-mini.spec
+++ b/libunbound-devel-mini.spec
@ -22,7 +22,7 @@
 %bcond_without hardened_build
 #
 Name:           libunbound-devel-mini
-Version:        1.19.1
+Version:        1.19.2
 #!BcntSyncTag: unbound
 Release:        0
 Summary:        Just a devel package for build loops
--- a/unbound-1.19.1.tar.gz
+++ b/unbound-1.19.1.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:bc1d576f3dd846a0739adc41ffaa702404c6767d2b6082deb9f2f97cbb24a3a9
 size 6340435
--- a/unbound-1.19.1.tar.gz.asc
+++ b/unbound-1.19.1.tar.gz.asc
@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmXLWyEACgkQn28cLX4E
 X42koxAAnHtiFXYUs7DVzxRd3ZtIxTbhedtJvBzQCT3BkbwfweWNongKOirJU6zP
 tMNnBX6xi73cJes6pjgNVnKvSHWA5GxdlYpK3k41o9r4IgOkr1xomAT1HUb0BuVY
 bULbObWpImlA4U75z+EQBBh7YqkXiZRwlzQp2TEXc96CTED2y9pRhPjDcCV7PbKJ
 NqXcNrvBgaMPEdEbhKRojxdvjd42erte6HbLbXJESRaZWd+w363qbshdVYk5KFON
 beivZtLquLuaxYwC/oblyJglKxUmPtp1Ts/wbqoW2qAaCEXlRs3YzMQUkqrndpsk
 c97EC6WReoyvKmtWwKA13/nBjSAbfwSEOTj3qTWadbkX3F82oFVmiZcI+70Jg/Zs
 VI7jdmLxZ/5UVL6vTy2nQHvA43Sn4XB/HosqC7x/XKgZE42Xw6J4ou9ibuNfHKJM
 IAU+HTSmRI4sS7Kxqgc6a213eJ7l8qmAW0US9WxO4k8uzIozek263I9obO2+BnVV
 brOIcJkGHMNnqA92Hzd8pXJStMYP6aHMfdTmIk0YyrHGC1oxANuYWbafoiIAetOG
 H/atC2Z84+TeNl5uSFRdjiANwf3lA3tApfVUw/lm1+lzZ7TnYg9MBDCB+/0iwx+9
 4vXE8SD+v1nzAYIJYUtwxc16E2Su7mJ4qIq0cZ8VOm2sw5CgmmI=
 =nFuI
 -----END PGP SIGNATURE-----
--- a/unbound-1.19.2.tar.gz
+++ b/unbound-1.19.2.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:cc560d345734226c1b39e71a769797e7fdde2265cbb77ebce542704bba489e55
 size 6340281
--- a/unbound-1.19.2.tar.gz.asc
+++ b/unbound-1.19.2.tar.gz.asc
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmXpd8QACgkQn28cLX4E
 X42QJg//ebCixy+Ccth8Kh3o7f3ADZH3SP78aHhMVsQ2P+X/y5vWMrUUuaCnn4Kp
 PVMgI+BGB/imZ9SBrhhGOgjL6/AVFTHWqGBQrCqEholC2mLoxu6pUVRCa6WMkB2M
 z+xHVnacRd6tQ2Am6i+9pGXmu4Ztpz3tQK+GuMuwHoiR5Gy/QAoanjZaGRgtCpVs
 sqxDZUjWL2/jQedDjAqNYhZITYrxFXa6pxPnDpmRoX2sRD0Uc0XFT9Rvx8mnaLzO
 9eeDLfF6zcq70A4I0jrpG9ro7RJ7k71/7FcuTdfvbhlOsP9cRINspNcx9hfAkfV3
 qYCBgR1Nvx8rSRSJp4xCoBSzVLMMNDKfWQw+/APqhWQ/yIm5xfjFv+vvksY7PQjd
 H89JS3YAkUTtgDI/vNb+gnBX2ma4c9AYjiuK9raoL85h2rv0MXIcaC5cCR8DQOIg
 h9poHosfpvLyKNDDc/epYYQ1IfRX4oydH4rXhT8STapahsbDPtt0HlXsD0icCfFC
 YHbLpZ1qXhjSqR+/gSvTDJ8WiB389LbSPTlkMY6Euv/Im3UdHDFMJgnwD9eQ4i0V
 fa+6Bh35gxPz50UKwOkcLYUs+bEX3QzQK8/hYzxkJi5VoQH1ZlmEEk5eZEMv0ASj
 0/zHQAlWyicNK5Y+0OkVdw14r3x/794K2DRJcF2iW9ZS2Q7YP2s=
 =mNud
 -----END PGP SIGNATURE-----
--- a/unbound.changes
+++ b/unbound.changes
@ -1,3 +1,12 @@
 -------------------------------------------------------------------
 Fri Mar  8 10:12:30 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
 - Update to 1.19.2:
  * Bug Fixes:
    - Fix CVE-2024-1931, Denial of service when trimming EDE text
      on positive replies.
      [bsc#1221164]
 -------------------------------------------------------------------
 Wed Feb 28 13:35:31 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
@ -7,6 +16,18 @@ Wed Feb 28 13:35:31 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
      exploited to exhaust CPU resources and stall DNS resolvers.
    - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
 -------------------------------------------------------------------
 Tue Feb  6 13:27:06 UTC 2024 - Stefan Seyfried <seife+obs@b1-systems.com>
 - as we use --disable-explicit-port-randomisation, also disable
  outgoing-port-permit and outgoing-port-avoid in config file to
  suppress the related unbound-checkconf warnings on every start
 -------------------------------------------------------------------
 Tue Jan 23 09:32:21 UTC 2024 - Jakob Lorenz <onlyjak0b@mailbox.org>
 - Use prefixes instead of sudo in unbound.service (boo#1215628)
 -------------------------------------------------------------------
 Fri Nov 17 09:50:18 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
--- a/unbound.conf
+++ b/unbound.conf
@ -70,19 +70,6 @@ server:
 	# port range that can be open simultaneously.
 	# outgoing-range: 4096
 	# permit unbound to use this port number or port range for
 	# making outgoing queries, using an outgoing interface.
 	# Only ephemeral ports are allowed by SElinux
 	outgoing-port-permit: 32768-65535
 	# deny unbound the use this of port number or port range for
 	# making outgoing queries, using an outgoing interface.
 	# Use this to make sure unbound does not grab a UDP port that some
 	# other server on this computer needs. The default is to avoid
 	# IANA-assigned port numbers.
 	# Our SElinux policy does not allow non-ephemeral ports to be used
 	outgoing-port-avoid: 0-32767
 	# number of outgoing simultaneous tcp buffers to hold per thread.
 	# outgoing-num-tcp: 10
--- a/unbound.service
+++ b/unbound.service
@ -9,11 +9,13 @@ Wants=nss-lookup.target
 [Service]
 Type=simple
 User=unbound
 Group=unbound
 EnvironmentFile=-/etc/sysconfig/unbound
 #ExecStartPre=/sbin/runuser --shell /bin/sh -c "/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem" unbound
-ExecStartPre=/usr/bin/sudo -u unbound /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
+ExecStartPre=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
 ExecStartPre=/usr/sbin/unbound-checkconf
-ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
+ExecStart=!/usr/sbin/unbound -d $UNBOUND_OPTIONS
 [Install]
 WantedBy=multi-user.target
--- a/unbound.spec
+++ b/unbound.spec
@ -33,7 +33,7 @@
 %define piddir /run
 Name:           unbound
-Version:        1.19.1
+Version:        1.19.2
 Release:        0
 BuildRequires:  flex
 BuildRequires:  ldns-devel >= %{ldns_version}
@ -174,6 +174,7 @@ This package holds the Python modules and extensions for unbound.
 %build
 %sysusers_generate_pre %{SOURCE19} anchor unbound.conf
 export CFLAGS="%{optflags}"
 export CXXFLAGS="%{optflags}"