Accepting request 315669 from home:stroeder:branches:server:dns

Update to upstream release 1.5.4. Successfully tested on Tumbleweed x86_64.

OBS-URL: https://build.opensuse.org/request/show/315669
OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=21

unbound-1.5.3.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:76bdc875ed4d1d3f8e4cfe960e6df78ee5c6c7c18abac11331cf93a7ae129eca
-size 4821300

unbound-1.5.4.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a1e1c1a578cf8447cb51f6033714035736a0f04444854a983123c094cc6fb137
+size 4844273

unbound.changes

@@ -1,3 +1,93 @@
+-------------------------------------------------------------------
+Thu Jul  9 10:16:32 UTC 2015 - michael@stroeder.com
+
+- update to 1.5.4
+
+Features
+  - [bugzilla: 644 ] harden-algo-downgrade option, if turned off,
+    fixes the reported excessive validation failure when multiple
+    algorithms are present. If set to 'no', it allows the weakest
+    algorithm to validate the zone.
+  - stats reports tcp usage, of incoming-num-tcp buffers.
+  - contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal
+    scripts. Contributed by Yuri Voinov.
+  - Add ip-transparent config option for bind to non-local addresses.
+  - Synthesize ANY responses from cache. Does not search exhaustively,
+    but MX,A,AAAA,SOA,NS also CNAME.
+  - unbound-control list_insecure command shows the negative trust
+    anchors currently configured, patch from Jelte Jansen.
+  - ratelimit feature, ratelimit: 1000, can be used to turn it on. It
+    ratelimits recursion effort per zone. For particular names you can
+    configure exceptions in unbound.conf.
+  - Ratelimit does not apply to prefetched queries, and
+    ratelimit-factor is default 10. Repeated normal queries get resolved
+    and with prefetch stay in the cache.
+  - unbound-control ratelimit_list lists high rate domains.
+  - caps-whitelist in unbound.conf allows whitelist of loadbalancers
+    that cannot work with caps-for-id or its fallback.
+  - RFC 7553 RR type URI support, is now enabled by default.
+  - cache-max-negative-ttl config option, default 3600.
+  - Add local-zone type inform_deny, that logs query and drops answer.
+
+Bug Fixes
+  - Unbound exits with a fatal error when the auto-trust-anchor-file
+    fails to be writable. This is seconds after startup. You can load a
+    readonly auto-trust-anchor-file with trust-anchor-file. The file has
+    to be writable to notice the trust anchor change, without it, a trust
+    anchor change will be unnoticed and the system will then become
+    inoperable.
+  - DLV is going to be decommissioned. Advice to stop using it, and
+    put text in the example configuration and man page to that effect.
+  - Patch from Brad Smith that syncs compat/getentropy_linux with
+    OpenBSD's version (2015-03-04).
+  - 0x20 fallback improved: servfail responses do not count as missing
+    comparisons (except if all responses are errors), inability to find
+    nameservers does not fail equality comparisons, many nameservers does
+    not try to compare more than max-sent-count, parse failures start 0x20
+    fallback procedure.
+  - store caps_response with best response in case downgrade response
+    happens to be the last one.
+  - Document that incoming-num-tcp increase is good for large servers.
+  - Fix lintian warning in unbound-checkconf man page (from Andreas
+    Schulze).
+  - Updated default keylength in unbound-control-setup to 3k.
+  - Fixup compile on cygwin, more portable openssl thread id.
+  - Use reallocarray for integer overflow protection, patch submitted
+    by Loganaden Velvindron.
+  - Fixed to add integer overflow checks on allocation (defense in depth).
+  - Fix segfault on user not found at startup (from Maciej Soltysiak).
+  - [bugzilla: 657 ] Fix that libunbound(3) recommends deprecated
+    CRYPTO_set_id_callback.
+  - If unknown trust anchor algorithm, and libressl is used, error
+    message encourages upgrade of the libressl package.
+  - rename ldns subdirectory to sldns to avoid name collision.
+  - [bugzilla: 660 ] Fix interface-automatic broken in the presence of
+    asymmetric routing.
+  - Libunbound skips dos-line-endings from etc/hosts.
+  - Fix crash in dnstap: Do not try to log TCP responses after timeout.
+  - Fix that get_option for cache-sizes does not print double newline.
+  - [bugzilla: 663 ] Fix that ssl handshake fails when using unix
+    socket because dh size is too small.
+  - [bugzilla: 664 ] libunbound python3 related fixes (from Tomas
+    Hozza); Use print_function also for Python2. libunbound examples:
+    produce sorted output. libunbound-Python: libldns is not used anymore.
+    Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns.
+  - Fix leaked dns64prefix configuration string.
+  - Removed contrib/unbound_unixsock.diff, because it has been
+    integrated, use control-interface: /path in unbound.conf.
+  - Change syntax of particular validator error to be easier for
+    machine parse, swap rrset and ip adres info so it looks like:
+    validation failure <www.example.nl. TXT IN>: signature crypto failed
+    from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN>
+  - Fix that unparseable error responses are ratelimited.
+  - SOA negative TTL is capped at minimumttl in its rdata section.
+  - [bugzilla: 674 ] Do not free pointers given by getenv.
+  - [bugzilla: 677 ] Fix CNAME corresponding to a DNAME was checked
+    incorrectly and was therefore always synthesized (thanks to Valentin
+    Dietrich). And fix DNAME responses from cache that failed internal
+    chain test.
+  - iana portlist update.
+
 -------------------------------------------------------------------
 Fri Apr 24 13:53:53 UTC 2015 - michael@stroeder.com
 

unbound.spec

@@ -47,7 +47,7 @@
 %endif
 
 Name:           unbound
-Version:        1.5.3
+Version:        1.5.4
 Release:        0
 #
 #