diff --git a/unbound-1.5.3.tar.gz b/unbound-1.5.3.tar.gz deleted file mode 100644 index 0692f1d..0000000 --- a/unbound-1.5.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:76bdc875ed4d1d3f8e4cfe960e6df78ee5c6c7c18abac11331cf93a7ae129eca -size 4821300 diff --git a/unbound-1.5.4.tar.gz b/unbound-1.5.4.tar.gz new file mode 100644 index 0000000..89c2ec2 --- /dev/null +++ b/unbound-1.5.4.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a1e1c1a578cf8447cb51f6033714035736a0f04444854a983123c094cc6fb137 +size 4844273 diff --git a/unbound.changes b/unbound.changes index 5530ddd..b4469ea 100644 --- a/unbound.changes +++ b/unbound.changes 
@@ -1,3 +1,93 @@ +------------------------------------------------------------------- +Thu Jul 9 10:16:32 UTC 2015 - michael@stroeder.com + +- update to 1.5.4 + +Features + - [bugzilla: 644 ] harden-algo-downgrade option, if turned off, + fixes the reported excessive validation failure when multiple + algorithms are present. If set to 'no', it allows the weakest + algorithm to validate the zone. + - stats reports tcp usage, of incoming-num-tcp buffers. + - contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal + scripts. Contributed by Yuri Voinov. + - Add ip-transparent config option for bind to non-local addresses. + - Synthesize ANY responses from cache. Does not search exhaustively, + but MX,A,AAAA,SOA,NS also CNAME. + - unbound-control list_insecure command shows the negative trust + anchors currently configured, patch from Jelte Jansen. + - ratelimit feature, ratelimit: 1000, can be used to turn it on. It + ratelimits recursion effort per zone. For particular names you can + configure exceptions in unbound.conf. + - Ratelimit does not apply to prefetched queries, and + ratelimit-factor is default 10. Repeated normal queries get resolved + and with prefetch stay in the cache. + - unbound-control ratelimit_list lists high rate domains. + - caps-whitelist in unbound.conf allows whitelist of loadbalancers + that cannot work with caps-for-id or its fallback. + - RFC 7553 RR type URI support, is now enabled by default. + - cache-max-negative-ttl config option, default 3600. + - Add local-zone type inform_deny, that logs query and drops answer. + +Bug Fixes + - Unbound exits with a fatal error when the auto-trust-anchor-file + fails to be writable. This is seconds after startup. You can load a + readonly auto-trust-anchor-file with trust-anchor-file. The file has + to be writable to notice the trust anchor change, without it, a trust + anchor change will be unnoticed and the system will then become + inoperable. + - DLV is going to be decommissioned. 
Advice to stop using it, and + put text in the example configuration and man page to that effect. + - Patch from Brad Smith that syncs compat/getentropy_linux with + OpenBSD's version (2015-03-04). + - 0x20 fallback improved: servfail responses do not count as missing + comparisons (except if all responses are errors), inability to find + nameservers does not fail equality comparisons, many nameservers does + not try to compare more than max-sent-count, parse failures start 0x20 + fallback procedure. + - store caps_response with best response in case downgrade response + happens to be the last one. + - Document that incoming-num-tcp increase is good for large servers. + - Fix lintian warning in unbound-checkconf man page (from Andreas + Schulze). + - Updated default keylength in unbound-control-setup to 3k. + - Fixup compile on cygwin, more portable openssl thread id. + - Use reallocarray for integer overflow protection, patch submitted + by Loganaden Velvindron. + - Fixed to add integer overflow checks on allocation (defense in depth). + - Fix segfault on user not found at startup (from Maciej Soltysiak). + - [bugzilla: 657 ] Fix that libunbound(3) recommends deprecated + CRYPTO_set_id_callback. + - If unknown trust anchor algorithm, and libressl is used, error + message encourages upgrade of the libressl package. + - rename ldns subdirectory to sldns to avoid name collision. + - [bugzilla: 660 ] Fix interface-automatic broken in the presence of + asymmetric routing. + - Libunbound skips dos-line-endings from etc/hosts. + - Fix crash in dnstap: Do not try to log TCP responses after timeout. + - Fix that get_option for cache-sizes does not print double newline. + - [bugzilla: 663 ] Fix that ssl handshake fails when using unix + socket because dh size is too small. + - [bugzilla: 664 ] libunbound python3 related fixes (from Tomas + Hozza); Use print_function also for Python2. libunbound examples: + produce sorted output. 
libunbound-Python: libldns is not used anymore. + Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns. + - Fix leaked dns64prefix configuration string. + - Removed contrib/unbound_unixsock.diff, because it has been + integrated, use control-interface: /path in unbound.conf. + - Change syntax of particular validator error to be easier for + machine parse, swap rrset and ip adres info so it looks like: + validation failure : signature crypto failed + from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN> + - Fix that unparseable error responses are ratelimited. + - SOA negative TTL is capped at minimumttl in its rdata section. + - [bugzilla: 674 ] Do not free pointers given by getenv. + - [bugzilla: 677 ] Fix CNAME corresponding to a DNAME was checked + incorrectly and was therefore always synthesized (thanks to Valentin + Dietrich). And fix DNAME responses from cache that failed internal + chain test. + - iana portlist update. + ------------------------------------------------------------------- Fri Apr 24 13:53:53 UTC 2015 - michael@stroeder.com diff --git a/unbound.spec b/unbound.spec index efe4c4b..220e41f 100644 --- a/unbound.spec +++ b/unbound.spec @@ -47,7 +47,7 @@ %endif Name: unbound -Version: 1.5.3 +Version: 1.5.4 Release: 0 # #
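Review bot: The tarball swap (unbound-1.5.3.tar.gz removed, unbound-1.5.4.tar.gz added) arrives with no way to verify the new source from what is shown. The only integrity value in the diff is the git-lfs pointer's own `oid sha256:...`, which identifies the stored blob but is not an upstream attestation. No detached signature or keyring file is added next to the tarball in this change. Please add the upstream signature file for 1.5.4 alongside the tarball, or state in the submission how the archive was checked against the upstream release.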
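Review bot: In the unbound.changes hunk, the first Features item describes a security trade-off without saying which way the package is set. It says harden-algo-downgrade "if turned off, fixes the reported excessive validation failure" and then "If set to 'no', it allows the weakest algorithm to validate the zone", so disabling it relaxes DNSSEC algorithm downgrade protection. Please state the value this package ships with, and word the item so an administrator reading the changelog sees that 'no' is the weaker setting. The same entry would also read better with the operational changes (fatal exit on a non-writable auto-trust-anchor-file, the DLV decommissioning advice, the 3k default key length in unbound-control-setup) grouped at the top rather than spread through the Bug Fixes list.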
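Review bot: The unbound.spec hunk changes only `Version: 1.5.3` to `Version: 1.5.4`, but the changelog in this same patch lists behaviour changes that can affect packaging. "Unbound exits with a fatal error when the auto-trust-anchor-file fails to be writable", so if the packaged configuration uses auto-trust-anchor-file, the file and its directory must be writable by the user the daemon runs as, otherwise the service stops seconds after startup. The changelog also says contrib/unbound_unixsock.diff was removed upstream and that the ldns subdirectory was renamed to sldns. Please confirm that nothing else in the spec references those paths, and that the anchor file ownership was checked for this update.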