From 0424ed4c536e93c98cb9fa00501592d91581be53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Thu, 5 Sep 2024 11:26:20 +0200 Subject: [PATCH] Adding patchinfo patchinfo.20240816122306649398.269002615871826 --- .../_patchinfo | 757 ++++++++++++++++++ 1 file changed, 757 insertions(+) create mode 100644 patchinfo.20240816122306649398.269002615871826/_patchinfo diff --git a/patchinfo.20240816122306649398.269002615871826/_patchinfo b/patchinfo.20240816122306649398.269002615871826/_patchinfo new file mode 100644 index 0000000..ca2c939 --- /dev/null +++ b/patchinfo.20240816122306649398.269002615871826/_patchinfo @@ -0,0 +1,757 @@ + + + unbound fails to start under openSUSE MicroOS + VUL-0: CVE-2023-50387 : unbound, pdns, bind, dnsmasq: Denial Of Service while trying to validate specially crafted DNSSEC responses + VUL-0: CVE-2023-50868: unbound, bind, pdns, dnsmasq: Denial Of Service while trying to validate specially crafted DNSSEC responses + VUL-0: CVE-2024-1931: unbound: Infinite loop due to improper EDE message size check + + + + + jcronenberg + important + security + Security update for unbound + This update for unbound fixes the following issues: + +- Update to 1.20.0: + Features: + * The config for discard-timeout, wait-limit, wait-limit-cookie, + wait-limit-netblock and wait-limit-cookie-netblock was added, + for the fix to the DNSBomb issue. + * Merge GH#1027: Introduce 'cache-min-negative-ttl' option. + * Merge GH#1043 from xiaoxiaoafeifei: Add loongarch support; + updates config.guess(2024-01-01) and config.sub(2024-01-01), + verified with upstream. + * Implement cachedb-check-when-serve-expired: yes option, default + is enabled. When serve expired is enabled with cachedb, it + first checks cachedb before serving the expired response. + * Fix GH#876: [FR] can unbound-checkconf be silenced when + configuration is valid? + + Bug Fixes: + * Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to + Xiang Li from the Network and Information Security Lab of + Tsinghua University for reporting it. + * Update doc/unbound.doxygen with 'doxygen -u'. Fixes option + deprecation warnings and updates with newer defaults. + * Remove unused portion from iter_dname_ttl unit test. + * Fix validator classification of qtype DNAME for positive and + redirection answers, and fix validator signature routine for + dealing with the synthesized CNAME for a DNAME without + previously encountering it and also for when the qtype is + DNAME. + * Fix qname minimisation for reply with a DNAME for qtype CNAME + that answers it. + * Fix doc test so it ignores but outputs unsupported doxygen + options. + * Fix GH#1021 Inconsistent Behavior with Changing + rpz-cname-override and doing a unbound-control reload. + * Merge GH#1028: Clearer documentation for tcp-idle-timeout and + edns-tcp-keepalive-timeout. + * Fix GH#1029: rpz trigger clientip and action rpz-passthru not + working as expected. + * Fix rpz that the rpz override is taken in case of clientip + triggers. Fix that the clientip passthru action is logged. Fix + that the clientip localdata action is logged. Fix rpz override + action cname for the clientip trigger. + * Fix to unify codepath for local alias for rpz cname action + override. + * Fix rpz for cname override action after nsdname and nsip + triggers. + * Fix that addrinfo is not kept around but copied and freed, so + that log-destaddr uses a copy of the information, much like NSD + does. + * Merge GH#1030: Persist the openssl and expat directories for + repeated Windows builds. + * Fix that rpz CNAME content is limited to the max number of + cnames. + * Fix rpz, it follows iterator CNAMEs for nsip and nsdname and + sets the reply query_info values, that is better for debug + logging. + * Fix rpz that copies the cname override completely to the temp + region, so there are no references to the rpz region. + * Add rpz unit test for nsip action override. + * Fix rpz for qtype CNAME after nameserver trigger. + * Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix + that clientip and nsip can give a CNAME. + * Fix localdata and rpz localdata to match CNAME only if no + direct type match is available. + * Merge GH#831 from Pierre4012: Improve Windows NSIS installer + script (setup.nsi). + * For GH#831: Format text, use exclamation icon and explicit label + names. + * Fix name of unit test for subnet cache response. + * Fix GH#1032: The size of subnet_msg_cache calculation mistake + cause memory usage increased beyond expectations. + * Fix for GH#1032, add safeguard to make table space positive. + * Fix comment in lruhash space function. + * Fix to add unit test for lruhash space that exercises the + routines. + * Fix that when the server truncates the pidfile, it does not + follow symbolic links. + * Fix that the server does not chown the pidfile. + * Fix GH#1034: DoT forward-zone via unbound-control. + * Fix for crypto related failures to have a better error string. + * Fix GH#1035: Potential Bug while parsing port from the + "stub-host" string; also affected forward-zones and + remote-control host directives. + * Fix GH#369: dnstap showing extra responses; for client responses + right from the cache when replying with expired data or + prefetching. + * Fix GH#1040: fix heap-buffer-overflow issue in function + cfg_mark_ports of file util/config_file.c. + * For GH#1040: adjust error text and disallow negative ports in + other parts of cfg_mark_ports. + * Fix comment syntax for view function views_find_view. + * Fix GH#595: unbound-anchor cannot deal with full disk; it will + now first write out to a temp file before replacing the + original one, like Unbound already does for + auto-trust-anchor-file. + * Fixup compile without cachedb. + * Add test for cachedb serve expired. + * Extended test for cachedb serve expired. + * Fix makefile dependencies for fake_event.c. + * Fix cachedb for serve-expired with serve-expired-reply-ttl. + * Fix to not reply serve expired unless enabled for cachedb. + * Fix cachedb for serve-expired with + serve-expired-client-timeout. + * Fixup unit test for cachedb server expired client timeout with + a check if response if from upstream or from cachedb. + * Fixup cachedb to not refetch when serve-expired-client-timeout + is used. + * Merge GH#1049 from Petr Menšík: Py_NoSiteFlag is not needed since + Python 3.8 + * Fix GH#1048: Update ax_pkg_swig.m4 and ax_pthread.m4. + * Fix configure, autoconf for GH#1048. + * Add checklock feature verbose_locking to trace locks and + unlocks. + * Fix edns subnet to sort rrset references when storing messages + in the cache. This fixes a race condition in the rrset locks. + * Merge GH#1053: Remove child delegations from cache when + grandchild delegations are returned from parent. + * Fix ci workflow for macos for moved install locations. + * Fix configure flto check error, by finding grep for it. + * Merge GH#1041: Stub and Forward unshare. This has one structure + for them and fixes GH#1038: fatal error: Could not initialize + thread / error: reading root hints. + * Fix to disable fragmentation on systems with IP_DONTFRAG, with + a nonzero value for the socket option argument. + * Fix doc unit test for out of directory build. + * Fix cachedb with serve-expired-client-timeout disabled. The + edns subnet module deletes global cache and cachedb cache when + it stores a result, and serve-expired is enabled, so that the + global reply, that is older than the ecs reply, does not return + after the ecs reply expires. + * Add unit tests for cachedb and subnet cache expired data. + * Man page entry for unbound-checkconf -q. + * Cleanup unnecessary strdup calls for EDE strings. + * Fix doxygen comment for errinf_to_str_bogus. + +- Update to 1.19.3: + * Features: + - Merge PR #973: Use the origin (DNAME) TTL for synthesized + CNAMEs as per RFC 6672. + * Bug Fixes + - Fix unit test parse of origin syntax. + - Use 127.0.0.1 explicitly in tests to avoid delays and errors + on newer systems. + - Fix #964: config.h.in~ backup file in release tar balls. + - Merge #968: Replace the obsolescent fgrep with grep -F in + tests. + - Merge #971: fix 'WARNING: Message has 41 extra bytes at end'. + - Fix #969: [FR] distinguish Do53, DoT and DoH in the logs. + - Fix dnstap that assertion failed on logging other than UDP + and TCP traffic. It lists it as TCP traffic. + - Fix to sync the tests script file common.sh. + - iana portlist update. + - Updated IPv4 and IPv6 address for b.root-servers.net in root + hints. + - Update test script file common.sh. + - Fix tests to use new common.sh functions, wait_logfile and + kill_from_pidfile. + - Fix #974: doc: default number of outgoing ports without + libevent. + - Merge #975: Fixed some syntax errors in rpl files. + - Fix root_zonemd unit test, it checks that the root ZONEMD + verifies, now that the root has a valid ZONEMD. + - Update example.conf with cookie options. + - Merge #980: DoH: reject non-h2 early. To fix #979: Improve + errors for non-HTTP/2 DoH clients. + - Merge #985: Add DoH and DoT to dnstap message. + - Fix #983: Sha1 runtime insecure change was incomplete. + - Remove unneeded newlines and improve indentation in remote + control code. + - Merge #987: skip edns frag retry if advertised udp payload + size is not smaller. + - Fix unit test for #987 change in udp1xxx retry packet send. + - Merge #988: Fix NLnetLabs#981: dump_cache truncates large + records. + - Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows. + - Fix to link with libssp for libcrypto and getaddrinfo check + for only header. Also update crosscompile to remove ssp for + 32bit. + - Merge #993: Update b.root-servers.net also in example config + file. + - Update workflow for ports to use newer openssl on windows + compile. + - Fix warning for windres on resource files due to + redefinition. + - Fix for #997: Print details for SSL certificate failure. + - Update error printout for duplicate trust anchors to include + the trust anchor name (relates to #920). + - Update message TTL when using cached RRSETs. It could result + in non-expired messages with expired RRSETs (non-usable + messages by Unbound). + - Merge #999: Search for protobuf-c with pkg-config. + - Fix #1006: Can't find protobuf-c package since #999. + - Fix documentation for access-control in the unbound.conf man + page. + - Merge #1010: Mention REFUSED has the TC bit set with + unmatched allow_cookie acl in the manpage. It also fixes the + code to match the documentation about clients with a valid + cookie that bypass the ratelimit regardless of the + allow_cookie acl. + - Document the suspend argument for process_ds_response(). + - Move github workflows to use checkoutv4. + - Fix edns subnet replies for scope zero answers to not get + stored in the global cache, and in cachedb, when the upstream + replies without an EDNS record. + - Fix for #1022: Fix ede prohibited in access control refused + answers. + - Fix unbound-control-setup.cmd to use 3072 bits so that + certificates are long enough for newer OpenSSL versions. + - Fix TTL of synthesized CNAME when a DNAME is used from cache. + - Fix unbound-control-setup.cmd to have CA v3 basicConstraints, + like unbound-control-setup.sh has. + +- Update to 1.19.2: + * Bug Fixes: + - Fix CVE-2024-1931, Denial of service when trimming EDE text + on positive replies. + [bsc#1221164] + +- Update to 1.19.1: + * Bug Fixes: [bsc#1219823, CVE-2023-50387][bsc#1219826, CVE-2023-50868] + - Fix CVE-2023-50387, DNSSEC verification complexity can be + exploited to exhaust CPU resources and stall DNS resolvers. + - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU. + +- as we use --disable-explicit-port-randomisation, also disable + outgoing-port-permit and outgoing-port-avoid in config file to + suppress the related unbound-checkconf warnings on every start + +- Update to 1.19.0: + * Features: + - Fix #850: [FR] Ability to use specific database in Redis, with + new redis-logical-db configuration option. + - Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream + requests. This can be helpful for devices that cannot handle + DNSSEC information. But it should not be enabled otherwise, because + that would stop DNSSEC validation. The DNSSEC validation would not + work for Unbound itself, and also not for downstream users. Default + is no. The option is disable-edns-do: no + - Expose the script filename in the Python module environment 'mod_env' + instead of the config_file structure which includes the linked list + of scripts in a multi Python module setup; fixes #79. + - Expose the configured listening and outgoing interfaces, if any, as + a list of strings in the Python 'config_file' class instead of the + current Swig object proxy; fixes #79. + - Mailing list patches from Daniel Gröber for DNS64 fallback to plain + AAAA when no A record exists for synthesis, and minor DNS64 code + refactoring for better readability. + - Merge #951: Cachedb no store. The cachedb-no-store: yes option is + used to stop cachedb from writing messages to the backend storage. + It reads messages when data is available from the backend. + The default is no. + * Bug Fixes: + - Fix for version generation race condition that ignored changes. + - Fix #942: 1.18.0 libunbound DNS regression when built without OpenSSL. + - Fix for WKS call to getservbyname that creates allocation on exit in + unit test by testing numbers first and testing from the services list later. + - Fix autoconf 2.69 warnings in configure. + - Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1. + - Merge #931: Prevent warnings from -Wmissing-prototypes. + - Fix to scrub resource records of type A and AAAA that have an + inappropriate size. They are removed from responses. + - Fix to move msgparse_rrset_remove_rr code to util/msgparse.c. + - Fix to add EDE text when RRs have been removed due to length. + - Fix to set ede match in unit test for rr length removal. + - Fix to print EDE text in readable form in output logs. + - Fix send of udp retries when ENOBUFS is returned. It stops looping + and also waits for the condition to go away. Reported by Florian Obser. + - Fix authority zone answers for obscured DNAMEs and delegations. + - Merge #936: Check for c99 with autoconf versions prior to 2.70. + - Fix to remove two c99 notations. + - Fix rpz tcp-only action with rpz triggers nsdname and nsip. + - Fix misplaced comment. + - Merge #881: Generalise the proxy protocol code. + - Fix #946: Forwarder returns servfail on upstream response noerror no data. + - Fix edns subnet so that queries with a source prefix of zero cause the + recursor send no edns subnet option to the upstream. + - Fix that printout of EDNS options shows the EDNS cookie option by name. + - Fix infinite loop when reading multiple lines of input on a broken remote + control socket. Addesses #947 and #948. + - Fix #949: "could not create control compt". + - Fix that cachedb does not warn when serve-expired is disabled about use + of serve-expired-reply-ttl and serve-expired-client-timeout. + - Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x. + - Better fix for infinite loop when reading multiple lines of input on a + broken remote control socket, by treating a zero byte line the same as + transmission end. Addesses #947 and #948. + - For multi Python module setups, clean previously parsed module functions + in __main__'s dictionary, if any, so that only current module functions + are registered. + - Fix #954: Inconsistent RPZ handling for A record returned along with CNAME. + - Fixes for the DNS64 patches. + - Update the dns64_lookup.rpl test for the DNS64 fallback patch. + - Merge #955 from buevsan: fix ipset wrong behavior. + - Update testdata/ipset.tdir test for ipset fix. + - Fix to print detailed errors when an SSL IO routine fails via SSL_get_error. + - Clearer configure text for missing protobuf-c development libraries. + - autoconf. + - Merge #930 from Stuart Henderson: add void to log_ident_revert_to_default + declaration. + - Fix #941: dnscrypt doesn't work after upgrade to 1.18 with suggestion by + dukeartem to also fix the udp_ancil with dnscrypt. + - Fix SSL compile failure for definition in log_crypto_err_io_code_arg. + - Fix SSL compile failure for other missing definitions in log_crypto_err_io_code_arg. + - Fix compilation without openssl, remove unused function warning. + - Mention flex and bison in README.md when building from repository source. + +- Update to 1.18.0: + * Features: + - Аdd a metric about the maximum number of collisions in lrushah. + - Set max-udp-size default to 1232. This is the same default value + as the default value for edns-buffer-size. It restricts client + edns buffer size choices, and makes unbound behave similar to + other DNS resolvers. + - Add harden-unknown-additional option. It removes unknown records + from the authority section and additional section. + - Added new static zone type block_a to suppress all A queries for + specific zones. + - [FR] Ability to use Redis unix sockets. + - [FR] Ability to set the Redis password. + - Features/dropqueuedpackets, with sock-queue-timeout option that + drops packets that have been in the socket queue for too long. + Added statistics num.queries_timed_out and query.queue_time_us.max + that track the socket queue timeouts. + - 'eqvinox' Lamparter: NAT64 support. + - [FR] Use kernel timestamps for dnstap. + - Add cachedb hit stat. Introduces 'num.query.cachedb' as a new + statistical counter. + - Add SVCB dohpath support. + - Add validation EDEs to queries where the CD bit is set. + - Add prefetch support for subnet cache entries. + - Add EDE (RFC8914) caching. + - Add support for EDE caching in cachedb and subnetcache. + - Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server + cookies for clients that send client cookies. This needs to be explicitly + turned on in the config file with: `answer-cookie: yes`. + * Bug Fixes + - Response change to NODATA for some ANY queries since 1.12. + - Fix not following cleared RD flags potentially enables + amplification DDoS attacks. + - Set default for harden-unknown-additional to no. So that it + does not hamper future protocol developments. + - Fix to ignore entirely empty responses, and try at another authority. + This turns completely empty responses, a type of noerror/nodata into + a servfail, but they do not conform to RFC2308, and the retry can fetch + improved content. + - Allow TTL refresh of expired error responses. + - Fix: Unexpected behavior with client-subnet-always-forward and serve-expired + - Fix unbound-dnstap-socket test program to reply the finish frame over + a TLS connection correctly. + - Fix: reserved identifier violation + - Fix: Unencrypted query is sent when forward-tls-upstream: yes is used + without tls-cert-bundle + - Extra consistency check to make sure that when TLS is requested, + either we set up a TLS connection or we return an error. + - Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record. + - Fix: Bad interaction with 0 TTL records and serve-expired + - Fix RPZ IP responses with trigger rpz-drop on cache entries. + - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR. + - Fix dereference of NULL variable warning in mesh_do_callback. + - Fix ip_ratelimit test to work with dig that enables DNS cookies. + - Fix for iter_dec_attempts that could cause a hang, part of capsforid + and qname minimisation, depending on the settings. + - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg. + - Fix stat_values test to work with dig that enables DNS cookies. + - unbound.service: Main process exited, code=killed, status=11/SEGV. + Fixes cachedb configuration handling. + - Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply. + +- Update to 1.20.0: + Features: + * The config for discard-timeout, wait-limit, wait-limit-cookie, + wait-limit-netblock and wait-limit-cookie-netblock was added, + for the fix to the DNSBomb issue. + * Merge GH#1027: Introduce 'cache-min-negative-ttl' option. + * Merge GH#1043 from xiaoxiaoafeifei: Add loongarch support; + updates config.guess(2024-01-01) and config.sub(2024-01-01), + verified with upstream. + * Implement cachedb-check-when-serve-expired: yes option, default + is enabled. When serve expired is enabled with cachedb, it + first checks cachedb before serving the expired response. + * Fix GH#876: [FR] can unbound-checkconf be silenced when + configuration is valid? + + Bug Fixes: + * Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to + Xiang Li from the Network and Information Security Lab of + Tsinghua University for reporting it. + * Update doc/unbound.doxygen with 'doxygen -u'. Fixes option + deprecation warnings and updates with newer defaults. + * Remove unused portion from iter_dname_ttl unit test. + * Fix validator classification of qtype DNAME for positive and + redirection answers, and fix validator signature routine for + dealing with the synthesized CNAME for a DNAME without + previously encountering it and also for when the qtype is + DNAME. + * Fix qname minimisation for reply with a DNAME for qtype CNAME + that answers it. + * Fix doc test so it ignores but outputs unsupported doxygen + options. + * Fix GH#1021 Inconsistent Behavior with Changing + rpz-cname-override and doing a unbound-control reload. + * Merge GH#1028: Clearer documentation for tcp-idle-timeout and + edns-tcp-keepalive-timeout. + * Fix GH#1029: rpz trigger clientip and action rpz-passthru not + working as expected. + * Fix rpz that the rpz override is taken in case of clientip + triggers. Fix that the clientip passthru action is logged. Fix + that the clientip localdata action is logged. Fix rpz override + action cname for the clientip trigger. + * Fix to unify codepath for local alias for rpz cname action + override. + * Fix rpz for cname override action after nsdname and nsip + triggers. + * Fix that addrinfo is not kept around but copied and freed, so + that log-destaddr uses a copy of the information, much like NSD + does. + * Merge GH#1030: Persist the openssl and expat directories for + repeated Windows builds. + * Fix that rpz CNAME content is limited to the max number of + cnames. + * Fix rpz, it follows iterator CNAMEs for nsip and nsdname and + sets the reply query_info values, that is better for debug + logging. + * Fix rpz that copies the cname override completely to the temp + region, so there are no references to the rpz region. + * Add rpz unit test for nsip action override. + * Fix rpz for qtype CNAME after nameserver trigger. + * Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix + that clientip and nsip can give a CNAME. + * Fix localdata and rpz localdata to match CNAME only if no + direct type match is available. + * Merge GH#831 from Pierre4012: Improve Windows NSIS installer + script (setup.nsi). + * For GH#831: Format text, use exclamation icon and explicit label + names. + * Fix name of unit test for subnet cache response. + * Fix GH#1032: The size of subnet_msg_cache calculation mistake + cause memory usage increased beyond expectations. + * Fix for GH#1032, add safeguard to make table space positive. + * Fix comment in lruhash space function. + * Fix to add unit test for lruhash space that exercises the + routines. + * Fix that when the server truncates the pidfile, it does not + follow symbolic links. + * Fix that the server does not chown the pidfile. + * Fix GH#1034: DoT forward-zone via unbound-control. + * Fix for crypto related failures to have a better error string. + * Fix GH#1035: Potential Bug while parsing port from the + "stub-host" string; also affected forward-zones and + remote-control host directives. + * Fix GH#369: dnstap showing extra responses; for client responses + right from the cache when replying with expired data or + prefetching. + * Fix GH#1040: fix heap-buffer-overflow issue in function + cfg_mark_ports of file util/config_file.c. + * For GH#1040: adjust error text and disallow negative ports in + other parts of cfg_mark_ports. + * Fix comment syntax for view function views_find_view. + * Fix GH#595: unbound-anchor cannot deal with full disk; it will + now first write out to a temp file before replacing the + original one, like Unbound already does for + auto-trust-anchor-file. + * Fixup compile without cachedb. + * Add test for cachedb serve expired. + * Extended test for cachedb serve expired. + * Fix makefile dependencies for fake_event.c. + * Fix cachedb for serve-expired with serve-expired-reply-ttl. + * Fix to not reply serve expired unless enabled for cachedb. + * Fix cachedb for serve-expired with + serve-expired-client-timeout. + * Fixup unit test for cachedb server expired client timeout with + a check if response if from upstream or from cachedb. + * Fixup cachedb to not refetch when serve-expired-client-timeout + is used. + * Merge GH#1049 from Petr Menšík: Py_NoSiteFlag is not needed since + Python 3.8 + * Fix GH#1048: Update ax_pkg_swig.m4 and ax_pthread.m4. + * Fix configure, autoconf for GH#1048. + * Add checklock feature verbose_locking to trace locks and + unlocks. + * Fix edns subnet to sort rrset references when storing messages + in the cache. This fixes a race condition in the rrset locks. + * Merge GH#1053: Remove child delegations from cache when + grandchild delegations are returned from parent. + * Fix ci workflow for macos for moved install locations. + * Fix configure flto check error, by finding grep for it. + * Merge GH#1041: Stub and Forward unshare. This has one structure + for them and fixes GH#1038: fatal error: Could not initialize + thread / error: reading root hints. + * Fix to disable fragmentation on systems with IP_DONTFRAG, with + a nonzero value for the socket option argument. + * Fix doc unit test for out of directory build. + * Fix cachedb with serve-expired-client-timeout disabled. The + edns subnet module deletes global cache and cachedb cache when + it stores a result, and serve-expired is enabled, so that the + global reply, that is older than the ecs reply, does not return + after the ecs reply expires. + * Add unit tests for cachedb and subnet cache expired data. + * Man page entry for unbound-checkconf -q. + * Cleanup unnecessary strdup calls for EDE strings. + * Fix doxygen comment for errinf_to_str_bogus. + +- Update to 1.19.3: + * Features: + - Merge PR #973: Use the origin (DNAME) TTL for synthesized + CNAMEs as per RFC 6672. + * Bug Fixes + - Fix unit test parse of origin syntax. + - Use 127.0.0.1 explicitly in tests to avoid delays and errors + on newer systems. + - Fix #964: config.h.in~ backup file in release tar balls. + - Merge #968: Replace the obsolescent fgrep with grep -F in + tests. + - Merge #971: fix 'WARNING: Message has 41 extra bytes at end'. + - Fix #969: [FR] distinguish Do53, DoT and DoH in the logs. + - Fix dnstap that assertion failed on logging other than UDP + and TCP traffic. It lists it as TCP traffic. + - Fix to sync the tests script file common.sh. + - iana portlist update. + - Updated IPv4 and IPv6 address for b.root-servers.net in root + hints. + - Update test script file common.sh. + - Fix tests to use new common.sh functions, wait_logfile and + kill_from_pidfile. + - Fix #974: doc: default number of outgoing ports without + libevent. + - Merge #975: Fixed some syntax errors in rpl files. + - Fix root_zonemd unit test, it checks that the root ZONEMD + verifies, now that the root has a valid ZONEMD. + - Update example.conf with cookie options. + - Merge #980: DoH: reject non-h2 early. To fix #979: Improve + errors for non-HTTP/2 DoH clients. + - Merge #985: Add DoH and DoT to dnstap message. + - Fix #983: Sha1 runtime insecure change was incomplete. + - Remove unneeded newlines and improve indentation in remote + control code. + - Merge #987: skip edns frag retry if advertised udp payload + size is not smaller. + - Fix unit test for #987 change in udp1xxx retry packet send. + - Merge #988: Fix NLnetLabs#981: dump_cache truncates large + records. + - Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows. + - Fix to link with libssp for libcrypto and getaddrinfo check + for only header. Also update crosscompile to remove ssp for + 32bit. + - Merge #993: Update b.root-servers.net also in example config + file. + - Update workflow for ports to use newer openssl on windows + compile. + - Fix warning for windres on resource files due to + redefinition. + - Fix for #997: Print details for SSL certificate failure. + - Update error printout for duplicate trust anchors to include + the trust anchor name (relates to #920). + - Update message TTL when using cached RRSETs. It could result + in non-expired messages with expired RRSETs (non-usable + messages by Unbound). + - Merge #999: Search for protobuf-c with pkg-config. + - Fix #1006: Can't find protobuf-c package since #999. + - Fix documentation for access-control in the unbound.conf man + page. + - Merge #1010: Mention REFUSED has the TC bit set with + unmatched allow_cookie acl in the manpage. It also fixes the + code to match the documentation about clients with a valid + cookie that bypass the ratelimit regardless of the + allow_cookie acl. + - Document the suspend argument for process_ds_response(). + - Move github workflows to use checkoutv4. + - Fix edns subnet replies for scope zero answers to not get + stored in the global cache, and in cachedb, when the upstream + replies without an EDNS record. + - Fix for #1022: Fix ede prohibited in access control refused + answers. + - Fix unbound-control-setup.cmd to use 3072 bits so that + certificates are long enough for newer OpenSSL versions. + - Fix TTL of synthesized CNAME when a DNAME is used from cache. + - Fix unbound-control-setup.cmd to have CA v3 basicConstraints, + like unbound-control-setup.sh has. + +- Update to 1.19.2: + * Bug Fixes: + - Fix CVE-2024-1931, Denial of service when trimming EDE text + on positive replies. + [bsc#1221164] + +- Update to 1.19.1: + * Bug Fixes: [bsc#1219823, CVE-2023-50387][bsc#1219826, CVE-2023-50868] + - Fix CVE-2023-50387, DNSSEC verification complexity can be + exploited to exhaust CPU resources and stall DNS resolvers. + - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU. + +- as we use --disable-explicit-port-randomisation, also disable + outgoing-port-permit and outgoing-port-avoid in config file to + suppress the related unbound-checkconf warnings on every start + +- Use prefixes instead of sudo in unbound.service (bsc#1215628) + +- Update to 1.19.0: + * Features: + - Fix #850: [FR] Ability to use specific database in Redis, with + new redis-logical-db configuration option. + - Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream + requests. This can be helpful for devices that cannot handle + DNSSEC information. But it should not be enabled otherwise, because + that would stop DNSSEC validation. The DNSSEC validation would not + work for Unbound itself, and also not for downstream users. Default + is no. The option is disable-edns-do: no + - Expose the script filename in the Python module environment 'mod_env' + instead of the config_file structure which includes the linked list + of scripts in a multi Python module setup; fixes #79. + - Expose the configured listening and outgoing interfaces, if any, as + a list of strings in the Python 'config_file' class instead of the + current Swig object proxy; fixes #79. + - Mailing list patches from Daniel Gröber for DNS64 fallback to plain + AAAA when no A record exists for synthesis, and minor DNS64 code + refactoring for better readability. + - Merge #951: Cachedb no store. The cachedb-no-store: yes option is + used to stop cachedb from writing messages to the backend storage. + It reads messages when data is available from the backend. + The default is no. + * Bug Fixes: + - Fix for version generation race condition that ignored changes. + - Fix #942: 1.18.0 libunbound DNS regression when built without OpenSSL. + - Fix for WKS call to getservbyname that creates allocation on exit in + unit test by testing numbers first and testing from the services list later. + - Fix autoconf 2.69 warnings in configure. + - Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1. + - Merge #931: Prevent warnings from -Wmissing-prototypes. + - Fix to scrub resource records of type A and AAAA that have an + inappropriate size. They are removed from responses. + - Fix to move msgparse_rrset_remove_rr code to util/msgparse.c. + - Fix to add EDE text when RRs have been removed due to length. + - Fix to set ede match in unit test for rr length removal. + - Fix to print EDE text in readable form in output logs. + - Fix send of udp retries when ENOBUFS is returned. It stops looping + and also waits for the condition to go away. Reported by Florian Obser. + - Fix authority zone answers for obscured DNAMEs and delegations. + - Merge #936: Check for c99 with autoconf versions prior to 2.70. + - Fix to remove two c99 notations. + - Fix rpz tcp-only action with rpz triggers nsdname and nsip. + - Fix misplaced comment. + - Merge #881: Generalise the proxy protocol code. + - Fix #946: Forwarder returns servfail on upstream response noerror no data. + - Fix edns subnet so that queries with a source prefix of zero cause the + recursor send no edns subnet option to the upstream. + - Fix that printout of EDNS options shows the EDNS cookie option by name. + - Fix infinite loop when reading multiple lines of input on a broken remote + control socket. Addesses #947 and #948. + - Fix #949: "could not create control compt". + - Fix that cachedb does not warn when serve-expired is disabled about use + of serve-expired-reply-ttl and serve-expired-client-timeout. + - Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x. + - Better fix for infinite loop when reading multiple lines of input on a + broken remote control socket, by treating a zero byte line the same as + transmission end. Addesses #947 and #948. + - For multi Python module setups, clean previously parsed module functions + in __main__'s dictionary, if any, so that only current module functions + are registered. + - Fix #954: Inconsistent RPZ handling for A record returned along with CNAME. + - Fixes for the DNS64 patches. + - Update the dns64_lookup.rpl test for the DNS64 fallback patch. + - Merge #955 from buevsan: fix ipset wrong behavior. + - Update testdata/ipset.tdir test for ipset fix. + - Fix to print detailed errors when an SSL IO routine fails via SSL_get_error. + - Clearer configure text for missing protobuf-c development libraries. + - autoconf. + - Merge #930 from Stuart Henderson: add void to log_ident_revert_to_default + declaration. + - Fix #941: dnscrypt doesn't work after upgrade to 1.18 with suggestion by + dukeartem to also fix the udp_ancil with dnscrypt. + - Fix SSL compile failure for definition in log_crypto_err_io_code_arg. + - Fix SSL compile failure for other missing definitions in log_crypto_err_io_code_arg. + - Fix compilation without openssl, remove unused function warning. + - Mention flex and bison in README.md when building from repository source. + +- Update to 1.18.0: + * Features: + - Аdd a metric about the maximum number of collisions in lrushah. + - Set max-udp-size default to 1232. This is the same default value + as the default value for edns-buffer-size. It restricts client + edns buffer size choices, and makes unbound behave similar to + other DNS resolvers. + - Add harden-unknown-additional option. It removes unknown records + from the authority section and additional section. + - Added new static zone type block_a to suppress all A queries for + specific zones. + - [FR] Ability to use Redis unix sockets. + - [FR] Ability to set the Redis password. + - Features/dropqueuedpackets, with sock-queue-timeout option that + drops packets that have been in the socket queue for too long. + Added statistics num.queries_timed_out and query.queue_time_us.max + that track the socket queue timeouts. + - 'eqvinox' Lamparter: NAT64 support. + - [FR] Use kernel timestamps for dnstap. + - Add cachedb hit stat. Introduces 'num.query.cachedb' as a new + statistical counter. + - Add SVCB dohpath support. + - Add validation EDEs to queries where the CD bit is set. + - Add prefetch support for subnet cache entries. + - Add EDE (RFC8914) caching. + - Add support for EDE caching in cachedb and subnetcache. + - Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server + cookies for clients that send client cookies. This needs to be explicitly + turned on in the config file with: `answer-cookie: yes`. + * Bug Fixes + - Response change to NODATA for some ANY queries since 1.12. + - Fix not following cleared RD flags potentially enables + amplification DDoS attacks. + - Set default for harden-unknown-additional to no. So that it + does not hamper future protocol developments. + - Fix to ignore entirely empty responses, and try at another authority. + This turns completely empty responses, a type of noerror/nodata into + a servfail, but they do not conform to RFC2308, and the retry can fetch + improved content. + - Allow TTL refresh of expired error responses. + - Fix: Unexpected behavior with client-subnet-always-forward and serve-expired + - Fix unbound-dnstap-socket test program to reply the finish frame over + a TLS connection correctly. + - Fix: reserved identifier violation + - Fix: Unencrypted query is sent when forward-tls-upstream: yes is used + without tls-cert-bundle + - Extra consistency check to make sure that when TLS is requested, + either we set up a TLS connection or we return an error. + - Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record. + - Fix: Bad interaction with 0 TTL records and serve-expired + - Fix RPZ IP responses with trigger rpz-drop on cache entries. + - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR. + - Fix dereference of NULL variable warning in mesh_do_callback. + - Fix ip_ratelimit test to work with dig that enables DNS cookies. + - Fix for iter_dec_attempts that could cause a hang, part of capsforid + and qname minimisation, depending on the settings. + - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg. + - Fix stat_values test to work with dig that enables DNS cookies. + - unbound.service: Main process exited, code=killed, status=11/SEGV. + Fixes cachedb configuration handling. + - Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply. + + + unbound + unbound:libunbound-devel-mini + +