From 81ab75b9bda82dc1ba3ff5803a67d65f71ea7139 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Thu, 13 Feb 2025 13:03:47 +0100
Subject: [PATCH] Adding patchinfo patchinfo.20241021113820522552.255638743075857

---
 .../_patchinfo | 93 +++++++++++++++++++
 1 file changed, 93 insertions(+)
 create mode 100644 patchinfo.20241021113820522552.255638743075857/_patchinfo

diff --git a/patchinfo.20241021113820522552.255638743075857/_patchinfo b/patchinfo.20241021113820522552.255638743075857/_patchinfo
new file mode 100644
index 0000000..4458af5
--- /dev/null
+++ b/patchinfo.20241021113820522552.255638743075857/_patchinfo
@@ -0,0 +1,93 @@ + + + VUL-0: CVE-2024-8508: unbound: handling of upstream responses with very large RRsets and where name compression is needed for downstream replies leads to degraded performance and, eventually, denial of service + + jcronenberg + moderate + security + Security update for unbound + This update for unbound fixes the following issues: + +- Update to 1.22.0: + Features: + * Add iter-scrub-ns, iter-scrub-cname and max-global-quota + configuration options. + * Merge patch to fix for glue that is outside of zone, with + `harden-unverified-glue`, from Karthik Umashankar (Microsoft). + Enabling this option protects the Unbound resolver against bad + glue, that is unverified out of zone glue, by resolving them. + It uses the records as last resort if there is no other working + glue. + * Add redis-command-timeout: 20 and redis-connect-timeout: 200, + that can set the timeout separately for commands and the + connection set up to the redis server. If they are not + specified, the redis-timeout value is used. + * Log timestamps in ISO8601 format with timezone. This adds the + option `log-time-iso: yes` that logs in ISO8601 format. + * DNS over QUIC. This adds `quic-port: 853` and `quic-size: 8m` + that enable dnsoverquic, and the counters `num.query.quic` and + `mem.quic` in the statistics output. The feature needs to be + enabled by compiling with libngtcp2, with + `--with-libngtcp2=path` and libngtcp2 needs openssl+quic, pass + that with `--with-ssl=path` to compile unbound as well. + + Bug Fixes: + * unbound-control-setup hangs while testing for openssl presence + starting from version 1.21.0. + * Fix error: "memory exhausted" when defining more than 9994 + local-zones. + * Fix documentation for cache_fill_missing function. + * Fix Loads of logs: "validation failure: key for validation + <domain>. is marked as invalid because of a previous" for + non-DNSSEC signed zone. 
+ * Fix that when rpz is applied the message does not get picked up + by the validator. That stops validation failures for the + message. + * Fix that stub-zone and forward-zone clauses do not exhaust + memory for long content. + * Fix to print port number in logs for auth zone transfer + activities. + * b.root renumbering. + * Add new IANA trust anchor. + * Fix config file read for dnstap-sample-rate. + * Fix alloc-size and calloc-transposed-args compiler warnings. + * Fix to limit NSEC and NSEC3 TTL when aggressive nsec is enabled + (RFC9077). + * Fix dns64 with prefetch that the prefetch is stored in cache. + * Attempt to further fix doh_downstream_buffer_size.tdir + flakiness. + * More clear text for prefetch and minimal-responses in the + unbound.conf man page. + * Fix cache update when serve expired is used. Expired records + are favored over resolution and validation failures when + serve-expired is used. + * Fix negative cache NSEC3 parameter compares for zero length + NSEC3 salt. + * Fix unbound-control-setup hangs sometimes depending on the + openssl version. + * Fix Cannot override tcp-upstream and tls-upstream with + forward-tcp-upstream and forward-tls-upstream. + * Fix to limit NSEC TTL for messages from cachedb. Fix to limit + the prefetch ttl for messages after a CNAME with short TTL. + * Fix to disable detection of quic configured ports when quic is + not compiled in. + * Fix harden-unverified-glue for AAAA cache_fill_missing lookups. + * Fix contrib/aaaa-filter-iterator for change in call + signature for cache_fill_missing. + * Fix to display warning if quic-port is set but dnsoverquic is + not enabled when compiled. + * Fix dnsoverquic to extend the number of streams when one is + closed. + * Fix for dnstap with dnscrypt and dnstap without dnsoverquic. + * Fix for dnsoverquic and dnstap to use the correct dnstap + environment. + +- Update to 1.21.1: + Security Fixes: + * CVE-2024-8508: unbounded name compression could lead to + denial of service. 
(bsc#1231284) + + unbound + unbound:libunbound-devel-mini + +
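Review bot: the one security fix this patchinfo exists for, CVE-2024-8508 (bsc#1231284), is the last item of the description, after roughly sixty lines of 1.22.0 feature and bug-fix entries, and the `(bsc#1231284)` reference is left dangling as a trailing fragment; move the `- Update to 1.21.1:` / `Security Fixes:` block to the top, directly under `This update for unbound fixes the following issues:`, and put the bsc reference on the same line as the CVE (for example `* CVE-2024-8508: unbounded name compression could lead to denial of service (bsc#1231284).`) so that anyone reading the advisory sees the fixed vulnerability first. Since the update is a full version jump to 1.22.0 that adds new configuration options (`harden-unverified-glue`, `log-time-iso`, `quic-port`/`quic-size`, `redis-command-timeout`/`redis-connect-timeout`, `iter-scrub-ns`, `iter-scrub-cname`, `max-global-quota`) and changes caching behaviour (NSEC/NSEC3 TTL limits under aggressive nsec, serve-expired now favouring expired records over resolution and validation failures), the description should say explicitly that this is an upstream version update rather than a backported fix, so that the `moderate` / `security` classification is read against the behavioural changes it also ships.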