758 lines
39 KiB
Plaintext
758 lines
39 KiB
Plaintext
<patchinfo>
|
|
<!-- generated from request(s) 340963 -->
|
|
<issue tracker="bnc" id="1215628">unbound fails to start under openSUSE MicroOS</issue>
|
|
<issue tracker="bnc" id="1219823">VUL-0: CVE-2023-50387 : unbound, pdns, bind, dnsmasq: Denial Of Service while trying to validate specially crafted DNSSEC responses</issue>
|
|
<issue tracker="bnc" id="1219826">VUL-0: CVE-2023-50868: unbound, bind, pdns, dnsmasq: Denial Of Service while trying to validate specially crafted DNSSEC responses</issue>
|
|
<issue tracker="bnc" id="1221164">VUL-0: CVE-2024-1931: unbound: Infinite loop due to improper EDE message size check</issue>
|
|
<issue tracker="cve" id="2023-50387"/>
|
|
<issue tracker="cve" id="2023-50868"/>
|
|
<issue tracker="cve" id="2024-1931"/>
|
|
<issue tracker="cve" id="2024-33655"/>
|
|
<packager>jcronenberg</packager>
|
|
<rating>important</rating>
|
|
<category>security</category>
|
|
<summary>Security update for unbound</summary>
|
|
<description>This update for unbound fixes the following issues:
|
|
|
|
- Update to 1.20.0:
|
|
Features:
|
|
* The config for discard-timeout, wait-limit, wait-limit-cookie,
|
|
wait-limit-netblock and wait-limit-cookie-netblock was added,
|
|
for the fix to the DNSBomb issue.
|
|
* Merge GH#1027: Introduce 'cache-min-negative-ttl' option.
|
|
* Merge GH#1043 from xiaoxiaoafeifei: Add loongarch support;
|
|
updates config.guess(2024-01-01) and config.sub(2024-01-01),
|
|
verified with upstream.
|
|
* Implement cachedb-check-when-serve-expired: yes option, default
|
|
is enabled. When serve expired is enabled with cachedb, it
|
|
first checks cachedb before serving the expired response.
|
|
* Fix GH#876: [FR] can unbound-checkconf be silenced when
|
|
configuration is valid?
|
|
|
|
Bug Fixes:
|
|
* Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to
|
|
Xiang Li from the Network and Information Security Lab of
|
|
Tsinghua University for reporting it.
|
|
* Update doc/unbound.doxygen with 'doxygen -u'. Fixes option
|
|
deprecation warnings and updates with newer defaults.
|
|
* Remove unused portion from iter_dname_ttl unit test.
|
|
* Fix validator classification of qtype DNAME for positive and
|
|
redirection answers, and fix validator signature routine for
|
|
dealing with the synthesized CNAME for a DNAME without
|
|
previously encountering it and also for when the qtype is
|
|
DNAME.
|
|
* Fix qname minimisation for reply with a DNAME for qtype CNAME
|
|
that answers it.
|
|
* Fix doc test so it ignores but outputs unsupported doxygen
|
|
options.
|
|
* Fix GH#1021 Inconsistent Behavior with Changing
|
|
rpz-cname-override and doing a unbound-control reload.
|
|
* Merge GH#1028: Clearer documentation for tcp-idle-timeout and
|
|
edns-tcp-keepalive-timeout.
|
|
* Fix GH#1029: rpz trigger clientip and action rpz-passthru not
|
|
working as expected.
|
|
* Fix rpz that the rpz override is taken in case of clientip
|
|
triggers. Fix that the clientip passthru action is logged. Fix
|
|
that the clientip localdata action is logged. Fix rpz override
|
|
action cname for the clientip trigger.
|
|
* Fix to unify codepath for local alias for rpz cname action
|
|
override.
|
|
* Fix rpz for cname override action after nsdname and nsip
|
|
triggers.
|
|
* Fix that addrinfo is not kept around but copied and freed, so
|
|
that log-destaddr uses a copy of the information, much like NSD
|
|
does.
|
|
* Merge GH#1030: Persist the openssl and expat directories for
|
|
repeated Windows builds.
|
|
* Fix that rpz CNAME content is limited to the max number of
|
|
cnames.
|
|
* Fix rpz, it follows iterator CNAMEs for nsip and nsdname and
|
|
sets the reply query_info values, that is better for debug
|
|
logging.
|
|
* Fix rpz that copies the cname override completely to the temp
|
|
region, so there are no references to the rpz region.
|
|
* Add rpz unit test for nsip action override.
|
|
* Fix rpz for qtype CNAME after nameserver trigger.
|
|
* Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix
|
|
that clientip and nsip can give a CNAME.
|
|
* Fix localdata and rpz localdata to match CNAME only if no
|
|
direct type match is available.
|
|
* Merge GH#831 from Pierre4012: Improve Windows NSIS installer
|
|
script (setup.nsi).
|
|
* For GH#831: Format text, use exclamation icon and explicit label
|
|
names.
|
|
* Fix name of unit test for subnet cache response.
|
|
* Fix GH#1032: The size of subnet_msg_cache calculation mistake
|
|
cause memory usage increased beyond expectations.
|
|
* Fix for GH#1032, add safeguard to make table space positive.
|
|
* Fix comment in lruhash space function.
|
|
* Fix to add unit test for lruhash space that exercises the
|
|
routines.
|
|
* Fix that when the server truncates the pidfile, it does not
|
|
follow symbolic links.
|
|
* Fix that the server does not chown the pidfile.
|
|
* Fix GH#1034: DoT forward-zone via unbound-control.
|
|
* Fix for crypto related failures to have a better error string.
|
|
* Fix GH#1035: Potential Bug while parsing port from the
|
|
"stub-host" string; also affected forward-zones and
|
|
remote-control host directives.
|
|
* Fix GH#369: dnstap showing extra responses; for client responses
|
|
right from the cache when replying with expired data or
|
|
prefetching.
|
|
* Fix GH#1040: fix heap-buffer-overflow issue in function
|
|
cfg_mark_ports of file util/config_file.c.
|
|
* For GH#1040: adjust error text and disallow negative ports in
|
|
other parts of cfg_mark_ports.
|
|
* Fix comment syntax for view function views_find_view.
|
|
* Fix GH#595: unbound-anchor cannot deal with full disk; it will
|
|
now first write out to a temp file before replacing the
|
|
original one, like Unbound already does for
|
|
auto-trust-anchor-file.
|
|
* Fixup compile without cachedb.
|
|
* Add test for cachedb serve expired.
|
|
* Extended test for cachedb serve expired.
|
|
* Fix makefile dependencies for fake_event.c.
|
|
* Fix cachedb for serve-expired with serve-expired-reply-ttl.
|
|
* Fix to not reply serve expired unless enabled for cachedb.
|
|
* Fix cachedb for serve-expired with
|
|
serve-expired-client-timeout.
|
|
* Fixup unit test for cachedb server expired client timeout with
|
|
a check if response if from upstream or from cachedb.
|
|
* Fixup cachedb to not refetch when serve-expired-client-timeout
|
|
is used.
|
|
* Merge GH#1049 from Petr Menšík: Py_NoSiteFlag is not needed since
|
|
Python 3.8
|
|
* Fix GH#1048: Update ax_pkg_swig.m4 and ax_pthread.m4.
|
|
* Fix configure, autoconf for GH#1048.
|
|
* Add checklock feature verbose_locking to trace locks and
|
|
unlocks.
|
|
* Fix edns subnet to sort rrset references when storing messages
|
|
in the cache. This fixes a race condition in the rrset locks.
|
|
* Merge GH#1053: Remove child delegations from cache when
|
|
grandchild delegations are returned from parent.
|
|
* Fix ci workflow for macos for moved install locations.
|
|
* Fix configure flto check error, by finding grep for it.
|
|
* Merge GH#1041: Stub and Forward unshare. This has one structure
|
|
for them and fixes GH#1038: fatal error: Could not initialize
|
|
thread / error: reading root hints.
|
|
* Fix to disable fragmentation on systems with IP_DONTFRAG, with
|
|
a nonzero value for the socket option argument.
|
|
* Fix doc unit test for out of directory build.
|
|
* Fix cachedb with serve-expired-client-timeout disabled. The
|
|
edns subnet module deletes global cache and cachedb cache when
|
|
it stores a result, and serve-expired is enabled, so that the
|
|
global reply, that is older than the ecs reply, does not return
|
|
after the ecs reply expires.
|
|
* Add unit tests for cachedb and subnet cache expired data.
|
|
* Man page entry for unbound-checkconf -q.
|
|
* Cleanup unnecessary strdup calls for EDE strings.
|
|
* Fix doxygen comment for errinf_to_str_bogus.
|
|
|
|
- Update to 1.19.3:
|
|
* Features:
|
|
- Merge PR #973: Use the origin (DNAME) TTL for synthesized
|
|
CNAMEs as per RFC 6672.
|
|
* Bug Fixes
|
|
- Fix unit test parse of origin syntax.
|
|
- Use 127.0.0.1 explicitly in tests to avoid delays and errors
|
|
on newer systems.
|
|
- Fix #964: config.h.in~ backup file in release tar balls.
|
|
- Merge #968: Replace the obsolescent fgrep with grep -F in
|
|
tests.
|
|
- Merge #971: fix 'WARNING: Message has 41 extra bytes at end'.
|
|
- Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.
|
|
- Fix dnstap that assertion failed on logging other than UDP
|
|
and TCP traffic. It lists it as TCP traffic.
|
|
- Fix to sync the tests script file common.sh.
|
|
- iana portlist update.
|
|
- Updated IPv4 and IPv6 address for b.root-servers.net in root
|
|
hints.
|
|
- Update test script file common.sh.
|
|
- Fix tests to use new common.sh functions, wait_logfile and
|
|
kill_from_pidfile.
|
|
- Fix #974: doc: default number of outgoing ports without
|
|
libevent.
|
|
- Merge #975: Fixed some syntax errors in rpl files.
|
|
- Fix root_zonemd unit test, it checks that the root ZONEMD
|
|
verifies, now that the root has a valid ZONEMD.
|
|
- Update example.conf with cookie options.
|
|
- Merge #980: DoH: reject non-h2 early. To fix #979: Improve
|
|
errors for non-HTTP/2 DoH clients.
|
|
- Merge #985: Add DoH and DoT to dnstap message.
|
|
- Fix #983: Sha1 runtime insecure change was incomplete.
|
|
- Remove unneeded newlines and improve indentation in remote
|
|
control code.
|
|
- Merge #987: skip edns frag retry if advertised udp payload
|
|
size is not smaller.
|
|
- Fix unit test for #987 change in udp1xxx retry packet send.
|
|
- Merge #988: Fix NLnetLabs#981: dump_cache truncates large
|
|
records.
|
|
- Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.
|
|
- Fix to link with libssp for libcrypto and getaddrinfo check
|
|
for only header. Also update crosscompile to remove ssp for
|
|
32bit.
|
|
- Merge #993: Update b.root-servers.net also in example config
|
|
file.
|
|
- Update workflow for ports to use newer openssl on windows
|
|
compile.
|
|
- Fix warning for windres on resource files due to
|
|
redefinition.
|
|
- Fix for #997: Print details for SSL certificate failure.
|
|
- Update error printout for duplicate trust anchors to include
|
|
the trust anchor name (relates to #920).
|
|
- Update message TTL when using cached RRSETs. It could result
|
|
in non-expired messages with expired RRSETs (non-usable
|
|
messages by Unbound).
|
|
- Merge #999: Search for protobuf-c with pkg-config.
|
|
- Fix #1006: Can't find protobuf-c package since #999.
|
|
- Fix documentation for access-control in the unbound.conf man
|
|
page.
|
|
- Merge #1010: Mention REFUSED has the TC bit set with
|
|
unmatched allow_cookie acl in the manpage. It also fixes the
|
|
code to match the documentation about clients with a valid
|
|
cookie that bypass the ratelimit regardless of the
|
|
allow_cookie acl.
|
|
- Document the suspend argument for process_ds_response().
|
|
- Move github workflows to use checkoutv4.
|
|
- Fix edns subnet replies for scope zero answers to not get
|
|
stored in the global cache, and in cachedb, when the upstream
|
|
replies without an EDNS record.
|
|
- Fix for #1022: Fix ede prohibited in access control refused
|
|
answers.
|
|
- Fix unbound-control-setup.cmd to use 3072 bits so that
|
|
certificates are long enough for newer OpenSSL versions.
|
|
- Fix TTL of synthesized CNAME when a DNAME is used from cache.
|
|
- Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
|
|
like unbound-control-setup.sh has.
|
|
|
|
- Update to 1.19.2:
|
|
* Bug Fixes:
|
|
- Fix CVE-2024-1931, Denial of service when trimming EDE text
|
|
on positive replies.
|
|
[bsc#1221164]
|
|
|
|
- Update to 1.19.1:
|
|
* Bug Fixes: [bsc#1219823, CVE-2023-50387][bsc#1219826, CVE-2023-50868]
|
|
- Fix CVE-2023-50387, DNSSEC verification complexity can be
|
|
exploited to exhaust CPU resources and stall DNS resolvers.
|
|
- Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
|
|
|
|
- as we use --disable-explicit-port-randomisation, also disable
|
|
outgoing-port-permit and outgoing-port-avoid in config file to
|
|
suppress the related unbound-checkconf warnings on every start
|
|
|
|
- Update to 1.19.0:
|
|
* Features:
|
|
- Fix #850: [FR] Ability to use specific database in Redis, with
|
|
new redis-logical-db configuration option.
|
|
- Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream
|
|
requests. This can be helpful for devices that cannot handle
|
|
DNSSEC information. But it should not be enabled otherwise, because
|
|
that would stop DNSSEC validation. The DNSSEC validation would not
|
|
work for Unbound itself, and also not for downstream users. Default
|
|
is no. The option is disable-edns-do: no
|
|
- Expose the script filename in the Python module environment 'mod_env'
|
|
instead of the config_file structure which includes the linked list
|
|
of scripts in a multi Python module setup; fixes #79.
|
|
- Expose the configured listening and outgoing interfaces, if any, as
|
|
a list of strings in the Python 'config_file' class instead of the
|
|
current Swig object proxy; fixes #79.
|
|
- Mailing list patches from Daniel Gröber for DNS64 fallback to plain
|
|
AAAA when no A record exists for synthesis, and minor DNS64 code
|
|
refactoring for better readability.
|
|
- Merge #951: Cachedb no store. The cachedb-no-store: yes option is
|
|
used to stop cachedb from writing messages to the backend storage.
|
|
It reads messages when data is available from the backend.
|
|
The default is no.
|
|
* Bug Fixes:
|
|
- Fix for version generation race condition that ignored changes.
|
|
- Fix #942: 1.18.0 libunbound DNS regression when built without OpenSSL.
|
|
- Fix for WKS call to getservbyname that creates allocation on exit in
|
|
unit test by testing numbers first and testing from the services list later.
|
|
- Fix autoconf 2.69 warnings in configure.
|
|
- Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1.
|
|
- Merge #931: Prevent warnings from -Wmissing-prototypes.
|
|
- Fix to scrub resource records of type A and AAAA that have an
|
|
inappropriate size. They are removed from responses.
|
|
- Fix to move msgparse_rrset_remove_rr code to util/msgparse.c.
|
|
- Fix to add EDE text when RRs have been removed due to length.
|
|
- Fix to set ede match in unit test for rr length removal.
|
|
- Fix to print EDE text in readable form in output logs.
|
|
- Fix send of udp retries when ENOBUFS is returned. It stops looping
|
|
and also waits for the condition to go away. Reported by Florian Obser.
|
|
- Fix authority zone answers for obscured DNAMEs and delegations.
|
|
- Merge #936: Check for c99 with autoconf versions prior to 2.70.
|
|
- Fix to remove two c99 notations.
|
|
- Fix rpz tcp-only action with rpz triggers nsdname and nsip.
|
|
- Fix misplaced comment.
|
|
- Merge #881: Generalise the proxy protocol code.
|
|
- Fix #946: Forwarder returns servfail on upstream response noerror no data.
|
|
- Fix edns subnet so that queries with a source prefix of zero cause the
|
|
recursor send no edns subnet option to the upstream.
|
|
- Fix that printout of EDNS options shows the EDNS cookie option by name.
|
|
- Fix infinite loop when reading multiple lines of input on a broken remote
|
|
control socket. Addesses #947 and #948.
|
|
- Fix #949: "could not create control compt".
|
|
- Fix that cachedb does not warn when serve-expired is disabled about use
|
|
of serve-expired-reply-ttl and serve-expired-client-timeout.
|
|
- Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x.
|
|
- Better fix for infinite loop when reading multiple lines of input on a
|
|
broken remote control socket, by treating a zero byte line the same as
|
|
transmission end. Addesses #947 and #948.
|
|
- For multi Python module setups, clean previously parsed module functions
|
|
in __main__'s dictionary, if any, so that only current module functions
|
|
are registered.
|
|
- Fix #954: Inconsistent RPZ handling for A record returned along with CNAME.
|
|
- Fixes for the DNS64 patches.
|
|
- Update the dns64_lookup.rpl test for the DNS64 fallback patch.
|
|
- Merge #955 from buevsan: fix ipset wrong behavior.
|
|
- Update testdata/ipset.tdir test for ipset fix.
|
|
- Fix to print detailed errors when an SSL IO routine fails via SSL_get_error.
|
|
- Clearer configure text for missing protobuf-c development libraries.
|
|
- autoconf.
|
|
- Merge #930 from Stuart Henderson: add void to log_ident_revert_to_default
|
|
declaration.
|
|
- Fix #941: dnscrypt doesn't work after upgrade to 1.18 with suggestion by
|
|
dukeartem to also fix the udp_ancil with dnscrypt.
|
|
- Fix SSL compile failure for definition in log_crypto_err_io_code_arg.
|
|
- Fix SSL compile failure for other missing definitions in log_crypto_err_io_code_arg.
|
|
- Fix compilation without openssl, remove unused function warning.
|
|
- Mention flex and bison in README.md when building from repository source.
|
|
|
|
- Update to 1.18.0:
|
|
* Features:
|
|
- Аdd a metric about the maximum number of collisions in lrushah.
|
|
- Set max-udp-size default to 1232. This is the same default value
|
|
as the default value for edns-buffer-size. It restricts client
|
|
edns buffer size choices, and makes unbound behave similar to
|
|
other DNS resolvers.
|
|
- Add harden-unknown-additional option. It removes unknown records
|
|
from the authority section and additional section.
|
|
- Added new static zone type block_a to suppress all A queries for
|
|
specific zones.
|
|
- [FR] Ability to use Redis unix sockets.
|
|
- [FR] Ability to set the Redis password.
|
|
- Features/dropqueuedpackets, with sock-queue-timeout option that
|
|
drops packets that have been in the socket queue for too long.
|
|
Added statistics num.queries_timed_out and query.queue_time_us.max
|
|
that track the socket queue timeouts.
|
|
- 'eqvinox' Lamparter: NAT64 support.
|
|
- [FR] Use kernel timestamps for dnstap.
|
|
- Add cachedb hit stat. Introduces 'num.query.cachedb' as a new
|
|
statistical counter.
|
|
- Add SVCB dohpath support.
|
|
- Add validation EDEs to queries where the CD bit is set.
|
|
- Add prefetch support for subnet cache entries.
|
|
- Add EDE (RFC8914) caching.
|
|
- Add support for EDE caching in cachedb and subnetcache.
|
|
- Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server
|
|
cookies for clients that send client cookies. This needs to be explicitly
|
|
turned on in the config file with: `answer-cookie: yes`.
|
|
* Bug Fixes
|
|
- Response change to NODATA for some ANY queries since 1.12.
|
|
- Fix not following cleared RD flags potentially enables
|
|
amplification DDoS attacks.
|
|
- Set default for harden-unknown-additional to no. So that it
|
|
does not hamper future protocol developments.
|
|
- Fix to ignore entirely empty responses, and try at another authority.
|
|
This turns completely empty responses, a type of noerror/nodata into
|
|
a servfail, but they do not conform to RFC2308, and the retry can fetch
|
|
improved content.
|
|
- Allow TTL refresh of expired error responses.
|
|
- Fix: Unexpected behavior with client-subnet-always-forward and serve-expired
|
|
- Fix unbound-dnstap-socket test program to reply the finish frame over
|
|
a TLS connection correctly.
|
|
- Fix: reserved identifier violation
|
|
- Fix: Unencrypted query is sent when forward-tls-upstream: yes is used
|
|
without tls-cert-bundle
|
|
- Extra consistency check to make sure that when TLS is requested,
|
|
either we set up a TLS connection or we return an error.
|
|
- Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record.
|
|
- Fix: Bad interaction with 0 TTL records and serve-expired
|
|
- Fix RPZ IP responses with trigger rpz-drop on cache entries.
|
|
- Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
|
|
- Fix dereference of NULL variable warning in mesh_do_callback.
|
|
- Fix ip_ratelimit test to work with dig that enables DNS cookies.
|
|
- Fix for iter_dec_attempts that could cause a hang, part of capsforid
|
|
and qname minimisation, depending on the settings.
|
|
- Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
|
|
- Fix stat_values test to work with dig that enables DNS cookies.
|
|
- unbound.service: Main process exited, code=killed, status=11/SEGV.
|
|
Fixes cachedb configuration handling.
|
|
- Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply.
|
|
|
|
- Update to 1.20.0:
|
|
Features:
|
|
* The config for discard-timeout, wait-limit, wait-limit-cookie,
|
|
wait-limit-netblock and wait-limit-cookie-netblock was added,
|
|
for the fix to the DNSBomb issue.
|
|
* Merge GH#1027: Introduce 'cache-min-negative-ttl' option.
|
|
* Merge GH#1043 from xiaoxiaoafeifei: Add loongarch support;
|
|
updates config.guess(2024-01-01) and config.sub(2024-01-01),
|
|
verified with upstream.
|
|
* Implement cachedb-check-when-serve-expired: yes option, default
|
|
is enabled. When serve expired is enabled with cachedb, it
|
|
first checks cachedb before serving the expired response.
|
|
* Fix GH#876: [FR] can unbound-checkconf be silenced when
|
|
configuration is valid?
|
|
|
|
Bug Fixes:
|
|
* Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to
|
|
Xiang Li from the Network and Information Security Lab of
|
|
Tsinghua University for reporting it.
|
|
* Update doc/unbound.doxygen with 'doxygen -u'. Fixes option
|
|
deprecation warnings and updates with newer defaults.
|
|
* Remove unused portion from iter_dname_ttl unit test.
|
|
* Fix validator classification of qtype DNAME for positive and
|
|
redirection answers, and fix validator signature routine for
|
|
dealing with the synthesized CNAME for a DNAME without
|
|
previously encountering it and also for when the qtype is
|
|
DNAME.
|
|
* Fix qname minimisation for reply with a DNAME for qtype CNAME
|
|
that answers it.
|
|
* Fix doc test so it ignores but outputs unsupported doxygen
|
|
options.
|
|
* Fix GH#1021 Inconsistent Behavior with Changing
|
|
rpz-cname-override and doing a unbound-control reload.
|
|
* Merge GH#1028: Clearer documentation for tcp-idle-timeout and
|
|
edns-tcp-keepalive-timeout.
|
|
* Fix GH#1029: rpz trigger clientip and action rpz-passthru not
|
|
working as expected.
|
|
* Fix rpz that the rpz override is taken in case of clientip
|
|
triggers. Fix that the clientip passthru action is logged. Fix
|
|
that the clientip localdata action is logged. Fix rpz override
|
|
action cname for the clientip trigger.
|
|
* Fix to unify codepath for local alias for rpz cname action
|
|
override.
|
|
* Fix rpz for cname override action after nsdname and nsip
|
|
triggers.
|
|
* Fix that addrinfo is not kept around but copied and freed, so
|
|
that log-destaddr uses a copy of the information, much like NSD
|
|
does.
|
|
* Merge GH#1030: Persist the openssl and expat directories for
|
|
repeated Windows builds.
|
|
* Fix that rpz CNAME content is limited to the max number of
|
|
cnames.
|
|
* Fix rpz, it follows iterator CNAMEs for nsip and nsdname and
|
|
sets the reply query_info values, that is better for debug
|
|
logging.
|
|
* Fix rpz that copies the cname override completely to the temp
|
|
region, so there are no references to the rpz region.
|
|
* Add rpz unit test for nsip action override.
|
|
* Fix rpz for qtype CNAME after nameserver trigger.
|
|
* Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix
|
|
that clientip and nsip can give a CNAME.
|
|
* Fix localdata and rpz localdata to match CNAME only if no
|
|
direct type match is available.
|
|
* Merge GH#831 from Pierre4012: Improve Windows NSIS installer
|
|
script (setup.nsi).
|
|
* For GH#831: Format text, use exclamation icon and explicit label
|
|
names.
|
|
* Fix name of unit test for subnet cache response.
|
|
* Fix GH#1032: The size of subnet_msg_cache calculation mistake
|
|
cause memory usage increased beyond expectations.
|
|
* Fix for GH#1032, add safeguard to make table space positive.
|
|
* Fix comment in lruhash space function.
|
|
* Fix to add unit test for lruhash space that exercises the
|
|
routines.
|
|
* Fix that when the server truncates the pidfile, it does not
|
|
follow symbolic links.
|
|
* Fix that the server does not chown the pidfile.
|
|
* Fix GH#1034: DoT forward-zone via unbound-control.
|
|
* Fix for crypto related failures to have a better error string.
|
|
* Fix GH#1035: Potential Bug while parsing port from the
|
|
"stub-host" string; also affected forward-zones and
|
|
remote-control host directives.
|
|
* Fix GH#369: dnstap showing extra responses; for client responses
|
|
right from the cache when replying with expired data or
|
|
prefetching.
|
|
* Fix GH#1040: fix heap-buffer-overflow issue in function
|
|
cfg_mark_ports of file util/config_file.c.
|
|
* For GH#1040: adjust error text and disallow negative ports in
|
|
other parts of cfg_mark_ports.
|
|
* Fix comment syntax for view function views_find_view.
|
|
* Fix GH#595: unbound-anchor cannot deal with full disk; it will
|
|
now first write out to a temp file before replacing the
|
|
original one, like Unbound already does for
|
|
auto-trust-anchor-file.
|
|
* Fixup compile without cachedb.
|
|
* Add test for cachedb serve expired.
|
|
* Extended test for cachedb serve expired.
|
|
* Fix makefile dependencies for fake_event.c.
|
|
* Fix cachedb for serve-expired with serve-expired-reply-ttl.
|
|
* Fix to not reply serve expired unless enabled for cachedb.
|
|
* Fix cachedb for serve-expired with
|
|
serve-expired-client-timeout.
|
|
* Fixup unit test for cachedb server expired client timeout with
|
|
a check if response if from upstream or from cachedb.
|
|
* Fixup cachedb to not refetch when serve-expired-client-timeout
|
|
is used.
|
|
* Merge GH#1049 from Petr Menšík: Py_NoSiteFlag is not needed since
|
|
Python 3.8
|
|
* Fix GH#1048: Update ax_pkg_swig.m4 and ax_pthread.m4.
|
|
* Fix configure, autoconf for GH#1048.
|
|
* Add checklock feature verbose_locking to trace locks and
|
|
unlocks.
|
|
* Fix edns subnet to sort rrset references when storing messages
|
|
in the cache. This fixes a race condition in the rrset locks.
|
|
* Merge GH#1053: Remove child delegations from cache when
|
|
grandchild delegations are returned from parent.
|
|
* Fix ci workflow for macos for moved install locations.
|
|
* Fix configure flto check error, by finding grep for it.
|
|
* Merge GH#1041: Stub and Forward unshare. This has one structure
|
|
for them and fixes GH#1038: fatal error: Could not initialize
|
|
thread / error: reading root hints.
|
|
* Fix to disable fragmentation on systems with IP_DONTFRAG, with
|
|
a nonzero value for the socket option argument.
|
|
* Fix doc unit test for out of directory build.
|
|
* Fix cachedb with serve-expired-client-timeout disabled. The
|
|
edns subnet module deletes global cache and cachedb cache when
|
|
it stores a result, and serve-expired is enabled, so that the
|
|
global reply, that is older than the ecs reply, does not return
|
|
after the ecs reply expires.
|
|
* Add unit tests for cachedb and subnet cache expired data.
|
|
* Man page entry for unbound-checkconf -q.
|
|
* Cleanup unnecessary strdup calls for EDE strings.
|
|
* Fix doxygen comment for errinf_to_str_bogus.
|
|
|
|
- Update to 1.19.3:
|
|
* Features:
|
|
- Merge PR #973: Use the origin (DNAME) TTL for synthesized
|
|
CNAMEs as per RFC 6672.
|
|
* Bug Fixes
|
|
- Fix unit test parse of origin syntax.
|
|
- Use 127.0.0.1 explicitly in tests to avoid delays and errors
|
|
on newer systems.
|
|
- Fix #964: config.h.in~ backup file in release tar balls.
|
|
- Merge #968: Replace the obsolescent fgrep with grep -F in
|
|
tests.
|
|
- Merge #971: fix 'WARNING: Message has 41 extra bytes at end'.
|
|
- Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.
|
|
- Fix dnstap that assertion failed on logging other than UDP
|
|
and TCP traffic. It lists it as TCP traffic.
|
|
- Fix to sync the tests script file common.sh.
|
|
- iana portlist update.
|
|
- Updated IPv4 and IPv6 address for b.root-servers.net in root
|
|
hints.
|
|
- Update test script file common.sh.
|
|
- Fix tests to use new common.sh functions, wait_logfile and
|
|
kill_from_pidfile.
|
|
- Fix #974: doc: default number of outgoing ports without
|
|
libevent.
|
|
- Merge #975: Fixed some syntax errors in rpl files.
|
|
- Fix root_zonemd unit test, it checks that the root ZONEMD
|
|
verifies, now that the root has a valid ZONEMD.
|
|
- Update example.conf with cookie options.
|
|
- Merge #980: DoH: reject non-h2 early. To fix #979: Improve
|
|
errors for non-HTTP/2 DoH clients.
|
|
- Merge #985: Add DoH and DoT to dnstap message.
|
|
- Fix #983: Sha1 runtime insecure change was incomplete.
|
|
- Remove unneeded newlines and improve indentation in remote
|
|
control code.
|
|
- Merge #987: skip edns frag retry if advertised udp payload
|
|
size is not smaller.
|
|
- Fix unit test for #987 change in udp1xxx retry packet send.
|
|
- Merge #988: Fix NLnetLabs#981: dump_cache truncates large
|
|
records.
|
|
- Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.
|
|
- Fix to link with libssp for libcrypto and getaddrinfo check
|
|
for only header. Also update crosscompile to remove ssp for
|
|
32bit.
|
|
- Merge #993: Update b.root-servers.net also in example config
|
|
file.
|
|
- Update workflow for ports to use newer openssl on windows
|
|
compile.
|
|
- Fix warning for windres on resource files due to
|
|
redefinition.
|
|
- Fix for #997: Print details for SSL certificate failure.
|
|
- Update error printout for duplicate trust anchors to include
|
|
the trust anchor name (relates to #920).
|
|
- Update message TTL when using cached RRSETs. It could result
|
|
in non-expired messages with expired RRSETs (non-usable
|
|
messages by Unbound).
|
|
- Merge #999: Search for protobuf-c with pkg-config.
|
|
- Fix #1006: Can't find protobuf-c package since #999.
|
|
- Fix documentation for access-control in the unbound.conf man
|
|
page.
|
|
- Merge #1010: Mention REFUSED has the TC bit set with
|
|
unmatched allow_cookie acl in the manpage. It also fixes the
|
|
code to match the documentation about clients with a valid
|
|
cookie that bypass the ratelimit regardless of the
|
|
allow_cookie acl.
|
|
- Document the suspend argument for process_ds_response().
|
|
- Move github workflows to use checkoutv4.
|
|
- Fix edns subnet replies for scope zero answers to not get
|
|
stored in the global cache, and in cachedb, when the upstream
|
|
replies without an EDNS record.
|
|
- Fix for #1022: Fix ede prohibited in access control refused
|
|
answers.
|
|
- Fix unbound-control-setup.cmd to use 3072 bits so that
|
|
certificates are long enough for newer OpenSSL versions.
|
|
- Fix TTL of synthesized CNAME when a DNAME is used from cache.
|
|
- Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
|
|
like unbound-control-setup.sh has.
|
|
|
|
- Update to 1.19.2:
|
|
* Bug Fixes:
|
|
- Fix CVE-2024-1931, Denial of service when trimming EDE text
|
|
on positive replies.
|
|
[bsc#1221164]
|
|
|
|
- Update to 1.19.1:
|
|
* Bug Fixes: [bsc#1219823, CVE-2023-50387][bsc#1219826, CVE-2023-50868]
|
|
- Fix CVE-2023-50387, DNSSEC verification complexity can be
|
|
exploited to exhaust CPU resources and stall DNS resolvers.
|
|
- Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
|
|
|
|
- as we use --disable-explicit-port-randomisation, also disable
|
|
outgoing-port-permit and outgoing-port-avoid in config file to
|
|
suppress the related unbound-checkconf warnings on every start
|
|
|
|
- Use prefixes instead of sudo in unbound.service (bsc#1215628)
|
|
|
|
- Update to 1.19.0:
|
|
* Features:
|
|
- Fix #850: [FR] Ability to use specific database in Redis, with
|
|
new redis-logical-db configuration option.
|
|
- Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream
|
|
requests. This can be helpful for devices that cannot handle
|
|
DNSSEC information. But it should not be enabled otherwise, because
|
|
that would stop DNSSEC validation. The DNSSEC validation would not
|
|
work for Unbound itself, and also not for downstream users. Default
|
|
is no. The option is disable-edns-do: no
|
|
- Expose the script filename in the Python module environment 'mod_env'
|
|
instead of the config_file structure which includes the linked list
|
|
of scripts in a multi Python module setup; fixes #79.
|
|
- Expose the configured listening and outgoing interfaces, if any, as
|
|
a list of strings in the Python 'config_file' class instead of the
|
|
current Swig object proxy; fixes #79.
|
|
- Mailing list patches from Daniel Gröber for DNS64 fallback to plain
|
|
AAAA when no A record exists for synthesis, and minor DNS64 code
|
|
refactoring for better readability.
|
|
- Merge #951: Cachedb no store. The cachedb-no-store: yes option is
|
|
used to stop cachedb from writing messages to the backend storage.
|
|
It reads messages when data is available from the backend.
|
|
The default is no.
|
|
* Bug Fixes:
|
|
- Fix for version generation race condition that ignored changes.
|
|
- Fix #942: 1.18.0 libunbound DNS regression when built without OpenSSL.
|
|
- Fix for WKS call to getservbyname that creates allocation on exit in
|
|
unit test by testing numbers first and testing from the services list later.
|
|
- Fix autoconf 2.69 warnings in configure.
|
|
- Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1.
|
|
- Merge #931: Prevent warnings from -Wmissing-prototypes.
|
|
- Fix to scrub resource records of type A and AAAA that have an
|
|
inappropriate size. They are removed from responses.
|
|
- Fix to move msgparse_rrset_remove_rr code to util/msgparse.c.
|
|
- Fix to add EDE text when RRs have been removed due to length.
|
|
- Fix to set ede match in unit test for rr length removal.
|
|
- Fix to print EDE text in readable form in output logs.
|
|
- Fix send of udp retries when ENOBUFS is returned. It stops looping
|
|
and also waits for the condition to go away. Reported by Florian Obser.
|
|
- Fix authority zone answers for obscured DNAMEs and delegations.
|
|
- Merge #936: Check for c99 with autoconf versions prior to 2.70.
|
|
- Fix to remove two c99 notations.
|
|
- Fix rpz tcp-only action with rpz triggers nsdname and nsip.
|
|
- Fix misplaced comment.
|
|
- Merge #881: Generalise the proxy protocol code.
|
|
- Fix #946: Forwarder returns servfail on upstream response noerror no data.
|
|
- Fix edns subnet so that queries with a source prefix of zero cause the
|
|
recursor send no edns subnet option to the upstream.
|
|
- Fix that printout of EDNS options shows the EDNS cookie option by name.
|
|
- Fix infinite loop when reading multiple lines of input on a broken remote
|
|
control socket. Addesses #947 and #948.
|
|
- Fix #949: "could not create control compt".
|
|
- Fix that cachedb does not warn when serve-expired is disabled about use
|
|
of serve-expired-reply-ttl and serve-expired-client-timeout.
|
|
- Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x.
|
|
- Better fix for infinite loop when reading multiple lines of input on a
|
|
broken remote control socket, by treating a zero byte line the same as
|
|
transmission end. Addesses #947 and #948.
|
|
- For multi Python module setups, clean previously parsed module functions
|
|
in __main__'s dictionary, if any, so that only current module functions
|
|
are registered.
|
|
- Fix #954: Inconsistent RPZ handling for A record returned along with CNAME.
|
|
- Fixes for the DNS64 patches.
|
|
- Update the dns64_lookup.rpl test for the DNS64 fallback patch.
|
|
- Merge #955 from buevsan: fix ipset wrong behavior.
|
|
- Update testdata/ipset.tdir test for ipset fix.
|
|
- Fix to print detailed errors when an SSL IO routine fails via SSL_get_error.
|
|
- Clearer configure text for missing protobuf-c development libraries.
|
|
- autoconf.
|
|
- Merge #930 from Stuart Henderson: add void to log_ident_revert_to_default
|
|
declaration.
|
|
- Fix #941: dnscrypt doesn't work after upgrade to 1.18 with suggestion by
|
|
dukeartem to also fix the udp_ancil with dnscrypt.
|
|
- Fix SSL compile failure for definition in log_crypto_err_io_code_arg.
|
|
- Fix SSL compile failure for other missing definitions in log_crypto_err_io_code_arg.
|
|
- Fix compilation without openssl, remove unused function warning.
|
|
- Mention flex and bison in README.md when building from repository source.
|
|
|
|
- Update to 1.18.0:
|
|
* Features:
|
|
- Аdd a metric about the maximum number of collisions in lrushah.
|
|
- Set max-udp-size default to 1232. This is the same default value
|
|
as the default value for edns-buffer-size. It restricts client
|
|
edns buffer size choices, and makes unbound behave similar to
|
|
other DNS resolvers.
|
|
- Add harden-unknown-additional option. It removes unknown records
|
|
from the authority section and additional section.
|
|
- Added new static zone type block_a to suppress all A queries for
|
|
specific zones.
|
|
- [FR] Ability to use Redis unix sockets.
|
|
- [FR] Ability to set the Redis password.
|
|
- Features/dropqueuedpackets, with sock-queue-timeout option that
|
|
drops packets that have been in the socket queue for too long.
|
|
Added statistics num.queries_timed_out and query.queue_time_us.max
|
|
that track the socket queue timeouts.
|
|
- 'eqvinox' Lamparter: NAT64 support.
|
|
- [FR] Use kernel timestamps for dnstap.
|
|
- Add cachedb hit stat. Introduces 'num.query.cachedb' as a new
|
|
statistical counter.
|
|
- Add SVCB dohpath support.
|
|
- Add validation EDEs to queries where the CD bit is set.
|
|
- Add prefetch support for subnet cache entries.
|
|
- Add EDE (RFC8914) caching.
|
|
- Add support for EDE caching in cachedb and subnetcache.
|
|
- Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server
|
|
cookies for clients that send client cookies. This needs to be explicitly
|
|
turned on in the config file with: `answer-cookie: yes`.
|
|
* Bug Fixes
|
|
- Response change to NODATA for some ANY queries since 1.12.
|
|
- Fix not following cleared RD flags potentially enables
|
|
amplification DDoS attacks.
|
|
- Set default for harden-unknown-additional to no. So that it
|
|
does not hamper future protocol developments.
|
|
- Fix to ignore entirely empty responses, and try at another authority.
|
|
This turns completely empty responses, a type of noerror/nodata into
|
|
a servfail, but they do not conform to RFC2308, and the retry can fetch
|
|
improved content.
|
|
- Allow TTL refresh of expired error responses.
|
|
- Fix: Unexpected behavior with client-subnet-always-forward and serve-expired
|
|
- Fix unbound-dnstap-socket test program to reply the finish frame over
|
|
a TLS connection correctly.
|
|
- Fix: reserved identifier violation
|
|
- Fix: Unencrypted query is sent when forward-tls-upstream: yes is used
|
|
without tls-cert-bundle
|
|
- Extra consistency check to make sure that when TLS is requested,
|
|
either we set up a TLS connection or we return an error.
|
|
- Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record.
|
|
- Fix: Bad interaction with 0 TTL records and serve-expired
|
|
- Fix RPZ IP responses with trigger rpz-drop on cache entries.
|
|
- Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
|
|
- Fix dereference of NULL variable warning in mesh_do_callback.
|
|
- Fix ip_ratelimit test to work with dig that enables DNS cookies.
|
|
- Fix for iter_dec_attempts that could cause a hang, part of capsforid
|
|
and qname minimisation, depending on the settings.
|
|
- Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
|
|
- Fix stat_values test to work with dig that enables DNS cookies.
|
|
- unbound.service: Main process exited, code=killed, status=11/SEGV.
|
|
Fixes cachedb configuration handling.
|
|
- Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply.
|
|
|
|
</description>
|
|
<package>unbound</package>
|
|
<package>unbound:libunbound-devel-mini</package>
|
|
<seperate_build_arch/>
|
|
</patchinfo>
|