Package Release Info

unbound-1.6.8-150100.10.8.1

Update Info: SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-2668
Available in Package Hub: 15 SP4 Subpackages Updates

platforms

AArch64
ppc64le
s390x
x86-64

subpackages

unbound
unbound-debuginfo
unbound-debugsource
unbound-python
unbound-python-debuginfo

Change Logs

* Wed Jan 19 2022 werner@suse.de
- Import changes from OBS for dlv.isc.org.key, root.anchor, and
  root.key to fix bsc#1112033
* Wed Jan 19 2022 werner@suse.de
- Add patch bsc1179191_CVE-2020-28935_19f8f4d9.patch to really fix
  bsc#1179191 CVE-2020-28935: unbound: symbolic link traversal when
  writing PID file
* Mon Jan 17 2022 werner@suse.de
- Add patches
  * bsc1185382_CVE-2019-25031_f8875527.patch
    bsc#1185382 for CVE-2019-25031
    configuration injection in create_unbound_ad_servers.sh upon a successful man-in-the-middle attack
  * bsc1185383.4_CVE-2019-25032.3_226298bb.patch
    bsc#1185383 for CVE-2019-25032
    integer overflow in the regional allocator via regional_alloc
    bsc#1185384 for CVE-2019-25033
    integer overflow in the regional allocator via the ALIGN_UP macro
  * bsc1185385_CVE-2019-25034_a3545867.patch
    bsc#1185385 for CVE-2019-25034
    integer overflow in sldns_str2wire_dname_buf_origin, leading to an out-of-bounds write
  * bsc1185386.7_CVE-2019-25035.6_fa23ee8f.patch
    bsc#1185386 for CVE-2019-25035
    out-of-bounds write in sldns_bget_token_par
    bsc#1185387 for CVE-2019-25036
    assertion failure and denial of service in synth_cname
  * bsc1185391.2_CVE-2019-25040.1_2d444a50.patch
    bsc#1185391 for CVE-2019-25040
    infinite loop via a compressed name in dname_pkt_copy
    bsc#1185392 for CVE-2019-25041
    assertion failure via a compressed name in dname_pkt_copy
  * bsc1185389.90_CVE-2019-25038.9_02080f6b.patch
    bsc#1185389 for CVE-2019-25038
    integer overflow in a size calculation in dnscrypt/dnscrypt.c
    bsc#1185390 for CVE-2019-25039
    integer overflow in a size calculation in respip/respip.c
  * bsc1185388_CVE-2019-25037_d2eb78e8.patch
    bsc#1185388 for CVE-2019-25037
    assertion failure and denial of service in dname_pkt_copy via an invalid packet
  * bsc1185393_CVE-2019-25042_6c3a0b54.patch
    bsc#1185393 for CVE-2019-25042
    out-of-bounds write via a compressed name in rdata_copy
- Correct indentation in patch unbound-1.6.8-amplifying-an-incoming-query.patch
  to make it fit to above patches
* Tue Jun 23 2020 rtorreromarijnissen@suse.com
- Avoid shell code execution after receiving a specially crafted answer
  Resolves CVE-2019-18934 (bsc#1157268)
  [ + patch_cve_2019-18934.patch ]
* Tue Jun 23 2020 rtorreromarijnissen@suse.com
- Avoid amplifying an incoming query to a large number of queries
  Resolves CVE-2020-12662 CVE-2020-12663 (bsc#1171889)
  [ + unbound-1.6.8-amplifying-an-incoming-query.patch ]
* Tue Apr 23 2019 rtorreromarijnissen@suse.com
- Add systemd require in unbound-anchor to reflect new dependency (due to systemd-timers)
* Thu Mar 07 2019 rtorreromarijnissen@suse.com
- Remove old pwdutils dependency and add shadow to cover both useradd
  and groupadd as suggested in (bsc#1126757)
* Fri Jan 04 2019 rtorreromarijnissen@suse.com
- Use systemd-tmpfiles to create /var/lib/unbound/root.key
  to avoid transactional update breakage (bsc#1111383)
* Thu Nov 15 2018 rtorreromarijnissen@suse.com
- Migrated from cron to systemd timers (bsc#1115417)
* Tue Oct 16 2018 kbabioch@suse.com
- Disabled DLV configuration by default (bsc#1055060)
- Updated the DNSSEC root trust anchor due to KSK roll over (bsc#1112009)
* Tue Oct 16 2018 dmueller@suse.com
- adjust for root KSK rollover (bsc#1112009, bsc#1004165)
* Fri Jan 19 2018 michael@stroeder.com
- update to 1.6.8 (bsc#1076963)
  patch for CVE-2017-15105: vulnerability in the processing of
  wildcard synthesized NSEC records.
* Fri Dec 01 2017 cbosdonnat@suse.com
- Use python3 instead of python2 (fate#323526)
* Thu Nov 23 2017 rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new
  %_fillupdir macro (boo#1069468)
* Tue Oct 10 2017 michael@stroeder.com
- update to 1.6.7
  Features:
- Set trust-anchor-signaling default to yes
- Fix #1440: [dnscrypt] client nonce cache.
- Fix #1435: Please allow UDP to be disabled separately upstream and
  downstream.
  Bug fixes:
- Fix that looping modules always stop the query, and don't pass
  control.
- Fix unbound-host to report error for DNSSEC state of failed lookups.
- Spelling fixes, from Josh Soref.
- Fix #1400: allowing use of global cache on ECS-forwarding unless
  always-forward.
- use a cachedb answer even if it's "expired" when serve-expired is yes
  (patch from Jinmei Tatuya).
- trigger refetching of the answer in that case (this will bypass
  cachedb lookup)
- allow storing a 0-TTL answer from cachedb in the in-memory message
  cache when serve-expired is yes
- Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff.
- Log name of looping module
- Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch
  (by Danilo G. Baio).
- Fix param unused warning for windows exportsymbol compile.
- Use RCODE from A query on DNS64 synthesized answer.
- Fix trust-anchor-signaling works in libunbound.
- Fix spelling in unbound-control man page.
* Mon Sep 04 2017 michael@stroeder.com
- update to 1.6.6
  Features:
- unbound-control dump_infra prints port number for address if not 53.
- Fix #1344: RFC6761-reserved domains: test. and invalid.
- Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor).
  With the -p option unbound does not create a pidfile.
- Added stats for queries that have been ratelimited by domain
  recursion.
- Patch to show DNSCrypt status in help output, from Carsten
  Strotmann.
- Fix #1407: Add ECS options check to unbound-checkconf.
- Fix #1415: [dnscrypt] shared secret cache, patch from
  Manu Bretelle.
  Bug Fixes:
- fixup of dnscrypt_cert_chacha test (from Manu Bretelle).
- First fix for zero b64 and hex text zone format in sldns.
- Better fixup of dnscrypt_cert_chacha test for different escapes.
- Fix that infra cache host hash does not change after reconfig.
- Fix python example0 return module wait instead of error for pass.
- enhancement for hardened-tls for DNS over TLS.  Removed duplicated
  security settings.
- Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned
  on.
- Fix #1331: libunbound segfault in threaded mode when context is
  deleted.
- Fix pythonmod link line option flag.
- Fix openssl 1.1.0 load of ssl error strings from ssl init.
- Fix 1332: Bump verbosity of failed chown'ing of the control socket.
- Redirect all localhost names to localhost address for RFC6761.
- Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
- Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
- upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02),
  config.sub(2016-09-05).
- annotate case statement fallthrough for gcc 7.1.1.
- flex output from flex 2.6.1.
- snprintf of thread number does not warn about truncated string.
- squelch TCP fast open error on FreeBSD when kernel has it disabled,
  unless verbosity is high.
- remove warning from windows compile.
- Fix compile with libnettle
- Fix DSA configure switch (--disable dsa) for libnettle and libnss.
- Fix #1365: Add Ed25519 support using libnettle.
- Fix #1394: mix of serve-expired and response-ip could cause a crash.
- Remove unused iter_env member (ip6arpa_dname)
- Do not reset rrset.bogus stats when called using stats_noreset.
- Do not add rrset_bogus and query ratelimiting stats per thread, these
  module stats are global.
- Fix #1397: Recursive DS lookups for AS112 zones names should recurse.
- Fix #1398: make cachedb secret configurable.
- Remove spaces from Makefile.
- Fix issue on macOS 10.10 where TCP fast open is detected but not
  implemented causing TCP to fail. The fix allows fallback to regular
  TCP in this case and is also more robust for cases where connectx()
  fails for some reason.
- Fix #1402: squelch invalid argument error for fd_set_block on windows.
- Fix to reclaim tcp handler when it is closed due to dnscrypt buffer
  allocation failure.
- Fix #1415: patch to free dnscrypt environment on reload.
- iana portlist update
- Small fixes for the shared secret cache patch.
- Fix WKS records on kvm autobuild host, with default protobyname
  entries for udp and tcp.
- Fix #1414: fix segfault on parse failure and log_replies.
- zero qinfo in handle_request, this zeroes local_alias and also the
  qname member.
- new keys and certs for dnscrypt tests.
- fixup WKS test on buildhost without servicebyname.
- updated contrib/fastrpz.patch to apply with configparser changes.
- Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.
- Fix #1424: cachedb:testframe is not thread safe.
- Fix #1417: [dnscrypt] shared secret cache counters, and works when
  dnscrypt is not enabled.  And cache size configuration option.
- Fix #1418: [ip ratelimit] initialize slabhash using
  ip-ratelimit-slabs.
- Recommend 1472 buffer size in unbound.conf
* Mon Aug 21 2017 michael@stroeder.com
- update to 1.6.5
  * Fix install of trust anchor when two anchors are present, makes both
    valid.  Checks hash of DS but not signature of new key.  This fixes
    installs between sep11 and oct11 2017.
* Tue Aug 08 2017 jengelh@inai.de
- RPM group fix. Do not suppress user/group creation problems.
  Replace %__ type macro indirections.
* Tue Jun 27 2017 michael@stroeder.com
- update to 1.6.4
  Features:
- Implemented trust anchor signaling using key tag query.
- unbound-checkconf -o allows query of dnstap config variables.
  Also unbound-control get_option.  Also for dnscrypt.
- unbound.h exports the shm stats structures.  They use
  type long long and no ifdefs, and ub_ before the typenames.
- Implemented opportunistic IPsec support module (ipsecmod).
- Added redirect-bogus.patch to contrib directory.
- Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
- renumbering B-Root's IPv6 address to 2001:500:200::b.
- Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
- Fix #1277: disable domain ratelimit by setting value to 0.
- Added fastrpz patch to contrib
  Bug Fixes:
- Added ECS unit test (from Manu Bretelle).
- ECS documentation fix (from Manu Bretelle).
- Fix #1252: more indentation inconsistencies.
- Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
- Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
- iana portlist update
- Based on #1257: check parse limit before t increment in sldns RR
  string parse routine.
- Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start.
  and fix that 64bit getting installed in C:\Program Files (x86).
- Fix #1259: "--disable-ecdsa" argument overwritten
  by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
- iana portlist update
- Added test for leak of stub information.
- Fix sldns wire2str printout of RR type CAA tags.
- Fix sldns int16_data parse.
- Fix sldns parse and printout of TSIG RRs.
- sldns SMIMEA and AVC definitions, same as getdns definitions.
- Fix tcp-mss failure printout text.
- Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
  connect limited tcp connections.  With the option tcp connections
  can share the same source port (for different destinations).
- Add 'c' to getopt() in testbound.
- Adjust servfail by iterator to not store in cache when serve-expired
  is enabled, to avoid overwriting useful information there.
- Fix queries for nameservers under a stub leaking to the internet.
- document trust-anchor-signaling in example config file.
- updated configure, dependencies and flex output.
- better module memory lookup, fix of unbound-control shm names for
  module memory printout of statistics.
- Fix type AVC sldns rrdef.
- Some whitespace fixup.
- Fix #1265: contrib/unbound.service contains hardcoded path.
- Fix #1265 to use /bin/kill.
- Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
  and compatibility with BoringSSL.
- Fix #1268: SIGSEGV after log_reopen.
- exec_prefix is by default equal to prefix.
- printout localzone for duplicate local-zone warnings.
- Fix assertion for low buffer size and big edns payload when worker
  overrides udpsize.
- Support for openssl EVP_DigestVerify.
- Fix #1269: inconsistent use of built-in local zones with views.
- Add defaults for new local-zone trees added to views using
  unbound-control.
- Fix #1273: cachedb.c doesn't compile with -Wextra.
- If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
- Also use global local-zones when there is a matching view that does
  not have any local-zone specified.
- Fix fastopen EPIPE fallthrough to perform connect.
- Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
  (from Manu Bretelle).
- Fix #1275: cached data in cachedb is never used.
- Fix that unbound-control can set val_clean_additional and
  val_permissive_mode.
- Add dnscrypt XChaCha20 tests.
- Detect chacha for dnscrypt at configure time.
- dnscrypt unit tests with chacha.
- Added domain name based ECS whitelist.
- Fix #1278: Incomplete wildcard proof.
- Fix #1279: Memory leak on reload when python module is enabled.
- Fix #1280: Unbound fails assert when response from authoritative
  contains malformed qname.  When 0x20 caps-for-id is enabled, when
  assertions are not enabled the malformed qname is handled correctly.
- More fixes in depth for buffer checks in 0x20 qname checks.
- Fix stub zone queries leaking to the internet for
  harden-referral-path ns checks.
- Fix query for refetch_glue of stub leaking to internet.
- Fix #1301: memory leak in respip and tests.
- Free callback in edns-subnetmod on exit and restart.
- Fix memory leak in sldns_buffer_new_frm_data.
- Fix memory leak in dnscrypt config read.
- Fix dnscrypt chacha cert support ifdefs.
- Fix dnscrypt chacha cert unit test escapes in grep.
- Fix to unlock view in view test.
- Fix warning in pythonmod under clang compiler.
- Fix lintian typo.
- Fix #1316: heap read buffer overflow in parse_edns_options.
* Wed Jun 14 2017 michael@stroeder.com
- update to 1.6.3
  Bug Fixes
- Fix #1280: Unbound fails assert when response from authoritative
  contains malformed qname. When 0x20 caps-for-id is enabled, when
  assertions are not enabled the malformed qname is handled correctly.
Version: 1.20.0-150100.10.19.1
* Wed Oct 09 2024 jorik.cronenberg@suse.com
- Fix CVE-2024-8508, unbounded name compression could lead to
  denial of service.
  [CVE-2024-8508, bsc#1231284, unbound-1.20-CVE-2024-8508.patch]
Version: 1.20.0-150100.10.16.1
* Tue Aug 20 2024 jorik.cronenberg@suse.com
- Fix null pointer dereference issue in function ub_ctx_set_fwd.
  [CVE-2024-43167, bsc#1229068, unbound-1.20-CVE-2024-43167.patch]
Version: 1.20.0-150100.10.13.1
* Thu Mar 21 2024 jorik.cronenberg@suse.com
- Update to 1.20.0
  * A lot of bugfixes and added features.
    For a complete list take a look at the changelog located at:
    /usr/share/doc/packages/unbound/Changelog or
    https://www.nlnetlabs.nl/projects/unbound/download/
  Some Noteworthy Changes:
  * Removed DLV. The DLV has been decommissioned since unbound
    1.5.4 and users have been advised to stop using it since then. The use of
    dlv options displays a warning.
  * Remove EDNS lame procedure, do not re-query without EDNS after
    timeout.
  * Add DNS over HTTPS
  * libunbound has been upgraded to major version 8
  Security Fixes:
  * Fix CVE-2023-50387, DNSSEC verification complexity can be
    exploited to exhaust CPU resources and stall DNS resolvers.
  [bsc#1219823, CVE-2023-50387]
  * Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust
    CPU.
  [bsc#1219826, CVE-2023-50868]
  * Fix CVE-2022-30698, Novel "ghost domain names" attack by
    introducing subdomain delegations.
  [bsc#1202033, CVE-2022-30698]
  * Fix CVE-2022-30699, Novel "ghost domain names" attack by
    updating almost expired delegation information.
  [bsc#1202031, CVE-2022-30699]
  * Fix CVE-2022-3204, NRDelegation attack leads to uncontrolled
    resource consumption (Non-Responsive Delegation Attack).
  [bsc#1203643, CVE-2022-3204]
  Packaging Changes:
  * Use prefixes instead of sudo in unbound.service
  * Remove no longer necessary BuildRequires: libfstrm-devel and
    libprotobuf-c-devel
  * Following patches removed because they are now obsolete:
    unbound-1.6.8-amplifying-an-incoming-query.patch
    patch_cve_2019-18934.patch
    bsc1185382_CVE-2019-25031_f8875527.patch
    bsc1185383.4_CVE-2019-25032.3_226298bb.patch
    bsc1185385_CVE-2019-25034_a3545867.patch
    bsc1185386.7_CVE-2019-25035.6_fa23ee8f.patch
    bsc1185391.2_CVE-2019-25040.1_2d444a50.patch
    bsc1185389.90_CVE-2019-25038.9_02080f6b.patch
    bsc1185388_CVE-2019-25037_d2eb78e8.patch
    bsc1185393_CVE-2019-25042_6c3a0b54.patch
    bsc1179191_CVE-2020-28935_19f8f4d9.patch
  [jsc#PED-8333]