pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/net/unbound Update unbound to version 1.9.6

branches:  trunk
changeset: 345465:c2161dced044
user:      he <>
date:      Thu Dec 12 14:26:38 2019 +0000

Update unbound to version 1.9.6

Pkgsrc changes:
 * Remove now integrated patch.

Upstream changes:

This release contains a number of security related fixes, contributed by
X41 D-Sec. They have conducted a security audit of Unbound, funded by
OSTIF. The previous CVEs fixed in 1.9.4 and 1.9.5 were the most
important ones, less important fixes and side findings for more robust
code have been included in this release, alongside a normal number of
bug fixes.

The sort order for included config snippets is now ascending by name, it
previously was reversed due to an oversight.  Most config snippets do
not depend on the order as they add a stub or forward zone or some
server: section config entries.

- The unbound.conf includes are sorted ascending, for include
  statements with a '*' from glob.
- drop-tld.diff in contrib/ : adds option drop-tld: yesno that drops 2 label
  queries, to stop random floods.  Apply with
  patch -p1 < contrib/drop-tld.diff and compile.
  From Saksham Manchanda (Secure64).  Please note that we think this
  will drop DNSKEY and DS lookups for tlds and hence break DNSSEC
  lookups for downstream clients.
- Add new configure option `--enable-fully-static` to enable full static
  build if requested; in relation to #91.
- Add make distclean that removes everything configure produced,
  and make maintainer-clean that removes bison and flex output.
- unbound-fuzzers.tar.bz2 in contrib/ : three programs for fuzzing, that
  are 1:1 replacements for unbound-fuzzme.c that gets created after applying
  the contrib/unbound-fuzzme.patch.  They are contributed by
  Eric Sesterhenn from X41 D-Sec.

Bug Fixes:
- Fix that pkg-config is setup before --enable-systemd needs it.
- Fix contrib/fastrpz.patch asprintf return value checks.
- ipset module #28: log that an address is added, when verbosity high.
- ipset: refactor long routine into three smaller ones.
- updated Makefile dependencies.
- squelch DNS over TLS errors 'ssl handshake failed crypto error'
  on low verbosity, they show on verbosity 3 (query details), because
  there is a high volume and the operator cannot do anything for the
  remote failure.  Specifically filters the high volume errors.
- Fix #71: fix openssl error squelch commit compilation error.
- Fix #72: configure --with-syslog-facility=LOCAL0-7 with default
  LOG_DAEMON (as before) can set the syslog facility that the server
  uses to log messages.
- Use explicit bzero for wiping clear buffer of hash in cachedb,
  reported by Eric Sesterhenn from X41 D-Sec.
- Fix #78: Memory leak in outside_network.c.
- Merge pull request #76 from Maryse47: Improvements and fixes for
  systemd unbound.service.
- oss-fuzz badge on
- Fix fix for #78 to also free service callback struct.
- Fix for oss-fuzz build warning.
- Fix wrong response ttl for prepended short CNAME ttls, this would
  create a wrong zero_ttl response count with serve-expired enabled.
- Merge #80 from stasic: Improve wording in man page.
- Merge #82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW
  in unbound.service.
- Merge #81 from Maryse47: Consistently use /dev/urandom instead
  of /dev/random in scripts and docs.
- Merge #83 from Maryse47: contrib/ do not fork
  into the background.
- Merge #85 for #84 from sam-lunt: Add kill capability to systemd
  service file to fix that systemctl reload fails.
- Merge #87 from hardfalcon: Fix contrib/,
  Drop CAP_KILL, use + prefix for ExecReload= instead.
- Merge #90 from vcunat: fix build with nettle-3.5.
- Fix for CVE-2019-16866.  That fix is also in 1.9.4.
- Merge #86 from psquarejho: Added -b source address option to
  smallapp/unbound-anchor.c, from Lukas Wunner.
- Add doxygen comments to unbound-anchor source address code, in #86.
- Merge #97: manpage: Add missing word on unbound.conf,
  from Erethon.
- Fix #99: Memory leak in ub_ctx (event_base will never be freed).
- Fix #109: check number of arguments for stdin-pipes in
  unbound-control and fail if too many arguments.
- Merge #102 from jrtc27: Add getentropy emulation for FreeBSD.
- iana portlist updated.
- contrib/fastrpz.patch updated to apply for current code.
- fixes for splint cleanliness, long vs int in SSL set_mode.
- In unbound-host use separate variable for get_option to please
  code checkers.
- update to bison output of 3.4.1 in code repository.
- Provide a prototype for compat malloc to remove compile warning.
- Portable grep usage for reuseport configure test.
- Check return type of HMAC_Init_ex for openssl 0.9.8.
- gitignore .source tempfile used for compatible make.
- Fix for CVE-2019-18934, shell execution in ipsecmod.  This fix is also
  in 1.9.5.
- Fix authzone printout buffer length check.
- Fixes to please lint checks.
- Fix Integer Overflow in Regional Allocator,
  reported by X41 D-Sec.
- Fix Unchecked NULL Pointer in dns64_inform_super()
  and ipsecmod_new(), reported by X41 D-Sec.
- Fix Out-of-bounds Read in rr_comment_dnskey(),
  reported by X41 D-Sec.
- Fix Integer Overflows in Size Calculations,
  reported by X41 D-Sec.
- Fix Integer Overflow to Buffer Overflow in
  sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
- Fix Out of Bounds Read in sldns_str2wire_dname(),
  reported by X41 D-Sec.
- Fix Out of Bounds Write in sldns_bget_token_par(),
  reported by X41 D-Sec.
- Fix Out of Bounds Read in rrinternal_get_owner(),
  reported by X41 D-Sec.
- Fix Race Condition in autr_tp_create(),
  reported by X41 D-Sec.
- Fix Shared Memory World Writeable,
  reported by X41 D-Sec.
- Adjust unbound-control to make stats_shm a read only operation.
- Fix Weak Entropy Used For Nettle,
  reported by X41 D-Sec.
- Fix Randomness Error not Handled Properly,
  reported by X41 D-Sec.
- Fix Out-of-Bounds Read in dname_valid(),
  reported by X41 D-Sec.
- Fix Config Injection in,
  reported by X41 D-Sec.
- Fix Local Memory Leak in cachedb_init(),
  reported by X41 D-Sec.
- Fix Integer Underflow in Regional Allocator,
  reported by X41 D-Sec.
- Upgrade compat/getentropy_linux.c to version 1.46 from OpenBSD.
- Synchronize compat/getentropy_win.c with version 1.5 from
  OpenBSD, no changes but makes the file, comments, identical.
- Upgrade compat/getentropy_solaris.c to version 1.13 from OpenBSD.
- Upgrade compat/getentropy_osx.c to version 1.12 from OpenBSD.
- Changes to compat/getentropy files for,
  no link to openssl if using nettle, and hence config.h for
  HAVE_NETTLE variable.
  compat definition of MAP_ANON, for older systems.
  ifdef stdint.h inclusion for older systems.
  ifdef sha2.h inclusion for older systems.
- Fixed Compat Code Diverging from Upstream, reported by X41 D-Sec.
- Fix compile with --enable-alloc-checks, reported by X41 D-Sec.
- Fix Terminating Quotes not Written, reported by X41 D-Sec.
- Fix Useless memset() in validator, reported by X41 D-Sec.
- Fix Unrequired Checks, reported by X41 D-Sec.
- Fix Enum Name not Used, reported by X41 D-Sec.
- Fix NULL Pointer Dereference via Control Port,
  reported by X41 D-Sec.
- Fix Bad Randomness in Seed, reported by X41 D-Sec.
- Fix python examples/ for eval, reported by X41 D-Sec.
- Fix comments for doxygen in dns64.
- Fix dname loop maximum, reported by Eric Sesterhenn from X41 D-Sec.
- Fix compiler warnings.
- Merge pull request #122 from he32: In tcp_callback_writer(),
  don't disable time-out when changing to read.
- Merge pull request #124 from rmetrich: Changed log lock
  from 'quick' to 'basic' because this is an I/O lock.
- Fix text around serial arithmatic used for RRSIG times to refer
  to correct RFC number.
- Fix Assert Causing DoS in synth_cname(),
  reported by X41 D-Sec.
- Fix similar code in auth_zone synth cname to add the extra checks.
- Fix Assert Causing DoS in dname_pkt_copy(),
  reported by X41 D-Sec.
- Fix OOB Read in sldns_wire2str_dname_scan(),
  reported by X41 D-Sec.
- Fix Out of Bounds Write in sldns_str2wire_str_buf(),
  reported by X41 D-Sec.
- Fix Out of Bounds Write in sldns_b64_pton(),
  fixed by check in sldns_str2wire_int16_data_buf(),
  reported by X41 D-Sec.
- Fix Insufficient Handling of Compressed Names in dname_pkt_copy(),
  reported by X41 D-Sec.
- Fix Out of Bound Write Compressed Names in rdata_copy(),
  reported by X41 D-Sec.
- Fix Hang in sldns_wire2str_pkt_scan(),
  reported by X41 D-Sec.
  This further lowers the max to 256.
- Fix snprintf() supports the n-specifier,
  reported by X41 D-Sec.
- Fix Bad Indentation, in dnscrypt.c,
  reported by X41 D-Sec.
- Fix Client NONCE Generation used for Server NONCE,
  reported by X41 D-Sec.
- Fix compile error in dnscrypt.
- Fix _vfixed not Used, removed from sbuffer code,
  reported by X41 D-Sec.
- Fix Hardcoded Constant, reported by X41 D-Sec.
- make depend
- Fix lock type for memory purify log lock deletion.
- Fix testbound for alloccheck runs, memory purify and lock checks.
- update contrib/fastrpz.patch to apply more cleanly.
- Fix Make Test Fails when Configured With --enable-alloc-nonregional,
  reported by X41 D-Sec.
- Fix ipsecmod compile
- Fix for ipset module compile, from Adi Prasaja.


 net/unbound/Makefile                      |   5 ++---
 net/unbound/distinfo                      |  11 +++++------
 net/unbound/patches/patch-util_netevent.c |  21 ---------------------
 3 files changed, 7 insertions(+), 30 deletions(-)

diffs (55 lines):

diff -r b46d5e18f96d -r c2161dced044 net/unbound/Makefile
--- a/net/unbound/Makefile      Thu Dec 12 14:16:03 2019 +0000
+++ b/net/unbound/Makefile      Thu Dec 12 14:26:38 2019 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.73 2019/12/03 08:08:58 he Exp $
+# $NetBSD: Makefile,v 1.74 2019/12/12 14:26:38 he Exp $
-DISTNAME=      unbound-1.9.5
+DISTNAME=      unbound-1.9.6
diff -r b46d5e18f96d -r c2161dced044 net/unbound/distinfo
--- a/net/unbound/distinfo      Thu Dec 12 14:16:03 2019 +0000
+++ b/net/unbound/distinfo      Thu Dec 12 14:26:38 2019 +0000
@@ -1,8 +1,7 @@
-$NetBSD: distinfo,v 1.55 2019/12/03 08:08:58 he Exp $
+$NetBSD: distinfo,v 1.56 2019/12/12 14:26:38 he Exp $
-SHA1 (unbound-1.9.5.tar.gz) = e5a417fe46e5f2911b91e5ec6bbedc2ed14d9d0b
-RMD160 (unbound-1.9.5.tar.gz) = a49319ccc743709687792a57f1796acfa22e791e
-SHA512 (unbound-1.9.5.tar.gz) = 0b198b49165b25c93899ca41fead67c479e5b6fd255f7e2af6930f4b9898c73d8a72caf376fce9a2a33199d0764db58388371c3fdbd442999ddfdb0b8b5394ea
-Size (unbound-1.9.5.tar.gz) = 5686689 bytes
+SHA1 (unbound-1.9.6.tar.gz) = b6af3dc87ec3b372f96390c2527140ab8679fc18
+RMD160 (unbound-1.9.6.tar.gz) = 91d58d5eb3e4341ae816612795cc546559914138
+SHA512 (unbound-1.9.6.tar.gz) = 39a60f51da912ed25d247bc1e882b1242d80a63b0c2b3f753d38ed558f3a24691267375136ff6d85e5945a98ca0c4ac87e43e131c97737a355374dde64259951
+Size (unbound-1.9.6.tar.gz) = 5680145 bytes
 SHA1 (patch-configure) = eabd0c478e92ebe37adf143849389e0e792dc77f
-SHA1 (patch-util_netevent.c) = 3fba509f23d74fce18e45ffe1fcdb97ad609be46
diff -r b46d5e18f96d -r c2161dced044 net/unbound/patches/patch-util_netevent.c
--- a/net/unbound/patches/patch-util_netevent.c Thu Dec 12 14:16:03 2019 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,21 +0,0 @@
-$NetBSD: patch-util_netevent.c,v 1.1 2019/12/03 08:08:58 he Exp $
-Apply fix from
-which fixes
-Briefly: TCP socket timeouts would effectively be disabled after
-the exchange of the initial DNS query/response.
---- util/netevent.c.orig       2019-11-19 06:51:50.000000000 +0000
-+++ util/netevent.c
-@@ -1001,7 +1001,7 @@ tcp_callback_writer(struct comm_point* c
-               tcp_req_info_handle_writedone(c->tcp_req_info);
-       } else {
-               comm_point_stop_listening(c);
--              comm_point_start_listening(c, -1, -1);
-+              comm_point_start_listening(c, -1, c->tcp_timeout_msec);
-       }
- }

Home | Main Index | Thread Index | Old Index