- Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li
from the Network and Information Security Lab of Tsinghua University
for reporting it.
- Fix cachedb with serve-expired-client-timeout disabled. The edns
  subnet module deletes the global cache and cachedb cache entries when it
  stores a result and serve-expired is enabled, so that the global
  reply, which is older than the ECS reply, is not returned after
  the ECS reply expires.
Changelog note for #1041 and #1038.
- Merge #1041: Stub and Forward unshare. This has one structure
for them and fixes #1038: fatal error: Could not initialize
thread / error: reading root hints.
Update locking management for iter_fwd and iter_hints methods. (#1054)
Fast reload, move most of the locking management to iter_fwd and
iter_hints methods. The caller still has the ability to handle its
own locking, if desired, for atomic operations on sets of different
structs.
- When a grandchild delegation is returned, remove any cached child delegations
  up to the parent, so that an expired child delegation that would never
  be updated does not cause delegation invalidation. Most likely to
  happen without qname-minimisation. Reported by Roland van Rijswijk-Deij.
Petr Mensik [Mon, 15 Apr 2024 11:43:58 +0000 (13:43 +0200)]
Py_NoSiteFlag is not needed since Python 3.8
Python 3.12 and later print a warning that Py_NoSiteFlag is deprecated. It
seems that the variable is not needed since Python 3.8, since in such
cases it directly sets the config.site_import variable a few moments later.
Move use of the deprecated variable to only those versions before the flag
in config could be used.
This should fix warning like:
pythonmod/pythonmod.c: In function 'pythonmod_init':
pythonmod/pythonmod.c:359:7: warning: 'Py_NoSiteFlag' is deprecated [-Wdeprecated-declarations]
359 | Py_NoSiteFlag = 1;
| ^~~~~~~~~~~~~
In file included from /usr/include/python3.12/Python.h:48,
from pythonmod/pythonmod.c:54:
/usr/include/python3.12/cpython/pydebug.h:14:37: note: declared here
14 | Py_DEPRECATED(3.12) PyAPI_DATA(int) Py_NoSiteFlag;
| ^~~~~~~~~~~~~
Petr Mensik [Mon, 15 Apr 2024 09:30:19 +0000 (11:30 +0200)]
Update ax_pkg_swig.m4 and ax_pthread.m4
Use vanilla m4 files with known source. Prepared for possible removal at
build time if the system already has autoconf-archive source present.
Switch to AX_PKG_SWIG macro for versioned or unversioned swig detection.
- Implement the cachedb-check-when-serve-expired: yes option, enabled by
  default. When serve-expired is enabled together with cachedb, cachedb is
  checked first before the expired response is served.
- Fix #595: unbound-anchor cannot deal with a full disk; it now
  first writes out to a temp file before replacing the original one,
  like Unbound already does for auto-trust-anchor-file.
- fast-reload: in the nonthreaded case, the unbound-control commands forward,
  forward_add and forward_delete should be distributed to the other processes,
  but when threaded they should not be distributed to the other threads, because
  the structure is no longer thread specific.
Pierre4012 [Mon, 25 Mar 2024 15:43:49 +0000 (16:43 +0100)]
Improve Windows NSIS installer script (setup.nsi) (#831)
* Improve Windows NSIS installer script (setup.nsi)
Two improvements to the installer script:
- avoid an error message when Unbound is running,
- add "DisplayVersion" in the registry so that the Windows package manager (Winget) can handle Unbound.
* Update setup.nsi: ask the user to stop the unbound service + DisplayVersion in the Windows registry
- Fix rpz so that the rpz override is taken in case of clientip triggers.
  Fix that the clientip passthru action is logged. Fix that the
  clientip localdata action is logged. Fix the rpz override action cname
  for the clientip trigger.
- Fix validator classification of qtype DNAME for positive and
redirection answers, and fix validator signature routine for dealing
with the synthesized CNAME for a DNAME without previously
encountering it and also for when the qtype is DNAME.
- Version set to 1.19.3 for release. After 1.19.2 point release with
security fix for CVE-2024-1931, Denial of service when trimming
EDE text on positive replies. The code repo includes the fix and
is for version 1.19.3.
- Fix edns subnet replies for scope zero answers to not get stored
in the global cache, and in cachedb, when the upstream replies
without an EDNS record.
Changelog entry for #1010:
- Merge #1010: Mention REFUSED has the TC bit set with unmatched
allow_cookie acl in the manpage. It also fixes the code to match the
documentation about clients with a valid cookie that bypass the
ratelimit regardless of the allow_cookie acl.