unbound: Update to 1.19.0 For details see: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-0 Again: Changelog is IMHO too long to be published here... Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
unbound: Update to 1.18.0 For details see: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-18-0 Changelog is IMHO too long to be published here... Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
unbound: Update to 1.17.1 For details see: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-17-1 "Features Expose 'statistics-inhibit-zero' as a configuration option; the default value retains Unbound's behavior. Expose 'max-sent-count' as a configuration option; the default value retains Unbound's behavior. Merge #461 from Christian Allred: Add max-query-restarts option. Exposes an internal configuration but the default value retains Unbound's behavior. Merge #569 from JINMEI Tatuya: add keep-cache option to 'unbound-control reload' to keep caches. Bug Fixes Merge #768 from fobser: Arithmetic on a pointer to void is a GNU extension. In unit test, print python script name list correctly. testcode/dohclient sets log identity to its name. Clarify the use of MAX_SENT_COUNT in the iterator code. Fix that cachedb does not store failures in the external cache. Merge #767 from jonathangray: consistently use IPv4/IPv6 in unbound.conf.5. Fix to ignore tcp events for closed comm points. Fix to make sure to not read again after a tcp comm point is closed. Fix #775: libunbound: subprocess reap causes parent process reap to hang. iana portlist update. Complementary fix for distutils.sysconfig deprecation in Python 3.10 to commit 62c5039ab9da42713e006e840b7578e01d66e7f2. Fix #779: [doc] Missing documentation in ub_resolve_event() for callback parameter was_ratelimited. Ignore expired error responses. Merge #720 from jonathangray: fix use after free when WSACreateEvent() fails. Fix for the ignore of tcp events for closed comm points, preserve the use after free protection features. Fix #782: Segmentation fault in stats.c:404. Add SVCB and HTTPS to the types removed by 'unbound-control flush'. Clear documentation for interactivity between the subnet module and the serve-expired and prefetch configuration options. Fix #773: When used with systemd-networkd, unbound does not start until systemd-networkd-wait-online.service times out.
Merge #808: Wrap Makefile script's directory variables in quotes. Fix to wrap Makefile scripts directory in quotes for uninstall. Fix windows compile for libunbound subprocess reap comm point closes. Update github workflows to use checkout v3. Fix wildcard in hyperlocal zone service degradation, reported by Sergey Kacheev." Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
unbound: Update to 1.17.0 For details see: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-17-0 "Features Merge #753: ACL per interface. (New interface-* configuration options). Merge #760: PROXYv2 downstream support. (New proxy-protocol-port configuration option). Bug Fixes Fix #728: alloc_reg_obtain() core dump. Stop double alloc_reg_release when serviced_create fails. Fix edns subnet so that scope 0 answers only match sourcemask 0 queries for answers from cache if from a query with sourcemask 0. Fix unittest for edns subnet change. Merge #730 from luisdallos: Fix startup failure on Windows 8.1 due to unsupported IPV6_USER_MTU socket option being set. Fix ratelimit inconsistency, for ip-ratelimits the value is the amount allowed, like for ratelimits. Fix #734 [FR] enable unbound-checkconf to detect more (basic) errors. Fix to log accept error ENFILE and EMFILE errno, but slowly, once per 10 seconds. Also log accept failures when no slow down is used. Fix to avoid process wide fcntl calls mixed with nonblocking operations after a blocked write. Patch from Vadim Fedorenko that adds MSG_DONTWAIT to receive operations, so that instruction reordering does not cause mistakenly blocking socket operations. Fix to wait for blocked write on UDP sockets, with a timeout if it takes too long the packet is dropped. Fix for wait for udp send to stop when packet is successfully sent. Fix #741: systemd socket activation fails on IPv6. Fix to update config tests to fix checking if nonblocking sockets work on OpenBSD. Slow down log frequency of write wait failures. Fix to set out of file descriptor warning to operational verbosity. Fix to log a verbose message at operational notice level if a thread is not responding, to stats requests. It is logged with thread identifiers. Remove include that was there for debug purposes. Fix to check pthread_t size after pthread has been detected. Convert tdir tests to use the new skip_test functionality. 
Remove unused testcode/mini_tpkg.sh file. Better output for skipped tdir tests. Fix doxygen warning in respip.h. Fix to remove erroneous TC flag from TCP upstream. Fix test tdir skip report printout. Fix windows compile, the identifier interface is defined in headers. Fix to close errno block in comm_point_tcp_handle_read outside of ifdef. Fix static analysis report to remove dead code from the rpz_callback_from_iterator_module function. Fix to clean up after the acl_interface unit test. Merge #764: Leniency for target discovery when under load (for NRDelegation changes). Use DEBUG_TDIR from environment in mini_tdir.sh for debugging. Fix string comparison in mini_tdir.sh. Make ede.tdir test more predictable by using static data. Fix checkconf test for dnscrypt and proxy port. Fix dnscrypt compile for proxy protocol code changes. Fix to stop responses with TC flag from resulting in partial responses. It retries to fetch the data elsewhere, or fails the query and in depth fix removes the TC flag from the cached item. Fix proxy length debug output printout typecasts. Fix to stop possible loops in the tcp reuse code (write_wait list and tcp_wait list). Based on analysis and patch from Prad Seniappan and Karthik Umashankar. Fix PROXYv2 header read for TCP connections when no proxied addresses are provided." Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
unbound: Update to 1.16.3 For details see: https://lists.nlnetlabs.nl/pipermail/unbound-users/2022-September/007885.html "This release fixes CVE-2022-3204 Non-Responsive Delegation Attack. It was reported by Yehuda Afek from Tel-Aviv University and Anat Bremler-Barr and Shani Stajnrod from Reichman University. This fixes for better performance when under load, by cutting promiscuous queries for nameserver discovery and limiting the number of times a delegation point can look in the cache for missing records. Bug Fixes - Patch for CVE-2022-3204 Non-Responsive Delegation Attack." Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
unbound: Update to 1.16.2 For details see: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-2 "Features Merge #718: Introduce infra-cache-max-rtt option to config max retransmit timeout. Bug Fixes Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699. Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for one loop pass'. Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on outbound tcp sockets. Fix verbose EDE error printout. Fix dname count in sldns parse type descriptor for SVCB and HTTPS. For windows crosscompile, fix setting the IPV6_MTU socket option equivalent (IPV6_USER_MTU); allows cross compiling with latest cross-compiler versions. Merge PR 714: Avoid treat normal hosts as unresponsive servers. And fixup the lock code. iana portlist update. Update documentation for 'outbound-msg-retry:'. Tests for ghost domain fixes." Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
unbound: Update to 1.16.1 For details see: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-1 "Features Fix #704: [FR] Statistics counter for number of outgoing UDP queries sent; introduces 'num.query.udpout' to the 'unbound-control stats' command. Bug Fixes makedist.sh picks up 32bit libssp-0.dll when 32bit compile. Fix for edns client subnet to respect not looking in its cache when instructed to do so (e.g., prefetch). Merge PR #688: Rpz url notify issue. Note in the unbound.conf text that NOTIFY is allowed from the 'url:' addresses for auth and rpz zones. Remove unused LDNS function check for GOST Engine unloading. Fix for loading locally stored zones that have lines with blanks or blanks and comments. Fix #663: use after free issue with edns options. Clarify -v flag manpage entry (#705) Fix test program dohclient close to use portability routine. Show the output of the exact .rpl run that failed with 'make test'. Fix for cached 0 TTL records to not trigger prefetching when serve-expired-client-timeout is set. Add debug option to the mini_tdir.sh test code. Fix to not count cached NXDOMAIN for MAX_TARGET_NX. Allow fallback to the parent side when MAX_TARGET_NX is reached. This will also allow MAX_TARGET_NX more NXDOMAINs. iana portlist update. Fix detection of libz on windows compile with static option. Fix compile warning for windows compile. Merge PR #706: NXNS fallback. From #706: Cached NXDOMAIN does not increase the target nx responses. From #706: Don't generate parent side queries if we already have the lame records in cache. From #706: When a lame address is the best choice, don't try to generate target queries when the missing targets are all lame. Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS mode on openssl3. Merge PR #660 from Petr Menšík: Sha1 runtime insecure. For #660: formatting, less verbose logging, add EDE information. Fix for correct openssl error when adding windows CA certificates to the openssl trust store. 
Improve val_sigcrypt.c::algo_needs_missing for one loop pass. Reintroduce documentation and more EDE support for val_sigcrypt.c::dnskeyset_verify_rrset_sig. Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for one loop pass'. Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on outbound tcp sockets." Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
unbound: Update to 1.13.2 For details see: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-13-2 Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
unbound: Update to 1.11.0 For details see: https://lists.nlnetlabs.nl/pipermail/unbound-users/2020-July/006921.html Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
unbound: Update to 1.10.1 For details see: https://lists.nlnetlabs.nl/pipermail/unbound-users/2020-May/006833.html Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
unbound: Update to 1.10.0 For details see: https://lists.nlnetlabs.nl/pipermail/unbound-users/2020-February/006711.html Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
unbound: Update to 1.9.6 For details see: https://nlnetlabs.nl/pipermail/unbound-users/2019-December/011941.html Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
unbound: Update to 1.9.5 For details see: https://nlnetlabs.nl/pipermail/unbound-users/2019-November/011897.html "This release is a fix for vulnerability CVE-2019-18934, that can cause shell execution in ipsecmod. Bug Fixes: - Fix for the reported vulnerability. The CVE number for this vulnerability is CVE-2019-18934" Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
unbound: Update to 1.9.4 For details see: https://nlnetlabs.nl/pipermail/unbound-users/2019-October/011832.html "This release is a fix for vulnerability CVE-2019-16866 that causes a failure when a specially crafted query is received." Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>