From: Oto Šťáva Date: Fri, 22 Mar 2024 11:30:31 +0000 (+0100) Subject: Merge remote-tracking branch 'origin/master' into 6.0 X-Git-Tag: v6.0.7~8 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=refs%2Fenvironments%2Fdocs-develop-6-0-mvwoqi%2Fdeployments%2F3557;p=thirdparty%2Fknot-resolver.git Merge remote-tracking branch 'origin/master' into 6.0 --- 88b8fd0b155d3cf6268960ab3268bec4639d4583 diff --cc NEWS index a93d2fbc6,2288b377b..c0fd0dcae --- a/NEWS +++ b/NEWS @@@ -1,65 -1,10 +1,73 @@@ +Knot Resolver 6.0.7 (2024-0m-dd) +================================ + +Improvements +------------ +- manager: clear the cache via management HTTP API (#876,!1491) +- docs: documentation is now separated into user and developer parts (!1514) + +Bugfixes +-------- +- fix listening by interface name containing dashes (#900, !1500) +- fix kresctl http request timeout (!1505) +- fix RPZ if it contains apex NS record (!1516) ++- fix on 32-bit systems with 64-bit time_t (!1510) + + +Knot Resolver 6.0.6 (2024-02-13) +================================ + +Security +-------- +- CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU + * validator: lower the NSEC3 iteration limit (150 -> 50) + * validator: similarly also limit excessive NSEC3 salt length + * cache: limit the amount of work on SHA1 in NSEC3 aggressive cache + * validator: limit the amount of work on SHA1 in NSEC3 proofs + * validator: refuse to validate answers with more than 8 NSEC3 records + +- CVE-2023-50387 "KeyTrap": DNSSEC verification complexity + could be exploited to exhaust CPU resources and stall DNS resolvers. + Solution boils down mainly to limiting crypto-validations per packet. + + We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel and Michael Waidner + from the German National Research Center for Applied Cybersecurity ATHENE + for bringing this vulnerability to our attention. 
+ +Improvements +------------ +- update addresses of B.root-servers.net (!1478) +- tweak the default run_dir on non-Linux (!1481) + +Bugfixes +-------- +- fix potential SERVFAIL deadlocks if net.ipv6 = false (#880) +- fix validation of RRsets around 64 KiB size; needs libknot >= 3.4 (!1497) + + +Knot Resolver 6.0.5 (2024-01-09) +================================ + +6.0.x are "early access" versions, +not generally recommended for production use. + +6.0 contains biggest changes in the history of Knot Resolver releases. +You will have to rewrite your configuration. See documentation, in particular: +https://knot.pages.nic.cz/knot-resolver/upgrading-to-6.html + + + + +5.x branch longterm support +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Knot Resolver 5.7.2 (2024-0m-dd) + ================================ + + Bugfixes + -------- + - fix on 32-bit systems with 64-bit time_t (!1510) + Knot Resolver 5.7.1 (2024-02-13) ================================ diff --cc daemon/proxyv2.c index f796aad80,aedbb91a7..73eb57690 --- a/daemon/proxyv2.c +++ b/daemon/proxyv2.c @@@ -136,20 -138,20 +136,20 @@@ bool proxy_allowed(const struct sockadd size_t addr_size; switch (saddr->sa_family) { case AF_INET: - if (net->proxy_all4) + if (the_network->proxy_all4) return true; - trie = net->proxy_addrs4; + trie = the_network->proxy_addrs4; addr_size = sizeof(addr.ip4); - addr.ip4 = ((struct sockaddr_in *) saddr)->sin_addr; + addr.ip4 = ((struct sockaddr_in *)saddr)->sin_addr; break; case AF_INET6: - if (net->proxy_all6) + if (the_network->proxy_all6) return true; - trie = net->proxy_addrs6; + trie = the_network->proxy_addrs6; addr_size = sizeof(addr.ip6); - addr.ip6 = ((struct sockaddr_in6 *) saddr)->sin6_addr; + addr.ip6 = ((struct sockaddr_in6 *)saddr)->sin6_addr; break; default: kr_assert(false); // Only IPv4 and IPv6 proxy addresses supported @@@ -164,10 -166,10 +164,10 @@@ kr_assert(val); const struct net_proxy_data *found = *val; kr_assert(found); - return kr_bitcmp((char *) &addr, (char *) 
&found->addr, found->netmask) == 0; + return kr_bitcmp((char *)&addr, (char *)&found->addr, found->netmask) == 0; } -ssize_t proxy_process_header(struct proxy_result *out, struct session *s, +ssize_t proxy_process_header(struct proxy_result *out, const void *buf, const ssize_t nread) { if (!buf) diff --cc daemon/proxyv2.h index c18e71ce3,fdee12635..a21f14b1e --- a/daemon/proxyv2.h +++ b/daemon/proxyv2.h @@@ -6,9 -6,11 +6,8 @@@ #include - #include "daemon/session2.h" #include "lib/utils.h" -struct network; -struct session; - extern const char PROXY2_SIGNATURE[12]; #define PROXY2_MIN_SIZE 16
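Review bot: the NEWS hunk still carries the placeholder date "2024-0m-dd" in both the "Knot Resolver 6.0.7" and "Knot Resolver 5.7.2" headings; fill these in before the v6.0.7 tag is cut. The new entry "fix on 32-bit systems with 64-bit time_t (!1510)" is added to both branches but names no symptom; a few words on what actually misbehaved (which subsystem, what the user saw) would make the changelog useful to operators deciding whether to upgrade.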
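Review bot: in the proxy_allowed hunk the `default:` branch of the `switch (saddr->sa_family)` only runs `kr_assert(false); // Only IPv4 and IPv6 proxy addresses supported` and then falls out of the switch, while `size_t addr_size;` at the top of the hunk is declared without an initializer and `trie` is only assigned inside the AF_INET and AF_INET6 cases. If kr_assert does not abort in every build configuration, the trie lookup that follows runs on unset values; an explicit `return false;` after the assert keeps an unsupported address family from ever being treated as a permitted proxy source. The merge resolution itself (`net->` to `the_network->`, plus the `(struct sockaddr_in *)saddr` cast spacing from master) looks consistent across both cases.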
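Review bot: the new `proxy_process_header(struct proxy_result *out, const void *buf, const ssize_t nread)` signature drops the `struct session *s` argument, and the only guard visible at the top of the body is `if (!buf)`. Since `nread` is a signed `ssize_t`, a negative value from a failed read, or a short read below PROXY2_MIN_SIZE (16, per the header hunk), should be rejected up front before the 12-byte PROXY2_SIGNATURE is compared; consider `if (!buf || nread < PROXY2_MIN_SIZE)` as the first check so callers that no longer have a session to consult cannot hand over an undersized buffer.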
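Review bot: the proxyv2.h hunk removes `#include "daemon/session2.h"` and the forward declarations `struct network;` and `struct session;`, which matches the .c side now that proxy_process_header no longer takes a session and proxy_allowed uses the global `the_network`. Only the include and forward-declaration lines are in the hunk, though; confirm that the header's prototype for proxy_process_header was updated to the three-argument form, otherwise the declaration and definition diverge and the build fails.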