[Unbound-users] unbound 1.4.14 release

W.C.A. Wijngaards wouter at NLnetLabs.nl
Mon Dec 19 11:27:13 UTC 2011



Unbound 1.4.14 is released, get it here:
sha1 1435029abe63d0106213acb9f173b885183cf1d7
sha256 c15b85145e3175f3d933837071b4ffaae8da4a394139ac0e7f3dfee11712e7d3

It contains a patch for VU#209659 CVE-2011-4528: Unbound denial of
service vulnerabilities from nonstandard redirection and denial of
existence.  http://www.unbound.net/downloads/CVE-2011-4528.txt

Therefore, 1.4.14 does not equal 1.4.14rc1, it has code changes (this
patch and some other fixes found during the review process).

Major changes are a new BSD-compatible makefile (with BSD-make).
SSL-wrapped query support (for dnssec-trigger, passing firewalls, it
does *not* check the actual SSL certificate at this time).

It stores timeouts per-zonename, for compatibility with servers that
drop out-of-served-zone queries.  It attempts EDNS1480 (or 12xx on
ip6) probes in case EDNS0 fails, to work around fragmentation issues
more easily.

-   Makefile changed for BSD make compatibility.
-   dns over ssl support as a client, ssl-upstream yes turns it on. It performs an SSL transaction for every DNS query.
-   dns over ssl support as a server, ssl-service-pem and ssl-service-key files can be given and then TCP queries are serviced wrapped in SSL.
-   lame-ttl and lame-size options no longer exist, it is integrated with the host info. They are ignored (with verbose warning) if encountered to keep the config file backwards compatible.
-   TCP-upstream calculates tcp-ping so server selection works if there are alternatives.
-   Unbound probes at EDNS1480 if there is an EDNS0 timeout.

Bug Fixes
-   Fix for VU#209659 CVE-2011-4528: Unbound denial of service vulnerabilities from nonstandard redirection and denial of existence.
-   Fix for tcp-upstream and ssl-upstream for when a laptop sleeps, which causes SERVFAILs. Also fixed for UDP (but less likely).
-   Fix quartile time estimate, it was too low (thanks Jan Komissar).
-   Fix double free in unbound-host, reported by Steve Grubb.
-   Fix -flto detection on Lion for llvm-gcc.
-   [bugzilla: 416] Infra cache stores information about ping and lameness per IP, zone.
-   [bugzilla: 415] Fix resolve of partners.extranet.microsoft.com with a fix for the server selection for choosing out of a (particular) list of bad choices.
-   Fix make_new_space function so that the incoming query is not overwritten if a jostled out query causes a waiting query to be resumed that then fails and sends an error message. (Thanks to Matthew
-   Fix unbound-anchor for broken strptime on OSX Lion, detected in
-   Detect if GOST really works, openssl1.0 on OSX fails.
-   Implement ipv6%interface notation for scope_id usage.
-   Better documentation for inform_super (thanks Yang Zhe).
-   Fix for out-of-memory condition in libunbound (thanks Robert
-   Fix --enable-allsymbols, it depended on link specifics of the target platform, or fptr_wlist assertion failures could occur. The feature is disabled on Windows.
-   Updated contrib/unbound_munin_ to family=auto so that it works with munin-node-configure automatically (if installed as /usr/local/share/munin/plugins/unbound_munin_).
-   unbound.exe -w windows option for start and stop service.
-   Fix classification of NS set in answer section, where there is a parent-child server, and the answer has the AA flag for dir.slb.com. Thanks to Amanda Constant from Secure64.
-   [bugzilla: 408] Accept patch from Steve Snyder that comments out unused functions in lookup3.c.
-   Fix various compiler warnings (reported by Paul Wouters).
-   Max sent count. EDNS1480 only for rtt < 5000. No promiscuous fetch if sentcount > 3, stop query if sentcount > 16. Count is reset when referral or CNAME happens. This makes unbound better at managing large NS sets, they are explored when there is continued interest (in the form of queries).
-   Remove uninit warning from cachedump code.
-   Fix parse error on negative SOA RRSIGs if badly ordered in the packet.
-   Fix infra cache comparison.
-   Fix to constrain signer_name to be a parent of the lookupname.
-   Robust checks for next-closer NSEC3s.
-   IANA portlist updated.

Best regards,
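The announcement publishes a sha1 and a sha256 digest for the 1.4.14 tarball so that a downloaded copy can be checked before it is built. The script below is an added example, not part of the announcement or of the Unbound project: it streams a file through both hash functions, compares each result against the published value with a constant-time comparison, and reports per-algorithm matches. The `ANNOUNCED` values are copied from the announcement above; the demo functions write a small constructed sample file (the bytes `hello\n`, whose digests are well known) because the real tarball is not available offline. Of the two digests, sha256 is the one to rely on; sha1 is kept only because the announcement lists it.

```python
import hashlib
import hmac
import os
import tempfile

# Digests exactly as published in the 1.4.14 announcement (from the page).
ANNOUNCED = {
    "sha1": "1435029abe63d0106213acb9f173b885183cf1d7",
    "sha256": "c15b85145e3175f3d933837071b4ffaae8da4a394139ac0e7f3dfee11712e7d3",
}


def file_digests(path, algorithms=("sha1", "sha256"), chunk_size=1 << 16):
    """Hash a file once, feeding every requested algorithm from the same read."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_release(path, expected):
    """Return {algorithm: bool}; True where the file matches the published digest.

    hmac.compare_digest avoids leaking how many leading characters matched,
    which is a harmless habit to keep even for public checksums.
    """
    actual = file_digests(path, tuple(expected))
    return {
        name: hmac.compare_digest(actual[name], expected[name].lower())
        for name in expected
    }


def _write_sample(data):
    """Write constructed sample bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp(prefix="unbound-sample-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


# Known digests of the constructed sample b"hello\n" (standard test vectors).
SAMPLE_DIGESTS = {
    "sha1": "f572d396fae9206628714fb2ce00f72e94f2258f",
    "sha256": "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03",
}


def demo_intact_sample():
    """Verify an untouched constructed sample: every algorithm should match."""
    path = _write_sample(b"hello\n")
    try:
        return verify_release(path, SAMPLE_DIGESTS)
    finally:
        os.unlink(path)


def demo_tampered_sample():
    """Verify a sample with one byte flipped: every algorithm should fail."""
    path = _write_sample(b"hellp\n")
    try:
        return verify_release(path, SAMPLE_DIGESTS)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    import sys
    # Usage: python verify_unbound.py unbound-1.4.14.tar.gz
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        print("intact sample:  ", demo_intact_sample())
        print("tampered sample:", demo_tampered_sample())
    else:
        results = verify_release(target, ANNOUNCED)
        for name, ok in results.items():
            print(f"{name}: {'OK' if ok else 'MISMATCH'}")
        sys.exit(0 if all(results.values()) else 1)
```

Run with the tarball path as the only argument to check it against the announced digests; with no argument it exercises the two constructed samples. The exit status makes it usable in a build script that should stop when either digest fails to match.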

