Unbound 1.9.6rc1 pre-release

Yuri yvoinov at gmail.com
Thu Dec 5 19:29:55 UTC 2019


Built and running well on Solaris.

05.12.2019 17:24, Wouter Wijngaards via Unbound-users пишет:
> Hi,
>
> Unbound 1.9.6rc1 pre-release is available:
> https://nlnetlabs.nl/downloads/unbound/unbound-1.9.6rc1.tar.gz
> sha256 7e8a5e8856158d646504a853201bebfb389bb84e627a0a3362ba71f0c909ad79
> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.9.6rc1.tar.gz.asc
>
>
> This release contains a number of security related fixes, contributed by
> X41 D-Sec.  They have conducted a security audit of Unbound, funded by
> OSTIF.  The previous CVEs fixed in 1.9.4 and 1.9.5 were the most
> important ones, less important fixes and side findings for more robust
> code have been included in this release, alongside a normal number of
> bug fixes.
>
> The sort order for included config snippets is not ascending by name, it
> previously was reversed due to an oversight.  Most config snippets do
> not depend on the order as they add a stub or forward zone or some
> server: section config entries.
>
>
> Features:
> - The unbound.conf includes are sorted ascending, for include
>   statements with a '*' from glob.
> - drop-tld.diff in contrib/ : adds option drop-tld: yesno that drops 2 label
>   queries, to stop random floods.  Apply with
>   patch -p1 < contrib/drop-tld.diff and compile.
>   From Saksham Manchanda (Secure64).  Please note that we think this
>   will drop DNSKEY and DS lookups for tlds and hence break DNSSEC
>   lookups for downstream clients.
> - Add new configure option `--enable-fully-static` to enable full static
>   build if requested; in relation to #91.
> - Add make distclean that removes everything configure produced,
>   and make maintainer-clean that removes bison and flex output.
> - unbound-fuzzers.tar.bz2 in contrib/ : three programs for fuzzing, that
> are 1:1
>   replacements for unbound-fuzzme.c that gets created after applying
>   the contrib/unbound-fuzzme.patch.  They are contributed by
>   Eric Sesterhenn from X41 D-Sec.
>
> Bug Fixes:
> - Fix that pkg-config is setup before --enable-systemd needs it.
> - Fix contrib/fastrpz.patch asprintf return value checks.
> - ipset module #28: log that an address is added, when verbosity high.
> - ipset: refactor long routine into three smaller ones.
> - updated Makefile dependencies.
> - squelch DNS over TLS errors 'ssl handshake failed crypto error'
>   on low verbosity, they show on verbosity 3 (query details), because
>   there is a high volume and the operator cannot do anything for the
>   remote failure.  Specifically filters the high volume errors.
> - Fix #71: fix openssl error squelch commit compilation error.
> - Fix #72: configure --with-syslog-facility=LOCAL0-7 with default
>   LOG_DAEMON (as before) can set the syslog facility that the server
>   uses to log messages.
> - Use explicit bzero for wiping clear buffer of hash in cachedb,
>   reported by Eric Sesterhenn from X41 D-Sec.
> - Fix #78: Memory leak in outside_network.c.
> - Merge pull request #76 from Maryse47: Improvements and fixes for
>   systemd unbound.service.
> - oss-fuzz badge on README.md.
> - Fix fix for #78 to also free service callback struct.
> - Fix for oss-fuzz build warning.
> - Fix wrong response ttl for prepended short CNAME ttls, this would
>   create a wrong zero_ttl response count with serve-expired enabled.
> - Merge #80 from stasic: Improve wording in man page.
> - Merge #82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW
>   in unbound.service.
> - Merge #81 from Maryse47: Consistently use /dev/urandom instead
>   of /dev/random in scripts and docs.
> - Merge #83 from Maryse47: contrib/unbound.service.in: do not fork
>   into the background.
> - Merge #85 for #84 from sam-lunt: Add kill capability to systemd
>   service file to fix that systemctl reload fails.
> - Merge #87 from hardfalcon: Fix contrib/unbound.service.in,
>   Drop CAP_KILL, use + prefix for ExecReload= instead.
> - Merge #90 from vcunat: fix build with nettle-3.5.
> - Fix for CVE-2019-16866.  That fix is also in 1.9.4.
> - Merge #86 from psquarejho: Added -b source address option to
>   smallapp/unbound-anchor.c, from Lukas Wunner.
> - Add doxygen comments to unbound-anchor source address code, in #86.
> - Merge #97: manpage: Add missing word on unbound.conf,
>   from Erethon.
> - Fix #99: Memory leak in ub_ctx (event_base will never be freed).
> - Fix #109: check number of arguments for stdin-pipes in
>   unbound-control and fail if too many arguments.
> - Merge #102 from jrtc27: Add getentropy emulation for FreeBSD.
> - iana portlist updated.
> - contrib/fastrpz.patch updated to apply for current code.
> - fixes for splint cleanliness, long vs int in SSL set_mode.
> - In unbound-host use separate variable for get_option to please
>   code checkers.
> - update to bison output of 3.4.1 in code repository.
> - Provide a prototype for compat malloc to remove compile warning.
> - Portable grep usage for reuseport configure test.
> - Check return type of HMAC_Init_ex for openssl 0.9.8.
> - gitignore .source tempfile used for compatible make.
> - Fix for CVE-2019-18934, shell execution in ipsecmod.  This fix is also
> in 1.9.5.
> - Fix authzone printout buffer length check.
> - Fixes to please lint checks.
> - Fix Integer Overflow in Regional Allocator,
>   reported by X41 D-Sec.
> - Fix Unchecked NULL Pointer in dns64_inform_super()
>   and ipsecmod_new(), reported by X41 D-Sec.
> - Fix Out-of-bounds Read in rr_comment_dnskey(),
>   reported by X41 D-Sec.
> - Fix Integer Overflows in Size Calculations,
>   reported by X41 D-Sec.
> - Fix Integer Overflow to Buffer Overflow in
>   sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
> - Fix Out of Bounds Read in sldns_str2wire_dname(),
>   reported by X41 D-Sec.
> - Fix Out of Bounds Write in sldns_bget_token_par(),
>   reported by X41 D-Sec.
> - Fix Out of Bounds Read in rrinternal_get_owner(),
>   reported by X41 D-Sec.
> - Fix Race Condition in autr_tp_create(),
>   reported by X41 D-Sec.
> - Fix Shared Memory World Writeable,
>   reported by X41 D-Sec.
> - Adjust unbound-control to make stats_shm a read only operation.
> - Fix Weak Entropy Used For Nettle,
>   reported by X41 D-Sec.
> - Fix Randomness Error not Handled Properly,
>   reported by X41 D-Sec.
> - Fix Out-of-Bounds Read in dname_valid(),
>   reported by X41 D-Sec.
> - Fix Config Injection in create_unbound_ad_servers.sh,
>   reported by X41 D-Sec.
> - Fix Local Memory Leak in cachedb_init(),
>   reported by X41 D-Sec.
> - Fix Integer Underflow in Regional Allocator,
>   reported by X41 D-Sec.
> - Upgrade compat/getentropy_linux.c to version 1.46 from OpenBSD.
> - Synchronize compat/getentropy_win.c with version 1.5 from
>   OpenBSD, no changes but makes the file, comments, identical.
> - Upgrade compat/getentropy_solaris.c to version 1.13 from OpenBSD.
> - Upgrade compat/getentropy_osx.c to version 1.12 from OpenBSD.
> - Changes to compat/getentropy files for,
>   no link to openssl if using nettle, and hence config.h for
>   HAVE_NETTLE variable.
>   compat definition of MAP_ANON, for older systems.
>   ifdef stdint.h inclusion for older systems.
>   ifdef sha2.h inclusion for older systems.
> - Fixed Compat Code Diverging from Upstream, reported by X41 D-Sec.
> - Fix compile with --enable-alloc-checks, reported by X41 D-Sec.
> - Fix Terminating Quotes not Written, reported by X41 D-Sec.
> - Fix Useless memset() in validator, reported by X41 D-Sec.
> - Fix Unrequired Checks, reported by X41 D-Sec.
> - Fix Enum Name not Used, reported by X41 D-Sec.
> - Fix NULL Pointer Dereference via Control Port,
>   reported by X41 D-Sec.
> - Fix Bad Randomness in Seed, reported by X41 D-Sec.
> - Fix python examples/calc.py for eval, reported by X41 D-Sec.
> - Fix comments for doxygen in dns64.
> - Fix dname loop maximum, reported by Eric Sesterhenn from X41 D-Sec.
> - Fix compiler warnings.
> - Merge pull request #122 from he32: In tcp_callback_writer(),
>   don't disable time-out when changing to read.
> - Merge pull request #124 from rmetrich: Changed log lock
>   from 'quick' to 'basic' because this is an I/O lock.
> - Fix text around serial arithmatic used for RRSIG times to refer
>   to correct RFC number.
> - Fix Assert Causing DoS in synth_cname(),
>   reported by X41 D-Sec.
> - Fix similar code in auth_zone synth cname to add the extra checks.
> - Fix Assert Causing DoS in dname_pkt_copy(),
>   reported by X41 D-Sec.
> - Fix OOB Read in sldns_wire2str_dname_scan(),
>   reported by X41 D-Sec.
> - Fix Out of Bounds Write in sldns_str2wire_str_buf(),
>   reported by X41 D-Sec.
> - Fix Out of Bounds Write in sldns_b64_pton(),
>   fixed by check in sldns_str2wire_int16_data_buf(),
>   reported by X41 D-Sec.
> - Fix Insufficient Handling of Compressed Names in dname_pkt_copy(),
>   reported by X41 D-Sec.
> - Fix Out of Bound Write Compressed Names in rdata_copy(),
>   reported by X41 D-Sec.
> - Fix Hang in sldns_wire2str_pkt_scan(),
>   reported by X41 D-Sec.
>   This further lowers the max to 256.
> - Fix snprintf() supports the n-specifier,
>   reported by X41 D-Sec.
> - Fix Bad Indentation, in dnscrypt.c,
>   reported by X41 D-Sec.
> - Fix Client NONCE Generation used for Server NONCE,
>   reported by X41 D-Sec.
> - Fix compile error in dnscrypt.
> - Fix _vfixed not Used, removed from sbuffer code,
>   reported by X41 D-Sec.
> - Fix Hardcoded Constant, reported by X41 D-Sec.
> - make depend
> - Fix lock type for memory purify log lock deletion.
> - Fix testbound for alloccheck runs, memory purify and lock checks.
> - update contrib/fastrpz.patch to apply more cleanly.
> - Fix Make Test Fails when Configured With --enable-alloc-nonregional,
>   reported by X41 D-Sec.
>
>
> Best regards, Wouter
>
-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20191206/01405594/attachment.bin>


More information about the Unbound-users mailing list