Unbound 1.9.6 release

Yuri yvoinov at gmail.com
Thu Dec 12 15:15:49 UTC 2019


Fixed.

Got compat/getentropy_solaris.c from 1.9.5 and built successfully.

Seems updated file broken on SPARC (two x86 Solaris 10 boxes updated
successfully).

12.12.2019 20:50, Yuri пишет:
> Failed to build on Solaris 10 SPARC:
>
> Undefined                       first referenced
>  symbol                             in file
> dl_iterate_phdr                    
> /patch/tmp3/unbound-1.9.6/.libs/libunbound.so
> ld: fatal: symbol referencing errors. No output written to
> .libs/unbound-host
> collect2: error: ld returned 1 exit status
> Undefined                       first referenced
>  symbol                             in file
> dl_iterate_phdr                     .libs/getentropy_solaris.o
> ld: fatal: symbol referencing errors. No output written to
> .libs/unbound-anchor
> collect2: error: ld returned 1 exit status
> gmake: *** [Makefile:339: unbound-host] Error 1
> gmake: *** Waiting for unfinished jobs....
> gmake: *** [Makefile:342: unbound-anchor] Error 1
>
> Same configuration for 1.9.5 built ok.
>
> 12.12.2019 17:35, Ralph Dolmans via Unbound-users пишет:
>> Hi,
>>
>> Unbound 1.9.6 release is available:
>> https://nlnetlabs.nl/downloads/unbound/unbound-1.9.6.tar.gz
>> sha256 1d98fc6ea99197a20b4a0e540e87022cf523085786e0fc26de6ebb2720f5aaf0
>> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.9.6.tar.gz.asc
>>
>>
>> This release contains a number of security related fixes, contributed by
>> X41 D-Sec. They have conducted a security audit of Unbound, funded by
>> OSTIF. The previous CVEs fixed in 1.9.4 and 1.9.5 were the most
>> important ones, less important fixes and side findings for more robust
>> code have been included in this release, alongside a normal number of
>> bug fixes.
>>
>> The sort order for included config snippets is now ascending by name, it
>> previously was reversed due to an oversight.  Most config snippets do
>> not depend on the order as they add a stub or forward zone or some
>> server: section config entries.
>>
>>
>> Features:
>> - The unbound.conf includes are sorted ascending, for include
>>   statements with a '*' from glob.
>> - drop-tld.diff in contrib/ : adds option drop-tld: yesno that drops 2 label
>>   queries, to stop random floods.  Apply with
>>   patch -p1 < contrib/drop-tld.diff and compile.
>>   From Saksham Manchanda (Secure64).  Please note that we think this
>>   will drop DNSKEY and DS lookups for tlds and hence break DNSSEC
>>   lookups for downstream clients.
>> - Add new configure option `--enable-fully-static` to enable full static
>>   build if requested; in relation to #91.
>> - Add make distclean that removes everything configure produced,
>>   and make maintainer-clean that removes bison and flex output.
>> - unbound-fuzzers.tar.bz2 in contrib/ : three programs for fuzzing, that
>> are 1:1
>>   replacements for unbound-fuzzme.c that gets created after applying
>>   the contrib/unbound-fuzzme.patch.  They are contributed by
>>   Eric Sesterhenn from X41 D-Sec.
>>
>> Bug Fixes:
>> - Fix that pkg-config is setup before --enable-systemd needs it.
>> - Fix contrib/fastrpz.patch asprintf return value checks.
>> - ipset module #28: log that an address is added, when verbosity high.
>> - ipset: refactor long routine into three smaller ones.
>> - updated Makefile dependencies.
>> - squelch DNS over TLS errors 'ssl handshake failed crypto error'
>>   on low verbosity, they show on verbosity 3 (query details), because
>>   there is a high volume and the operator cannot do anything for the
>>   remote failure.  Specifically filters the high volume errors.
>> - Fix #71: fix openssl error squelch commit compilation error.
>> - Fix #72: configure --with-syslog-facility=LOCAL0-7 with default
>>   LOG_DAEMON (as before) can set the syslog facility that the server
>>   uses to log messages.
>> - Use explicit bzero for wiping clear buffer of hash in cachedb,
>>   reported by Eric Sesterhenn from X41 D-Sec.
>> - Fix #78: Memory leak in outside_network.c.
>> - Merge pull request #76 from Maryse47: Improvements and fixes for
>>   systemd unbound.service.
>> - oss-fuzz badge on README.md.
>> - Fix fix for #78 to also free service callback struct.
>> - Fix for oss-fuzz build warning.
>> - Fix wrong response ttl for prepended short CNAME ttls, this would
>>   create a wrong zero_ttl response count with serve-expired enabled.
>> - Merge #80 from stasic: Improve wording in man page.
>> - Merge #82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW
>>   in unbound.service.
>> - Merge #81 from Maryse47: Consistently use /dev/urandom instead
>>   of /dev/random in scripts and docs.
>> - Merge #83 from Maryse47: contrib/unbound.service.in: do not fork
>>   into the background.
>> - Merge #85 for #84 from sam-lunt: Add kill capability to systemd
>>   service file to fix that systemctl reload fails.
>> - Merge #87 from hardfalcon: Fix contrib/unbound.service.in,
>>   Drop CAP_KILL, use + prefix for ExecReload= instead.
>> - Merge #90 from vcunat: fix build with nettle-3.5.
>> - Fix for CVE-2019-16866.  That fix is also in 1.9.4.
>> - Merge #86 from psquarejho: Added -b source address option to
>>   smallapp/unbound-anchor.c, from Lukas Wunner.
>> - Add doxygen comments to unbound-anchor source address code, in #86.
>> - Merge #97: manpage: Add missing word on unbound.conf,
>>   from Erethon.
>> - Fix #99: Memory leak in ub_ctx (event_base will never be freed).
>> - Fix #109: check number of arguments for stdin-pipes in
>>   unbound-control and fail if too many arguments.
>> - Merge #102 from jrtc27: Add getentropy emulation for FreeBSD.
>> - iana portlist updated.
>> - contrib/fastrpz.patch updated to apply for current code.
>> - fixes for splint cleanliness, long vs int in SSL set_mode.
>> - In unbound-host use separate variable for get_option to please
>>   code checkers.
>> - update to bison output of 3.4.1 in code repository.
>> - Provide a prototype for compat malloc to remove compile warning.
>> - Portable grep usage for reuseport configure test.
>> - Check return type of HMAC_Init_ex for openssl 0.9.8.
>> - gitignore .source tempfile used for compatible make.
>> - Fix for CVE-2019-18934, shell execution in ipsecmod.  This fix is also
>> in 1.9.5.
>> - Fix authzone printout buffer length check.
>> - Fixes to please lint checks.
>> - Fix Integer Overflow in Regional Allocator,
>>   reported by X41 D-Sec.
>> - Fix Unchecked NULL Pointer in dns64_inform_super()
>>   and ipsecmod_new(), reported by X41 D-Sec.
>> - Fix Out-of-bounds Read in rr_comment_dnskey(),
>>   reported by X41 D-Sec.
>> - Fix Integer Overflows in Size Calculations,
>>   reported by X41 D-Sec.
>> - Fix Integer Overflow to Buffer Overflow in
>>   sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
>> - Fix Out of Bounds Read in sldns_str2wire_dname(),
>>   reported by X41 D-Sec.
>> - Fix Out of Bounds Write in sldns_bget_token_par(),
>>   reported by X41 D-Sec.
>> - Fix Out of Bounds Read in rrinternal_get_owner(),
>>   reported by X41 D-Sec.
>> - Fix Race Condition in autr_tp_create(),
>>   reported by X41 D-Sec.
>> - Fix Shared Memory World Writeable,
>>   reported by X41 D-Sec.
>> - Adjust unbound-control to make stats_shm a read only operation.
>> - Fix Weak Entropy Used For Nettle,
>>   reported by X41 D-Sec.
>> - Fix Randomness Error not Handled Properly,
>>   reported by X41 D-Sec.
>> - Fix Out-of-Bounds Read in dname_valid(),
>>   reported by X41 D-Sec.
>> - Fix Config Injection in create_unbound_ad_servers.sh,
>>   reported by X41 D-Sec.
>> - Fix Local Memory Leak in cachedb_init(),
>>   reported by X41 D-Sec.
>> - Fix Integer Underflow in Regional Allocator,
>>   reported by X41 D-Sec.
>> - Upgrade compat/getentropy_linux.c to version 1.46 from OpenBSD.
>> - Synchronize compat/getentropy_win.c with version 1.5 from
>>   OpenBSD, no changes but makes the file, comments, identical.
>> - Upgrade compat/getentropy_solaris.c to version 1.13 from OpenBSD.
>> - Upgrade compat/getentropy_osx.c to version 1.12 from OpenBSD.
>> - Changes to compat/getentropy files for,
>>   no link to openssl if using nettle, and hence config.h for
>>   HAVE_NETTLE variable.
>>   compat definition of MAP_ANON, for older systems.
>>   ifdef stdint.h inclusion for older systems.
>>   ifdef sha2.h inclusion for older systems.
>> - Fixed Compat Code Diverging from Upstream, reported by X41 D-Sec.
>> - Fix compile with --enable-alloc-checks, reported by X41 D-Sec.
>> - Fix Terminating Quotes not Written, reported by X41 D-Sec.
>> - Fix Useless memset() in validator, reported by X41 D-Sec.
>> - Fix Unrequired Checks, reported by X41 D-Sec.
>> - Fix Enum Name not Used, reported by X41 D-Sec.
>> - Fix NULL Pointer Dereference via Control Port,
>>   reported by X41 D-Sec.
>> - Fix Bad Randomness in Seed, reported by X41 D-Sec.
>> - Fix python examples/calc.py for eval, reported by X41 D-Sec.
>> - Fix comments for doxygen in dns64.
>> - Fix dname loop maximum, reported by Eric Sesterhenn from X41 D-Sec.
>> - Fix compiler warnings.
>> - Merge pull request #122 from he32: In tcp_callback_writer(),
>>   don't disable time-out when changing to read.
>> - Merge pull request #124 from rmetrich: Changed log lock
>>   from 'quick' to 'basic' because this is an I/O lock.
>> - Fix text around serial arithmatic used for RRSIG times to refer
>>   to correct RFC number.
>> - Fix Assert Causing DoS in synth_cname(),
>>   reported by X41 D-Sec.
>> - Fix similar code in auth_zone synth cname to add the extra checks.
>> - Fix Assert Causing DoS in dname_pkt_copy(),
>>   reported by X41 D-Sec.
>> - Fix OOB Read in sldns_wire2str_dname_scan(),
>>   reported by X41 D-Sec.
>> - Fix Out of Bounds Write in sldns_str2wire_str_buf(),
>>   reported by X41 D-Sec.
>> - Fix Out of Bounds Write in sldns_b64_pton(),
>>   fixed by check in sldns_str2wire_int16_data_buf(),
>>   reported by X41 D-Sec.
>> - Fix Insufficient Handling of Compressed Names in dname_pkt_copy(),
>>   reported by X41 D-Sec.
>> - Fix Out of Bound Write Compressed Names in rdata_copy(),
>>   reported by X41 D-Sec.
>> - Fix Hang in sldns_wire2str_pkt_scan(),
>>   reported by X41 D-Sec.
>>   This further lowers the max to 256.
>> - Fix snprintf() supports the n-specifier,
>>   reported by X41 D-Sec.
>> - Fix Bad Indentation, in dnscrypt.c,
>>   reported by X41 D-Sec.
>> - Fix Client NONCE Generation used for Server NONCE,
>>   reported by X41 D-Sec.
>> - Fix compile error in dnscrypt.
>> - Fix _vfixed not Used, removed from sbuffer code,
>>   reported by X41 D-Sec.
>> - Fix Hardcoded Constant, reported by X41 D-Sec.
>> - make depend
>> - Fix lock type for memory purify log lock deletion.
>> - Fix testbound for alloccheck runs, memory purify and lock checks.
>> - update contrib/fastrpz.patch to apply more cleanly.
>> - Fix Make Test Fails when Configured With --enable-alloc-nonregional,
>>   reported by X41 D-Sec.
>> - Fix ipsecmod compile
>> - Fix Makefile.in for ipset module compile, from Adi Prasaja.
>>
>> Regards,
>> -- Ralph

-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20191212/ccad27a8/attachment.bin>


More information about the Unbound-users mailing list