Unbound 1.13.0 released
Yuri
yvoinov at gmail.com
Thu Dec 3 13:01:34 UTC 2020
Well, built on first server. Runs ok.
Later will deploy on two others. )
03.12.2020 15:11, Wouter Wijngaards via Unbound-users пишет:
> Hi,
>
> Unbound 1.13.0 is available:
> https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0.tar.gz
> sha256 a954043a95b0326ca4037e50dace1f3a207a0a19e9a4a22f4c6718fc623db2a1
> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0.tar.gz.asc
>
>
> This version has fixes to connect for UDP sockets, slowing down
> potential ICMP side channel leakage. The fix can be controlled with the
> option udp-connect: yes, it is enabled by default.
>
> Additionally CVE-2020-28935 is fixed, this solves a problem where the
> pidfile is altered by a symlink, and fails if a symlink is encountered.
> See https://nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt for more
> information.
>
> New features are upstream TCP and TLS query reuse, where a channel is
> reused for several queries. And http-notls-downstream: yesno for
> unencrypted DoH, useful for back end support servers. The option
> infra-keep-probing can be used to probe hosts that are down more
> frequently.
>
> The options edns-client-string and edns-client-string-opcode can be used
> to add an EDNS option with the specified string in queries towards
> servers, with the servers specified by IP address. It replaces the
> edns-client-tag option.
>
> The released version equals the 1.13.0rc4 with an added fix for stream
> reuse and tcp fast open.
>
> Features
> - Pass the comm_reply information to the inplace_cb_reply* functions
> during the mesh state and update the documentation on that.
> - Fix #330: [Feature request] Add unencrypted DNS over HTTPS support.
> This adds the option http-notls-downstream: yesno to change that,
> and the dohclient test code has the -n option.
> - Merge PR #228 : infra-keep-probing option to probe hosts that are
> down. Add infra-keep-probing: yes option. Hosts that are down are
> probed more frequently.
> With the option turned on, it probes about every 120 seconds,
> eventually after exponential backoff, and that keeps that way. If
> traffic keeps up for the domain. It probes with one at a time, eg.
> one query is allowed to probe, other queries within that 120 second
> interval are turned away.
> - Merge PR #313 from Ralph Dolmans: Replace edns-client-tag with
> edns-client-string option.
> - Merge PR #283 : Stream reuse. This implements upstream stream
> reuse for performing several queries over the same TCP or TLS
> channel.
> - Fix to connect() to UDP destinations, default turned on,
> this lowers vulnerability to ICMP side channels.
> Option to toggle udp-connect, default is enabled.
>
> Bug Fixes
> - Fix #319: potential memory leak on config failure, in rpz config.
> - Fix dnstap socket and the chroot not applied properly to the dnstap
> socket path.
> - Fix warning in libnss compile, nss_buf2dsa is not used without DSA.
> - Fix #323: unbound testsuite fails on mock build in systemd-nspawn
> if systemd support is build.
> - Fix for python reply callback to see mesh state reply_list member,
> it only removes it briefly for the commpoint call so that it does
> not drop it and attempt to modify the reply list during reply.
> - Fix that if there are on reply callbacks, those are called per
> reply and a new message created if that was modified by the call.
> - Free up auth zone parse region after use for lookup of host
> - Merge PR #326 from netblue30: DoH: implement content-length
> header field.
> - DoH content length, simplify code, remove declaration after
> statement and fix cast warning.
> - Fix that if there are reply callbacks for the given rcode, those
> are called per reply and a new message created if that was modified
> by the call.
> - Fix that the out of order TCP processing does not limit the
> number of outstanding queries over a connection.
> - Fix python documentation warning on functions.rst inplace_cb_reply.
> - Log ip address when http session recv fails, eg. due to tls fail.
> - Fix to set the tcp handler event toggle flag back to default when
> the handler structure is reused.
> - Clean the fix for out of order TCP processing limits on number
> of queries. It was tested to work.
> - Fix that http settings have colon in set_option, for
> http-endpoint, http-max-streams, http-query-buffer-size,
> http-response-buffer-size, and http-nodelay.
> - Fix memory leak of https port string when reading config.
> - local-zone regional allocations outside of chunk
> - Merge PR #324 from James Renken: Add modern X.509v3 extensions to
> unbound-control TLS certificates.
> - Fix for PR #324 to attach the x509v3 extensions to the client
> certificate.
> - Fix #327: net/if.h check fails on some darwin versions; contribution
> by Joshua Root.
> - Fix #320: potential memory corruption due to size miscomputation upton
> custom region alloc init.
> - Fix #333: Unbound Segmentation Fault w/ log_info Functions From
> Python Mod.
> - Fix that minimal-responses does not remove addresses from a priming
> query response.
> - In man page note that tls-cert-bundle is read before permission
> drop and chroot.
> - Fix #341: fixing a possible memory leak.
> - Fix memory leak after fix for possible memory leak failure.
> - Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX'
> undeclared.
> - Fix for #303 CVE-2020-28935 : Fix that symlink does not interfere
> with chown of pidfile.
> - Fix #347: IP_DONTFRAG broken on Apple xcode 12.2.
> - Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error:
> failed to list interfaces: getifaddrs: Address family not
> supported by protocol.
> - Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket
> address families.
> - iana portlist updated.
> - Fix crash when TLS connection is closed prematurely, when
> reuse tree comparison is not properly identical to insertion.
> - Fix padding of struct regional for 32bit systems.
> - with udp-connect ignore connection refused with UDP timeouts.
> - Fix udp-connect on FreeBSD, do send calls on connected UDP socket.
> - Better fix for reuse tree comparison for is-tls sockets. Where
> the tree key identity is preserved after cleanup of the TLS state.
> - Fix memory leak for edns client tag opcode config element.
> - Attempt fix for libevent state in tcp reuse cases after a packet
> is written.
> - Fix readagain and writeagain callback functions for comm point
> cleanup.
> - Fix to omit UDP receive errors from log, if verbosity low.
> These happen because of udp-connect.
> - For #352: contrib/metrics.awk for Prometheus style metrics output.
> - Fix that after failed read, the readagain cannot activate.
> - Clear readagain upon decommission of pending tcp structure.
> - Fix compile warning for type cast in http2_submit_dns_response.
> - Fix when use free buffer to initialize rbtree for stream reuse.
> - Fix compile warnings for windows.
> - Fix compile warnings in rpz initialization.
> - Fix contrib/metrics.awk for FreeBSD awk compatibility.
> - Fix assertion failure on double callback when iterator loses
> interest in query at head of line that then has the tcp stream
> not kept for reuse.
> - Fix stream reuse and tcp fast open.
>
>
> Best regards, Wouter
>
More information about the Unbound-users
mailing list