Unbound 1.9.6 release

George Thessalonikefs george at nlnetlabs.nl
Tue Jan 7 13:31:55 UTC 2020


Hi Yuri,

Thanks for reporting.
I have reverted the compat/getentropy_solaris.c file to a previous version.
Upon further investigation it seems support for the dl_iterate_phdr()
function is not consistent across architectures for Solaris 10.

The changes are already committed on master.

Best regards,
-- George

On 12/12/2019 17:15, Yuri via Unbound-users wrote:
> Fixed.
> 
> Got compat/getentropy_solaris.c from 1.9.5 and built successfully.
> 
> It seems the updated file is broken on SPARC (two x86 Solaris 10 boxes updated
> successfully).
> 
> 12.12.2019 20:50, Yuri wrote:
>> Failed to build on Solaris 10 SPARC:
>>
>> Undefined                       first referenced
>>  symbol                             in file
>> dl_iterate_phdr                     /patch/tmp3/unbound-1.9.6/.libs/libunbound.so
>> ld: fatal: symbol referencing errors. No output written to .libs/unbound-host
>> collect2: error: ld returned 1 exit status
>> Undefined                       first referenced
>>  symbol                             in file
>> dl_iterate_phdr                     .libs/getentropy_solaris.o
>> ld: fatal: symbol referencing errors. No output written to .libs/unbound-anchor
>> collect2: error: ld returned 1 exit status
>> gmake: *** [Makefile:339: unbound-host] Error 1
>> gmake: *** Waiting for unfinished jobs....
>> gmake: *** [Makefile:342: unbound-anchor] Error 1
>>
>> Same configuration for 1.9.5 built ok.
>>
>> 12.12.2019 17:35, Ralph Dolmans via Unbound-users wrote:
>>> Hi,
>>>
>>> Unbound 1.9.6 release is available:
>>> https://nlnetlabs.nl/downloads/unbound/unbound-1.9.6.tar.gz
>>> sha256 1d98fc6ea99197a20b4a0e540e87022cf523085786e0fc26de6ebb2720f5aaf0
>>> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.9.6.tar.gz.asc
>>>
>>>
>>> This release contains a number of security related fixes, contributed by
>>> X41 D-Sec. They have conducted a security audit of Unbound, funded by
>>> OSTIF. The previous CVEs fixed in 1.9.4 and 1.9.5 were the most
>>> important ones; less important fixes and side findings for more robust
>>> code have been included in this release, alongside a normal number of
>>> bug fixes.
>>>
>>> The sort order for included config snippets is now ascending by name; it
>>> previously was reversed due to an oversight.  Most config snippets do
>>> not depend on the order as they add a stub or forward zone or some
>>> server: section config entries.
>>>
>>>
>>> Features:
>>> - The unbound.conf includes are sorted ascending, for include
>>>   statements with a '*' from glob.
>>> - drop-tld.diff in contrib/ : adds option drop-tld: yesno that drops 2 label
>>>   queries, to stop random floods.  Apply with
>>>   patch -p1 < contrib/drop-tld.diff and compile.
>>>   From Saksham Manchanda (Secure64).  Please note that we think this
>>>   will drop DNSKEY and DS lookups for tlds and hence break DNSSEC
>>>   lookups for downstream clients.
>>> - Add new configure option `--enable-fully-static` to enable full static
>>>   build if requested; in relation to #91.
>>> - Add make distclean that removes everything configure produced,
>>>   and make maintainer-clean that removes bison and flex output.
>>> - unbound-fuzzers.tar.bz2 in contrib/ : three programs for fuzzing, that
>>>   are 1:1 replacements for unbound-fuzzme.c that gets created after applying
>>>   the contrib/unbound-fuzzme.patch.  They are contributed by
>>>   Eric Sesterhenn from X41 D-Sec.
>>>
>>> Bug Fixes:
>>> - Fix that pkg-config is set up before --enable-systemd needs it.
>>> - Fix contrib/fastrpz.patch asprintf return value checks.
>>> - ipset module #28: log that an address is added, when verbosity high.
>>> - ipset: refactor long routine into three smaller ones.
>>> - updated Makefile dependencies.
>>> - squelch DNS over TLS errors 'ssl handshake failed crypto error'
>>>   on low verbosity, they show on verbosity 3 (query details), because
>>>   there is a high volume and the operator cannot do anything for the
>>>   remote failure.  Specifically filters the high volume errors.
>>> - Fix #71: fix openssl error squelch commit compilation error.
>>> - Fix #72: configure --with-syslog-facility=LOCAL0-7 with default
>>>   LOG_DAEMON (as before) can set the syslog facility that the server
>>>   uses to log messages.
>>> - Use explicit bzero for wiping clear buffer of hash in cachedb,
>>>   reported by Eric Sesterhenn from X41 D-Sec.
>>> - Fix #78: Memory leak in outside_network.c.
>>> - Merge pull request #76 from Maryse47: Improvements and fixes for
>>>   systemd unbound.service.
>>> - oss-fuzz badge on README.md.
>>> - Fix fix for #78 to also free service callback struct.
>>> - Fix for oss-fuzz build warning.
>>> - Fix wrong response ttl for prepended short CNAME ttls, this would
>>>   create a wrong zero_ttl response count with serve-expired enabled.
>>> - Merge #80 from stasic: Improve wording in man page.
>>> - Merge #82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW
>>>   in unbound.service.
>>> - Merge #81 from Maryse47: Consistently use /dev/urandom instead
>>>   of /dev/random in scripts and docs.
>>> - Merge #83 from Maryse47: contrib/unbound.service.in: do not fork
>>>   into the background.
>>> - Merge #85 for #84 from sam-lunt: Add kill capability to systemd
>>>   service file to fix that systemctl reload fails.
>>> - Merge #87 from hardfalcon: Fix contrib/unbound.service.in,
>>>   Drop CAP_KILL, use + prefix for ExecReload= instead.
>>> - Merge #90 from vcunat: fix build with nettle-3.5.
>>> - Fix for CVE-2019-16866.  That fix is also in 1.9.4.
>>> - Merge #86 from psquarejho: Added -b source address option to
>>>   smallapp/unbound-anchor.c, from Lukas Wunner.
>>> - Add doxygen comments to unbound-anchor source address code, in #86.
>>> - Merge #97: manpage: Add missing word on unbound.conf,
>>>   from Erethon.
>>> - Fix #99: Memory leak in ub_ctx (event_base will never be freed).
>>> - Fix #109: check number of arguments for stdin-pipes in
>>>   unbound-control and fail if too many arguments.
>>> - Merge #102 from jrtc27: Add getentropy emulation for FreeBSD.
>>> - iana portlist updated.
>>> - contrib/fastrpz.patch updated to apply for current code.
>>> - fixes for splint cleanliness, long vs int in SSL set_mode.
>>> - In unbound-host use separate variable for get_option to please
>>>   code checkers.
>>> - update to bison output of 3.4.1 in code repository.
>>> - Provide a prototype for compat malloc to remove compile warning.
>>> - Portable grep usage for reuseport configure test.
>>> - Check return type of HMAC_Init_ex for openssl 0.9.8.
>>> - gitignore .source tempfile used for compatible make.
>>> - Fix for CVE-2019-18934, shell execution in ipsecmod.  This fix is also
>>>   in 1.9.5.
>>> - Fix authzone printout buffer length check.
>>> - Fixes to please lint checks.
>>> - Fix Integer Overflow in Regional Allocator,
>>>   reported by X41 D-Sec.
>>> - Fix Unchecked NULL Pointer in dns64_inform_super()
>>>   and ipsecmod_new(), reported by X41 D-Sec.
>>> - Fix Out-of-bounds Read in rr_comment_dnskey(),
>>>   reported by X41 D-Sec.
>>> - Fix Integer Overflows in Size Calculations,
>>>   reported by X41 D-Sec.
>>> - Fix Integer Overflow to Buffer Overflow in
>>>   sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
>>> - Fix Out of Bounds Read in sldns_str2wire_dname(),
>>>   reported by X41 D-Sec.
>>> - Fix Out of Bounds Write in sldns_bget_token_par(),
>>>   reported by X41 D-Sec.
>>> - Fix Out of Bounds Read in rrinternal_get_owner(),
>>>   reported by X41 D-Sec.
>>> - Fix Race Condition in autr_tp_create(),
>>>   reported by X41 D-Sec.
>>> - Fix Shared Memory World Writeable,
>>>   reported by X41 D-Sec.
>>> - Adjust unbound-control to make stats_shm a read only operation.
>>> - Fix Weak Entropy Used For Nettle,
>>>   reported by X41 D-Sec.
>>> - Fix Randomness Error not Handled Properly,
>>>   reported by X41 D-Sec.
>>> - Fix Out-of-Bounds Read in dname_valid(),
>>>   reported by X41 D-Sec.
>>> - Fix Config Injection in create_unbound_ad_servers.sh,
>>>   reported by X41 D-Sec.
>>> - Fix Local Memory Leak in cachedb_init(),
>>>   reported by X41 D-Sec.
>>> - Fix Integer Underflow in Regional Allocator,
>>>   reported by X41 D-Sec.
>>> - Upgrade compat/getentropy_linux.c to version 1.46 from OpenBSD.
>>> - Synchronize compat/getentropy_win.c with version 1.5 from
>>>   OpenBSD, no changes but makes the file, comments, identical.
>>> - Upgrade compat/getentropy_solaris.c to version 1.13 from OpenBSD.
>>> - Upgrade compat/getentropy_osx.c to version 1.12 from OpenBSD.
>>> - Changes to compat/getentropy files for,
>>>   no link to openssl if using nettle, and hence config.h for
>>>   HAVE_NETTLE variable.
>>>   compat definition of MAP_ANON, for older systems.
>>>   ifdef stdint.h inclusion for older systems.
>>>   ifdef sha2.h inclusion for older systems.
>>> - Fixed Compat Code Diverging from Upstream, reported by X41 D-Sec.
>>> - Fix compile with --enable-alloc-checks, reported by X41 D-Sec.
>>> - Fix Terminating Quotes not Written, reported by X41 D-Sec.
>>> - Fix Useless memset() in validator, reported by X41 D-Sec.
>>> - Fix Unrequired Checks, reported by X41 D-Sec.
>>> - Fix Enum Name not Used, reported by X41 D-Sec.
>>> - Fix NULL Pointer Dereference via Control Port,
>>>   reported by X41 D-Sec.
>>> - Fix Bad Randomness in Seed, reported by X41 D-Sec.
>>> - Fix python examples/calc.py for eval, reported by X41 D-Sec.
>>> - Fix comments for doxygen in dns64.
>>> - Fix dname loop maximum, reported by Eric Sesterhenn from X41 D-Sec.
>>> - Fix compiler warnings.
>>> - Merge pull request #122 from he32: In tcp_callback_writer(),
>>>   don't disable time-out when changing to read.
>>> - Merge pull request #124 from rmetrich: Changed log lock
>>>   from 'quick' to 'basic' because this is an I/O lock.
>>> - Fix text around serial arithmetic used for RRSIG times to refer
>>>   to correct RFC number.
>>> - Fix Assert Causing DoS in synth_cname(),
>>>   reported by X41 D-Sec.
>>> - Fix similar code in auth_zone synth cname to add the extra checks.
>>> - Fix Assert Causing DoS in dname_pkt_copy(),
>>>   reported by X41 D-Sec.
>>> - Fix OOB Read in sldns_wire2str_dname_scan(),
>>>   reported by X41 D-Sec.
>>> - Fix Out of Bounds Write in sldns_str2wire_str_buf(),
>>>   reported by X41 D-Sec.
>>> - Fix Out of Bounds Write in sldns_b64_pton(),
>>>   fixed by check in sldns_str2wire_int16_data_buf(),
>>>   reported by X41 D-Sec.
>>> - Fix Insufficient Handling of Compressed Names in dname_pkt_copy(),
>>>   reported by X41 D-Sec.
>>> - Fix Out of Bound Write Compressed Names in rdata_copy(),
>>>   reported by X41 D-Sec.
>>> - Fix Hang in sldns_wire2str_pkt_scan(),
>>>   reported by X41 D-Sec.
>>>   This further lowers the max to 256.
>>> - Fix snprintf() supports the n-specifier,
>>>   reported by X41 D-Sec.
>>> - Fix Bad Indentation, in dnscrypt.c,
>>>   reported by X41 D-Sec.
>>> - Fix Client NONCE Generation used for Server NONCE,
>>>   reported by X41 D-Sec.
>>> - Fix compile error in dnscrypt.
>>> - Fix _vfixed not Used, removed from sbuffer code,
>>>   reported by X41 D-Sec.
>>> - Fix Hardcoded Constant, reported by X41 D-Sec.
>>> - make depend
>>> - Fix lock type for memory purify log lock deletion.
>>> - Fix testbound for alloccheck runs, memory purify and lock checks.
>>> - update contrib/fastrpz.patch to apply more cleanly.
>>> - Fix Make Test Fails when Configured With --enable-alloc-nonregional,
>>>   reported by X41 D-Sec.
>>> - Fix ipsecmod compile
>>> - Fix Makefile.in for ipset module compile, from Adi Prasaja.
>>>
>>> Regards,
>>> -- Ralph
> 
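
Added example, not part of the original thread or of the Unbound project: a portable check of a downloaded tarball against the sha256 quoted in the announcement above, falling back across sha256sum, shasum, the Solaris digest utility and openssl. The function names and return codes are this example's own.

```shell
#!/bin/sh
# Digest copied from the 1.9.6 announcement quoted on this page.
UNBOUND_196_SHA256=1d98fc6ea99197a20b4a0e540e87022cf523085786e0fc26de6ebb2720f5aaf0

# Print the hex SHA-256 of file $1 using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    elif command -v digest >/dev/null 2>&1; then   # Solaris
        digest -a sha256 "$1"
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on unusable input
# (missing file or an expected value that is not 64 hex characters).
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 2
    # A truncated or empty expected digest must never compare equal.
    case $expected in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256_of "$file" | tr 'A-F' 'a-f') || return 2
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# Usage: sh verify.sh unbound-1.9.6.tar.gz
if [ "$#" -eq 1 ]; then
    if verify_sha256 "$1" "$UNBOUND_196_SHA256"; then
        echo "sha256 OK: $1"
    else
        echo "sha256 check FAILED: $1" >&2
        exit 1
    fi
fi
```

The digest and the tarball are served from the same host, so the digest alone only detects corruption or a partial tamper; `gpg --verify unbound-1.9.6.tar.gz.asc unbound-1.9.6.tar.gz` against a release key obtained out of band is the check that ties the file to the signer.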
