Unbound 1.13.0rc1 pre-release
Yuri
yvoinov at gmail.com
Tue Nov 24 15:59:01 UTC 2020
Debug build produced the following stack trace:
t@3 (l@3) terminated by signal SEGV (no mapping at the fault address)
Current function is reuse_cmp_addrportssl
144 r = sockaddr_cmp(&r1->addr, r1->addrlen, &r2->addr,
r2->addrlen);
(dbx) where
current thread: t@3
=>[1] reuse_cmp_addrportssl(key1 = 0xfffffd7ffc1ff268, key2 = (nil)),
line 144 in "outside_network.c"
[2] reuse_cmp(key1 = 0xfffffd7ffc1ff268, key2 = (nil)), line 160 in
"outside_network.c"
[3] rbtree_find_less_equal(rbtree = 0xfffffd7ffe6e0300, key =
0xfffffd7ffc1ff268, result = 0xfffffd7ffc1fefe8), line 527 in "rbtree.c"
[4] reuse_tcp_find(outnet = 0xfffffd7ffe6e0200, addr =
0xfffffd7ffe6f6258, addrlen = 16U, use_ssl = 1), line 480 in
"outside_network.c"
[5] pending_tcp_query(sq = 0xfffffd7ffe6f6200, packet =
0xfffffd7fc12180c0, timeout = 3000, callback = 0x57adec =
&serviced_tcp_callback(struct comm_point *c, void *arg, int error,
struct comm_reply *rep), callback_arg = 0xfffffd7ffe6f6200), line 2056
in "outside_network.c"
[6] serviced_tcp_send(sq = 0xfffffd7ffe6f6200, buff =
0xfffffd7fc12180c0), line 2767 in "outside_network.c"
[7] outnet_serviced_query(outnet = 0xfffffd7ffe6e0200, qinfo =
0xfffffd7fa1294580, flags = 256U, dnssec = 32768, want_dnssec = 0,
nocaps = 0, tcp_upstream = 0, ssl_upstream = 1, tls_auth_name =
0xfffffd7fa1294958 "cloudflare-dns.com", addr = 0xfffffd7fa1294840,
addrlen = 16U, zone = 0xfffffd7fa1294820 "", zonelen = 1U, qstate =
0xfffffd7fa1294088, callback = 0x4c1e16 =
&worker_handle_service_reply(), callback_arg = 0xfffffd7fa1295b40, buff
= 0xfffffd7fc12180c0, env = 0xfffffd7ffd815540), line 2998 in
"outside_network.c"
[8] worker_send_query(qinfo = 0xfffffd7fa1294580, flags = 256U,
dnssec = 32768, want_dnssec = 0, nocaps = 0, addr = 0xfffffd7fa1294840,
addrlen = 16U, zone =0xfffffd7fa1294820 "", zonelen = 1U, ssl_upstream =
1, tls_auth_name = 0xfffffd7fa1294958 "cloudflare-dns.com", q =
0xfffffd7fa1294088), line 2001 in "worker.c"
[9] processQueryTargets(qstate = 0xfffffd7fa1294088, iq =
0xfffffd7fa1294480,ie = 0xfffffd7ffe28b100, id = 1), line 2600 in
"iterator.c"
[10] iter_handle(qstate = 0xfffffd7fa1294088, iq =
0xfffffd7fa1294480, ie = 0xfffffd7ffe28b100, id = 1), line 3634 in
"iterator.c"
[11] process_request(qstate = 0xfffffd7fa1294088, iq =
0xfffffd7fa1294480, ie= 0xfffffd7ffe28b100, id = 1), line 3677 in
"iterator.c"
[12] iter_operate(qstate = 0xfffffd7fa1294088, event =
module_event_pass, id = 1, outbound = (nil)), line 3889 in "iterator.c"
[13] mesh_run(mesh = 0xfffffd7ffe6f0600, mstate = 0xfffffd7fa1294038,
ev = module_event_pass, e = (nil)), line 1699 in "mesh.c"
[14] mesh_new_client(mesh = 0xfffffd7ffe6f0600, qinfo =
0xfffffd7ffc1ffb90, cinfo = (nil), qflags = 288U, edns =
0xfffffd7ffc1ffb70, rep = 0xfffffd7ffc1ffc70, qid = 48945U), line 585 in
"mesh.c"
[15] worker_handle_request(c = 0xfffffd7fca6e2800, arg =
0xfffffd7ffd814000, error = 0, repinfo = 0xfffffd7ffc1ffc70), line 1565
in "worker.c"
[16] comm_point_udp_callback(fd = 3, event = 2, arg =
0xfffffd7fca6e2800), line 716 in "netevent.c"
[17] event_process_active_single_queue(), at 0x5d1680
[18] event_process_active(), at 0x5d1b27
[19] 42(), at 0x5d5e48
[20] ub_event_base_dispatch(base = 0xfffffd7fe5a00400), line 280 in
"ub_event.c"
[21] comm_base_dispatch(b = 0xfffffd7ffe015d40), line 246 in "netevent.c"
[22] worker_work(worker = 0xfffffd7ffd814000), line 1941 in "worker.c"
[23] thread_start(arg = 0xfffffd7ffd814000), line 540 in "daemon.c"
[24] _thr_setup(), at 0xfffffd7ffef5dbab
[25] _lwp_start(), at 0xfffffd7ffef5dde0
24.11.2020 20:28, Wouter Wijngaards via Unbound-users wrote:
> Hi,
>
> Unbound 1.13.0rc1 pre-release is available:
> https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0rc1.tar.gz
> sha256 a55e8b5dfc290867017e7fbb75f1023ee2f6234943f870a5c24694b0908d7c17
> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0rc1.tar.gz.asc
>
>
> This version has fixes to connect for UDP sockets, slowing down
> potential ICMP side channel leakage. The fix can be controlled with the
> option udp-connect: yes, it is enabled by default.
>
> Additionally CVE-2020-28935 is fixed, this solves a problem where the
> pidfile is altered by a symlink, and fails if a symlink is encountered.
> See https://nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt for more
> information.
>
> New features are upstream TCP and TLS query reuse, where a channel is
> reused for several queries. And http-notls-downstream: yesno for
> unencrypted DoH, useful for back end support servers. The option
> infra-keep-probing can be used to probe hosts that are down more
> frequently.
>
> The options edns-client-string and edns-client-string-opcode can be used
> to add an EDNS option with the specified string in queries towards
> servers, with the servers specified by IP address. It replaces the
> edns-client-tag option.
>
> Features
> - Pass the comm_reply information to the inplace_cb_reply* functions
> during the mesh state and update the documentation on that.
> - Fix #330: [Feature request] Add unencrypted DNS over HTTPS support.
> This adds the option http-notls-downstream: yesno to change that,
> and the dohclient test code has the -n option.
> - Merge PR #228 : infra-keep-probing option to probe hosts that are
> down. Add infra-keep-probing: yes option. Hosts that are down are
> probed more frequently.
> With the option turned on, it probes about every 120 seconds,
> eventually after exponential backoff, and that keeps that way. If
> traffic keeps up for the domain. It probes with one at a time, eg.
> one query is allowed to probe, other queries within that 120 second
> interval are turned away.
> - Merge PR #313 from Ralph Dolmans: Replace edns-client-tag with
> edns-client-string option.
> - Merge PR #283 : Stream reuse. This implements upstream stream
> reuse for performing several queries over the same TCP or TLS
> channel.
> - Fix to connect() to UDP destinations, default turned on,
> this lowers vulnerability to ICMP side channels.
> Option to toggle udp-connect, default is enabled.
>
> Bug Fixes
> - Fix #319: potential memory leak on config failure, in rpz config.
> - Fix dnstap socket and the chroot not applied properly to the dnstap
> socket path.
> - Fix warning in libnss compile, nss_buf2dsa is not used without DSA.
> - Fix #323: unbound testsuite fails on mock build in systemd-nspawn
> if systemd support is built.
> - Fix for python reply callback to see mesh state reply_list member,
> it only removes it briefly for the commpoint call so that it does
> not drop it and attempt to modify the reply list during reply.
> - Fix that if there are on reply callbacks, those are called per
> reply and a new message created if that was modified by the call.
> - Free up auth zone parse region after use for lookup of host
> - Merge PR #326 from netblue30: DoH: implement content-length
> header field.
> - DoH content length, simplify code, remove declaration after
> statement and fix cast warning.
> - Fix that if there are reply callbacks for the given rcode, those
> are called per reply and a new message created if that was modified
> by the call.
> - Fix that the out of order TCP processing does not limit the
> number of outstanding queries over a connection.
> - Fix python documentation warning on functions.rst inplace_cb_reply.
> - Log ip address when http session recv fails, eg. due to tls fail.
> - Fix to set the tcp handler event toggle flag back to default when
> the handler structure is reused.
> - Clean the fix for out of order TCP processing limits on number
> of queries. It was tested to work.
> - Fix that http settings have colon in set_option, for
> http-endpoint, http-max-streams, http-query-buffer-size,
> http-response-buffer-size, and http-nodelay.
> - Fix memory leak of https port string when reading config.
> - local-zone regional allocations outside of chunk
> - Merge PR #324 from James Renken: Add modern X.509v3 extensions to
> unbound-control TLS certificates.
> - Fix for PR #324 to attach the x509v3 extensions to the client
> certificate.
> - Fix #327: net/if.h check fails on some darwin versions; contribution by
> Joshua Root.
> - Fix #320: potential memory corruption due to size miscomputation upon
> custom region alloc init.
> - Fix #333: Unbound Segmentation Fault w/ log_info Functions From
> Python Mod.
> - Fix that minimal-responses does not remove addresses from a priming
> query response.
> - In man page note that tls-cert-bundle is read before permission
> drop and chroot.
> - Fix #341: fixing a possible memory leak.
> - Fix memory leak after fix for possible memory leak failure.
> - Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX'
> undeclared.
> - Fix for #303 CVE-2020-28935 : Fix that symlink does not interfere
> with chown of pidfile.
> - Fix #347: IP_DONTFRAG broken on Apple xcode 12.2.
> - Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error:
> failed to list interfaces: getifaddrs: Address family not
> supported by protocol.
> - Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket
> address families.
> - iana portlist updated.
>
> Best regards, Wouter
>