Unbound 1.13.0rc1 pre-release

Wouter Wijngaards wouter at nlnetlabs.nl
Tue Nov 24 16:01:10 UTC 2020 

Hi RayG,

Thanks for the detail!  It looks like the sort order on item removal is
not the same as when it was inserted and this is caused by the removal
code in the wrong order that happens in the case of this closure order.

There is a commit that fixes it, I think (I have not reproduced the
case, but it looks like the code should exactly fix it), in
https://github.com/NLnetLabs/unbound/commit/978d3840dc6a28d634b1a184a62645663b679175

Best regards, Wouter

On 24/11/2020 16:52, RayG wrote:
> Hi Wouter,
> 
> This is the entry in the event log Windows 20H2 19042.630
> 
> I have 3 of them and they are all the same.
> 
> Faulting application name: unbound.exe, version: 1.13.0.1, time stamp: 0x5fbd149c
> Faulting module name: unbound.exe, version: 1.13.0.1, time stamp: 0x5fbd149c
> Exception code: 0xc0000005
> Fault offset: 0x00000000000a2326
> Faulting process ID: 0x412c
> Faulting application start time: 0x01d6c277643f681a
> Faulting application path: C:\Program Files\Unbound\unbound.exe
> Faulting module path: C:\Program Files\Unbound\unbound.exe
> Report ID: a79bec8f-f4a2-49fa-ad58-6de5bbaefe3c
> Faulting package full name: 
> Faulting package-relative application ID:
> 
> -----Original Message-----
> From: Wouter Wijngaards <wouter at nlnetlabs.nl> 
> Sent: 24 November 2020 14:29
> To: unbound-users at nlnetlabs.nl; maintainers at nlnetlabs.nl
> Subject: Unbound 1.13.0rc1 pre-release
> 
> Hi,
> 
> Unbound 1.13.0rc1 pre-release is available:
> https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0rc1.tar.gz
> sha256 a55e8b5dfc290867017e7fbb75f1023ee2f6234943f870a5c24694b0908d7c17
> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0rc1.tar.gz.asc
> 
> 
> This version has fixes to connect for UDP sockets, slowing down potential ICMP side channel leakage.  The fix can be controlled with the option udp-connect: yes, it is enabled by default.
> 
> Additionally CVE-2020-28935 is fixed, this solves a problem where the pidfile is altered by a symlink, and fails if a symlink is encountered.
> See https://nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt for more information.
> 
> New features are upstream TCP and TLS query reuse, where a channel is reused for several queries.  And http-notls-downstream: yesno for unencrypted DoH, useful for back end support servers.  The option infra-keep-probing can be used to probe hosts that are down more frequently.
> 
> The options edns-client-string and edns-client-string-opcode can be used to add an EDNS option with the specified string in queries towards servers, with the servers specified by IP address.  It replaces the edns-client-tag option.
> 
> Features
> - Pass the comm_reply information to the inplace_cb_reply* functions
>   during the mesh state and update the documentation on that.
> - Fix #330: [Feature request] Add unencrypted DNS over HTTPS support.
>   This adds the option http-notls-downstream: yesno to change that,
>   and the dohclient test code has the -n option.
> - Merge PR #228 : infra-keep-probing option to probe hosts that are
>   down.  Add infra-keep-probing: yes option. Hosts that are down are
>   probed more frequently.
>   With the option turned on, it probes about every 120 seconds,
>   eventually after exponential backoff, and that keeps that way. If
>   traffic keeps up for the domain. It probes with one at a time, eg.
>   one query is allowed to probe, other queries within that 120 second
>   interval are turned away.
> - Merge PR #313 from Ralph Dolmans: Replace edns-client-tag with
>   edns-client-string option.
> - Merge PR #283 : Stream reuse.  This implements upstream stream
>   reuse for performing several queries over the same TCP or TLS
>   channel.
> - Fix to connect() to UDP destinations, default turned on,
>   this lowers vulnerability to ICMP side channels.
>   Option to toggle udp-connect, default is enabled.
> 
> Bug Fixes
> - Fix #319: potential memory leak on config failure, in rpz config.
> - Fix dnstap socket and the chroot not applied properly to the dnstap
>   socket path.
> - Fix warning in libnss compile, nss_buf2dsa is not used without DSA.
> - Fix #323: unbound testsuite fails on mock build in systemd-nspawn
>   if systemd support is build.
> - Fix for python reply callback to see mesh state reply_list member,
>   it only removes it briefly for the commpoint call so that it does
>   not drop it and attempt to modify the reply list during reply.
> - Fix that if there are on reply callbacks, those are called per
>   reply and a new message created if that was modified by the call.
> - Free up auth zone parse region after use for lookup of host
> - Merge PR #326 from netblue30: DoH: implement content-length
>   header field.
> - DoH content length, simplify code, remove declaration after
>   statement and fix cast warning.
> - Fix that if there are reply callbacks for the given rcode, those
>   are called per reply and a new message created if that was modified
>   by the call.
> - Fix that the out of order TCP processing does not limit the
>   number of outstanding queries over a connection.
> - Fix python documentation warning on functions.rst inplace_cb_reply.
> - Log ip address when http session recv fails, eg. due to tls fail.
> - Fix to set the tcp handler event toggle flag back to default when
>   the handler structure is reused.
> - Clean the fix for out of order TCP processing limits on number
>   of queries.  It was tested to work.
> - Fix that http settings have colon in set_option, for
>   http-endpoint, http-max-streams, http-query-buffer-size,
>   http-response-buffer-size, and http-nodelay.
> - Fix memory leak of https port string when reading config.
> - local-zone regional allocations outside of chunk
> - Merge PR #324 from James Renken: Add modern X.509v3 extensions to
>   unbound-control TLS certificates.
> - Fix for PR #324 to attach the x509v3 extensions to the client
>   certificate.
> - Fix #327: net/if.h check fails on some darwin versions; contribution by
>   Joshua Root.
> - Fix #320: potential memory corruption due to size miscomputation upton
>   custom region alloc init.
> - Fix #333: Unbound Segmentation Fault w/ log_info Functions From
>   Python Mod.
> - Fix that minimal-responses does not remove addresses from a priming
>   query response.
> - In man page note that tls-cert-bundle is read before permission
>   drop and chroot.
> - Fix #341: fixing a possible memory leak.
> - Fix memory leak after fix for possible memory leak failure.
> - Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX'
>   undeclared.
> - Fix for #303 CVE-2020-28935 : Fix that symlink does not interfere
>   with chown of pidfile.
> - Fix #347: IP_DONTFRAG broken on Apple xcode 12.2.
> - Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error:
>   failed to list interfaces: getifaddrs: Address family not
>   supported by protocol.
> - Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket
>   address families.
> - iana portlist updated.
> 
> Best regards, Wouter
> 
>

More information about the Unbound-users mailing list