Hello community, here is the log from the commit of package unbound for openSUSE:Factory checked in at 2017-07-21 22:41:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/unbound (Old) and /work/SRC/openSUSE:Factory/.unbound.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "unbound" Fri Jul 21 22:41:56 2017 rev:16 rq:506460 version:1.6.4 Changes: -------- --- /work/SRC/openSUSE:Factory/unbound/libunbound-devel-mini.changes 2017-02-25 00:59:18.627531649 +0100 +++ /work/SRC/openSUSE:Factory/.unbound.new/libunbound-devel-mini.changes 2017-07-21 22:41:57.627688602 +0200 
@@ -1,0 +2,218 @@ +Tue Jun 27 11:13:31 UTC 2017 - mich...@stroeder.com + +- update to 1.6.4 + +Features: +- Implemented trust anchor signaling using key tag query. +- unbound-checkconf -o allows query of dnstap config variables. + Also unbound-control get_option. Also for dnscrypt. +- unbound.h exports the shm stats structures. They use + type long long and no ifdefs, and ub_ before the typenames. +- Implemented opportunistic IPsec support module (ipsecmod). +- Added redirect-bogus.patch to contrib directory. +- Support for the ED25519 algorithm with openssl (from openssl 1.1.1). +- renumbering B-Root's IPv6 address to 2001:500:200::b. +- Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher. +- Fix #1277: disable domain ratelimit by setting value to 0. +- Added fastrpz patch to contrib + +Bug Fixes: +- Added ECS unit test (from Manu Bretelle). +- ECS documentation fix (from Manu Bretelle). +- Fix #1252: more indentation inconsistencies. +- Fix #1253: unused variable in edns-subnet/addrtree.c:getbit(). +- Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle). +- iana portlist update +- Based on #1257: check parse limit before t increment in sldns RR + string parse routine. +- Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start. + and fix that 64bit getting installed in C:\Program Files (x86). +- Fix #1259: "--disable-ecdsa" argument overwritten + by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c". +- iana portlist update +- Added test for leak of stub information. +- Fix sldns wire2str printout of RR type CAA tags. +- Fix sldns int16_data parse. +- Fix sldns parse and printout of TSIG RRs. +- sldns SMIMEA and AVC definitions, same as getdns definitions. +- Fix tcp-mss failure printout text. +- Set SO_REUSEADDR on outgoing tcp connections to fix the bind before + connect limited tcp connections. With the option tcp connections + can share the same source port (for different destinations). +- Add 'c' to getopt() in testbound. 
+- Adjust servfail by iterator to not store in cache when serve-expired + is enabled, to avoid overwriting useful information there. +- Fix queries for nameservers under a stub leaking to the internet. +- document trust-anchor-signaling in example config file. +- updated configure, dependencies and flex output. +- better module memory lookup, fix of unbound-control shm names for + module memory printout of statistics. +- Fix type AVC sldns rrdef. +- Some whitespace fixup. +- Fix #1265: contrib/unbound.service contains hardcoded path. +- Fix #1265 to use /bin/kill. +- Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs, + and compatibility with BoringSSL. +- Fix #1268: SIGSEGV after log_reopen. +- exec_prefix is by default equal to prefix. +- printout localzone for duplicate local-zone warnings. +- Fix assertion for low buffer size and big edns payload when worker + overrides udpsize. +- Support for openssl EVP_DigestVerify. +- Fix #1269: inconsistent use of built-in local zones with views. +- Add defaults for new local-zone trees added to views using + unbound-control. +- Fix #1273: cachedb.c doesn't compile with -Wextra. +- If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write. +- Also use global local-zones when there is a matching view that does + not have any local-zone specified. +- Fix fastopen EPIPE fallthrough to perform connect. +- Fix #1274: automatically trim chroot path from dnscrypt key/cert paths + (from Manu Bretelle). +- Fix #1275: cached data in cachedb is never used. +- Fix that unbound-control can set val_clean_additional and + val_permissive_mode. +- Add dnscrypt XChaCha20 tests. +- Detect chacha for dnscrypt at configure time. +- dnscrypt unit tests with chacha. +- Added domain name based ECS whitelist. +- Fix #1278: Incomplete wildcard proof. +- Fix #1279: Memory leak on reload when python module is enabled. +- Fix #1280: Unbound fails assert when response from authoritative + contains malformed qname. 
When 0x20 caps-for-id is enabled, when + assertions are not enabled the malformed qname is handled correctly. +- More fixes in depth for buffer checks in 0x20 qname checks. +- Fix stub zone queries leaking to the internet for + harden-referral-path ns checks. +- Fix query for refetch_glue of stub leaking to internet. +- Fix #1301: memory leak in respip and tests. +- Free callback in edns-subnetmod on exit and restart. +- Fix memory leak in sldns_buffer_new_frm_data. +- Fix memory leak in dnscrypt config read. +- Fix dnscrypt chacha cert support ifdefs. +- Fix dnscrypt chacha cert unit test escapes in grep. +- Fix to unlock view in view test. +- Fix warning in pythonmod under clang compiler. +- Fix lintian typo. +- Fix #1316: heap read buffer overflow in parse_edns_options. + +------------------------------------------------------------------- +Wed Jun 14 10:22:38 UTC 2017 - mich...@stroeder.com + +- update to 1.6.3 + +Bug Fixes +- Fix #1280: Unbound fails assert when response from authoritative + contains malformed qname. When 0x20 caps-for-id is enabled, when + assertions are not enabled the malformed qname is handled correctly. + +------------------------------------------------------------------- +Mon Apr 24 15:54:02 UTC 2017 - mich...@stroeder.com + +- update to 1.6.2 + +Features +- Add trustanchor.unbound CH TXT that gets a response with a number + of TXT RRs with a string like "example.com. 2345 1234" with + the trust anchors and their keytags. +- Patch for view functionality for local-data-ptr from Björn Ketelaars. +- Response actions based on IP address from Jinmei Tatuya (Infoblox). +- Patch from Luiz Fernando Softov for Stats Shared Memory. +- unbound-control stats_shm command prints stats using shared memory, + which uses less cpu. +- --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and + DS records. NSEC3 is not disabled. +- #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then + enabled in the config file from Manu Bretelle. 
+- Merge EDNS Client subnet implementation from feature branch into main + branch, using new EDNS processing framework. +- harden-algo-downgrade: no also makes unbound more lenient about + digest algorithms in DS records. + +Bug fixes +- sldns has ED25519 and ED448 algorithm number and name for display. +- sldns updated for vfixed and buffer resize indication from getdns. +- iana portlist update +- Fix #1224: Fix that defaults should not fall back to "Program Files + (x86) if Unbound is 64bit by default on windows. +- Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to + redirect. +- make depend, autoconf, doxygen and lint fixed up. +- include sys/time.h for new shm code on NetBSD. +- Fix #1227: Fix that Unbound control allows weak ciphersuits. +- Fix #1226: provide official 32bit binary for windows. +- For #1227: if we have sha256, set the cipher list to have no + known vulns. +- Fix testpkts.c, check if DO bit is set, not only if there is an OPT + record. +- Fix #1229: Systemd service sandboxing in contrib/unbound.service. +- Fix #1230: swig version 2.0.1 is required for pythonmod, with + 1.3.40 it crashes when running repeatly unbound-control reload. +- fix enum conversion warnings +- fake-sha1 test option; print warning if used. To make unit tests. +- unbound-control list local zone and data commands listed in the + help output. +- Fix #1234: shortening DNAME loop produces duplicate DNAME records + in ANSWER section. +- testbound understands Deckard MATCH rcode question answer commands. +- Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead + of YXDOMAIN + query loop, reported by Petr Spacek. +- Fix that SHM is not inited if not enabled. +- Fix that looped DNAMEs do not cause unbound to spend effort. +- trustanchor tags are sorted. reusable routine to fetch taglist. +- Fix #1237 - Wrong resolving in chain, for norec queries that get + SERVFAIL returned. +- make depend, autoconf, remove warnings about statement before var. 
+- lru_demote and lruhash_insert_or_retrieve functions for getdns. +- fixup for lruhash (whitespace and header file comment). +- dnscrypt tests. +- Fix doxygen for dnscrypt files. +- Fix #1238: segmentation fault when adding through the remote + interface a per-view local zone to a view with no previous + (configured) local zones. +- Fix #1229: Systemd service sandboxing, options in wrong sections. +- Fix #1239: configure fails to find python distutils if python + prints warning. +- Fix to prevent non-referal query from being cached as referal when the + no_cache_store flag was set. +- Remove (now unused) event2 include from dnscrypt code. +- Fix #1217: Add metrics to unbound-control interface showing + crypted, cert request, plaintext and malformed queries (from + Manu Bretelle). +- Do not add current time twice to TTL before ECS cache store. +- Do not touch rrset cache after ECS cache message generation. +- Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode. +- Fix #1244: document that use of chroot requires trust anchor file to + be under chroot. +- Small fixup for documentation. +- Fix respip for braces when locks arent used. +- Fix pythonmod for cb changes. 
+- Generalise inplace callback (de)registration +- (de)register inplace callbacks for module id +- No unbound-control set_option for ECS options +- Deprecated client-subnet-opcode config option +- Introduced client-subnet-always-forward config option +- Changed max-client-subnet-ipv6 default to 56 (as in RFC) +- Removed extern ECS config options +- module_restart_next now calls clear on all following modules ++++ 21 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/unbound/libunbound-devel-mini.changes ++++ and /work/SRC/openSUSE:Factory/.unbound.new/libunbound-devel-mini.changes unbound.changes: same change Old: ---- unbound-1.6.1.tar.gz New: ---- unbound-1.6.4.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libunbound-devel-mini.spec ++++++ --- /var/tmp/diff_new_pack.Pd5CXP/_old 2017-07-21 22:42:04.758682678 +0200 +++ /var/tmp/diff_new_pack.Pd5CXP/_new 2017-07-21 22:42:04.758682678 +0200 @@ -24,7 +24,7 @@ # Name: libunbound-devel-mini -Version: 1.6.1 +Version: 1.6.4 Release: 0 # # @@ -34,6 +34,7 @@ BuildRequires: libevent-devel BuildRequires: libexpat-devel BuildRequires: openssl-devel +BuildRequires: libsodium-devel Requires: this-is-only-for-build-envs Conflicts: unbound-devel Conflicts: libunbound2 @@ -81,6 +82,7 @@ --enable-event-api \ --enable-pie \ --enable-relro-now \ + --enable-dnscrypt \ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \ --with-pidfile=%{piddir}%{name}/%{name}.pid \ --without-pythonmodule --without-pyunbound \ ++++++ unbound.spec ++++++ --- /var/tmp/diff_new_pack.Pd5CXP/_old 2017-07-21 22:42:04.822673651 +0200 +++ /var/tmp/diff_new_pack.Pd5CXP/_new 2017-07-21 22:42:04.826673087 +0200 @@ -53,7 +53,7 @@ %endif Name: unbound -Version: 1.6.1 +Version: 1.6.4 Release: 0 # # 
@@ -64,6 +64,7 @@ BuildRequires: libexpat-devel BuildRequires: openssl-devel BuildRequires: python-devel +BuildRequires: libsodium-devel %if %{with dnstap} BuildRequires: protobuf-c >= 1.0.0 BuildRequires: libprotobuf-c-devel >= 1.0.0 @@ -199,6 +200,7 @@ --enable-event-api \ --enable-pie \ --enable-relro-now \ + --enable-dnscrypt \ %if %{with dnstap} --enable-dnstap \ %endif ++++++ unbound-1.6.1.tar.gz -> unbound-1.6.4.tar.gz ++++++ ++++ 45694 lines of diff (skipped)
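Review bot: In the libunbound-devel-mini.changes hunk (@@ -1,0 +2,218 @@), the 1.6.4 entry lists memory-safety fixes such as "Fix #1316: heap read buffer overflow in parse_edns_options" and "Fix #1280: Unbound fails assert when response from authoritative contains malformed qname" among routine bug fixes with no tracking reference. If a CVE or Bugzilla id has been assigned to either, cite it on that line so the security fix can be traced to this update. The same entry repeats "iana portlist update" twice and restates the #1280 item that the 1.6.3 entry below it already carries; trimming the duplicates would make the entry easier to audit.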
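Review bot: In libunbound-devel-mini.spec (@@ -34,6 +34,7 @@ and @@ -81,6 +82,7 @@), the added "BuildRequires: libsodium-devel" and "--enable-dnscrypt" widen the dependency set of a package that declares "Requires: this-is-only-for-build-envs" and is already built with "--without-pythonmodule --without-pyunbound". Consider leaving DNSCrypt out of the mini build unless a consumer of this package needs it, and state the packaging change in the .changes entry, whose visible part records only the upstream release notes.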
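Review bot: In unbound.spec (@@ -199,6 +200,7 @@), "--enable-dnscrypt" is passed unconditionally while the neighbouring "--enable-dnstap" stays behind "%if %{with dnstap}", and the "BuildRequires: libsodium-devel" added in @@ -64,6 +64,7 @@ is unconditional as well. A matching build conditional for dnscrypt would keep the optional feature and its libsodium dependency switchable in the same way dnstap and its protobuf-c requirements are.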
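Review bot: In the source list ("Old: unbound-1.6.1.tar.gz", "New: unbound-1.6.4.tar.gz"), only the tarball is replaced and no detached signature or keyring file is listed next to it, while the 45694 lines of source diff are skipped. Adding the upstream signature and keyring as sources would let the build verify the origin of the new tarball, which cannot be checked from this mail.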