Hello community,

here is the log from the commit of package unbound for openSUSE:Factory checked 
in at 2019-12-23 22:41:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/unbound (Old)
 and      /work/SRC/openSUSE:Factory/.unbound.new.6675 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "unbound"

Mon Dec 23 22:41:59 2019 rev:43 rq:758330 version:1.9.6

Changes:
--------
--- /work/SRC/openSUSE:Factory/unbound/libunbound-devel-mini.changes    
2019-12-02 11:37:55.174455356 +0100
+++ /work/SRC/openSUSE:Factory/.unbound.new.6675/libunbound-devel-mini.changes  
2019-12-23 22:43:56.113989277 +0100
@@ -1,0 +2,186 @@
+Thu Dec 12 21:01:07 UTC 2019 - Michael Ströder <mich...@stroeder.com>
+
+- update to 1.9.6
+  This release contains a number of security related fixes found in
+  a security audit
+
+Features:
+- The unbound.conf includes are sorted ascending, for include
+  statements with a '*' from glob.
+- drop-tld.diff in contrib/ : adds option drop-tld: yesno that drops 2 label
+  queries, to stop random floods.  Apply with
+  patch -p1 < contrib/drop-tld.diff and compile.
+  From Saksham Manchanda (Secure64).  Please note that we think this
+  will drop DNSKEY and DS lookups for tlds and hence break DNSSEC
+  lookups for downstream clients.
+- Add new configure option `--enable-fully-static` to enable full static
+  build if requested; in relation to #91.
+- Add make distclean that removes everything configure produced,
+  and make maintainer-clean that removes bison and flex output.
+- unbound-fuzzers.tar.bz2 in contrib/ : three programs for fuzzing, that
+  are 1:1 replacements for unbound-fuzzme.c that gets created after applying
+  the contrib/unbound-fuzzme.patch.  They are contributed by
+  Eric Sesterhenn from X41 D-Sec.
+
+Bug Fixes:
+- Fix that pkg-config is setup before --enable-systemd needs it.
+- Fix contrib/fastrpz.patch asprintf return value checks.
+- ipset module #28: log that an address is added, when verbosity high.
+- ipset: refactor long routine into three smaller ones.
+- updated Makefile dependencies.
+- squelch DNS over TLS errors 'ssl handshake failed crypto error'
+  on low verbosity, they show on verbosity 3 (query details), because
+  there is a high volume and the operator cannot do anything for the
+  remote failure.  Specifically filters the high volume errors.
+- Fix #71: fix openssl error squelch commit compilation error.
+- Fix #72: configure --with-syslog-facility=LOCAL0-7 with default
+  LOG_DAEMON (as before) can set the syslog facility that the server
+  uses to log messages.
+- Use explicit bzero for wiping clear buffer of hash in cachedb,
+  reported by Eric Sesterhenn from X41 D-Sec.
+- Fix #78: Memory leak in outside_network.c.
+- Merge pull request #76 from Maryse47: Improvements and fixes for
+  systemd unbound.service.
+- oss-fuzz badge on README.md.
+- Fix fix for #78 to also free service callback struct.
+- Fix for oss-fuzz build warning.
+- Fix wrong response ttl for prepended short CNAME ttls, this would
+  create a wrong zero_ttl response count with serve-expired enabled.
+- Merge #80 from stasic: Improve wording in man page.
+- Merge #82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW
+  in unbound.service.
+- Merge #81 from Maryse47: Consistently use /dev/urandom instead
+  of /dev/random in scripts and docs.
+- Merge #83 from Maryse47: contrib/unbound.service.in: do not fork
+  into the background.
+- Merge #85 for #84 from sam-lunt: Add kill capability to systemd
+  service file to fix that systemctl reload fails.
+- Merge #87 from hardfalcon: Fix contrib/unbound.service.in,
+  Drop CAP_KILL, use + prefix for ExecReload= instead.
+- Merge #90 from vcunat: fix build with nettle-3.5.
+- Fix for CVE-2019-16866.  That fix is also in 1.9.4.
+- Merge #86 from psquarejho: Added -b source address option to
+  smallapp/unbound-anchor.c, from Lukas Wunner.
+- Add doxygen comments to unbound-anchor source address code, in #86.
+- Merge #97: manpage: Add missing word on unbound.conf,
+  from Erethon.
+- Fix #99: Memory leak in ub_ctx (event_base will never be freed).
+- Fix #109: check number of arguments for stdin-pipes in
+  unbound-control and fail if too many arguments.
+- Merge #102 from jrtc27: Add getentropy emulation for FreeBSD.
+- iana portlist updated.
+- contrib/fastrpz.patch updated to apply for current code.
+- fixes for splint cleanliness, long vs int in SSL set_mode.
+- In unbound-host use separate variable for get_option to please
+  code checkers.
+- update to bison output of 3.4.1 in code repository.
+- Provide a prototype for compat malloc to remove compile warning.
+- Portable grep usage for reuseport configure test.
+- Check return type of HMAC_Init_ex for openssl 0.9.8.
+- gitignore .source tempfile used for compatible make.
+- Fix for CVE-2019-18934, shell execution in ipsecmod.
+  This fix is also in 1.9.5.
+- Fix authzone printout buffer length check.
+- Fixes to please lint checks.
+- Fix Integer Overflow in Regional Allocator,
+  reported by X41 D-Sec.
+- Fix Unchecked NULL Pointer in dns64_inform_super()
+  and ipsecmod_new(), reported by X41 D-Sec.
+- Fix Out-of-bounds Read in rr_comment_dnskey(),
+  reported by X41 D-Sec.
+- Fix Integer Overflows in Size Calculations,
+  reported by X41 D-Sec.
+- Fix Integer Overflow to Buffer Overflow in
+  sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
+- Fix Out of Bounds Read in sldns_str2wire_dname(),
+  reported by X41 D-Sec.
+- Fix Out of Bounds Write in sldns_bget_token_par(),
+  reported by X41 D-Sec.
+- Fix Out of Bounds Read in rrinternal_get_owner(),
+  reported by X41 D-Sec.
+- Fix Race Condition in autr_tp_create(),
+  reported by X41 D-Sec.
+- Fix Shared Memory World Writeable,
+  reported by X41 D-Sec.
+- Adjust unbound-control to make stats_shm a read only operation.
+- Fix Weak Entropy Used For Nettle,
+  reported by X41 D-Sec.
+- Fix Randomness Error not Handled Properly,
+  reported by X41 D-Sec.
+- Fix Out-of-Bounds Read in dname_valid(),
+  reported by X41 D-Sec.
+- Fix Config Injection in create_unbound_ad_servers.sh,
+  reported by X41 D-Sec.
+- Fix Local Memory Leak in cachedb_init(),
+  reported by X41 D-Sec.
+- Fix Integer Underflow in Regional Allocator,
+  reported by X41 D-Sec.
+- Upgrade compat/getentropy_linux.c to version 1.46 from OpenBSD.
+- Synchronize compat/getentropy_win.c with version 1.5 from
+  OpenBSD, no changes but makes the file, comments, identical.
+- Upgrade compat/getentropy_solaris.c to version 1.13 from OpenBSD.
+- Upgrade compat/getentropy_osx.c to version 1.12 from OpenBSD.
+- Changes to compat/getentropy files for,
+  no link to openssl if using nettle, and hence config.h for
+  HAVE_NETTLE variable.
+  compat definition of MAP_ANON, for older systems.
+  ifdef stdint.h inclusion for older systems.
+  ifdef sha2.h inclusion for older systems.
+- Fixed Compat Code Diverging from Upstream, reported by X41 D-Sec.
+- Fix compile with --enable-alloc-checks, reported by X41 D-Sec.
+- Fix Terminating Quotes not Written, reported by X41 D-Sec.
+- Fix Useless memset() in validator, reported by X41 D-Sec.
+- Fix Unrequired Checks, reported by X41 D-Sec.
+- Fix Enum Name not Used, reported by X41 D-Sec.
+- Fix NULL Pointer Dereference via Control Port,
+  reported by X41 D-Sec.
+- Fix Bad Randomness in Seed, reported by X41 D-Sec.
+- Fix python examples/calc.py for eval, reported by X41 D-Sec.
+- Fix comments for doxygen in dns64.
+- Fix dname loop maximum, reported by Eric Sesterhenn from X41 D-Sec.
+- Fix compiler warnings.
+- Merge pull request #122 from he32: In tcp_callback_writer(),
+  don't disable time-out when changing to read.
+- Merge pull request #124 from rmetrich: Changed log lock
+  from 'quick' to 'basic' because this is an I/O lock.
+- Fix text around serial arithmatic used for RRSIG times to refer
+  to correct RFC number.
+- Fix Assert Causing DoS in synth_cname(),
+  reported by X41 D-Sec.
+- Fix similar code in auth_zone synth cname to add the extra checks.
+- Fix Assert Causing DoS in dname_pkt_copy(),
+  reported by X41 D-Sec.
+- Fix OOB Read in sldns_wire2str_dname_scan(),
+  reported by X41 D-Sec.
+- Fix Out of Bounds Write in sldns_str2wire_str_buf(),
+  reported by X41 D-Sec.
+- Fix Out of Bounds Write in sldns_b64_pton(),
+  fixed by check in sldns_str2wire_int16_data_buf(),
+  reported by X41 D-Sec.
+- Fix Insufficient Handling of Compressed Names in dname_pkt_copy(),
+  reported by X41 D-Sec.
+- Fix Out of Bound Write Compressed Names in rdata_copy(),
+  reported by X41 D-Sec.
+- Fix Hang in sldns_wire2str_pkt_scan(),
+  reported by X41 D-Sec.
+  This further lowers the max to 256.
+- Fix snprintf() supports the n-specifier,
+  reported by X41 D-Sec.
+- Fix Bad Indentation, in dnscrypt.c,
+  reported by X41 D-Sec.
+- Fix Client NONCE Generation used for Server NONCE,
+  reported by X41 D-Sec.
+- Fix compile error in dnscrypt.
+- Fix _vfixed not Used, removed from sbuffer code,
+  reported by X41 D-Sec.
+- Fix Hardcoded Constant, reported by X41 D-Sec.
+- make depend
+- Fix lock type for memory purify log lock deletion.
+- Fix testbound for alloccheck runs, memory purify and lock checks.
+- update contrib/fastrpz.patch to apply more cleanly.
+- Fix Make Test Fails when Configured With --enable-alloc-nonregional,
+  reported by X41 D-Sec.
+- Fix ipsecmod compile
+- Fix Makefile.in for ipset module compile, from Adi Prasaja.
+
+-------------------------------------------------------------------
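Review bot: In the Bug Fixes list, "Fix for CVE-2019-16866.  That fix is also in 1.9.4." and "Fix for CVE-2019-18934, shell execution in ipsecmod.  This fix is also in 1.9.5." are the only items with an identifier, and by their own wording both shipped in earlier releases. The X41 D-Sec findings that are new in this entry (for example the out-of-bounds writes in sldns_bget_token_par(), sldns_str2wire_str_buf() and rdata_copy(), "Shared Memory World Writeable", and "Client NONCE Generation used for Server NONCE") carry no CVE or bug reference. Suggest adding a pointer to the audit report or a tracking bug under "update to 1.9.6" so the security-relevant items can be told apart from the build and lint fixes around them, and marking the two CVE lines as already delivered. While the entry is open, "serial arithmatic" should read "serial arithmetic".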
--- /work/SRC/openSUSE:Factory/unbound/unbound.changes  2019-12-02 
11:37:55.426455409 +0100
+++ /work/SRC/openSUSE:Factory/.unbound.new.6675/unbound.changes        
2019-12-23 22:44:01.777991734 +0100
@@ -1,0 +2,192 @@
+Thu Dec 19 15:33:17 UTC 2019 - Dominique Leuenberger <dims...@opensuse.org>
+
+- BuildRequire pkgconfig(libsystemd) instead of systemd-devel:
+  Allow OBS to shortcut through the -mini flavors.
+
+-------------------------------------------------------------------
+Thu Dec 12 21:01:07 UTC 2019 - Michael Ströder <mich...@stroeder.com>
+
+- update to 1.9.6
+  This release contains a number of security related fixes found in
+  a security audit
+
+Features:
+- The unbound.conf includes are sorted ascending, for include
+  statements with a '*' from glob.
+- drop-tld.diff in contrib/ : adds option drop-tld: yesno that drops 2 label
+  queries, to stop random floods.  Apply with
+  patch -p1 < contrib/drop-tld.diff and compile.
+  From Saksham Manchanda (Secure64).  Please note that we think this
+  will drop DNSKEY and DS lookups for tlds and hence break DNSSEC
+  lookups for downstream clients.
+- Add new configure option `--enable-fully-static` to enable full static
+  build if requested; in relation to #91.
+- Add make distclean that removes everything configure produced,
+  and make maintainer-clean that removes bison and flex output.
+- unbound-fuzzers.tar.bz2 in contrib/ : three programs for fuzzing, that
+  are 1:1 replacements for unbound-fuzzme.c that gets created after applying
+  the contrib/unbound-fuzzme.patch.  They are contributed by
+  Eric Sesterhenn from X41 D-Sec.
+
+Bug Fixes:
+- Fix that pkg-config is setup before --enable-systemd needs it.
+- Fix contrib/fastrpz.patch asprintf return value checks.
+- ipset module #28: log that an address is added, when verbosity high.
+- ipset: refactor long routine into three smaller ones.
+- updated Makefile dependencies.
+- squelch DNS over TLS errors 'ssl handshake failed crypto error'
+  on low verbosity, they show on verbosity 3 (query details), because
+  there is a high volume and the operator cannot do anything for the
+  remote failure.  Specifically filters the high volume errors.
+- Fix #71: fix openssl error squelch commit compilation error.
+- Fix #72: configure --with-syslog-facility=LOCAL0-7 with default
+  LOG_DAEMON (as before) can set the syslog facility that the server
+  uses to log messages.
+- Use explicit bzero for wiping clear buffer of hash in cachedb,
+  reported by Eric Sesterhenn from X41 D-Sec.
+- Fix #78: Memory leak in outside_network.c.
+- Merge pull request #76 from Maryse47: Improvements and fixes for
+  systemd unbound.service.
+- oss-fuzz badge on README.md.
+- Fix fix for #78 to also free service callback struct.
+- Fix for oss-fuzz build warning.
+- Fix wrong response ttl for prepended short CNAME ttls, this would
+  create a wrong zero_ttl response count with serve-expired enabled.
+- Merge #80 from stasic: Improve wording in man page.
+- Merge #82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW
+  in unbound.service.
+- Merge #81 from Maryse47: Consistently use /dev/urandom instead
+  of /dev/random in scripts and docs.
+- Merge #83 from Maryse47: contrib/unbound.service.in: do not fork
+  into the background.
+- Merge #85 for #84 from sam-lunt: Add kill capability to systemd
+  service file to fix that systemctl reload fails.
+- Merge #87 from hardfalcon: Fix contrib/unbound.service.in,
+  Drop CAP_KILL, use + prefix for ExecReload= instead.
+- Merge #90 from vcunat: fix build with nettle-3.5.
+- Fix for CVE-2019-16866.  That fix is also in 1.9.4.
+- Merge #86 from psquarejho: Added -b source address option to
+  smallapp/unbound-anchor.c, from Lukas Wunner.
+- Add doxygen comments to unbound-anchor source address code, in #86.
+- Merge #97: manpage: Add missing word on unbound.conf,
+  from Erethon.
+- Fix #99: Memory leak in ub_ctx (event_base will never be freed).
+- Fix #109: check number of arguments for stdin-pipes in
+  unbound-control and fail if too many arguments.
+- Merge #102 from jrtc27: Add getentropy emulation for FreeBSD.
+- iana portlist updated.
+- contrib/fastrpz.patch updated to apply for current code.
+- fixes for splint cleanliness, long vs int in SSL set_mode.
+- In unbound-host use separate variable for get_option to please
+  code checkers.
+- update to bison output of 3.4.1 in code repository.
+- Provide a prototype for compat malloc to remove compile warning.
+- Portable grep usage for reuseport configure test.
+- Check return type of HMAC_Init_ex for openssl 0.9.8.
+- gitignore .source tempfile used for compatible make.
+- Fix for CVE-2019-18934, shell execution in ipsecmod.
+  This fix is also in 1.9.5.
+- Fix authzone printout buffer length check.
+- Fixes to please lint checks.
+- Fix Integer Overflow in Regional Allocator,
+  reported by X41 D-Sec.
+- Fix Unchecked NULL Pointer in dns64_inform_super()
+  and ipsecmod_new(), reported by X41 D-Sec.
+- Fix Out-of-bounds Read in rr_comment_dnskey(),
+  reported by X41 D-Sec.
+- Fix Integer Overflows in Size Calculations,
+  reported by X41 D-Sec.
+- Fix Integer Overflow to Buffer Overflow in
+  sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
+- Fix Out of Bounds Read in sldns_str2wire_dname(),
+  reported by X41 D-Sec.
+- Fix Out of Bounds Write in sldns_bget_token_par(),
+  reported by X41 D-Sec.
+- Fix Out of Bounds Read in rrinternal_get_owner(),
+  reported by X41 D-Sec.
+- Fix Race Condition in autr_tp_create(),
+  reported by X41 D-Sec.
+- Fix Shared Memory World Writeable,
+  reported by X41 D-Sec.
+- Adjust unbound-control to make stats_shm a read only operation.
+- Fix Weak Entropy Used For Nettle,
+  reported by X41 D-Sec.
+- Fix Randomness Error not Handled Properly,
+  reported by X41 D-Sec.
+- Fix Out-of-Bounds Read in dname_valid(),
+  reported by X41 D-Sec.
+- Fix Config Injection in create_unbound_ad_servers.sh,
+  reported by X41 D-Sec.
+- Fix Local Memory Leak in cachedb_init(),
+  reported by X41 D-Sec.
+- Fix Integer Underflow in Regional Allocator,
+  reported by X41 D-Sec.
+- Upgrade compat/getentropy_linux.c to version 1.46 from OpenBSD.
+- Synchronize compat/getentropy_win.c with version 1.5 from
+  OpenBSD, no changes but makes the file, comments, identical.
+- Upgrade compat/getentropy_solaris.c to version 1.13 from OpenBSD.
+- Upgrade compat/getentropy_osx.c to version 1.12 from OpenBSD.
+- Changes to compat/getentropy files for,
+  no link to openssl if using nettle, and hence config.h for
+  HAVE_NETTLE variable.
+  compat definition of MAP_ANON, for older systems.
+  ifdef stdint.h inclusion for older systems.
+  ifdef sha2.h inclusion for older systems.
+- Fixed Compat Code Diverging from Upstream, reported by X41 D-Sec.
+- Fix compile with --enable-alloc-checks, reported by X41 D-Sec.
+- Fix Terminating Quotes not Written, reported by X41 D-Sec.
+- Fix Useless memset() in validator, reported by X41 D-Sec.
+- Fix Unrequired Checks, reported by X41 D-Sec.
+- Fix Enum Name not Used, reported by X41 D-Sec.
+- Fix NULL Pointer Dereference via Control Port,
+  reported by X41 D-Sec.
+- Fix Bad Randomness in Seed, reported by X41 D-Sec.
+- Fix python examples/calc.py for eval, reported by X41 D-Sec.
+- Fix comments for doxygen in dns64.
+- Fix dname loop maximum, reported by Eric Sesterhenn from X41 D-Sec.
+- Fix compiler warnings.
+- Merge pull request #122 from he32: In tcp_callback_writer(),
+  don't disable time-out when changing to read.
+- Merge pull request #124 from rmetrich: Changed log lock
+  from 'quick' to 'basic' because this is an I/O lock.
+- Fix text around serial arithmatic used for RRSIG times to refer
+  to correct RFC number.
+- Fix Assert Causing DoS in synth_cname(),
+  reported by X41 D-Sec.
+- Fix similar code in auth_zone synth cname to add the extra checks.
+- Fix Assert Causing DoS in dname_pkt_copy(),
+  reported by X41 D-Sec.
+- Fix OOB Read in sldns_wire2str_dname_scan(),
+  reported by X41 D-Sec.
+- Fix Out of Bounds Write in sldns_str2wire_str_buf(),
+  reported by X41 D-Sec.
+- Fix Out of Bounds Write in sldns_b64_pton(),
+  fixed by check in sldns_str2wire_int16_data_buf(),
+  reported by X41 D-Sec.
+- Fix Insufficient Handling of Compressed Names in dname_pkt_copy(),
+  reported by X41 D-Sec.
+- Fix Out of Bound Write Compressed Names in rdata_copy(),
+  reported by X41 D-Sec.
+- Fix Hang in sldns_wire2str_pkt_scan(),
+  reported by X41 D-Sec.
+  This further lowers the max to 256.
+- Fix snprintf() supports the n-specifier,
+  reported by X41 D-Sec.
+- Fix Bad Indentation, in dnscrypt.c,
+  reported by X41 D-Sec.
+- Fix Client NONCE Generation used for Server NONCE,
+  reported by X41 D-Sec.
+- Fix compile error in dnscrypt.
+- Fix _vfixed not Used, removed from sbuffer code,
+  reported by X41 D-Sec.
+- Fix Hardcoded Constant, reported by X41 D-Sec.
+- make depend
+- Fix lock type for memory purify log lock deletion.
+- Fix testbound for alloccheck runs, memory purify and lock checks.
+- update contrib/fastrpz.patch to apply more cleanly.
+- Fix Make Test Fails when Configured With --enable-alloc-nonregional,
+  reported by X41 D-Sec.
+- Fix ipsecmod compile
+- Fix Makefile.in for ipset module compile, from Adi Prasaja.
+
+-------------------------------------------------------------------
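Review bot: The Dec 19 entry at the top of this hunk ("BuildRequire pkgconfig(libsystemd) instead of systemd-devel") is added only to unbound.changes; libunbound-devel-mini.changes gets the 1.9.6 entry alone (186 added lines there against 192 here), so the two changelogs diverge from this commit on. That matches the spec diffs in this message, where only unbound.spec touches BuildRequires. If the two .changes files are meant to stay identical, mirror the Dec 19 entry into the mini changelog; otherwise name unbound.spec in the entry so the difference reads as intentional.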

Old:
----
  unbound-1.9.5.tar.gz

New:
----
  unbound-1.9.6.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libunbound-devel-mini.spec ++++++
--- /var/tmp/diff_new_pack.E3DvXD/_old  2019-12-23 22:44:04.437992888 +0100
+++ /var/tmp/diff_new_pack.E3DvXD/_new  2019-12-23 22:44:04.445992892 +0100
@@ -24,7 +24,7 @@
 
 #
 Name:           libunbound-devel-mini
-Version:        1.9.5
+Version:        1.9.6
 Release:        0
 #
 #

++++++ unbound.spec ++++++
--- /var/tmp/diff_new_pack.E3DvXD/_old  2019-12-23 22:44:04.605992961 +0100
+++ /var/tmp/diff_new_pack.E3DvXD/_new  2019-12-23 22:44:04.617992967 +0100
@@ -36,7 +36,7 @@
 %define piddir /run
 
 Name:           unbound
-Version:        1.9.5
+Version:        1.9.6
 Release:        0
 #
 #
@@ -67,7 +67,7 @@
 # until we figured something else out for the unbound-anchor part in the 
systemd unit file
 Requires:       sudo
 %if %{with systemd}
-BuildRequires:  systemd-devel
+BuildRequires:  pkgconfig(libsystemd)
 %{?systemd_requires}
 %endif
 #
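Review bot: The context line "Requires:       sudo" directly above the changed BuildRequires is commented as a stopgap "until we figured something else out for the unbound-anchor part in the systemd unit file", and the 1.9.6 changelog in this same commit lists several upstream unit-file changes (CAP_NET_ADMIN downgraded to CAP_NET_RAW, CAP_KILL dropped in favour of a + prefix on ExecReload=). Suggest checking whether the packaged unit still needs the sudo runtime dependency after this update and, if it does, updating the comment to say why, since a DNS resolver package pulling in sudo widens the installed privilege surface. The swap to pkgconfig(libsystemd) stays inside %if %{with systemd} and is covered by the Dec 19 changelog entry.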

++++++ unbound-1.9.5.tar.gz -> unbound-1.9.6.tar.gz ++++++
++++ 15768 lines of diff (skipped)

