-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Unbound 1.2.0 is released.

http://unbound.nlnetlabs.nl/downloads/unbound-1.2.0.tar.gz
SHA1   2c1cef70669dcfa13f4db4306cd7b8eeca6892aa
SHA256 88e480bdfb23855656a70cb879b231414d2322fb6c0b7dd594628c7482358784

It has a long list of changes. The new featureset is small, but there
are important, security related, fixes.

Maintainers, bug#228 is fixed in this release, as well as an IANA
portlist update, compared to the 1.2.0rc1 sent out to package
maintainers last week.

Features

* Wildcard support for trusted-keys-file: "/etc/keys/*.key"
* unbound-control status command.
* extended statistics has a number of ipv6 queries counter.
  contrib/unbound_munin_ was updated to draw ipv6 in the hits graph.
* SELinux policy files in contrib/selinux for the unbound daemon, by
  Paul Wouters and Adam Tkac.

Bug Fixes

* The long standing bug with libevent use is fixed. It turns out to be
  a race condition in the calls to libevent that only causes harm when
  very busy. The builtin mini-event did not have a problem being called
  like this, but libevent and libev usage is now fixed. Libevent 1.1 is
  reported to still give problems, but 1.4.5 and 1.4.8 seem fine.
* Certain packets could cause an assertion failure, resulting in a
  denial-of-service vector if the server was compiled with
  --enable-debug (assertions enabled). This is fixed.
* fixed bug reported by Duane Wessels: error in DLV lookup, would mark
  some zones that had correct DLV keys as insecure.
* [bugzilla: 228] fix lame marking. Security fix that resolves denial
  of service that could be triggered by an unusual configuration.
  Thanks to Mark Zealey for reporting.

Other Bug Fixes

* [bugzilla: 224] no more race condition in makefile during build with
  high -j inside included libldns version.
* IANA portlist updated to most recent, avoids allocated ports.
* L root server AAAA record added to builtin root hints.
* removed possible race condition in unit test for race conditions.
* fixup reported problem with transparent local-zone data where queries
  with different type could get nxdomain. Now queries with a different
  name get resolved normally, with different type get a correct
  NOERROR/NODATA answer.
* HINFO no longer downcased for validation, making unbound compatible
  with bind and ldns.
* fix reading included config files when chrooted. Give full path names
  for include files. Relative path names work if the start dir equals
  the working dir.
* fix libunbound message transport when no packet buffer is available.
* fixup getaddrinfo failure handling for remote control port.
* fixup so it works with libev-3.51 from http://dist.schmorp.de/libev/
* ldns tarball updated with 1.4.1rc for DLV unit test.
* fixup BSD port for infra host storage. It hashed wrongly.
* follow ldns rc makedist name generation.
* snapshot version uses _ not - to help rpm distinguish the version
  number.
* do not reopen syslog to avoid dev/log dependency. This makes chroot
  environments easier.
* [bugzilla: 219] better fix for bug #219: use LOG_NDELAY with
  openlog() call. Thanks to Tamas Tevesz.
* [bugzilla: 221] fixed: unbound checkconf checks if key files exist if
  remote control is enabled. Also fixed NULL printf when not chrooted.
* Fix problem reported by Jaco Engelbrecht where unbound-control stats
  freezes up unbound if this was compiled without threading, and was
  using multiple processes.
* test for remote control with interprocess communication.
* created command distribution mechanism so that remote control
  commands other than 'stats' work on all processes in a nonthreaded
  compiled version. dump/load cache work, on the first process.
* fixup remote control local_data addition memory corruption bug.
* [bugzilla: 220] configure complains when --without-ssl is given,
  fixed.
* blacklisted servers are polled at a low rate (1%) to see if they come
  back up. But not if there is some other working server.
* documented that the user of the server daemon needs read privileges
  on the keys and certificates generated by unbound-control-setup. This
  is different per system or distribution, usually, running the script
  under the same username as the server uses suffices. i.e.
      sudo -u unbound unbound-control-setup
* unbound-control-setup.sh removes read/write permissions other from
  the keys it creates (as suggested by Dmitriy Demidov).
* fixed tcp accept, errors were printed when they should not.
* fixup fatal error due to faulty error checking after tcp accept.
* add check in rlimit code to avoid integer underflow.
* rlimit check with new formula; better estimate for number interfaces.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkltndsACgkQkDLqNwOhpPhGfgCfRDIZe0v2nP3Rp5ThiLZp2Ged
/G4An2pJmaMHLUf0VYV0xXtGLPg1NkYu
=DNqs
-----END PGP SIGNATURE-----
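
The two remote-control key items in the list above (daemon user needs read access; "other" gets no read/write on the keys) can be checked with a short audit. This is an added example, not part of the announcement or of the Unbound distribution; the `*.key` naming inside a single directory and the function name `audit_control_keys` are assumptions.

```shell
#!/bin/sh
# Added example (not Unbound project code): audit remote-control key files.
# Assumption: the keys are the *.key files in one directory.
# Run it as the daemon user so the readability check is meaningful, e.g.
#   sudo -u unbound sh -c '. ./audit.sh; audit_control_keys /path/to/keys'

# audit_control_keys DIR
# Prints one line per problem found.
# Returns 0 if every key is clean, 1 if any key is exposed or unreadable,
# 2 if DIR contains no key files at all.
audit_control_keys() {
    dir=$1
    found=0
    bad=0
    for f in "$dir"/*.key; do
        # An unmatched glob stays literal; skip anything that is not a file.
        [ -f "$f" ] || continue
        found=1
        # -perm -004: readable by other; -perm -002: writable by other.
        if [ -n "$(find "$f" -prune \( -perm -004 -o -perm -002 \) -print)" ]; then
            echo "EXPOSED: $f"
            bad=1
        fi
        # The invoking user (meant to be the daemon user) must be able to read it.
        if [ ! -r "$f" ]; then
            echo "UNREADABLE: $f"
            bad=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no key files in $dir"
        return 2
    fi
    return "$bad"
}
```
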
