Hi,

Unbound 1.4.14 is released, get it here:
http://unbound.net/downloads/unbound-1.4.14.tar.gz
sha1 1435029abe63d0106213acb9f173b885183cf1d7
sha256 c15b85145e3175f3d933837071b4ffaae8da4a394139ac0e7f3dfee11712e7d3

It contains a patch for VU#209659 CVE-2011-4528: Unbound denial of service vulnerabilities from nonstandard redirection and denial of existence.
http://www.unbound.net/downloads/CVE-2011-4528.txt

Therefore, 1.4.14 does not equal 1.4.14rc1, it has code changes (this patch and some other fixes found during the review process).

Major changes are a new BSD-compatible makefile (with BSD-make). SSL-wrapped query support (for dnssec-trigger, passing firewalls, it does *not* check the actual SSL certificate at this time). It stores timeouts per-zonename, for compatibility with servers that drop out-of-served-zone queries. It attempts EDNS1480 (or 12xx on ip6) probes in case EDNS0 fails to work around fragmentation issues more easily.

Features
- Makefile changed for BSD make compatibility.
- dns over ssl support as a client, ssl-upstream yes turns it on. It performs an SSL transaction for every DNS query.
- dns over ssl support as a server, ssl-service-pem and ssl-service-key files can be given and then TCP queries are serviced wrapped in SSL.
- lame-ttl and lame-size options no longer exist, it is integrated with the host info. They are ignored (with verbose warning) if encountered to keep the config file backwards compatible.
- TCP-upstream calculates tcp-ping so server selection works if there are alternatives.
- Unbound probes at EDNS1480 if there is an EDNS0 timeout.

Bug Fixes
- Fix for VU#209659 CVE-2011-4528: Unbound denial of service vulnerabilities from nonstandard redirection and denial of existence http://www.unbound.net/downloads/CVE-2011-4528.txt
- Fix for tcp-upstream and ssl-upstream for if a laptop sleeps, causes SERVFAILs. Also fixed for UDP (but less likely).
- Fix quartile time estimate, it was too low, (thanks Jan Komissar).
- Fix double free in unbound-host, reported by Steve Grubb.
- fix -flto detection on Lion for llvm-gcc.
- [bugzilla: 416] Infra cache stores information about ping and lameness per IP, zone.
- [bugzilla: 415] Fix resolve of partners.extranet.microsoft.com with a fix for the server selection for choosing out of a (particular) list of bad choices.
- Fix make_new_space function so that the incoming query is not overwritten if a jostled out query causes a waiting query to be resumed that then fails and sends an error message. (Thanks to Matthew Lee).
- fix unbound-anchor for broken strptime on OSX lion, detected in configure.
- Detect if GOST really works, openssl1.0 on OSX fails.
- Implement ipv6%interface notation for scope_id usage.
- better documentation for inform_super (Thanks Yang Zhe).
- Fix for out-of-memory condition in libunbound (thanks Robert Fleischman).
- Fix --enable-allsymbols, it depended on link specifics of the target platform, or fptr_wlist assertion failures could occur. The feature is disabled on windows.
- updated contrib/unbound_munin_ to family=auto so that it works with munin-node-configure automatically (if installed as /usr/local/share/munin/plugins/unbound_munin_ ).
- unbound.exe -w windows option for start and stop service.
- Fix classification of NS set in answer section, where there is a parent-child server, and the answer has the AA flag for dir.slb.com. Thanks to Amanda Constant from Secure64.
- [bugzilla: 408] accept patch from Steve Snyder that comments out unused functions in lookup3.c.
- fix various compiler warnings (reported by Paul Wouters).
- max sent count. EDNS1480 only for rtt < 5000. No promiscuous fetch if sentcount > 3, stop query if sentcount > 16. Count is reset when referral or CNAME happens. This makes unbound better at managing large NS sets, they are explored when there is continued interest (in the form of queries).
- remove uninit warning from cachedump code.
- Fix parse error on negative SOA RRSIGs if badly ordered in the packet.
- fix infra cache comparison.
- Fix to constrain signer_name to be a parent of the lookupname.
- robust checks for next-closer NSEC3s.
- iana portlist updated.

Best regards, Wouter
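
The "constrain signer_name to be a parent of the lookupname" item above, illustrated as an added example (not Unbound's code and not part of the original announcement): a label-boundary check that an RRSIG signer name is the looked-up name or an ancestor of it. The function names, the text-form names and the sample pairs are constructed for illustration, and accepting a signer equal to the name is an assumption.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of a presentation-format name, ignoring one trailing root dot. */
static size_t name_len(const char *s)
{
    size_t n = strlen(s);
    return (n > 0 && s[n - 1] == '.') ? n - 1 : n;
}

/*
 * Return 1 if `signer` equals `owner` or is an ancestor of it, else 0.
 * Comparison is case-insensitive and must end on a label boundary.
 * Assumption: plain ASCII presentation-format names without escaped dots.
 */
int signer_covers_owner(const char *signer, const char *owner)
{
    size_t sl = name_len(signer), ol = name_len(owner), off, i;

    if (sl == 0)
        return 1;               /* root is an ancestor of every name */
    if (sl > ol)
        return 0;               /* signer is longer: cannot be a parent */
    off = ol - sl;
    for (i = 0; i < sl; i++) {
        if (tolower((unsigned char)signer[i]) !=
            tolower((unsigned char)owner[off + i]))
            return 0;
    }
    /* A bare suffix match is not enough: "badexample.com" ends in
     * "example.com" but is not below it. Require a dot before the suffix. */
    return off == 0 || owner[off - 1] == '.';
}

int main(void)
{
    /* Constructed sample pairs: {signer, owner}. */
    const char *cases[][2] = {
        {"example.com.", "www.example.com."},
        {"example.com.", "example.com."},
        {"example.com.", "badexample.com."},
        {"other.test.", "www.example.com."},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-14s %-18s %s\n", cases[i][0], cases[i][1],
               signer_covers_owner(cases[i][0], cases[i][1]) ? "accept" : "reject");
    return 0;
}
```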
