Hi,

Unbound 1.6.4rc2 release candidate 2 is available:
https://unbound.net/downloads/unbound-1.6.4rc2.tar.gz
sha256 c9839f7292af75eda5b72d53ef2ea241dadc4bdba0369f9d91f8162cba7946ca
pgp https://unbound.net/downloads/unbound-1.6.4rc2.tar.gz.asc

This release candidate fixes a recently found heap overflow, and adds a
contrib patch for fastrpz.

Best regards, Wouter

On 20/06/17 10:58, W.C.A. Wijngaards wrote:
> Hi,
>
> Unbound 1.6.4rc1 release candidate 1 is available:
> https://unbound.net/downloads/unbound-1.6.4rc1.tar.gz
> sha256 54dd9bc2bedc8f171dcad69cb1a64c5b5590ae04284c2eed3515993d86a46dc1
> pgp https://unbound.net/downloads/unbound-1.6.4rc1.tar.gz.asc
>
> This release contains key tag signaling RFC8145 support. B root is
> renumbered in the default root hints. The dnscrypt code supports the
> chacha cipher. The Unbound DNSSEC validator supports the ED25519
> algorithm. The redirect-bogus patch in contrib can send validation
> failure users to a landing page.
>
> Features:
> - Implemented trust anchor signaling using key tag query.
> - unbound-checkconf -o allows query of dnstap config variables.
>   Also unbound-control get_option. Also for dnscrypt.
> - unbound.h exports the shm stats structures. They use
>   type long long and no ifdefs, and ub_ before the typenames.
> - Implemented opportunistic IPsec support module (ipsecmod).
> - Added redirect-bogus.patch to contrib directory.
> - Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
> - renumbering B-Root's IPv6 address to 2001:500:200::b.
> - Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
> - Fix #1277: disable domain ratelimit by setting value to 0.
>
> Bug Fixes:
> - Added ECS unit test (from Manu Bretelle).
> - ECS documentation fix (from Manu Bretelle).
> - Fix #1252: more indentation inconsistencies.
> - Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
> - Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
> - iana portlist update
> - Based on #1257: check parse limit before t increment in sldns RR
>   string parse routine.
> - Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start.
>   and fix that 64bit getting installed in C:\Program Files (x86).
> - Fix #1259: "--disable-ecdsa" argument overwritten
>   by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
> - iana portlist update
> - Added test for leak of stub information.
> - Fix sldns wire2str printout of RR type CAA tags.
> - Fix sldns int16_data parse.
> - Fix sldns parse and printout of TSIG RRs.
> - sldns SMIMEA and AVC definitions, same as getdns definitions.
> - Fix tcp-mss failure printout text.
> - Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
>   connect limited tcp connections. With the option tcp connections
>   can share the same source port (for different destinations).
> - Add 'c' to getopt() in testbound.
> - Adjust servfail by iterator to not store in cache when serve-expired
>   is enabled, to avoid overwriting useful information there.
> - Fix queries for nameservers under a stub leaking to the internet.
> - document trust-anchor-signaling in example config file.
> - updated configure, dependencies and flex output.
> - better module memory lookup, fix of unbound-control shm names for
>   module memory printout of statistics.
> - Fix type AVC sldns rrdef.
> - Some whitespace fixup.
> - Fix #1265: contrib/unbound.service contains hardcoded path.
> - Fix #1265 to use /bin/kill.
> - Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
>   and compatibility with BoringSSL.
> - Fix #1268: SIGSEGV after log_reopen.
> - exec_prefix is by default equal to prefix.
> - printout localzone for duplicate local-zone warnings.
> - Fix assertion for low buffer size and big edns payload when worker
>   overrides udpsize.
> - Support for openssl EVP_DigestVerify.
> - Fix #1269: inconsistent use of built-in local zones with views.
> - Add defaults for new local-zone trees added to views using
>   unbound-control.
> - Fix #1273: cachedb.c doesn't compile with -Wextra.
> - If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
> - Also use global local-zones when there is a matching view that does
>   not have any local-zone specified.
> - Fix fastopen EPIPE fallthrough to perform connect.
> - Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
>   (from Manu Bretelle).
> - Fix #1275: cached data in cachedb is never used.
> - Fix that unbound-control can set val_clean_additional and
>   val_permissive_mode.
> - Add dnscrypt XChaCha20 tests.
> - Detect chacha for dnscrypt at configure time.
> - dnscrypt unit tests with chacha.
> - Added domain name based ECS whitelist.
> - Fix #1278: Incomplete wildcard proof.
> - Fix #1279: Memory leak on reload when python module is enabled.
> - Fix #1280: Unbound fails assert when response from authoritative
>   contains malformed qname. When 0x20 caps-for-id is enabled, when
>   assertions are not enabled the malformed qname is handled correctly.
> - More fixes in depth for buffer checks in 0x20 qname checks.
> - Fix stub zone queries leaking to the internet for
>   harden-referral-path ns checks.
> - Fix query for refetch_glue of stub leaking to internet.
> - Fix #1301: memory leak in respip and tests.
> - Free callback in edns-subnetmod on exit and restart.
> - Fix memory leak in sldns_buffer_new_frm_data.
> - Fix memory leak in dnscrypt config read.
> - Fix dnscrypt chacha cert support ifdefs.
> - Fix dnscrypt chacha cert unit test escapes in grep.
> - Fix to unlock view in view test.
> - Fix warning in pythonmod under clang compiler.
>
> Best regards, Wouter
