import unbound-1.7.3-14.el8

2020-11-03 07:03:49 -05:00 · 2020-11-03 07:03:49 -05:00 · 5094f4a75d
commit 5094f4a75d
parent 94c6057bab
8 changed files with 145 additions and 11 deletions
--- a/SOURCES/root.anchor
+++ b/SOURCES/root.anchor
@ -1,2 +1 @@
 .       172800  IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
-.	98799	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
--- a/SOURCES/root.key
+++ b/SOURCES/root.key
@ -2,7 +2,4 @@
 ; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
 trusted-keys {
 "." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
-
-"." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="; // key id = 19036
-
 };
--- a/SOURCES/tmpfiles-unbound.conf
+++ b/SOURCES/tmpfiles-unbound.conf
@ -1 +1 @@
-D /var/run/unbound 0755 unbound unbound -
+D /run/unbound 0755 unbound unbound -
--- a/SOURCES/unbound-1.7.3-DNS-over-TLS-memory-leak.patch
+++ b/SOURCES/unbound-1.7.3-DNS-over-TLS-memory-leak.patch
@ -0,0 +1,36 @@
+From 377d5b426a30fc915cf7905786f93c0ec89845b7 Mon Sep 17 00:00:00 2001
+From: Wouter Wijngaards <wouter@nlnetlabs.nl>
+Date: Tue, 25 Sep 2018 09:01:13 +0000
+Subject: [PATCH] - Add SSL cleanup for tcp timeout.
+
+git-svn-id: file:///svn/unbound/trunk@4915 be551aaa-1e26-0410-a405-d3ace91eadb9
+---
+ services/outside_network.c | 11 +++++++++++
+ 1 files changed, 9 insertions(+)
+diff --git a/services/outside_network.c b/services/outside_network.c
+index 5700ef8..b52cdab 100644
+--- a/services/outside_network.c
+++ b/services/outside_network.c
+@@ -373,6 +373,8 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
+                         if(!SSL_set1_host(pend->c->ssl, w->tls_auth_name)) {
+                                 log_err("SSL_set1_host failed");
+ 				pend->c->fd = s;
+				SSL_free(pend->c->ssl);
+				pend->c->ssl = NULL;
+ 				comm_point_close(pend->c);
+ 				return 0;
+ 			}
+@@ -1258,6 +1260,13 @@ outnet_tcptimer(void* arg)
+ 	} else {
+ 		/* it was in use */
+ 		struct pending_tcp* pend=(struct pending_tcp*)w->next_waiting;
+		if(pend->c->ssl) {
+#ifdef HAVE_SSL
+			SSL_shutdown(pend->c->ssl);
+			SSL_free(pend->c->ssl);
+			pend->c->ssl = NULL;
+#endif
+		}
+ 		comm_point_close(pend->c);
+ 		pend->query = NULL;
+ 		pend->next_free = outnet->tcp_free;
--- a/SOURCES/unbound-1.7.3-auth-callback.patch
+++ b/SOURCES/unbound-1.7.3-auth-callback.patch
@ -0,0 +1,65 @@
+--- a/services/authzone.c	2018-06-14 09:09:01.000000000 +0200
+++ b/services/authzone.c	2020-04-16 18:55:50.806693241 +0200
+@@ -5139,7 +5139,7 @@
+ 	log_assert(xfr->task_transfer);
+ 	lock_basic_lock(&xfr->lock);
+ 	env = xfr->task_transfer->env;
+-	if(env->outnet->want_to_quit) {
+	if(!env || env->outnet->want_to_quit) {
+ 		lock_basic_unlock(&xfr->lock);
+ 		return; /* stop on quit */
+ 	}
+@@ -5558,7 +5558,7 @@
+ 	log_assert(xfr->task_transfer);
+ 	lock_basic_lock(&xfr->lock);
+ 	env = xfr->task_transfer->env;
+-	if(env->outnet->want_to_quit) {
+	if(!env || env->outnet->want_to_quit) {
+ 		lock_basic_unlock(&xfr->lock);
+ 		return 0; /* stop on quit */
+ 	}
+@@ -5619,7 +5619,7 @@
+ 	log_assert(xfr->task_transfer);
+ 	lock_basic_lock(&xfr->lock);
+ 	env = xfr->task_transfer->env;
+-	if(env->outnet->want_to_quit) {
+	if(!env || env->outnet->want_to_quit) {
+ 		lock_basic_unlock(&xfr->lock);
+ 		return 0; /* stop on quit */
+ 	}
+@@ -5798,7 +5798,7 @@
+ 	log_assert(xfr->task_probe);
+ 	lock_basic_lock(&xfr->lock);
+ 	env = xfr->task_probe->env;
+-	if(env->outnet->want_to_quit) {
+	if(!env || env->outnet->want_to_quit) {
+ 		lock_basic_unlock(&xfr->lock);
+ 		return; /* stop on quit */
+ 	}
+@@ -5829,7 +5829,7 @@
+ 	log_assert(xfr->task_probe);
+ 	lock_basic_lock(&xfr->lock);
+ 	env = xfr->task_probe->env;
+-	if(env->outnet->want_to_quit) {
+	if(!env || env->outnet->want_to_quit) {
+ 		lock_basic_unlock(&xfr->lock);
+ 		return 0; /* stop on quit */
+ 	}
+@@ -6030,7 +6030,7 @@
+ 	log_assert(xfr->task_probe);
+ 	lock_basic_lock(&xfr->lock);
+ 	env = xfr->task_probe->env;
+-	if(env->outnet->want_to_quit) {
+	if(!env || env->outnet->want_to_quit) {
+ 		lock_basic_unlock(&xfr->lock);
+ 		return; /* stop on quit */
+ 	}
+@@ -6089,7 +6089,7 @@
+ 	log_assert(xfr->task_nextprobe);
+ 	lock_basic_lock(&xfr->lock);
+ 	env = xfr->task_nextprobe->env;
+-	if(env->outnet->want_to_quit) {
+	if(!env || env->outnet->want_to_quit) {
+ 		lock_basic_unlock(&xfr->lock);
+ 		return; /* stop on quit */
+ 	}
--- a/SOURCES/unbound-1.7.3-ksk-2010-revoked.patch
+++ b/SOURCES/unbound-1.7.3-ksk-2010-revoked.patch
@ -0,0 +1,14 @@
+diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
+index 2bf5b3ab..a30523c7 100644
+--- a/smallapp/unbound-anchor.c
+++ b/smallapp/unbound-anchor.c
+@@ -246,9 +246,7 @@ get_builtin_ds(void)
+ 	return
+ /* The anchors must start on a new line with ". IN DS and end with \n"[;]
+  * because the makedist script greps on the source here */
+-/* anchor 19036 is from 2010 */
+ /* anchor 20326 is from 2017 */
+-". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"
+ ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n";
+ }
+ 
--- a/SOURCES/unbound.conf
+++ b/SOURCES/unbound.conf
@ -334,7 +334,7 @@ server:
 	# log-replies: no

 	# the pid file. Can be an absolute path outside of chroot/work dir.
-	pidfile: "/var/run/unbound/unbound.pid"
+	pidfile: "/run/unbound/unbound.pid"

 	# file to read root hints from.
 	# get one from https://www.internic.net/domain/named.cache
--- a/SPECS/unbound.spec
+++ b/SPECS/unbound.spec
@ -34,7 +34,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.7.3
-Release: 11%{?extra_version:.%{extra_version}}%{?dist}
+Release: 14%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://www.unbound.net/
 Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@ -61,7 +61,10 @@ Patch4: unbound-1.7.3-anchor-fallback.patch
 Patch5: unbound-1.7.3-host-any.patch
 Patch6: unbound-1.7.3-use-basic-lock.patch
 Patch7: unbound-1.7.3-ipsec-hook.patch
-Patch8: unbound-1.7.3-amplifying-an-incoming-query.patch
+Patch8: unbound-1.7.3-auth-callback.patch
+Patch9: unbound-1.7.3-ksk-2010-revoked.patch
+Patch10: unbound-1.7.3-DNS-over-TLS-memory-leak.patch
+Patch11: unbound-1.7.3-amplifying-an-incoming-query.patch

 BuildRequires: gcc, make
 BuildRequires: flex, openssl-devel
@ -163,7 +166,10 @@ pushd %{pkgname}
 %patch5 -p1 -b .host-any
 %patch6 -p1 -b .use-basic-lock
 %patch7 -p1 -b .ipsec-hook
-%patch8 -p1 -b .amplifying-an-incoming-query
+%patch8 -p1 -b .auth-callback
+%patch9 -p1 -b .ksk-2010-revoked
+%patch10 -p1 -b .DNS-over-TLS-memory-leak
+%patch11 -p1 -b .amplifying-an-incoming-query

 # only for snapshots
 # autoreconf -iv
@ -435,9 +441,26 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key

 %changelog
-* Wed May 27 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-11
+* Thu May 28 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-14
+- Fix unbound-1.7.3-amplifying-an-incoming-query.patch patch
+- Resolves: rhbz#1839178 (CVE-2020-12662)
+
+* Mon May 25 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-13
+- Fix two previous patches and add missing patch lines to %%prep
 - Fix amplifying an incoming query into a large number of queries directed to a target
- Resolves: rhbz#1839177 (CVE-2020-12662), rhbz#1840262 (CVE-2020-12663)
+- Resolves: rhbz#1839178 (CVE-2020-12662)
+
+* Tue Apr 21 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-12
+- Remove KSK-2010 from configuration files
+- Resolves: rhbz#1665502
+- Replace legacy directory /var/run/ with /run
+- Resolves: rhbz#1766463
+- Resolves: rhbz#1805978
+- Fix memory leak when DNS over TLS forwarding is configured
+- Resolves: rhbz#1819870
+
+* Thu Apr 16 2020 Artem Egorenkov <aegorenk@redhat.com> - 1.7.3-11
+- Resolves bz1818761. unbound crash fixed.

 * Tue Dec 10 2019 Tomas Korbar <tkorbar@redhat.com> - 1.7.3-10
 - Secure ipsec mode (#1772061)