import unbound-1.7.3-14.el8
This commit is contained in:
parent
94c6057bab
commit
5094f4a75d
@ -1,2 +1 @@
|
|||||||
. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
|
. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
|
||||||
. 98799 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
|
|
||||||
|
@ -2,7 +2,4 @@
|
|||||||
; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
|
; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
|
||||||
trusted-keys {
|
trusted-keys {
|
||||||
"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
|
"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
|
||||||
|
|
||||||
"." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="; // key id = 19036
|
|
||||||
|
|
||||||
};
|
};
|
||||||
|
@ -1 +1 @@
|
|||||||
D /var/run/unbound 0755 unbound unbound -
|
D /run/unbound 0755 unbound unbound -
|
||||||
|
36
SOURCES/unbound-1.7.3-DNS-over-TLS-memory-leak.patch
Normal file
36
SOURCES/unbound-1.7.3-DNS-over-TLS-memory-leak.patch
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
From 377d5b426a30fc915cf7905786f93c0ec89845b7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Wouter Wijngaards <wouter@nlnetlabs.nl>
|
||||||
|
Date: Tue, 25 Sep 2018 09:01:13 +0000
|
||||||
|
Subject: [PATCH] - Add SSL cleanup for tcp timeout.
|
||||||
|
|
||||||
|
git-svn-id: file:///svn/unbound/trunk@4915 be551aaa-1e26-0410-a405-d3ace91eadb9
|
||||||
|
---
|
||||||
|
services/outside_network.c | 11 +++++++++++
|
||||||
|
1 files changed, 9 insertions(+)
|
||||||
|
diff --git a/services/outside_network.c b/services/outside_network.c
|
||||||
|
index 5700ef8..b52cdab 100644
|
||||||
|
--- a/services/outside_network.c
|
||||||
|
+++ b/services/outside_network.c
|
||||||
|
@@ -373,6 +373,8 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
|
||||||
|
if(!SSL_set1_host(pend->c->ssl, w->tls_auth_name)) {
|
||||||
|
log_err("SSL_set1_host failed");
|
||||||
|
pend->c->fd = s;
|
||||||
|
+ SSL_free(pend->c->ssl);
|
||||||
|
+ pend->c->ssl = NULL;
|
||||||
|
comm_point_close(pend->c);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
@@ -1258,6 +1260,13 @@ outnet_tcptimer(void* arg)
|
||||||
|
} else {
|
||||||
|
/* it was in use */
|
||||||
|
struct pending_tcp* pend=(struct pending_tcp*)w->next_waiting;
|
||||||
|
+ if(pend->c->ssl) {
|
||||||
|
+#ifdef HAVE_SSL
|
||||||
|
+ SSL_shutdown(pend->c->ssl);
|
||||||
|
+ SSL_free(pend->c->ssl);
|
||||||
|
+ pend->c->ssl = NULL;
|
||||||
|
+#endif
|
||||||
|
+ }
|
||||||
|
comm_point_close(pend->c);
|
||||||
|
pend->query = NULL;
|
||||||
|
pend->next_free = outnet->tcp_free;
|
65
SOURCES/unbound-1.7.3-auth-callback.patch
Normal file
65
SOURCES/unbound-1.7.3-auth-callback.patch
Normal file
@ -0,0 +1,65 @@
|
|||||||
|
--- a/services/authzone.c 2018-06-14 09:09:01.000000000 +0200
|
||||||
|
+++ b/services/authzone.c 2020-04-16 18:55:50.806693241 +0200
|
||||||
|
@@ -5139,7 +5139,7 @@
|
||||||
|
log_assert(xfr->task_transfer);
|
||||||
|
lock_basic_lock(&xfr->lock);
|
||||||
|
env = xfr->task_transfer->env;
|
||||||
|
- if(env->outnet->want_to_quit) {
|
||||||
|
+ if(!env || env->outnet->want_to_quit) {
|
||||||
|
lock_basic_unlock(&xfr->lock);
|
||||||
|
return; /* stop on quit */
|
||||||
|
}
|
||||||
|
@@ -5558,7 +5558,7 @@
|
||||||
|
log_assert(xfr->task_transfer);
|
||||||
|
lock_basic_lock(&xfr->lock);
|
||||||
|
env = xfr->task_transfer->env;
|
||||||
|
- if(env->outnet->want_to_quit) {
|
||||||
|
+ if(!env || env->outnet->want_to_quit) {
|
||||||
|
lock_basic_unlock(&xfr->lock);
|
||||||
|
return 0; /* stop on quit */
|
||||||
|
}
|
||||||
|
@@ -5619,7 +5619,7 @@
|
||||||
|
log_assert(xfr->task_transfer);
|
||||||
|
lock_basic_lock(&xfr->lock);
|
||||||
|
env = xfr->task_transfer->env;
|
||||||
|
- if(env->outnet->want_to_quit) {
|
||||||
|
+ if(!env || env->outnet->want_to_quit) {
|
||||||
|
lock_basic_unlock(&xfr->lock);
|
||||||
|
return 0; /* stop on quit */
|
||||||
|
}
|
||||||
|
@@ -5798,7 +5798,7 @@
|
||||||
|
log_assert(xfr->task_probe);
|
||||||
|
lock_basic_lock(&xfr->lock);
|
||||||
|
env = xfr->task_probe->env;
|
||||||
|
- if(env->outnet->want_to_quit) {
|
||||||
|
+ if(!env || env->outnet->want_to_quit) {
|
||||||
|
lock_basic_unlock(&xfr->lock);
|
||||||
|
return; /* stop on quit */
|
||||||
|
}
|
||||||
|
@@ -5829,7 +5829,7 @@
|
||||||
|
log_assert(xfr->task_probe);
|
||||||
|
lock_basic_lock(&xfr->lock);
|
||||||
|
env = xfr->task_probe->env;
|
||||||
|
- if(env->outnet->want_to_quit) {
|
||||||
|
+ if(!env || env->outnet->want_to_quit) {
|
||||||
|
lock_basic_unlock(&xfr->lock);
|
||||||
|
return 0; /* stop on quit */
|
||||||
|
}
|
||||||
|
@@ -6030,7 +6030,7 @@
|
||||||
|
log_assert(xfr->task_probe);
|
||||||
|
lock_basic_lock(&xfr->lock);
|
||||||
|
env = xfr->task_probe->env;
|
||||||
|
- if(env->outnet->want_to_quit) {
|
||||||
|
+ if(!env || env->outnet->want_to_quit) {
|
||||||
|
lock_basic_unlock(&xfr->lock);
|
||||||
|
return; /* stop on quit */
|
||||||
|
}
|
||||||
|
@@ -6089,7 +6089,7 @@
|
||||||
|
log_assert(xfr->task_nextprobe);
|
||||||
|
lock_basic_lock(&xfr->lock);
|
||||||
|
env = xfr->task_nextprobe->env;
|
||||||
|
- if(env->outnet->want_to_quit) {
|
||||||
|
+ if(!env || env->outnet->want_to_quit) {
|
||||||
|
lock_basic_unlock(&xfr->lock);
|
||||||
|
return; /* stop on quit */
|
||||||
|
}
|
14
SOURCES/unbound-1.7.3-ksk-2010-revoked.patch
Normal file
14
SOURCES/unbound-1.7.3-ksk-2010-revoked.patch
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
|
||||||
|
index 2bf5b3ab..a30523c7 100644
|
||||||
|
--- a/smallapp/unbound-anchor.c
|
||||||
|
+++ b/smallapp/unbound-anchor.c
|
||||||
|
@@ -246,9 +246,7 @@ get_builtin_ds(void)
|
||||||
|
return
|
||||||
|
/* The anchors must start on a new line with ". IN DS and end with \n"[;]
|
||||||
|
* because the makedist script greps on the source here */
|
||||||
|
-/* anchor 19036 is from 2010 */
|
||||||
|
/* anchor 20326 is from 2017 */
|
||||||
|
-". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"
|
||||||
|
". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n";
|
||||||
|
}
|
||||||
|
|
@ -334,7 +334,7 @@ server:
|
|||||||
# log-replies: no
|
# log-replies: no
|
||||||
|
|
||||||
# the pid file. Can be an absolute path outside of chroot/work dir.
|
# the pid file. Can be an absolute path outside of chroot/work dir.
|
||||||
pidfile: "/var/run/unbound/unbound.pid"
|
pidfile: "/run/unbound/unbound.pid"
|
||||||
|
|
||||||
# file to read root hints from.
|
# file to read root hints from.
|
||||||
# get one from https://www.internic.net/domain/named.cache
|
# get one from https://www.internic.net/domain/named.cache
|
||||||
|
@ -34,7 +34,7 @@
|
|||||||
Summary: Validating, recursive, and caching DNS(SEC) resolver
|
Summary: Validating, recursive, and caching DNS(SEC) resolver
|
||||||
Name: unbound
|
Name: unbound
|
||||||
Version: 1.7.3
|
Version: 1.7.3
|
||||||
Release: 11%{?extra_version:.%{extra_version}}%{?dist}
|
Release: 14%{?extra_version:.%{extra_version}}%{?dist}
|
||||||
License: BSD
|
License: BSD
|
||||||
Url: https://www.unbound.net/
|
Url: https://www.unbound.net/
|
||||||
Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
|
Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
|
||||||
@ -61,7 +61,10 @@ Patch4: unbound-1.7.3-anchor-fallback.patch
|
|||||||
Patch5: unbound-1.7.3-host-any.patch
|
Patch5: unbound-1.7.3-host-any.patch
|
||||||
Patch6: unbound-1.7.3-use-basic-lock.patch
|
Patch6: unbound-1.7.3-use-basic-lock.patch
|
||||||
Patch7: unbound-1.7.3-ipsec-hook.patch
|
Patch7: unbound-1.7.3-ipsec-hook.patch
|
||||||
Patch8: unbound-1.7.3-amplifying-an-incoming-query.patch
|
Patch8: unbound-1.7.3-auth-callback.patch
|
||||||
|
Patch9: unbound-1.7.3-ksk-2010-revoked.patch
|
||||||
|
Patch10: unbound-1.7.3-DNS-over-TLS-memory-leak.patch
|
||||||
|
Patch11: unbound-1.7.3-amplifying-an-incoming-query.patch
|
||||||
|
|
||||||
BuildRequires: gcc, make
|
BuildRequires: gcc, make
|
||||||
BuildRequires: flex, openssl-devel
|
BuildRequires: flex, openssl-devel
|
||||||
@ -163,7 +166,10 @@ pushd %{pkgname}
|
|||||||
%patch5 -p1 -b .host-any
|
%patch5 -p1 -b .host-any
|
||||||
%patch6 -p1 -b .use-basic-lock
|
%patch6 -p1 -b .use-basic-lock
|
||||||
%patch7 -p1 -b .ipsec-hook
|
%patch7 -p1 -b .ipsec-hook
|
||||||
%patch8 -p1 -b .amplifying-an-incoming-query
|
%patch8 -p1 -b .auth-callback
|
||||||
|
%patch9 -p1 -b .ksk-2010-revoked
|
||||||
|
%patch10 -p1 -b .DNS-over-TLS-memory-leak
|
||||||
|
%patch11 -p1 -b .amplifying-an-incoming-query
|
||||||
|
|
||||||
# only for snapshots
|
# only for snapshots
|
||||||
# autoreconf -iv
|
# autoreconf -iv
|
||||||
@ -435,9 +441,26 @@ popd
|
|||||||
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
|
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Wed May 27 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-11
|
* Thu May 28 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-14
|
||||||
|
- Fix unbound-1.7.3-amplifying-an-incoming-query.patch patch
|
||||||
|
- Resolves: rhbz#1839178 (CVE-2020-12662)
|
||||||
|
|
||||||
|
* Mon May 25 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-13
|
||||||
|
- Fix two previous patches and add missing patch lines to %%prep
|
||||||
- Fix amplifying an incoming query into a large number of queries directed to a target
|
- Fix amplifying an incoming query into a large number of queries directed to a target
|
||||||
- Resolves: rhbz#1839177 (CVE-2020-12662), rhbz#1840262 (CVE-2020-12663)
|
- Resolves: rhbz#1839178 (CVE-2020-12662)
|
||||||
|
|
||||||
|
* Tue Apr 21 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-12
|
||||||
|
- Remove KSK-2010 from configuration files
|
||||||
|
- Resolves: rhbz#1665502
|
||||||
|
- Replace legacy directory /var/run/ with /run
|
||||||
|
- Resolves: rhbz#1766463
|
||||||
|
- Resolves: rhbz#1805978
|
||||||
|
- Fix memory leak when DNS over TLS forwarding is configured
|
||||||
|
- Resolves: rhbz#1819870
|
||||||
|
|
||||||
|
* Thu Apr 16 2020 Artem Egorenkov <aegorenk@redhat.com> - 1.7.3-11
|
||||||
|
- Resolves bz1818761. unbound crash fixed.
|
||||||
|
|
||||||
* Tue Dec 10 2019 Tomas Korbar <tkorbar@redhat.com> - 1.7.3-10
|
* Tue Dec 10 2019 Tomas Korbar <tkorbar@redhat.com> - 1.7.3-10
|
||||||
- Secure ipsec mode (#1772061)
|
- Secure ipsec mode (#1772061)
|
||||||
|
Loading…
Reference in New Issue
Block a user