import unbound-1.7.3-14.el8

CentOS Sources 2020-11-03 07:03:49 -05:00 committed by Andrew Lukoshko
parent 94c6057bab
commit 5094f4a75d
8 changed files with 145 additions and 11 deletions


@ -1,2 +1 @@
. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
. 98799 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}


@ -2,7 +2,4 @@
; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this ; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
trusted-keys { trusted-keys {
"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326 "." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
"." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="; // key id = 19036
}; };


@ -1 +1 @@
D /var/run/unbound 0755 unbound unbound - D /run/unbound 0755 unbound unbound -


@ -0,0 +1,36 @@
From 377d5b426a30fc915cf7905786f93c0ec89845b7 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards <wouter@nlnetlabs.nl>
Date: Tue, 25 Sep 2018 09:01:13 +0000
Subject: [PATCH] - Add SSL cleanup for tcp timeout.
git-svn-id: file:///svn/unbound/trunk@4915 be551aaa-1e26-0410-a405-d3ace91eadb9
---
services/outside_network.c | 11 +++++++++++
1 files changed, 9 insertions(+)
diff --git a/services/outside_network.c b/services/outside_network.c
index 5700ef8..b52cdab 100644
--- a/services/outside_network.c
+++ b/services/outside_network.c
@@ -373,6 +373,8 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
if(!SSL_set1_host(pend->c->ssl, w->tls_auth_name)) {
log_err("SSL_set1_host failed");
pend->c->fd = s;
+ SSL_free(pend->c->ssl);
+ pend->c->ssl = NULL;
comm_point_close(pend->c);
return 0;
}
@@ -1258,6 +1260,13 @@ outnet_tcptimer(void* arg)
} else {
/* it was in use */
struct pending_tcp* pend=(struct pending_tcp*)w->next_waiting;
+ if(pend->c->ssl) {
+#ifdef HAVE_SSL
+ SSL_shutdown(pend->c->ssl);
+ SSL_free(pend->c->ssl);
+ pend->c->ssl = NULL;
+#endif
+ }
comm_point_close(pend->c);
pend->query = NULL;
pend->next_free = outnet->tcp_free;
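Review bot: The two teardown sites added here differ without saying why: the `SSL_set1_host` failure path in `outnet_tcp_take_into_use` calls `SSL_free` directly, while the timeout path in `outnet_tcptimer` calls `SSL_shutdown` before `SSL_free`. That is presumably because no handshake has started at the first site, but a one-line comment there, e.g. `/* handshake not started, no SSL_shutdown needed */`, would stop a later reader from "fixing" the asymmetry. Both functions continue outside these hunks, so it cannot be seen here whether the other paths that close `pend->c` release the SSL object the same way. Since the leak is hit whenever a TLS upstream is slow enough to reach the timer, those paths are worth checking before treating the leak as closed.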


@ -0,0 +1,65 @@
--- a/services/authzone.c 2018-06-14 09:09:01.000000000 +0200
+++ b/services/authzone.c 2020-04-16 18:55:50.806693241 +0200
@@ -5139,7 +5139,7 @@
log_assert(xfr->task_transfer);
lock_basic_lock(&xfr->lock);
env = xfr->task_transfer->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return; /* stop on quit */
}
@@ -5558,7 +5558,7 @@
log_assert(xfr->task_transfer);
lock_basic_lock(&xfr->lock);
env = xfr->task_transfer->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return 0; /* stop on quit */
}
@@ -5619,7 +5619,7 @@
log_assert(xfr->task_transfer);
lock_basic_lock(&xfr->lock);
env = xfr->task_transfer->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return 0; /* stop on quit */
}
@@ -5798,7 +5798,7 @@
log_assert(xfr->task_probe);
lock_basic_lock(&xfr->lock);
env = xfr->task_probe->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return; /* stop on quit */
}
@@ -5829,7 +5829,7 @@
log_assert(xfr->task_probe);
lock_basic_lock(&xfr->lock);
env = xfr->task_probe->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return 0; /* stop on quit */
}
@@ -6030,7 +6030,7 @@
log_assert(xfr->task_probe);
lock_basic_lock(&xfr->lock);
env = xfr->task_probe->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return; /* stop on quit */
}
@@ -6089,7 +6089,7 @@
log_assert(xfr->task_nextprobe);
lock_basic_lock(&xfr->lock);
env = xfr->task_nextprobe->env;
- if(env->outnet->want_to_quit) {
+ if(!env || env->outnet->want_to_quit) {
lock_basic_unlock(&xfr->lock);
return; /* stop on quit */
}
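Review bot: The added `!env` test makes each of these seven callbacks return early when the task's `env` pointer is NULL, but the retained comment still reads `/* stop on quit */` and nothing records when `env` can be NULL here. Suggest updating the comment at each site to something like `/* stop on quit, or env already cleared */` and giving the patch file a short description header naming the crash it fixes. The condition still dereferences `env->outnet` unchecked, which is safe only if `outnet` is always set whenever `env` is; that invariant is not visible in these hunks. The hunk headers carry no function names and the bodies continue outside the hunks, so it cannot be confirmed from here that every callback reading a `task_*->env` pointer is covered.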


@ -0,0 +1,14 @@
diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
index 2bf5b3ab..a30523c7 100644
--- a/smallapp/unbound-anchor.c
+++ b/smallapp/unbound-anchor.c
@@ -246,9 +246,7 @@ get_builtin_ds(void)
return
/* The anchors must start on a new line with ". IN DS and end with \n"[;]
* because the makedist script greps on the source here */
-/* anchor 19036 is from 2010 */
/* anchor 20326 is from 2017 */
-". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"
". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n";
}


@ -334,7 +334,7 @@ server:
# log-replies: no # log-replies: no
# the pid file. Can be an absolute path outside of chroot/work dir. # the pid file. Can be an absolute path outside of chroot/work dir.
pidfile: "/var/run/unbound/unbound.pid" pidfile: "/run/unbound/unbound.pid"
# file to read root hints from. # file to read root hints from.
# get one from https://www.internic.net/domain/named.cache # get one from https://www.internic.net/domain/named.cache


@ -34,7 +34,7 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound Name: unbound
Version: 1.7.3 Version: 1.7.3
Release: 11%{?extra_version:.%{extra_version}}%{?dist} Release: 14%{?extra_version:.%{extra_version}}%{?dist}
License: BSD License: BSD
Url: https://www.unbound.net/ Url: https://www.unbound.net/
Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@ -61,7 +61,10 @@ Patch4: unbound-1.7.3-anchor-fallback.patch
Patch5: unbound-1.7.3-host-any.patch Patch5: unbound-1.7.3-host-any.patch
Patch6: unbound-1.7.3-use-basic-lock.patch Patch6: unbound-1.7.3-use-basic-lock.patch
Patch7: unbound-1.7.3-ipsec-hook.patch Patch7: unbound-1.7.3-ipsec-hook.patch
Patch8: unbound-1.7.3-amplifying-an-incoming-query.patch Patch8: unbound-1.7.3-auth-callback.patch
Patch9: unbound-1.7.3-ksk-2010-revoked.patch
Patch10: unbound-1.7.3-DNS-over-TLS-memory-leak.patch
Patch11: unbound-1.7.3-amplifying-an-incoming-query.patch
BuildRequires: gcc, make BuildRequires: gcc, make
BuildRequires: flex, openssl-devel BuildRequires: flex, openssl-devel
@ -163,7 +166,10 @@ pushd %{pkgname}
%patch5 -p1 -b .host-any %patch5 -p1 -b .host-any
%patch6 -p1 -b .use-basic-lock %patch6 -p1 -b .use-basic-lock
%patch7 -p1 -b .ipsec-hook %patch7 -p1 -b .ipsec-hook
%patch8 -p1 -b .amplifying-an-incoming-query %patch8 -p1 -b .auth-callback
%patch9 -p1 -b .ksk-2010-revoked
%patch10 -p1 -b .DNS-over-TLS-memory-leak
%patch11 -p1 -b .amplifying-an-incoming-query
# only for snapshots # only for snapshots
# autoreconf -iv # autoreconf -iv
@ -435,9 +441,26 @@ popd
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
%changelog %changelog
* Wed May 27 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-11 * Thu May 28 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-14
- Fix unbound-1.7.3-amplifying-an-incoming-query.patch patch
- Resolves: rhbz#1839178 (CVE-2020-12662)
* Mon May 25 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-13
- Fix two previous patches and add missing patch lines to %%prep
- Fix amplifying an incoming query into a large number of queries directed to a target - Fix amplifying an incoming query into a large number of queries directed to a target
- Resolves: rhbz#1839177 (CVE-2020-12662), rhbz#1840262 (CVE-2020-12663) - Resolves: rhbz#1839178 (CVE-2020-12662)
* Tue Apr 21 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-12
- Remove KSK-2010 from configuration files
- Resolves: rhbz#1665502
- Replace legacy directory /var/run/ with /run
- Resolves: rhbz#1766463
- Resolves: rhbz#1805978
- Fix memory leak when DNS over TLS forwarding is configured
- Resolves: rhbz#1819870
* Thu Apr 16 2020 Artem Egorenkov <aegorenk@redhat.com> - 1.7.3-11
- Resolves bz1818761. unbound crash fixed.
* Tue Dec 10 2019 Tomas Korbar <tkorbar@redhat.com> - 1.7.3-10 * Tue Dec 10 2019 Tomas Korbar <tkorbar@redhat.com> - 1.7.3-10
- Secure ipsec mode (#1772061) - Secure ipsec mode (#1772061)
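Review bot: The rewritten `%changelog` no longer mentions CVE-2020-12663 or rhbz#1840262: the old entry read `Resolves: rhbz#1839177 (CVE-2020-12662), rhbz#1840262 (CVE-2020-12663)`, while the new 1.7.3-13 and 1.7.3-14 entries list only `rhbz#1839178 (CVE-2020-12662)`. Scanners and auditors that read the RPM changelog to decide whether a CVE is fixed would then treat this build as unpatched for CVE-2020-12663. `unbound-1.7.3-amplifying-an-incoming-query.patch` is not among the files shown as changed here, so its content appears to be the same as before, but that cannot be verified from this page. Please confirm that the patch still covers both issues and, if it does, restore the reference, e.g. `- Resolves: rhbz#1839178 (CVE-2020-12662), rhbz#1840262 (CVE-2020-12663)`.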