import CS unbound-1.16.2-8.el9

2024-09-30 16:45:01 +00:00 · 2024-09-30 16:45:01 +00:00 · 98b69e4e61
commit 98b69e4e61
parent 25d2471444
7 changed files with 2353 additions and 7 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1 @@
 SOURCES/icannbundle.pem
 SOURCES/unbound-1.16.2.tar.gz
--- a/.unbound.metadata
+++ b/.unbound.metadata
@ -1,2 +1 @@
 9a2f73302a13f38dbf7cb3c5e34eb1665d2f156f SOURCES/icannbundle.pem
 9aea0e923b9d6779b5bc360094e24a4017e2bb25 SOURCES/unbound-1.16.2.tar.gz
--- a/SOURCES/icannbundle.pem
+++ b/SOURCES/icannbundle.pem
@ -0,0 +1,21 @@
 -----BEGIN CERTIFICATE-----
 MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
 TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
 BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX
 DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O
 IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB
 MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb
 cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S
 G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg
 ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2
 paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7
 MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29
 iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B
 Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3
 DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH
 6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD
 2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h
 15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF
 0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg
 j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk
 -----END CERTIFICATE-----
--- a/SOURCES/remote-control.conf
+++ b/SOURCES/remote-control.conf
@ -0,0 +1,9 @@
 # Remote control config section update.
 # Previous defaults allowed any process to change settings, CVE-2024-1488
 remote-control:
    # set to an absolute path to use a unix local name pipe, certificates
    # are not used for that, so key and cert files need not be present.
    control-interface: "/run/unbound/control"
    # For local sockets this option is ignored, and TLS is not used.
    control-use-cert: "yes"
--- a/SOURCES/unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch
+++ b/SOURCES/unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch
--- a/SOURCES/unbound.conf
+++ b/SOURCES/unbound.conf
@ -989,6 +989,7 @@ remote-control:
 	# Set to no and use an absolute path as control-interface to use
 	# a unix local named pipe for unbound-control.
 	# For local sockets this option is ignored, and TLS is not used.
 	# control-use-cert: yes
 	# what interfaces are listened to for remote control.
@ -997,14 +998,11 @@ remote-control:
 	# are not used for that, so key and cert files need not be present.
 	# control-interface: 127.0.0.1
 	# control-interface: ::1
 	# moved to /etc/unbound/conf.d/remote-control.conf
 	# port number for remote control operations.
 	# control-port: 8953
 	# for localhost, you can disable use of TLS by setting this to "no"
 	# For local sockets this option is ignored, and TLS is not used.
 	control-use-cert: "no"
 	# Unbound server key file.
 	server-key-file: "/etc/unbound/unbound_server.key"
--- a/SPECS/unbound.spec
+++ b/SPECS/unbound.spec
@ -30,7 +30,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.16.2
-Release: 3%{?extra_version:.%{extra_version}}%{?dist}
+Release: 8%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@ -52,9 +52,12 @@ Source16: unbound-munin.README
 Source17: unbound-anchor.service
 Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
 Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
 Source21: remote-control.conf
 # https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554
 Patch1: unbound-1.16-CVE-2022-3204.patch
 # https://nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff
 Patch4: unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch
 BuildRequires: gcc, make
 BuildRequires: flex, openssl-devel
@ -315,6 +318,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
 install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
 install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
@ -449,6 +453,18 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 %changelog
 * Mon Mar 11 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-8
 - Ensure group access correction reaches also updated configs (CVE-2024-1488)
 * Wed Feb 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-7
 - Ensure only unbound group can change configuration (CVE-2024-1488)
 * Fri Feb 16 2024 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-6
 - Fix KeyTrap - Extreme CPU consumption in DNSSEC validator CVE-2023-50387
 - Fix Preparing an NSEC3 closest encloser proof can exhaust CPU resources CVE-2023-50868
 - Resolves: RHEL-25671
 - Resolves: RHEL-25643
 * Tue Oct 11 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-3
 - Fix NRDelegation attack leading to uncontrolled resource consumption
  (CVE-2022-3204)
`@ -1,2 +1 @@`
	`SOURCES/icannbundle.pem`
	`SOURCES/unbound-1.16.2.tar.gz`	`SOURCES/unbound-1.16.2.tar.gz`
`@ -1,2 +1 @@`
	`9a2f73302a13f38dbf7cb3c5e34eb1665d2f156f SOURCES/icannbundle.pem`
	`9aea0e923b9d6779b5bc360094e24a4017e2bb25 SOURCES/unbound-1.16.2.tar.gz`	`9aea0e923b9d6779b5bc360094e24a4017e2bb25 SOURCES/unbound-1.16.2.tar.gz`