* Tue May 19 2020 Paul Wouters <pwouters@redhat.com> - 1.10.1-1

- Resolves: rhbz#1837279 unbound-1.10.1 is available
- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS
- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers
- Updated unbound.conf for new options in 1.10.1

.gitignore

@@ -57,3 +57,4 @@ unbound-1.4.5.tar.gz
 /unbound-1.9.6.tar.gz
 /unbound-1.10.0.tar.gz
 /unbound-1.10.0.tar.gz.asc
+/unbound-1.10.1.tar.gz

sources

@@ -1,2 +1 @@
-SHA512 (unbound-1.10.0.tar.gz) = a64514990f5d614d749045a11f5ce9bb33cf856cc31895b4db3503f2b05a98f1ca57945b17dd7ec5befbd0c356fc42a717d3e2bae3d3510a0507d0445b1f6d59
-SHA512 (unbound-1.10.0.tar.gz.asc) = e5fb047d9e5313e512e7d09e309f8467389c4887a1886446cb6eb7e26c97d9f3351a430d8c44bcac0cb405f3ce44ec71e1fa616e988c8f961016ec7f09c450a4
+SHA512 (unbound-1.10.1.tar.gz) = d07f3ac0e751c17a3ff7d99518c22529cf6856861218564a2ca073422905525cb9ddaf76c9600187946fadb7324343bcd85c34ff06bd322e0ea621a2d258bb85

unbound.conf

@@ -601,6 +601,16 @@ server:
 	# for it.
 	# serve-expired-ttl-reset: no
 
+	# TTL value to use when replying with expired data.
+	# serve-expired-reply-ttl: 30
+	#
+	# Time in milliseconds before replying to the client with expired data.
+	# This essentially enables the serve-stale behavior as specified in
+	# draft-ietf-dnsop-serve-stale-10 that first tries to resolve before
+	# immediately responding with expired data.  0 disables this behavior.
+	# A recommended value is 1800.
+	# serve-expired-client-timeout: 0
+
 	# Have the validator log failed validations for your diagnosis.
 	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
 	val-log-level: 1
@@ -1057,3 +1067,20 @@ auth-zone:
 #     name-v6: "list-v6"
 #
 
+# Response Policy Zones
+# RPZ policies. Applied in order of configuration. QNAME and Response IP
+# Address trigger are the only supported triggers. Supported actions are:
+# NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. Policies can be loaded from
+# file, using zone transfer, or using HTTP. The respip module needs to be added
+# to the module-config, e.g.: module-config: "respip validator iterator".
+# rpz:
+#     name: "rpz.example.com"
+#     zonefile: "rpz.example.com"
+#     master: 192.0.2.0
+#     allow-notify: 192.0.2.0/32
+#     url: http://www.example.com/rpz.example.org.zone
+#     rpz-action-override: cname
+#     rpz-cname-override: www.example.org
+#     rpz-log: yes
+#     rpz-log-name: "example policy"
+#     tags: "example"

unbound.spec

@@ -35,8 +35,8 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.10.0
-Release: 3%{?extra_version:.%{extra_version}}%{?dist}
+Version: 1.10.1
+Release: 1%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@@ -448,6 +448,12 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 
 %changelog
+* Tue May 19 2020 Paul Wouters <pwouters@redhat.com> - 1.10.1-1
+- Resolves: rhbz#1837279 unbound-1.10.1 is available
+- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS
+- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers
+- Updated unbound.conf for new options in 1.10.1
+
 * Wed Apr 29 2020 Paul Wouters <pwouters@redhat.com> - 1.10.0-3
 - Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000.