From b2855b7bff586ee8402aca1175822a881acb920a Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Tue, 19 May 2020 15:07:41 -0400
Subject: [PATCH] * Tue May 19 2020 Paul Wouters - 1.10.1-1
- Resolves: rhbz#1837279 unbound-1.10.1 is available
- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS
- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers
- Updated unbound.conf for new options in 1.10.1
---
 .gitignore | 1 +
 sources | 3 +--
 unbound.conf | 27 +++++++++++++++++++++++++++
 unbound.spec | 10 ++++++++--
 4 files changed, 37 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index 513eec6..bd711c5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -57,3 +57,4 @@ unbound-1.4.5.tar.gz
 /unbound-1.9.6.tar.gz
 /unbound-1.10.0.tar.gz
 /unbound-1.10.0.tar.gz.asc
+/unbound-1.10.1.tar.gz
diff --git a/sources b/sources
index 427fe5c..f5b7bd7 100644
--- a/sources
+++ b/sources
@@ -1,2 +1 @@
-SHA512 (unbound-1.10.0.tar.gz) = a64514990f5d614d749045a11f5ce9bb33cf856cc31895b4db3503f2b05a98f1ca57945b17dd7ec5befbd0c356fc42a717d3e2bae3d3510a0507d0445b1f6d59
-SHA512 (unbound-1.10.0.tar.gz.asc) = e5fb047d9e5313e512e7d09e309f8467389c4887a1886446cb6eb7e26c97d9f3351a430d8c44bcac0cb405f3ce44ec71e1fa616e988c8f961016ec7f09c450a4
+SHA512 (unbound-1.10.1.tar.gz) = d07f3ac0e751c17a3ff7d99518c22529cf6856861218564a2ca073422905525cb9ddaf76c9600187946fadb7324343bcd85c34ff06bd322e0ea621a2d258bb85
diff --git a/unbound.conf b/unbound.conf
index 8f7d9f6..b130f9b 100644
--- a/unbound.conf
+++ b/unbound.conf
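Review bot: The new `sources` entry drops the `SHA512 (unbound-1.10.1.tar.gz.asc)` line that the 1.10.0 entry carried, so the upstream detached PGP signature is no longer in the lookaside cache, and the .gitignore hunk likewise adds only the tarball. If unbound.spec still lists the `.asc` as a source and verifies it (that part of the spec is outside the hunks shown), the build will fail to fetch it; if that was removed too, the 1.10.1 tarball is now pinned only by the digest in this file with no check against the upstream signing key, which is a step back for a release that exists to ship the CVE-2020-12662 and CVE-2020-12663 fixes. I would keep the signature alongside the tarball: a `SHA512 (unbound-1.10.1.tar.gz.asc) = …` line here (digest of the downloaded .asc) and `/unbound-1.10.1.tar.gz.asc` in .gitignore, as the previous update did.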
@@ -601,6 +601,16 @@ server:
 # for it.
 # serve-expired-ttl-reset: no
 
+ # TTL value to use when replying with expired data.
+ # serve-expired-reply-ttl: 30
+ #
+ # Time in milliseconds before replying to the client with expired data.
+ # This essentially enables the serve-stale behavior as specified in
+ # draft-ietf-dnsop-serve-stale-10 that first tries to resolve before
+ # immediately responding with expired data. 0 disables this behavior.
+ # A recommended value is 1800.
+ # serve-expired-client-timeout: 0
+
 # Have the validator log failed validations for your diagnosis.
 # 0: off. 1: A line per failed user query. 2: With reason and bad IP.
 val-log-level: 1
@@ -1057,3 +1067,20 @@ auth-zone:
 # name-v6: "list-v6"
 #
+# Response Policy Zones
+# RPZ policies. Applied in order of configuration. QNAME and Response IP
+# Address trigger are the only supported triggers. Supported actions are:
+# NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. Policies can be loaded from
+# file, using zone transfer, or using HTTP. The respip module needs to be added
+# to the module-config, e.g.: module-config: "respip validator iterator".
+# rpz:
+# name: "rpz.example.com"
+# zonefile: "rpz.example.com"
+# master: 192.0.2.0
+# allow-notify: 192.0.2.0/32
+# url: http://www.example.com/rpz.example.org.zone
+# rpz-action-override: cname
+# rpz-cname-override: www.example.org
+# rpz-log: yes
+# rpz-log-name: "example policy"
+# tags: "example"
diff --git a/unbound.spec b/unbound.spec
index e65ce30..3b2e492 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -35,8 +35,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.10.0
-Release: 3%{?extra_version:.%{extra_version}}%{?dist}
+Version: 1.10.1
+Release: 1%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
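Review bot: The RPZ example added in the second unbound.conf hunk fetches the policy zone over plain HTTP, `url: http://www.example.com/rpz.example.org.zone`, and this is the text an administrator will uncomment; an RPZ decides which answers every client of this resolver gets (NXDOMAIN, DROP, CNAME redirect), so an unauthenticated fetch channel lets anyone on the path substitute policy, and the plain-HTTP wording in the preceding comment ("or using HTTP") invites the same. I would change the example to `url: https://www.example.com/rpz.example.org.zone` (unbound.conf(5) documents the auth-zone/rpz `url:` as http or https, if I read it right — worth confirming on the Fedora build) and add a comment along the lines of `# Load RPZ data only over https or from a master you control: the zone contents decide which answers clients receive.` The example also names the zone `rpz.example.com` but downloads `rpz.example.org.zone` and redirects to `www.example.org`, which looks like an upstream copy-paste slip rather than intent and is worth tidying while touching these lines.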
@@ -448,6 +448,12 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 %changelog
+* Tue May 19 2020 Paul Wouters - 1.10.1-1
+- Resolves: rhbz#1837279 unbound-1.10.1 is available
+- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS
+- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers
+- Updated unbound.conf for new options in 1.10.1
+
 * Wed Apr 29 2020 Paul Wouters - 1.10.0-3
 - Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000.