Update to 1.25.1
This release contains fixes for 11 CVEs. See https://nlnetlabs.nl/projects/unbound/security-advisories/ for additional information. Resolves: RHEL-177800 Resolves: RHEL-177821 Resolves: RHEL-177919 Resolves: RHEL-184834 Resolves: RHEL-186687 Resolves: RHEL-187093 Resolves: RHEL-187343 Resolves: RHEL-191732 Resolves: RHEL-191734 Resolves: RHEL-191737 Resolves: RHEL-191739 Resolves-Vulnerability: CVE-2026-42959 Resolves-Vulnerability: CVE-2026-33278 Resolves-Vulnerability: CVE-2026-42944 Resolves-Vulnerability: CVE-2026-40622 Resolves-Vulnerability: CVE-2026-44390 Resolves-Vulnerability: CVE-2026-42534 Resolves-Vulnerability: CVE-2026-41292 Resolves-Vulnerability: CVE-2026-32792 Resolves-Vulnerability: CVE-2026-42923 Resolves-Vulnerability: CVE-2026-42960 Resolves-Vulnerability: CVE-2026-44608
This commit is contained in:
parent
11dcfbaa1a
commit
c80eb42b5f
4
sources
4
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (unbound-1.24.2.tar.gz) = 655d63ec5305323e84d82691425d74d98c332d0028517bd729d191e5f968ce9481b49ec7447d4c4906dce7997a998a115db36e911a59d2d877da5840c2080261
|
||||
SHA512 (unbound-1.24.2.tar.gz.asc) = 66a3e569a606cc3ed7dac9b411fba347da150728427619bdbf12ac57a5d7db1fc17963b1ba052a95d6c6fed67a6f0c1b5920318f6cd34e5091750626dd63fb21
|
||||
SHA512 (unbound-1.25.1.tar.gz) = a536ff1d9b637e4ffa46ab498919ddf089b4498e65c748748c4920a6da52e1f5bacfbba9ac1dc47798d168e2ea64a7ae7ea2a581464d1fcabae241a6e38c8d13
|
||||
SHA512 (unbound-1.25.1.tar.gz.asc) = 307ce54a35c47e19dda75154424fe8e35382605cb3541ab2c16f567e28c44cfcace5aa14ca8c18d272647b8ef70cfc75f51c27cb0587bc51bd82d074380825aa
|
||||
|
||||
@ -1,61 +0,0 @@
|
||||
From 87e5c3ccad91c72166ed72c7366d8681308d84a8 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Mon, 9 Feb 2026 15:40:51 +0100
|
||||
Subject: [PATCH] Add a new build-time option for system TLS
|
||||
|
||||
We want to use crypto-policy provided configuration always in our
|
||||
builds. Allow changing the default of tls-use-system-policy-versions at
|
||||
build time by a simple configure parameter.
|
||||
---
|
||||
unbound-1.24.2/configure.ac | 11 +++++++++++
|
||||
unbound-1.24.2/util/config_file.c | 5 ++++-
|
||||
2 files changed, 15 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/unbound-1.24.2/configure.ac b/unbound-1.24.2/configure.ac
|
||||
index 6a43fd5..13c910f 100644
|
||||
--- a/unbound-1.24.2/configure.ac
|
||||
+++ b/unbound-1.24.2/configure.ac
|
||||
@@ -2067,6 +2067,17 @@ case "$enable_ipsecmod" in
|
||||
;;
|
||||
esac
|
||||
|
||||
+# check for system TLS preference if requested
|
||||
+AC_ARG_ENABLE(system-tls, AS_HELP_STRING([--enable-system-tls],[Enable preference of system configured TLS socket options]))
|
||||
+case "$enable_system_tls" in
|
||||
+ yes)
|
||||
+ AC_DEFINE([USE_SYSTEM_TLS], [1], [Define to 1 to prefer TLS crypto settings from the system.])
|
||||
+ ;;
|
||||
+ no|*)
|
||||
+ # nothing
|
||||
+ ;;
|
||||
+esac
|
||||
+
|
||||
# check for ipset if requested
|
||||
AC_ARG_ENABLE(ipset, AS_HELP_STRING([--enable-ipset],[enable ipset module]))
|
||||
case "$enable_ipset" in
|
||||
diff --git a/unbound-1.24.2/util/config_file.c b/unbound-1.24.2/util/config_file.c
|
||||
index 1565b05..8079ec9 100644
|
||||
--- a/unbound-1.24.2/util/config_file.c
|
||||
+++ b/unbound-1.24.2/util/config_file.c
|
||||
@@ -71,6 +71,9 @@
|
||||
#ifdef HAVE_PWD_H
|
||||
#include <pwd.h>
|
||||
#endif
|
||||
+#ifndef USE_SYSTEM_TLS
|
||||
+#define USE_SYSTEM_TLS 0
|
||||
+#endif
|
||||
|
||||
/** from cfg username, after daemonize setup performed */
|
||||
uid_t cfg_uid = (uid_t)-1;
|
||||
@@ -129,7 +132,7 @@ config_create(void)
|
||||
cfg->tls_cert_bundle = NULL;
|
||||
cfg->tls_win_cert = 0;
|
||||
cfg->tls_use_sni = 1;
|
||||
- cfg->tls_use_system_policy_versions = 0;
|
||||
+ cfg->tls_use_system_policy_versions = USE_SYSTEM_TLS;
|
||||
cfg->https_port = UNBOUND_DNS_OVER_HTTPS_PORT;
|
||||
if(!(cfg->http_endpoint = strdup("/dns-query"))) goto error_exit;
|
||||
cfg->http_max_streams = 100;
|
||||
--
|
||||
2.52.0
|
||||
|
||||
@ -1,483 +0,0 @@
|
||||
From 315d29b33f9766e7ecb91fcfd4c1238d92aefd9e Mon Sep 17 00:00:00 2001
|
||||
From: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
|
||||
Date: Mon, 22 Sep 2025 18:22:36 +0200
|
||||
Subject: [PATCH] - Fix #1346: [FR] Please allow back TLS 1.2.
|
||||
'tls-use-system-policy-versions' is introduced to allow Unbound to use any
|
||||
system available TLS version when serving TLS.
|
||||
|
||||
---
|
||||
unbound-1.24.2/daemon/remote.c | 2 +-
|
||||
unbound-1.24.2/daemon/unbound.c | 2 +-
|
||||
unbound-1.24.2/dnstap/unbound-dnstap-socket.c | 2 +-
|
||||
unbound-1.24.2/doc/example.conf.in | 26 ++++++---
|
||||
unbound-1.24.2/doc/unbound.conf.5.in | 55 ++++++++++++++-----
|
||||
unbound-1.24.2/doc/unbound.conf.rst | 32 ++++++++---
|
||||
unbound-1.24.2/util/config_file.c | 3 +
|
||||
unbound-1.24.2/util/config_file.h | 2 +
|
||||
unbound-1.24.2/util/configlexer.lex | 1 +
|
||||
unbound-1.24.2/util/configparser.y | 11 ++++
|
||||
unbound-1.24.2/util/net_help.c | 54 +++++++++---------
|
||||
unbound-1.24.2/util/net_help.h | 8 ++-
|
||||
unbound-1.24.2/winrc/win_svc.c | 4 +-
|
||||
13 files changed, 138 insertions(+), 64 deletions(-)
|
||||
|
||||
diff --git a/unbound-1.24.2/daemon/remote.c b/unbound-1.24.2/daemon/remote.c
|
||||
index d8ee7fa..06d1d34 100644
|
||||
--- a/unbound-1.24.2/daemon/remote.c
|
||||
+++ b/unbound-1.24.2/daemon/remote.c
|
||||
@@ -153,7 +153,7 @@ remote_setup_ctx(struct daemon_remote* rc, struct config_file* cfg)
|
||||
log_crypto_err("could not SSL_CTX_new");
|
||||
return 0;
|
||||
}
|
||||
- if(!listen_sslctx_setup(rc->ctx)) {
|
||||
+ if(!listen_sslctx_setup(rc->ctx, cfg->tls_use_system_policy_versions)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
diff --git a/unbound-1.24.2/daemon/unbound.c b/unbound-1.24.2/daemon/unbound.c
|
||||
index 164d0fb..6888047 100644
|
||||
--- a/unbound-1.24.2/daemon/unbound.c
|
||||
+++ b/unbound-1.24.2/daemon/unbound.c
|
||||
@@ -473,7 +473,7 @@ setup_listen_sslctx(void** ctx, int is_dot, int is_doh, struct config_file* cfg)
|
||||
cfg->tls_ciphers, cfg->tls_ciphersuites,
|
||||
(cfg->tls_session_ticket_keys.first &&
|
||||
cfg->tls_session_ticket_keys.first->str[0] != 0),
|
||||
- is_dot, is_doh))) {
|
||||
+ is_dot, is_doh, cfg->tls_use_system_policy_versions))) {
|
||||
fatal_exit("could not set up listen SSL_CTX");
|
||||
}
|
||||
}
|
||||
diff --git a/unbound-1.24.2/dnstap/unbound-dnstap-socket.c b/unbound-1.24.2/dnstap/unbound-dnstap-socket.c
|
||||
index a01627d..c0d344c 100644
|
||||
--- a/unbound-1.24.2/dnstap/unbound-dnstap-socket.c
|
||||
+++ b/unbound-1.24.2/dnstap/unbound-dnstap-socket.c
|
||||
@@ -347,7 +347,7 @@ static struct tap_socket* tap_socket_new_tlsaccept(char* ip,
|
||||
s->ev_cb = ev_cb;
|
||||
s->data = data;
|
||||
s->sslctx = listen_sslctx_create(server_key, server_cert, verifypem,
|
||||
- NULL, NULL, 0, 0, 0);
|
||||
+ NULL, NULL, 0, 0, 0, 0);
|
||||
if(!s->sslctx) {
|
||||
log_err("could not create ssl context");
|
||||
free(s->ip);
|
||||
diff --git a/unbound-1.24.2/doc/example.conf.in b/unbound-1.24.2/doc/example.conf.in
|
||||
index cf10b85..ecdc65c 100644
|
||||
--- a/unbound-1.24.2/doc/example.conf.in
|
||||
+++ b/unbound-1.24.2/doc/example.conf.in
|
||||
@@ -950,21 +950,26 @@ server:
|
||||
# https-port: 443
|
||||
# quic-port: 853
|
||||
|
||||
+ # Also serve tls on these port numbers (eg. 443, ...), by listing
|
||||
+ # tls-additional-port: portno for each of the port numbers.
|
||||
+
|
||||
# cipher setting for TLSv1.2
|
||||
# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
|
||||
# cipher setting for TLSv1.3
|
||||
# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
|
||||
|
||||
- # Pad responses to padded queries received over TLS
|
||||
- # pad-responses: yes
|
||||
-
|
||||
- # Padded responses will be padded to the closest multiple of this size.
|
||||
- # pad-responses-block-size: 468
|
||||
-
|
||||
# Use the SNI extension for TLS connections. Default is yes.
|
||||
# Changing the value requires a reload.
|
||||
# tls-use-sni: yes
|
||||
|
||||
+ # Allow general-purpose version-flexible TLS server configuration that
|
||||
+ # may be further restricted by the system's policy.
|
||||
+ # Use only if you want to support legacy TLS client connections.
|
||||
+ # Default is no and Unbound will only use the latest available TLS
|
||||
+ # version.
|
||||
+ # Changing the value requires a reload.
|
||||
+ # tls-use-system-policy-versions: no
|
||||
+
|
||||
# Add the secret file for TLS Session Ticket.
|
||||
# Secret file must be 80 bytes of random data.
|
||||
# First key use to encrypt and decrypt TLS session tickets.
|
||||
@@ -985,15 +990,18 @@ server:
|
||||
# and on other systems, the default openssl certificates
|
||||
# tls-system-cert: no
|
||||
|
||||
+ # Pad responses to padded queries received over TLS
|
||||
+ # pad-responses: yes
|
||||
+
|
||||
+ # Padded responses will be padded to the closest multiple of this size.
|
||||
+ # pad-responses-block-size: 468
|
||||
+
|
||||
# Pad queries over TLS upstreams
|
||||
# pad-queries: yes
|
||||
|
||||
# Padded queries will be padded to the closest multiple of this size.
|
||||
# pad-queries-block-size: 128
|
||||
|
||||
- # Also serve tls on these port numbers (eg. 443, ...), by listing
|
||||
- # tls-additional-port: portno for each of the port numbers.
|
||||
-
|
||||
# HTTP endpoint to provide DNS-over-HTTPS service on.
|
||||
# http-endpoint: "/dns-query"
|
||||
|
||||
diff --git a/unbound-1.24.2/doc/unbound.conf.5.in b/unbound-1.24.2/doc/unbound.conf.5.in
|
||||
index a5857ac..7ec7860 100644
|
||||
--- a/unbound-1.24.2/doc/unbound.conf.5.in
|
||||
+++ b/unbound-1.24.2/doc/unbound.conf.5.in
|
||||
@@ -1218,6 +1218,47 @@ Default: \(dq\(dq
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
+.B tls\-use\-sni: \fI<yes or no>\fP
|
||||
+Enable or disable sending the SNI extension on TLS connections.
|
||||
+.sp
|
||||
+\fBNOTE:\fP
|
||||
+.INDENT 7.0
|
||||
+.INDENT 3.5
|
||||
+Changing the value requires a reload.
|
||||
+.UNINDENT
|
||||
+.UNINDENT
|
||||
+.sp
|
||||
+Default: yes
|
||||
+.UNINDENT
|
||||
+.INDENT 0.0
|
||||
+.TP
|
||||
+.B tls\-use\-system\-policy\-versions: \fI<yes or no>\fP
|
||||
+Enable or disable general\-puspose version\-flexible TLS server configuration
|
||||
+when serving TLS.
|
||||
+This will allow the whole list of available TLS versions provided by the
|
||||
+crypto library, which may have been further restricted by the system\(aqs
|
||||
+crypto policy.
|
||||
+.sp
|
||||
+By default Unbound only uses the latest available TLS version.
|
||||
+.sp
|
||||
+\fBCAUTION:\fP
|
||||
+.INDENT 7.0
|
||||
+.INDENT 3.5
|
||||
+Use only if you want to support legacy TLS client connections.
|
||||
+.UNINDENT
|
||||
+.UNINDENT
|
||||
+.sp
|
||||
+\fBNOTE:\fP
|
||||
+.INDENT 7.0
|
||||
+.INDENT 3.5
|
||||
+Changing the value requires a reload.
|
||||
+.UNINDENT
|
||||
+.UNINDENT
|
||||
+.sp
|
||||
+Default: no
|
||||
+.UNINDENT
|
||||
+.INDENT 0.0
|
||||
+.TP
|
||||
.B pad\-responses: \fI<yes or no>\fP
|
||||
If enabled, TLS serviced queries that contained an EDNS Padding option will
|
||||
cause responses padded to the closest multiple of the size specified in
|
||||
@@ -1251,20 +1292,6 @@ Default: 128
|
||||
.UNINDENT
|
||||
.INDENT 0.0
|
||||
.TP
|
||||
-.B tls\-use\-sni: \fI<yes or no>\fP
|
||||
-Enable or disable sending the SNI extension on TLS connections.
|
||||
-.sp
|
||||
-\fBNOTE:\fP
|
||||
-.INDENT 7.0
|
||||
-.INDENT 3.5
|
||||
-Changing the value requires a reload.
|
||||
-.UNINDENT
|
||||
-.UNINDENT
|
||||
-.sp
|
||||
-Default: yes
|
||||
-.UNINDENT
|
||||
-.INDENT 0.0
|
||||
-.TP
|
||||
.B https\-port: \fI<number>\fP
|
||||
The port number on which to provide DNS\-over\-HTTPS service.
|
||||
Only interfaces configured with that port number as @number get the HTTPS
|
||||
diff --git a/unbound-1.24.2/doc/unbound.conf.rst b/unbound-1.24.2/doc/unbound.conf.rst
|
||||
index d83816c..555b1c8 100644
|
||||
--- a/unbound-1.24.2/doc/unbound.conf.rst
|
||||
+++ b/unbound-1.24.2/doc/unbound.conf.rst
|
||||
@@ -1103,6 +1103,30 @@ These options are part of the **server:** clause.
|
||||
Default: ""
|
||||
|
||||
|
||||
+@@UAHL@unbound.conf@tls-use-sni@@: *<yes or no>*
|
||||
+ Enable or disable sending the SNI extension on TLS connections.
|
||||
+
|
||||
+ .. note:: Changing the value requires a reload.
|
||||
+
|
||||
+ Default: yes
|
||||
+
|
||||
+
|
||||
+@@UAHL@unbound.conf@tls-use-system-policy-versions@@: *<yes or no>*
|
||||
+ Enable or disable general-puspose version-flexible TLS server configuration
|
||||
+ when serving TLS.
|
||||
+ This will allow the whole list of available TLS versions provided by the
|
||||
+ crypto library, which may have been further restricted by the system's
|
||||
+ crypto policy.
|
||||
+
|
||||
+ By default Unbound only uses the latest available TLS version.
|
||||
+
|
||||
+ .. caution:: Use only if you want to support legacy TLS client connections.
|
||||
+
|
||||
+ .. note:: Changing the value requires a reload.
|
||||
+
|
||||
+ Default: no
|
||||
+
|
||||
+
|
||||
@@UAHL@unbound.conf@pad-responses@@: *<yes or no>*
|
||||
If enabled, TLS serviced queries that contained an EDNS Padding option will
|
||||
cause responses padded to the closest multiple of the size specified in
|
||||
@@ -1132,14 +1156,6 @@ These options are part of the **server:** clause.
|
||||
Default: 128
|
||||
|
||||
|
||||
-@@UAHL@unbound.conf@tls-use-sni@@: *<yes or no>*
|
||||
- Enable or disable sending the SNI extension on TLS connections.
|
||||
-
|
||||
- .. note:: Changing the value requires a reload.
|
||||
-
|
||||
- Default: yes
|
||||
-
|
||||
-
|
||||
@@UAHL@unbound.conf@https-port@@: *<number>*
|
||||
The port number on which to provide DNS-over-HTTPS service.
|
||||
Only interfaces configured with that port number as @number get the HTTPS
|
||||
diff --git a/unbound-1.24.2/util/config_file.c b/unbound-1.24.2/util/config_file.c
|
||||
index 25c2b3e..1565b05 100644
|
||||
--- a/unbound-1.24.2/util/config_file.c
|
||||
+++ b/unbound-1.24.2/util/config_file.c
|
||||
@@ -129,6 +129,7 @@ config_create(void)
|
||||
cfg->tls_cert_bundle = NULL;
|
||||
cfg->tls_win_cert = 0;
|
||||
cfg->tls_use_sni = 1;
|
||||
+ cfg->tls_use_system_policy_versions = 0;
|
||||
cfg->https_port = UNBOUND_DNS_OVER_HTTPS_PORT;
|
||||
if(!(cfg->http_endpoint = strdup("/dns-query"))) goto error_exit;
|
||||
cfg->http_max_streams = 100;
|
||||
@@ -629,6 +630,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
else S_STR("tls-ciphers:", tls_ciphers)
|
||||
else S_STR("tls-ciphersuites:", tls_ciphersuites)
|
||||
else S_YNO("tls-use-sni:", tls_use_sni)
|
||||
+ else S_YNO("tls-use-system-policy-versions:", tls_use_system_policy_versions)
|
||||
else S_NUMBER_NONZERO("https-port:", https_port)
|
||||
else S_STR("http-endpoint:", http_endpoint)
|
||||
else S_NUMBER_NONZERO("http-max-streams:", http_max_streams)
|
||||
@@ -1181,6 +1183,7 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_STR(opt, "tls-ciphers", tls_ciphers)
|
||||
else O_STR(opt, "tls-ciphersuites", tls_ciphersuites)
|
||||
else O_YNO(opt, "tls-use-sni", tls_use_sni)
|
||||
+ else O_YNO(opt, "tls-use-system-policy-versions", tls_use_system_policy_versions)
|
||||
else O_DEC(opt, "https-port", https_port)
|
||||
else O_STR(opt, "http-endpoint", http_endpoint)
|
||||
else O_UNS(opt, "http-max-streams", http_max_streams)
|
||||
diff --git a/unbound-1.24.2/util/config_file.h b/unbound-1.24.2/util/config_file.h
|
||||
index f77538b..59b4ae5 100644
|
||||
--- a/unbound-1.24.2/util/config_file.h
|
||||
+++ b/unbound-1.24.2/util/config_file.h
|
||||
@@ -148,6 +148,8 @@ struct config_file {
|
||||
char* tls_ciphersuites;
|
||||
/** if SNI is to be used */
|
||||
int tls_use_sni;
|
||||
+ /** if all TLS versions can be used; based on system policy (if any) */
|
||||
+ int tls_use_system_policy_versions;
|
||||
|
||||
/** port on which to provide DNS over HTTPS service */
|
||||
int https_port;
|
||||
diff --git a/unbound-1.24.2/util/configlexer.lex b/unbound-1.24.2/util/configlexer.lex
|
||||
index 0ba8d60..22f98e4 100644
|
||||
--- a/unbound-1.24.2/util/configlexer.lex
|
||||
+++ b/unbound-1.24.2/util/configlexer.lex
|
||||
@@ -262,6 +262,7 @@ tls-session-ticket-keys{COLON} { YDVAR(1, VAR_TLS_SESSION_TICKET_KEYS) }
|
||||
tls-ciphers{COLON} { YDVAR(1, VAR_TLS_CIPHERS) }
|
||||
tls-ciphersuites{COLON} { YDVAR(1, VAR_TLS_CIPHERSUITES) }
|
||||
tls-use-sni{COLON} { YDVAR(1, VAR_TLS_USE_SNI) }
|
||||
+tls-use-system-policy-versions{COLON} { YDVAR(1, VAR_TLS_USE_SYSTEM_POLICY_VERSIONS) }
|
||||
https-port{COLON} { YDVAR(1, VAR_HTTPS_PORT) }
|
||||
http-endpoint{COLON} { YDVAR(1, VAR_HTTP_ENDPOINT) }
|
||||
http-max-streams{COLON} { YDVAR(1, VAR_HTTP_MAX_STREAMS) }
|
||||
diff --git a/unbound-1.24.2/util/configparser.y b/unbound-1.24.2/util/configparser.y
|
||||
index bef1fd3..bf9c196 100644
|
||||
--- a/unbound-1.24.2/util/configparser.y
|
||||
+++ b/unbound-1.24.2/util/configparser.y
|
||||
@@ -199,6 +199,7 @@ extern struct config_parser_state* cfg_parser;
|
||||
%token VAR_DISCARD_TIMEOUT VAR_WAIT_LIMIT VAR_WAIT_LIMIT_COOKIE
|
||||
%token VAR_WAIT_LIMIT_NETBLOCK VAR_WAIT_LIMIT_COOKIE_NETBLOCK
|
||||
%token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES VAR_TLS_USE_SNI
|
||||
+%token VAR_TLS_USE_SYSTEM_POLICY_VERSIONS
|
||||
%token VAR_IPSET VAR_IPSET_NAME_V4 VAR_IPSET_NAME_V6
|
||||
%token VAR_TLS_SESSION_TICKET_KEYS VAR_RPZ VAR_TAGS VAR_RPZ_ACTION_OVERRIDE
|
||||
%token VAR_RPZ_CNAME_OVERRIDE VAR_RPZ_LOG VAR_RPZ_LOG_NAME
|
||||
@@ -347,6 +348,7 @@ content_server: server_num_threads | server_verbosity | server_port |
|
||||
server_tls_ciphersuites | server_tls_session_ticket_keys |
|
||||
server_answer_cookie | server_cookie_secret | server_ip_ratelimit_cookie |
|
||||
server_tls_use_sni | server_edns_client_string |
|
||||
+ server_tls_use_system_policy_versions |
|
||||
server_edns_client_string_opcode | server_nsid |
|
||||
server_zonemd_permissive_mode | server_max_reuse_tcp_queries |
|
||||
server_tcp_reuse_timeout | server_tcp_auth_query_timeout |
|
||||
@@ -1155,6 +1157,15 @@ server_tls_use_sni: VAR_TLS_USE_SNI STRING_ARG
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
+server_tls_use_system_policy_versions: VAR_TLS_USE_SYSTEM_POLICY_VERSIONS STRING_ARG
|
||||
+ {
|
||||
+ OUTYY(("P(server_tls_use_system_policy_versions:%s)\n", $2));
|
||||
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||
+ yyerror("expected yes or no.");
|
||||
+ else cfg_parser->cfg->tls_use_system_policy_versions = (strcmp($2, "yes")==0);
|
||||
+ free($2);
|
||||
+ }
|
||||
+ ;
|
||||
server_https_port: VAR_HTTPS_PORT STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_https_port:%s)\n", $2));
|
||||
diff --git a/unbound-1.24.2/util/net_help.c b/unbound-1.24.2/util/net_help.c
|
||||
index 6ce0d91..426ace9 100644
|
||||
--- a/unbound-1.24.2/util/net_help.c
|
||||
+++ b/unbound-1.24.2/util/net_help.c
|
||||
@@ -1226,7 +1226,7 @@ setup_ticket_keys_cb(void* sslctx)
|
||||
#endif /* HAVE_SSL */
|
||||
|
||||
int
|
||||
-listen_sslctx_setup(void* ctxt)
|
||||
+listen_sslctx_setup(void* ctxt, int use_system_versions)
|
||||
{
|
||||
#ifdef HAVE_SSL
|
||||
SSL_CTX* ctx = (SSL_CTX*)ctxt;
|
||||
@@ -1238,35 +1238,37 @@ listen_sslctx_setup(void* ctxt)
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
- if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
|
||||
- != SSL_OP_NO_SSLv3){
|
||||
- log_crypto_err("could not set SSL_OP_NO_SSLv3");
|
||||
- return 0;
|
||||
- }
|
||||
+ if(!use_system_versions) {
|
||||
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
|
||||
+ != SSL_OP_NO_SSLv3){
|
||||
+ log_crypto_err("could not set SSL_OP_NO_SSLv3");
|
||||
+ return 0;
|
||||
+ }
|
||||
#if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1)
|
||||
- /* if we have tls 1.1 disable 1.0 */
|
||||
- if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
|
||||
- != SSL_OP_NO_TLSv1){
|
||||
- log_crypto_err("could not set SSL_OP_NO_TLSv1");
|
||||
- return 0;
|
||||
- }
|
||||
+ /* if we have tls 1.1 disable 1.0 */
|
||||
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
|
||||
+ != SSL_OP_NO_TLSv1){
|
||||
+ log_crypto_err("could not set SSL_OP_NO_TLSv1");
|
||||
+ return 0;
|
||||
+ }
|
||||
#endif
|
||||
#if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2)
|
||||
- /* if we have tls 1.2 disable 1.1 */
|
||||
- if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
|
||||
- != SSL_OP_NO_TLSv1_1){
|
||||
- log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
|
||||
- return 0;
|
||||
- }
|
||||
+ /* if we have tls 1.2 disable 1.1 */
|
||||
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
|
||||
+ != SSL_OP_NO_TLSv1_1){
|
||||
+ log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
|
||||
+ return 0;
|
||||
+ }
|
||||
#endif
|
||||
#if defined(SSL_OP_NO_TLSv1_2) && defined(SSL_OP_NO_TLSv1_3)
|
||||
- /* if we have tls 1.3 disable 1.2 */
|
||||
- if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2) & SSL_OP_NO_TLSv1_2)
|
||||
- != SSL_OP_NO_TLSv1_2){
|
||||
- log_crypto_err("could not set SSL_OP_NO_TLSv1_2");
|
||||
- return 0;
|
||||
- }
|
||||
+ /* if we have tls 1.3 disable 1.2 */
|
||||
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2) & SSL_OP_NO_TLSv1_2)
|
||||
+ != SSL_OP_NO_TLSv1_2){
|
||||
+ log_crypto_err("could not set SSL_OP_NO_TLSv1_2");
|
||||
+ return 0;
|
||||
+ }
|
||||
#endif
|
||||
+ }
|
||||
#if defined(SSL_OP_NO_RENEGOTIATION)
|
||||
/* disable client renegotiation */
|
||||
if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
|
||||
@@ -1341,7 +1343,7 @@ listen_sslctx_setup_2(void* ctxt)
|
||||
void* listen_sslctx_create(const char* key, const char* pem,
|
||||
const char* verifypem, const char* tls_ciphers,
|
||||
const char* tls_ciphersuites, int set_ticket_keys_cb,
|
||||
- int is_dot, int is_doh)
|
||||
+ int is_dot, int is_doh, int use_system_versions)
|
||||
{
|
||||
#ifdef HAVE_SSL
|
||||
SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
|
||||
@@ -1359,7 +1361,7 @@ void* listen_sslctx_create(const char* key, const char* pem,
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
- if(!listen_sslctx_setup(ctx)) {
|
||||
+ if(!listen_sslctx_setup(ctx, use_system_versions)) {
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
diff --git a/unbound-1.24.2/util/net_help.h b/unbound-1.24.2/util/net_help.h
|
||||
index 278e370..7b8a206 100644
|
||||
--- a/unbound-1.24.2/util/net_help.h
|
||||
+++ b/unbound-1.24.2/util/net_help.h
|
||||
@@ -478,9 +478,11 @@ void log_cert(unsigned level, const char* str, void* cert);
|
||||
/**
|
||||
* Set SSL_OP_NOxxx options on SSL context to disable bad crypto
|
||||
* @param ctxt: SSL_CTX*
|
||||
+ * @param use_system_versions: rely on the system policy (if any) for allowed
|
||||
+ * TLS versions
|
||||
* @return false on failure.
|
||||
*/
|
||||
-int listen_sslctx_setup(void* ctxt);
|
||||
+int listen_sslctx_setup(void* ctxt, int use_system_versions);
|
||||
|
||||
/**
|
||||
* Further setup of listening SSL context, after keys loaded.
|
||||
@@ -499,12 +501,14 @@ void listen_sslctx_setup_2(void* ctxt);
|
||||
* to be set.
|
||||
* @param is_dot: if the TLS connection is for DoT to set the appropriate ALPN.
|
||||
* @param is_doh: if the TLS connection is for DoH to set the appropriate ALPN.
|
||||
+ * @param use_system_versions: rely on the system policy (if any) for allowed
|
||||
+ * TLS versions
|
||||
* return SSL_CTX* or NULL on failure (logged).
|
||||
*/
|
||||
void* listen_sslctx_create(const char* key, const char* pem,
|
||||
const char* verifypem, const char* tls_ciphers,
|
||||
const char* tls_ciphersuites, int set_ticket_keys_cb,
|
||||
- int is_dot, int is_doh);
|
||||
+ int is_dot, int is_doh, int use_system_versions);
|
||||
|
||||
/**
|
||||
* create SSL connect context
|
||||
diff --git a/unbound-1.24.2/winrc/win_svc.c b/unbound-1.24.2/winrc/win_svc.c
|
||||
index 429b045..6fca0c7 100644
|
||||
--- a/unbound-1.24.2/winrc/win_svc.c
|
||||
+++ b/unbound-1.24.2/winrc/win_svc.c
|
||||
@@ -369,7 +369,7 @@ service_init(int r, struct daemon** d, struct config_file** c)
|
||||
cfg->tls_ciphers, cfg->tls_ciphersuites,
|
||||
(cfg->tls_session_ticket_keys.first &&
|
||||
cfg->tls_session_ticket_keys.first->str[0] != 0),
|
||||
- 1, 0))) {
|
||||
+ 1, 0, cfg->tls_use_system_policy_versions))) {
|
||||
fatal_exit("could not set up listen SSL_CTX");
|
||||
}
|
||||
#ifdef HAVE_NGHTTP2_NGHTTP2_H
|
||||
@@ -379,7 +379,7 @@ service_init(int r, struct daemon** d, struct config_file** c)
|
||||
cfg->tls_ciphers, cfg->tls_ciphersuites,
|
||||
(cfg->tls_session_ticket_keys.first &&
|
||||
cfg->tls_session_ticket_keys.first->str[0] != 0),
|
||||
- 0, 1))) {
|
||||
+ 0, 1, cfg->tls_use_system_policy_versions))) {
|
||||
fatal_exit("could not set up listen doh SSL_CTX");
|
||||
}
|
||||
}
|
||||
--
|
||||
2.52.0
|
||||
|
||||
@ -1,39 +0,0 @@
|
||||
From 9be04e6fac3f4ee8fa08d3671dac41d2156d2ced Mon Sep 17 00:00:00 2001
|
||||
From: Wouter Wijngaards <wouter@nlnetlabs.nl>
|
||||
Date: Thu, 27 Sep 2018 08:19:29 +0000
|
||||
Subject: [PATCH] - Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL,
|
||||
fixes qname minimisation with a forwarder when connectivity has issues
|
||||
from rejecting responses.
|
||||
|
||||
git-svn-id: file:///svn/unbound/trunk@4916 be551aaa-1e26-0410-a405-d3ace91eadb9
|
||||
---
|
||||
iterator/iterator.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/iterator/iterator.c b/iterator/iterator.c
|
||||
index 7baf92b7..2f26bd33 100644
|
||||
--- a/iterator/iterator.c
|
||||
+++ b/iterator/iterator.c
|
||||
@@ -2174,7 +2174,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
return 0;
|
||||
}
|
||||
|
||||
- if(iq->minimisation_state == INIT_MINIMISE_STATE) {
|
||||
+ if(iq->minimisation_state == INIT_MINIMISE_STATE
|
||||
+ && !(iq->chase_flags & BIT_RD)) {
|
||||
/* (Re)set qinfo_out to (new) delegation point, except when
|
||||
* qinfo_out is already a subdomain of dp. This happens when
|
||||
* increasing by more than one label at once (QNAMEs with more
|
||||
@@ -2715,7 +2716,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
sock_list_insert(&qstate->reply_origin,
|
||||
&qstate->reply->addr, qstate->reply->addrlen,
|
||||
qstate->region);
|
||||
- if(iq->minimisation_state != DONOT_MINIMISE_STATE) {
|
||||
+ if(iq->minimisation_state != DONOT_MINIMISE_STATE
|
||||
+ && !(iq->chase_flags & BIT_RD)) {
|
||||
if(FLAGS_GET_RCODE(iq->response->rep->flags) !=
|
||||
LDNS_RCODE_NOERROR) {
|
||||
if(qstate->env->cfg->qname_minimisation_strict)
|
||||
--
|
||||
2.14.4
|
||||
|
||||
@ -1,29 +0,0 @@
|
||||
From 6429b5c298b10b96feb6b90c111948df97269f40 Mon Sep 17 00:00:00 2001
|
||||
From: Wouter Wijngaards <wouter@nlnetlabs.nl>
|
||||
Date: Mon, 22 Oct 2018 10:07:13 +0000
|
||||
Subject: [PATCH] - Fix #4192: unbound-control-setup generates keys not
|
||||
readable by group.
|
||||
|
||||
git-svn-id: file:///svn/unbound/trunk@4942 be551aaa-1e26-0410-a405-d3ace91eadb9
|
||||
---
|
||||
smallapp/unbound-control-setup.sh.in | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/smallapp/unbound-control-setup.sh.in b/smallapp/unbound-control-setup.sh.in
|
||||
index 0d759f44..f4024b43 100644
|
||||
--- a/smallapp/unbound-control-setup.sh.in
|
||||
+++ b/smallapp/unbound-control-setup.sh.in
|
||||
@@ -148,8 +148,8 @@ test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
|
||||
# echo "empty password is used, simply click OK on the password dialog box."
|
||||
# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"
|
||||
|
||||
-# remove unused permissions
|
||||
-chmod o-rw $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key
|
||||
+# set desired permissions
|
||||
+chmod 0640 $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key
|
||||
|
||||
# remove crap
|
||||
rm -f request.cfg
|
||||
--
|
||||
2.14.4
|
||||
|
||||
@ -1,13 +0,0 @@
|
||||
diff --git a/dns64/dns64.c b/dns64/dns64.c
|
||||
index 6c81192..77e6890 100644
|
||||
--- a/dns64/dns64.c
|
||||
+++ b/dns64/dns64.c
|
||||
@@ -925,7 +925,7 @@ dns64_inform_super(struct module_qstate* qstate, int id,
|
||||
* successful or not. This lets the state machine terminate.
|
||||
*/
|
||||
if(!super_dq) {
|
||||
- super_dq = (struct dns64_qstate*)regional_alloc(qstate->region,
|
||||
+ super_dq = (struct dns64_qstate*)regional_alloc(super->region,
|
||||
sizeof(*super_dq));
|
||||
super->minfo[id] = super_dq;
|
||||
memset(super_dq, 0, sizeof(*super_dq));
|
||||
@ -1,4 +1,4 @@
|
||||
From a8be97bada623287cdd911c7a4549bbceef9fea0 Mon Sep 17 00:00:00 2001
|
||||
From b57a1fbfb38399a40f6bde25dd49c82468e97298 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Korbar <tkorbar@redhat.com>
|
||||
Date: Tue, 4 Feb 2025 09:48:12 +0100
|
||||
Subject: [PATCH] Customize unbound.conf for Fedora defaults
|
||||
@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By
|
||||
patching upstream provided config file we would not need to manually
|
||||
update external copy in source RPM.
|
||||
---
|
||||
unbound-1.24.2/doc/example.conf.in | 33 ++++++++++++++++++++++++++++--
|
||||
doc/example.conf.in | 33 +++++++++++++++++++++++++++++++--
|
||||
1 file changed, 31 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/unbound-1.24.2/doc/example.conf.in b/unbound-1.24.2/doc/example.conf.in
|
||||
index fda565c..cf10b85 100644
|
||||
--- a/unbound-1.24.2/doc/example.conf.in
|
||||
+++ b/unbound-1.24.2/doc/example.conf.in
|
||||
diff --git a/unbound-1.25.1/doc/example.conf.in b/unbound-1.25.1/doc/example.conf.in
|
||||
index 2c6d63409..d722fc4dd 100644
|
||||
--- a/unbound-1.25.1/doc/example.conf.in
|
||||
+++ b/unbound-1.25.1/doc/example.conf.in
|
||||
@@ -51,11 +51,19 @@ server:
|
||||
# specify 0.0.0.0 and ::0 to bind to all available interfaces.
|
||||
# specify every interface[@port] on a new 'interface:' labelled line.
|
||||
@ -23,7 +23,7 @@ index fda565c..cf10b85 100644
|
||||
# interface: 192.0.2.153
|
||||
# interface: 192.0.2.154
|
||||
# interface: 192.0.2.154@5003
|
||||
# interface: 2001:DB8::5
|
||||
# interface: 2001:db8::5
|
||||
# interface: eth0@5003
|
||||
+ #
|
||||
+ # for dns over tls and raw dns over port 80
|
||||
@ -34,7 +34,7 @@ index fda565c..cf10b85 100644
|
||||
|
||||
# enable this feature to copy the source address of queries to reply.
|
||||
# Socket options are not supported on all platforms. experimental.
|
||||
@@ -295,6 +303,8 @@ server:
|
||||
@@ -298,6 +306,8 @@ server:
|
||||
# nat64-prefix: 64:ff9b::0/96
|
||||
|
||||
# Enable UDP, "yes" or "no".
|
||||
@ -43,7 +43,7 @@ index fda565c..cf10b85 100644
|
||||
# do-udp: yes
|
||||
|
||||
# Enable TCP, "yes" or "no".
|
||||
@@ -330,6 +340,9 @@ server:
|
||||
@@ -333,6 +343,9 @@ server:
|
||||
# can be dropped. Default is 0, disabled. In seconds, such as 3.
|
||||
# sock-queue-timeout: 0
|
||||
|
||||
@ -53,7 +53,7 @@ index fda565c..cf10b85 100644
|
||||
# Use systemd socket activation for UDP, TCP, and control sockets.
|
||||
# use-systemd: no
|
||||
|
||||
@@ -919,6 +932,8 @@ server:
|
||||
@@ -927,6 +940,8 @@ server:
|
||||
# you need to do the reverse notation yourself.
|
||||
# local-data-ptr: "192.0.2.3 www.example.com"
|
||||
|
||||
@ -62,7 +62,7 @@ index fda565c..cf10b85 100644
|
||||
# tag a localzone with a list of tag names (in "" with spaces between)
|
||||
# local-zone-tag: "example.com" "tag2 tag3"
|
||||
|
||||
@@ -929,8 +944,8 @@ server:
|
||||
@@ -953,8 +968,8 @@ server:
|
||||
# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
|
||||
# Give the certificate to use and private key.
|
||||
# default is "" (disabled). requires restart to take effect.
|
||||
@ -73,7 +73,7 @@ index fda565c..cf10b85 100644
|
||||
# tls-port: 853
|
||||
# https-port: 443
|
||||
# quic-port: 853
|
||||
@@ -1184,6 +1199,12 @@ remote-control:
|
||||
@@ -1212,6 +1227,12 @@ remote-control:
|
||||
# unbound-control certificate file.
|
||||
# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
|
||||
|
||||
@ -86,7 +86,7 @@ index fda565c..cf10b85 100644
|
||||
# Stub zones.
|
||||
# Create entries like below, to make all queries for 'example.com' and
|
||||
# 'example.org' go to the given list of nameservers. list zero or more
|
||||
@@ -1204,6 +1225,10 @@ remote-control:
|
||||
@@ -1232,6 +1253,10 @@ remote-control:
|
||||
# name: "example.org"
|
||||
# stub-host: ns.example.com.
|
||||
|
||||
@ -97,7 +97,7 @@ index fda565c..cf10b85 100644
|
||||
# Forward zones
|
||||
# Create entries like below, to make all queries for 'example.com' and
|
||||
# 'example.org' go to the given list of servers. These servers have to handle
|
||||
@@ -1221,6 +1246,10 @@ remote-control:
|
||||
@@ -1249,6 +1274,10 @@ remote-control:
|
||||
# forward-zone:
|
||||
# name: "example.org"
|
||||
# forward-host: fwd.example.com
|
||||
@ -109,5 +109,5 @@ index fda565c..cf10b85 100644
|
||||
# Authority zones
|
||||
# The data for these zones is kept locally, from a file or downloaded.
|
||||
--
|
||||
2.52.0
|
||||
2.54.0
|
||||
|
||||
|
||||
17
unbound.spec
17
unbound.spec
@ -30,8 +30,8 @@
|
||||
|
||||
Summary: Validating, recursive, and caching DNS(SEC) resolver
|
||||
Name: unbound
|
||||
Version: 1.24.2
|
||||
Release: 3%{?extra_version:.%{extra_version}}%{?dist}
|
||||
Version: 1.25.1
|
||||
Release: 1%{?extra_version:.%{extra_version}}%{?dist}
|
||||
License: BSD
|
||||
Url: https://nlnetlabs.nl/projects/unbound/
|
||||
Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
|
||||
@ -63,11 +63,7 @@ Source26: unbound-as112-networks.conf
|
||||
Source27: tmpfiles-unbound-libs.conf
|
||||
|
||||
# Downstream configuration changes
|
||||
Patch1: unbound-fedora-config.patch
|
||||
# https://github.com/NLnetLabs/unbound/pull/1349
|
||||
Patch2: %{forgeurl}/pull/1349.patch#/unbound-1.25-tls-crypto-policy.patch
|
||||
# https://github.com/NLnetLabs/unbound/pull/1401
|
||||
Patch3: %{forgeurl}/pull/1401.patch#/unbound-1.25-tls-crypto-policy-default.patch
|
||||
Patch1: unbound-fedora-config.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: make
|
||||
@ -77,6 +73,7 @@ BuildRequires: openssl-devel
|
||||
BuildRequires: libevent-devel
|
||||
BuildRequires: expat-devel
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: gzip
|
||||
%if 0%{?fedora} || 0%{?rhel} >= 10
|
||||
BuildRequires: gnupg2
|
||||
%endif
|
||||
@ -271,6 +268,7 @@ pushd %{dir_secondary}
|
||||
popd
|
||||
%endif
|
||||
|
||||
gzip --best -k doc/Changelog
|
||||
|
||||
%install
|
||||
install -p -m 0644 %{SOURCE16} .
|
||||
@ -424,6 +422,7 @@ popd
|
||||
|
||||
%files
|
||||
%doc doc/CREDITS doc/FEATURES
|
||||
%doc doc/Changelog.*
|
||||
%{_unitdir}/%{name}.service
|
||||
%{_unitdir}/%{name}-keygen.service
|
||||
%attr(0775,unbound,root) %dir %{_rundir}/%{name}
|
||||
@ -509,6 +508,10 @@ popd
|
||||
%{_prefix}/lib/dracut/modules.d/99unbound
|
||||
|
||||
%changelog
|
||||
* Thu Jul 02 2026 Fedor Vorobev <fvorobev@redhat.com> - 1.25.1-1
|
||||
- Update to 1.25.1 (RHEL-187020)
|
||||
- Fixes 11 CVEs: 6 Important, 5 Moderate.
|
||||
|
||||
* Wed Feb 25 2026 Petr Menšík <pemensik@redhat.com> - 1.24.2-3
|
||||
- Install correct trust anchor source in Image Mode (RHEL-127540)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user