From c80eb42b5faf504b672e1fbabba30ca58db649fd Mon Sep 17 00:00:00 2001 From: Fedor Vorobev Date: Thu, 2 Jul 2026 12:39:22 +0200 Subject: [PATCH] Update to 1.25.1 This release contains fixes for 11 CVEs. See https://nlnetlabs.nl/projects/unbound/security-advisories/ for additional information. Resolves: RHEL-177800 Resolves: RHEL-177821 Resolves: RHEL-177919 Resolves: RHEL-184834 Resolves: RHEL-186687 Resolves: RHEL-187093 Resolves: RHEL-187343 Resolves: RHEL-191732 Resolves: RHEL-191734 Resolves: RHEL-191737 Resolves: RHEL-191739 Resolves-Vulnerability: CVE-2026-42959 Resolves-Vulnerability: CVE-2026-33278 Resolves-Vulnerability: CVE-2026-42944 Resolves-Vulnerability: CVE-2026-40622 Resolves-Vulnerability: CVE-2026-44390 Resolves-Vulnerability: CVE-2026-42534 Resolves-Vulnerability: CVE-2026-41292 Resolves-Vulnerability: CVE-2026-32792 Resolves-Vulnerability: CVE-2026-42923 Resolves-Vulnerability: CVE-2026-42960 Resolves-Vulnerability: CVE-2026-44608 --- sources | 4 +- unbound-1.25-tls-crypto-policy-default.patch | 61 --- unbound-1.25-tls-crypto-policy.patch | 483 ------------------- unbound-1.8.0-rh1633874.patch | 39 -- unbound-1.8.1-keygen-group-rights.patch | 29 -- unbound-1.8.2-dns64.patch | 13 - unbound-fedora-config.patch | 30 +- unbound.spec | 17 +- 8 files changed, 27 insertions(+), 649 deletions(-) delete mode 100644 unbound-1.25-tls-crypto-policy-default.patch delete mode 100644 unbound-1.25-tls-crypto-policy.patch delete mode 100644 unbound-1.8.0-rh1633874.patch delete mode 100644 unbound-1.8.1-keygen-group-rights.patch delete mode 100644 unbound-1.8.2-dns64.patch diff --git a/sources b/sources index 7d4806d..e5856eb 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (unbound-1.24.2.tar.gz) = 655d63ec5305323e84d82691425d74d98c332d0028517bd729d191e5f968ce9481b49ec7447d4c4906dce7997a998a115db36e911a59d2d877da5840c2080261 -SHA512 (unbound-1.24.2.tar.gz.asc) = 66a3e569a606cc3ed7dac9b411fba347da150728427619bdbf12ac57a5d7db1fc17963b1ba052a95d6c6fed67a6f0c1b5920318f6cd34e5091750626dd63fb21 +SHA512 (unbound-1.25.1.tar.gz) = a536ff1d9b637e4ffa46ab498919ddf089b4498e65c748748c4920a6da52e1f5bacfbba9ac1dc47798d168e2ea64a7ae7ea2a581464d1fcabae241a6e38c8d13 +SHA512 (unbound-1.25.1.tar.gz.asc) = 307ce54a35c47e19dda75154424fe8e35382605cb3541ab2c16f567e28c44cfcace5aa14ca8c18d272647b8ef70cfc75f51c27cb0587bc51bd82d074380825aa diff --git a/unbound-1.25-tls-crypto-policy-default.patch b/unbound-1.25-tls-crypto-policy-default.patch deleted file mode 100644 index 7b532eb..0000000 --- a/unbound-1.25-tls-crypto-policy-default.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 87e5c3ccad91c72166ed72c7366d8681308d84a8 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Mon, 9 Feb 2026 15:40:51 +0100 -Subject: [PATCH] Add a new build-time option for system TLS - -We want to use crypto-policy provided configuration always in our -builds. Allow changing the default of tls-use-system-policy-versions at -build time by a simple configure parameter. ---- - unbound-1.24.2/configure.ac | 11 +++++++++++ - unbound-1.24.2/util/config_file.c | 5 ++++- - 2 files changed, 15 insertions(+), 1 deletion(-) - -diff --git a/unbound-1.24.2/configure.ac b/unbound-1.24.2/configure.ac -index 6a43fd5..13c910f 100644 ---- a/unbound-1.24.2/configure.ac -+++ b/unbound-1.24.2/configure.ac -@@ -2067,6 +2067,17 @@ case "$enable_ipsecmod" in - ;; - esac - -+# check for system TLS preference if requested -+AC_ARG_ENABLE(system-tls, AS_HELP_STRING([--enable-system-tls],[Enable preference of system configured TLS socket options])) -+case "$enable_system_tls" in -+ yes) -+ AC_DEFINE([USE_SYSTEM_TLS], [1], [Define to 1 to prefer TLS crypto settings from the system.]) -+ ;; -+ no|*) -+ # nothing -+ ;; -+esac -+ - # check for ipset if requested - AC_ARG_ENABLE(ipset, AS_HELP_STRING([--enable-ipset],[enable ipset module])) - case "$enable_ipset" in -diff --git a/unbound-1.24.2/util/config_file.c b/unbound-1.24.2/util/config_file.c -index 1565b05..8079ec9 100644 ---- a/unbound-1.24.2/util/config_file.c -+++ b/unbound-1.24.2/util/config_file.c -@@ -71,6 +71,9 @@ - #ifdef HAVE_PWD_H - #include - #endif -+#ifndef USE_SYSTEM_TLS -+#define USE_SYSTEM_TLS 0 -+#endif - - /** from cfg username, after daemonize setup performed */ - uid_t cfg_uid = (uid_t)-1; -@@ -129,7 +132,7 @@ config_create(void) - cfg->tls_cert_bundle = NULL; - cfg->tls_win_cert = 0; - cfg->tls_use_sni = 1; -- cfg->tls_use_system_policy_versions = 0; -+ cfg->tls_use_system_policy_versions = USE_SYSTEM_TLS; - cfg->https_port = UNBOUND_DNS_OVER_HTTPS_PORT; - if(!(cfg->http_endpoint = strdup("/dns-query"))) goto error_exit; - cfg->http_max_streams = 100; --- -2.52.0 - diff --git a/unbound-1.25-tls-crypto-policy.patch b/unbound-1.25-tls-crypto-policy.patch deleted file mode 100644 index 7f6f911..0000000 --- a/unbound-1.25-tls-crypto-policy.patch +++ /dev/null @@ -1,483 +0,0 @@ -From 315d29b33f9766e7ecb91fcfd4c1238d92aefd9e Mon Sep 17 00:00:00 2001 -From: Yorgos Thessalonikefs -Date: Mon, 22 Sep 2025 18:22:36 +0200 -Subject: [PATCH] - Fix #1346: [FR] Please allow back TLS 1.2. - 'tls-use-system-policy-versions' is introduced to allow Unbound to use any - system available TLS version when serving TLS. - ---- - unbound-1.24.2/daemon/remote.c | 2 +- - unbound-1.24.2/daemon/unbound.c | 2 +- - unbound-1.24.2/dnstap/unbound-dnstap-socket.c | 2 +- - unbound-1.24.2/doc/example.conf.in | 26 ++++++--- - unbound-1.24.2/doc/unbound.conf.5.in | 55 ++++++++++++++----- - unbound-1.24.2/doc/unbound.conf.rst | 32 ++++++++--- - unbound-1.24.2/util/config_file.c | 3 + - unbound-1.24.2/util/config_file.h | 2 + - unbound-1.24.2/util/configlexer.lex | 1 + - unbound-1.24.2/util/configparser.y | 11 ++++ - unbound-1.24.2/util/net_help.c | 54 +++++++++--------- - unbound-1.24.2/util/net_help.h | 8 ++- - unbound-1.24.2/winrc/win_svc.c | 4 +- - 13 files changed, 138 insertions(+), 64 deletions(-) - -diff --git a/unbound-1.24.2/daemon/remote.c b/unbound-1.24.2/daemon/remote.c -index d8ee7fa..06d1d34 100644 ---- a/unbound-1.24.2/daemon/remote.c -+++ b/unbound-1.24.2/daemon/remote.c -@@ -153,7 +153,7 @@ remote_setup_ctx(struct daemon_remote* rc, struct config_file* cfg) - log_crypto_err("could not SSL_CTX_new"); - return 0; - } -- if(!listen_sslctx_setup(rc->ctx)) { -+ if(!listen_sslctx_setup(rc->ctx, cfg->tls_use_system_policy_versions)) { - return 0; - } - -diff --git a/unbound-1.24.2/daemon/unbound.c b/unbound-1.24.2/daemon/unbound.c -index 164d0fb..6888047 100644 ---- a/unbound-1.24.2/daemon/unbound.c -+++ b/unbound-1.24.2/daemon/unbound.c -@@ -473,7 +473,7 @@ setup_listen_sslctx(void** ctx, int is_dot, int is_doh, struct config_file* cfg) - cfg->tls_ciphers, cfg->tls_ciphersuites, - (cfg->tls_session_ticket_keys.first && - cfg->tls_session_ticket_keys.first->str[0] != 0), -- is_dot, is_doh))) { -+ is_dot, is_doh, cfg->tls_use_system_policy_versions))) { - fatal_exit("could not set up listen SSL_CTX"); - } - } -diff --git a/unbound-1.24.2/dnstap/unbound-dnstap-socket.c b/unbound-1.24.2/dnstap/unbound-dnstap-socket.c -index a01627d..c0d344c 100644 ---- a/unbound-1.24.2/dnstap/unbound-dnstap-socket.c -+++ b/unbound-1.24.2/dnstap/unbound-dnstap-socket.c -@@ -347,7 +347,7 @@ static struct tap_socket* tap_socket_new_tlsaccept(char* ip, - s->ev_cb = ev_cb; - s->data = data; - s->sslctx = listen_sslctx_create(server_key, server_cert, verifypem, -- NULL, NULL, 0, 0, 0); -+ NULL, NULL, 0, 0, 0, 0); - if(!s->sslctx) { - log_err("could not create ssl context"); - free(s->ip); -diff --git a/unbound-1.24.2/doc/example.conf.in b/unbound-1.24.2/doc/example.conf.in -index cf10b85..ecdc65c 100644 ---- a/unbound-1.24.2/doc/example.conf.in -+++ b/unbound-1.24.2/doc/example.conf.in -@@ -950,21 +950,26 @@ server: - # https-port: 443 - # quic-port: 853 - -+ # Also serve tls on these port numbers (eg. 443, ...), by listing -+ # tls-additional-port: portno for each of the port numbers. -+ - # cipher setting for TLSv1.2 - # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" - # cipher setting for TLSv1.3 - # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" - -- # Pad responses to padded queries received over TLS -- # pad-responses: yes -- -- # Padded responses will be padded to the closest multiple of this size. -- # pad-responses-block-size: 468 -- - # Use the SNI extension for TLS connections. Default is yes. - # Changing the value requires a reload. - # tls-use-sni: yes - -+ # Allow general-purpose version-flexible TLS server configuration that -+ # may be further restricted by the system's policy. -+ # Use only if you want to support legacy TLS client connections. -+ # Default is no and Unbound will only use the latest available TLS -+ # version. -+ # Changing the value requires a reload. -+ # tls-use-system-policy-versions: no -+ - # Add the secret file for TLS Session Ticket. - # Secret file must be 80 bytes of random data. - # First key use to encrypt and decrypt TLS session tickets. -@@ -985,15 +990,18 @@ server: - # and on other systems, the default openssl certificates - # tls-system-cert: no - -+ # Pad responses to padded queries received over TLS -+ # pad-responses: yes -+ -+ # Padded responses will be padded to the closest multiple of this size. -+ # pad-responses-block-size: 468 -+ - # Pad queries over TLS upstreams - # pad-queries: yes - - # Padded queries will be padded to the closest multiple of this size. - # pad-queries-block-size: 128 - -- # Also serve tls on these port numbers (eg. 443, ...), by listing -- # tls-additional-port: portno for each of the port numbers. -- - # HTTP endpoint to provide DNS-over-HTTPS service on. - # http-endpoint: "/dns-query" - -diff --git a/unbound-1.24.2/doc/unbound.conf.5.in b/unbound-1.24.2/doc/unbound.conf.5.in -index a5857ac..7ec7860 100644 ---- a/unbound-1.24.2/doc/unbound.conf.5.in -+++ b/unbound-1.24.2/doc/unbound.conf.5.in -@@ -1218,6 +1218,47 @@ Default: \(dq\(dq - .UNINDENT - .INDENT 0.0 - .TP -+.B tls\-use\-sni: \fI\fP -+Enable or disable sending the SNI extension on TLS connections. -+.sp -+\fBNOTE:\fP -+.INDENT 7.0 -+.INDENT 3.5 -+Changing the value requires a reload. -+.UNINDENT -+.UNINDENT -+.sp -+Default: yes -+.UNINDENT -+.INDENT 0.0 -+.TP -+.B tls\-use\-system\-policy\-versions: \fI\fP -+Enable or disable general\-puspose version\-flexible TLS server configuration -+when serving TLS. -+This will allow the whole list of available TLS versions provided by the -+crypto library, which may have been further restricted by the system\(aqs -+crypto policy. -+.sp -+By default Unbound only uses the latest available TLS version. -+.sp -+\fBCAUTION:\fP -+.INDENT 7.0 -+.INDENT 3.5 -+Use only if you want to support legacy TLS client connections. -+.UNINDENT -+.UNINDENT -+.sp -+\fBNOTE:\fP -+.INDENT 7.0 -+.INDENT 3.5 -+Changing the value requires a reload. -+.UNINDENT -+.UNINDENT -+.sp -+Default: no -+.UNINDENT -+.INDENT 0.0 -+.TP - .B pad\-responses: \fI\fP - If enabled, TLS serviced queries that contained an EDNS Padding option will - cause responses padded to the closest multiple of the size specified in -@@ -1251,20 +1292,6 @@ Default: 128 - .UNINDENT - .INDENT 0.0 - .TP --.B tls\-use\-sni: \fI\fP --Enable or disable sending the SNI extension on TLS connections. --.sp --\fBNOTE:\fP --.INDENT 7.0 --.INDENT 3.5 --Changing the value requires a reload. --.UNINDENT --.UNINDENT --.sp --Default: yes --.UNINDENT --.INDENT 0.0 --.TP - .B https\-port: \fI\fP - The port number on which to provide DNS\-over\-HTTPS service. - Only interfaces configured with that port number as @number get the HTTPS -diff --git a/unbound-1.24.2/doc/unbound.conf.rst b/unbound-1.24.2/doc/unbound.conf.rst -index d83816c..555b1c8 100644 ---- a/unbound-1.24.2/doc/unbound.conf.rst -+++ b/unbound-1.24.2/doc/unbound.conf.rst -@@ -1103,6 +1103,30 @@ These options are part of the **server:** clause. - Default: "" - - -+@@UAHL@unbound.conf@tls-use-sni@@: ** -+ Enable or disable sending the SNI extension on TLS connections. -+ -+ .. note:: Changing the value requires a reload. -+ -+ Default: yes -+ -+ -+@@UAHL@unbound.conf@tls-use-system-policy-versions@@: ** -+ Enable or disable general-puspose version-flexible TLS server configuration -+ when serving TLS. -+ This will allow the whole list of available TLS versions provided by the -+ crypto library, which may have been further restricted by the system's -+ crypto policy. -+ -+ By default Unbound only uses the latest available TLS version. -+ -+ .. caution:: Use only if you want to support legacy TLS client connections. -+ -+ .. note:: Changing the value requires a reload. -+ -+ Default: no -+ -+ - @@UAHL@unbound.conf@pad-responses@@: ** - If enabled, TLS serviced queries that contained an EDNS Padding option will - cause responses padded to the closest multiple of the size specified in -@@ -1132,14 +1156,6 @@ These options are part of the **server:** clause. - Default: 128 - - --@@UAHL@unbound.conf@tls-use-sni@@: ** -- Enable or disable sending the SNI extension on TLS connections. -- -- .. note:: Changing the value requires a reload. -- -- Default: yes -- -- - @@UAHL@unbound.conf@https-port@@: ** - The port number on which to provide DNS-over-HTTPS service. - Only interfaces configured with that port number as @number get the HTTPS -diff --git a/unbound-1.24.2/util/config_file.c b/unbound-1.24.2/util/config_file.c -index 25c2b3e..1565b05 100644 ---- a/unbound-1.24.2/util/config_file.c -+++ b/unbound-1.24.2/util/config_file.c -@@ -129,6 +129,7 @@ config_create(void) - cfg->tls_cert_bundle = NULL; - cfg->tls_win_cert = 0; - cfg->tls_use_sni = 1; -+ cfg->tls_use_system_policy_versions = 0; - cfg->https_port = UNBOUND_DNS_OVER_HTTPS_PORT; - if(!(cfg->http_endpoint = strdup("/dns-query"))) goto error_exit; - cfg->http_max_streams = 100; -@@ -629,6 +630,7 @@ int config_set_option(struct config_file* cfg, const char* opt, - else S_STR("tls-ciphers:", tls_ciphers) - else S_STR("tls-ciphersuites:", tls_ciphersuites) - else S_YNO("tls-use-sni:", tls_use_sni) -+ else S_YNO("tls-use-system-policy-versions:", tls_use_system_policy_versions) - else S_NUMBER_NONZERO("https-port:", https_port) - else S_STR("http-endpoint:", http_endpoint) - else S_NUMBER_NONZERO("http-max-streams:", http_max_streams) -@@ -1181,6 +1183,7 @@ config_get_option(struct config_file* cfg, const char* opt, - else O_STR(opt, "tls-ciphers", tls_ciphers) - else O_STR(opt, "tls-ciphersuites", tls_ciphersuites) - else O_YNO(opt, "tls-use-sni", tls_use_sni) -+ else O_YNO(opt, "tls-use-system-policy-versions", tls_use_system_policy_versions) - else O_DEC(opt, "https-port", https_port) - else O_STR(opt, "http-endpoint", http_endpoint) - else O_UNS(opt, "http-max-streams", http_max_streams) -diff --git a/unbound-1.24.2/util/config_file.h b/unbound-1.24.2/util/config_file.h -index f77538b..59b4ae5 100644 ---- a/unbound-1.24.2/util/config_file.h -+++ b/unbound-1.24.2/util/config_file.h -@@ -148,6 +148,8 @@ struct config_file { - char* tls_ciphersuites; - /** if SNI is to be used */ - int tls_use_sni; -+ /** if all TLS versions can be used; based on system policy (if any) */ -+ int tls_use_system_policy_versions; - - /** port on which to provide DNS over HTTPS service */ - int https_port; -diff --git a/unbound-1.24.2/util/configlexer.lex b/unbound-1.24.2/util/configlexer.lex -index 0ba8d60..22f98e4 100644 ---- a/unbound-1.24.2/util/configlexer.lex -+++ b/unbound-1.24.2/util/configlexer.lex -@@ -262,6 +262,7 @@ tls-session-ticket-keys{COLON} { YDVAR(1, VAR_TLS_SESSION_TICKET_KEYS) } - tls-ciphers{COLON} { YDVAR(1, VAR_TLS_CIPHERS) } - tls-ciphersuites{COLON} { YDVAR(1, VAR_TLS_CIPHERSUITES) } - tls-use-sni{COLON} { YDVAR(1, VAR_TLS_USE_SNI) } -+tls-use-system-policy-versions{COLON} { YDVAR(1, VAR_TLS_USE_SYSTEM_POLICY_VERSIONS) } - https-port{COLON} { YDVAR(1, VAR_HTTPS_PORT) } - http-endpoint{COLON} { YDVAR(1, VAR_HTTP_ENDPOINT) } - http-max-streams{COLON} { YDVAR(1, VAR_HTTP_MAX_STREAMS) } -diff --git a/unbound-1.24.2/util/configparser.y b/unbound-1.24.2/util/configparser.y -index bef1fd3..bf9c196 100644 ---- a/unbound-1.24.2/util/configparser.y -+++ b/unbound-1.24.2/util/configparser.y -@@ -199,6 +199,7 @@ extern struct config_parser_state* cfg_parser; - %token VAR_DISCARD_TIMEOUT VAR_WAIT_LIMIT VAR_WAIT_LIMIT_COOKIE - %token VAR_WAIT_LIMIT_NETBLOCK VAR_WAIT_LIMIT_COOKIE_NETBLOCK - %token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES VAR_TLS_USE_SNI -+%token VAR_TLS_USE_SYSTEM_POLICY_VERSIONS - %token VAR_IPSET VAR_IPSET_NAME_V4 VAR_IPSET_NAME_V6 - %token VAR_TLS_SESSION_TICKET_KEYS VAR_RPZ VAR_TAGS VAR_RPZ_ACTION_OVERRIDE - %token VAR_RPZ_CNAME_OVERRIDE VAR_RPZ_LOG VAR_RPZ_LOG_NAME -@@ -347,6 +348,7 @@ content_server: server_num_threads | server_verbosity | server_port | - server_tls_ciphersuites | server_tls_session_ticket_keys | - server_answer_cookie | server_cookie_secret | server_ip_ratelimit_cookie | - server_tls_use_sni | server_edns_client_string | -+ server_tls_use_system_policy_versions | - server_edns_client_string_opcode | server_nsid | - server_zonemd_permissive_mode | server_max_reuse_tcp_queries | - server_tcp_reuse_timeout | server_tcp_auth_query_timeout | -@@ -1155,6 +1157,15 @@ server_tls_use_sni: VAR_TLS_USE_SNI STRING_ARG - free($2); - } - ; -+server_tls_use_system_policy_versions: VAR_TLS_USE_SYSTEM_POLICY_VERSIONS STRING_ARG -+ { -+ OUTYY(("P(server_tls_use_system_policy_versions:%s)\n", $2)); -+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) -+ yyerror("expected yes or no."); -+ else cfg_parser->cfg->tls_use_system_policy_versions = (strcmp($2, "yes")==0); -+ free($2); -+ } -+ ; - server_https_port: VAR_HTTPS_PORT STRING_ARG - { - OUTYY(("P(server_https_port:%s)\n", $2)); -diff --git a/unbound-1.24.2/util/net_help.c b/unbound-1.24.2/util/net_help.c -index 6ce0d91..426ace9 100644 ---- a/unbound-1.24.2/util/net_help.c -+++ b/unbound-1.24.2/util/net_help.c -@@ -1226,7 +1226,7 @@ setup_ticket_keys_cb(void* sslctx) - #endif /* HAVE_SSL */ - - int --listen_sslctx_setup(void* ctxt) -+listen_sslctx_setup(void* ctxt, int use_system_versions) - { - #ifdef HAVE_SSL - SSL_CTX* ctx = (SSL_CTX*)ctxt; -@@ -1238,35 +1238,37 @@ listen_sslctx_setup(void* ctxt) - return 0; - } - #endif -- if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3) -- != SSL_OP_NO_SSLv3){ -- log_crypto_err("could not set SSL_OP_NO_SSLv3"); -- return 0; -- } -+ if(!use_system_versions) { -+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3) -+ != SSL_OP_NO_SSLv3){ -+ log_crypto_err("could not set SSL_OP_NO_SSLv3"); -+ return 0; -+ } - #if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1) -- /* if we have tls 1.1 disable 1.0 */ -- if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1) -- != SSL_OP_NO_TLSv1){ -- log_crypto_err("could not set SSL_OP_NO_TLSv1"); -- return 0; -- } -+ /* if we have tls 1.1 disable 1.0 */ -+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1) -+ != SSL_OP_NO_TLSv1){ -+ log_crypto_err("could not set SSL_OP_NO_TLSv1"); -+ return 0; -+ } - #endif - #if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2) -- /* if we have tls 1.2 disable 1.1 */ -- if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1) -- != SSL_OP_NO_TLSv1_1){ -- log_crypto_err("could not set SSL_OP_NO_TLSv1_1"); -- return 0; -- } -+ /* if we have tls 1.2 disable 1.1 */ -+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1) -+ != SSL_OP_NO_TLSv1_1){ -+ log_crypto_err("could not set SSL_OP_NO_TLSv1_1"); -+ return 0; -+ } - #endif - #if defined(SSL_OP_NO_TLSv1_2) && defined(SSL_OP_NO_TLSv1_3) -- /* if we have tls 1.3 disable 1.2 */ -- if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2) & SSL_OP_NO_TLSv1_2) -- != SSL_OP_NO_TLSv1_2){ -- log_crypto_err("could not set SSL_OP_NO_TLSv1_2"); -- return 0; -- } -+ /* if we have tls 1.3 disable 1.2 */ -+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2) & SSL_OP_NO_TLSv1_2) -+ != SSL_OP_NO_TLSv1_2){ -+ log_crypto_err("could not set SSL_OP_NO_TLSv1_2"); -+ return 0; -+ } - #endif -+ } - #if defined(SSL_OP_NO_RENEGOTIATION) - /* disable client renegotiation */ - if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) & -@@ -1341,7 +1343,7 @@ listen_sslctx_setup_2(void* ctxt) - void* listen_sslctx_create(const char* key, const char* pem, - const char* verifypem, const char* tls_ciphers, - const char* tls_ciphersuites, int set_ticket_keys_cb, -- int is_dot, int is_doh) -+ int is_dot, int is_doh, int use_system_versions) - { - #ifdef HAVE_SSL - SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method()); -@@ -1359,7 +1361,7 @@ void* listen_sslctx_create(const char* key, const char* pem, - SSL_CTX_free(ctx); - return NULL; - } -- if(!listen_sslctx_setup(ctx)) { -+ if(!listen_sslctx_setup(ctx, use_system_versions)) { - SSL_CTX_free(ctx); - return NULL; - } -diff --git a/unbound-1.24.2/util/net_help.h b/unbound-1.24.2/util/net_help.h -index 278e370..7b8a206 100644 ---- a/unbound-1.24.2/util/net_help.h -+++ b/unbound-1.24.2/util/net_help.h -@@ -478,9 +478,11 @@ void log_cert(unsigned level, const char* str, void* cert); - /** - * Set SSL_OP_NOxxx options on SSL context to disable bad crypto - * @param ctxt: SSL_CTX* -+ * @param use_system_versions: rely on the system policy (if any) for allowed -+ * TLS versions - * @return false on failure. - */ --int listen_sslctx_setup(void* ctxt); -+int listen_sslctx_setup(void* ctxt, int use_system_versions); - - /** - * Further setup of listening SSL context, after keys loaded. -@@ -499,12 +501,14 @@ void listen_sslctx_setup_2(void* ctxt); - * to be set. - * @param is_dot: if the TLS connection is for DoT to set the appropriate ALPN. - * @param is_doh: if the TLS connection is for DoH to set the appropriate ALPN. -+ * @param use_system_versions: rely on the system policy (if any) for allowed -+ * TLS versions - * return SSL_CTX* or NULL on failure (logged). - */ - void* listen_sslctx_create(const char* key, const char* pem, - const char* verifypem, const char* tls_ciphers, - const char* tls_ciphersuites, int set_ticket_keys_cb, -- int is_dot, int is_doh); -+ int is_dot, int is_doh, int use_system_versions); - - /** - * create SSL connect context -diff --git a/unbound-1.24.2/winrc/win_svc.c b/unbound-1.24.2/winrc/win_svc.c -index 429b045..6fca0c7 100644 ---- a/unbound-1.24.2/winrc/win_svc.c -+++ b/unbound-1.24.2/winrc/win_svc.c -@@ -369,7 +369,7 @@ service_init(int r, struct daemon** d, struct config_file** c) - cfg->tls_ciphers, cfg->tls_ciphersuites, - (cfg->tls_session_ticket_keys.first && - cfg->tls_session_ticket_keys.first->str[0] != 0), -- 1, 0))) { -+ 1, 0, cfg->tls_use_system_policy_versions))) { - fatal_exit("could not set up listen SSL_CTX"); - } - #ifdef HAVE_NGHTTP2_NGHTTP2_H -@@ -379,7 +379,7 @@ service_init(int r, struct daemon** d, struct config_file** c) - cfg->tls_ciphers, cfg->tls_ciphersuites, - (cfg->tls_session_ticket_keys.first && - cfg->tls_session_ticket_keys.first->str[0] != 0), -- 0, 1))) { -+ 0, 1, cfg->tls_use_system_policy_versions))) { - fatal_exit("could not set up listen doh SSL_CTX"); - } - } --- -2.52.0 - diff --git a/unbound-1.8.0-rh1633874.patch b/unbound-1.8.0-rh1633874.patch deleted file mode 100644 index 6740a66..0000000 --- a/unbound-1.8.0-rh1633874.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 9be04e6fac3f4ee8fa08d3671dac41d2156d2ced Mon Sep 17 00:00:00 2001 -From: Wouter Wijngaards -Date: Thu, 27 Sep 2018 08:19:29 +0000 -Subject: [PATCH] - Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, - fixes qname minimisation with a forwarder when connectivity has issues - from rejecting responses. - -git-svn-id: file:///svn/unbound/trunk@4916 be551aaa-1e26-0410-a405-d3ace91eadb9 ---- - iterator/iterator.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/iterator/iterator.c b/iterator/iterator.c -index 7baf92b7..2f26bd33 100644 ---- a/iterator/iterator.c -+++ b/iterator/iterator.c -@@ -2174,7 +2174,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, - return 0; - } - -- if(iq->minimisation_state == INIT_MINIMISE_STATE) { -+ if(iq->minimisation_state == INIT_MINIMISE_STATE -+ && !(iq->chase_flags & BIT_RD)) { - /* (Re)set qinfo_out to (new) delegation point, except when - * qinfo_out is already a subdomain of dp. This happens when - * increasing by more than one label at once (QNAMEs with more -@@ -2715,7 +2716,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, - sock_list_insert(&qstate->reply_origin, - &qstate->reply->addr, qstate->reply->addrlen, - qstate->region); -- if(iq->minimisation_state != DONOT_MINIMISE_STATE) { -+ if(iq->minimisation_state != DONOT_MINIMISE_STATE -+ && !(iq->chase_flags & BIT_RD)) { - if(FLAGS_GET_RCODE(iq->response->rep->flags) != - LDNS_RCODE_NOERROR) { - if(qstate->env->cfg->qname_minimisation_strict) --- -2.14.4 - diff --git a/unbound-1.8.1-keygen-group-rights.patch b/unbound-1.8.1-keygen-group-rights.patch deleted file mode 100644 index daa9ee8..0000000 --- a/unbound-1.8.1-keygen-group-rights.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 6429b5c298b10b96feb6b90c111948df97269f40 Mon Sep 17 00:00:00 2001 -From: Wouter Wijngaards -Date: Mon, 22 Oct 2018 10:07:13 +0000 -Subject: [PATCH] - Fix #4192: unbound-control-setup generates keys not - readable by group. - -git-svn-id: file:///svn/unbound/trunk@4942 be551aaa-1e26-0410-a405-d3ace91eadb9 ---- - smallapp/unbound-control-setup.sh.in | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/smallapp/unbound-control-setup.sh.in b/smallapp/unbound-control-setup.sh.in -index 0d759f44..f4024b43 100644 ---- a/smallapp/unbound-control-setup.sh.in -+++ b/smallapp/unbound-control-setup.sh.in -@@ -148,8 +148,8 @@ test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem" - # echo "empty password is used, simply click OK on the password dialog box." - # openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate" - --# remove unused permissions --chmod o-rw $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key -+# set desired permissions -+chmod 0640 $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key - - # remove crap - rm -f request.cfg --- -2.14.4 - diff --git a/unbound-1.8.2-dns64.patch b/unbound-1.8.2-dns64.patch deleted file mode 100644 index e811a3c..0000000 --- a/unbound-1.8.2-dns64.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/dns64/dns64.c b/dns64/dns64.c -index 6c81192..77e6890 100644 ---- a/dns64/dns64.c -+++ b/dns64/dns64.c -@@ -925,7 +925,7 @@ dns64_inform_super(struct module_qstate* qstate, int id, - * successful or not. This lets the state machine terminate. - */ - if(!super_dq) { -- super_dq = (struct dns64_qstate*)regional_alloc(qstate->region, -+ super_dq = (struct dns64_qstate*)regional_alloc(super->region, - sizeof(*super_dq)); - super->minfo[id] = super_dq; - memset(super_dq, 0, sizeof(*super_dq)); diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch index 6fc5649..d6cb0cd 100644 --- a/unbound-fedora-config.patch +++ b/unbound-fedora-config.patch @@ -1,4 +1,4 @@ -From a8be97bada623287cdd911c7a4549bbceef9fea0 Mon Sep 17 00:00:00 2001 +From b57a1fbfb38399a40f6bde25dd49c82468e97298 Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Tue, 4 Feb 2025 09:48:12 +0100 Subject: [PATCH] Customize unbound.conf for Fedora defaults @@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By patching upstream provided config file we would not need to manually update external copy in source RPM. --- - unbound-1.24.2/doc/example.conf.in | 33 ++++++++++++++++++++++++++++-- + doc/example.conf.in | 33 +++++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) -diff --git a/unbound-1.24.2/doc/example.conf.in b/unbound-1.24.2/doc/example.conf.in -index fda565c..cf10b85 100644 ---- a/unbound-1.24.2/doc/example.conf.in -+++ b/unbound-1.24.2/doc/example.conf.in +diff --git a/unbound-1.25.1/doc/example.conf.in b/unbound-1.25.1/doc/example.conf.in +index 2c6d63409..d722fc4dd 100644 +--- a/unbound-1.25.1/doc/example.conf.in ++++ b/unbound-1.25.1/doc/example.conf.in @@ -51,11 +51,19 @@ server: # specify 0.0.0.0 and ::0 to bind to all available interfaces. # specify every interface[@port] on a new 'interface:' labelled line. @@ -23,7 +23,7 @@ index fda565c..cf10b85 100644 # interface: 192.0.2.153 # interface: 192.0.2.154 # interface: 192.0.2.154@5003 - # interface: 2001:DB8::5 + # interface: 2001:db8::5 # interface: eth0@5003 + # + # for dns over tls and raw dns over port 80 @@ -34,7 +34,7 @@ index fda565c..cf10b85 100644 # enable this feature to copy the source address of queries to reply. # Socket options are not supported on all platforms. experimental. -@@ -295,6 +303,8 @@ server: +@@ -298,6 +306,8 @@ server: # nat64-prefix: 64:ff9b::0/96 # Enable UDP, "yes" or "no". @@ -43,7 +43,7 @@ index fda565c..cf10b85 100644 # do-udp: yes # Enable TCP, "yes" or "no". -@@ -330,6 +340,9 @@ server: +@@ -333,6 +343,9 @@ server: # can be dropped. Default is 0, disabled. In seconds, such as 3. # sock-queue-timeout: 0 @@ -53,7 +53,7 @@ index fda565c..cf10b85 100644 # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no -@@ -919,6 +932,8 @@ server: +@@ -927,6 +940,8 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" @@ -62,7 +62,7 @@ index fda565c..cf10b85 100644 # tag a localzone with a list of tag names (in "" with spaces between) # local-zone-tag: "example.com" "tag2 tag3" -@@ -929,8 +944,8 @@ server: +@@ -953,8 +968,8 @@ server: # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. @@ -73,7 +73,7 @@ index fda565c..cf10b85 100644 # tls-port: 853 # https-port: 443 # quic-port: 853 -@@ -1184,6 +1199,12 @@ remote-control: +@@ -1212,6 +1227,12 @@ remote-control: # unbound-control certificate file. # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" @@ -86,7 +86,7 @@ index fda565c..cf10b85 100644 # Stub zones. # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of nameservers. list zero or more -@@ -1204,6 +1225,10 @@ remote-control: +@@ -1232,6 +1253,10 @@ remote-control: # name: "example.org" # stub-host: ns.example.com. @@ -97,7 +97,7 @@ index fda565c..cf10b85 100644 # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle -@@ -1221,6 +1246,10 @@ remote-control: +@@ -1249,6 +1274,10 @@ remote-control: # forward-zone: # name: "example.org" # forward-host: fwd.example.com @@ -109,5 +109,5 @@ index fda565c..cf10b85 100644 # Authority zones # The data for these zones is kept locally, from a file or downloaded. -- -2.52.0 +2.54.0 diff --git a/unbound.spec b/unbound.spec index 360ad8a..8eefbc9 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,8 +30,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.24.2 -Release: 3%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.25.1 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -63,11 +63,7 @@ Source26: unbound-as112-networks.conf Source27: tmpfiles-unbound-libs.conf # Downstream configuration changes -Patch1: unbound-fedora-config.patch -# https://github.com/NLnetLabs/unbound/pull/1349 -Patch2: %{forgeurl}/pull/1349.patch#/unbound-1.25-tls-crypto-policy.patch -# https://github.com/NLnetLabs/unbound/pull/1401 -Patch3: %{forgeurl}/pull/1401.patch#/unbound-1.25-tls-crypto-policy-default.patch +Patch1: unbound-fedora-config.patch BuildRequires: gcc BuildRequires: make @@ -77,6 +73,7 @@ BuildRequires: openssl-devel BuildRequires: libevent-devel BuildRequires: expat-devel BuildRequires: pkgconfig +BuildRequires: gzip %if 0%{?fedora} || 0%{?rhel} >= 10 BuildRequires: gnupg2 %endif @@ -271,6 +268,7 @@ pushd %{dir_secondary} popd %endif +gzip --best -k doc/Changelog %install install -p -m 0644 %{SOURCE16} . @@ -424,6 +422,7 @@ popd %files %doc doc/CREDITS doc/FEATURES +%doc doc/Changelog.* %{_unitdir}/%{name}.service %{_unitdir}/%{name}-keygen.service %attr(0775,unbound,root) %dir %{_rundir}/%{name} @@ -509,6 +508,10 @@ popd %{_prefix}/lib/dracut/modules.d/99unbound %changelog +* Thu Jul 02 2026 Fedor Vorobev - 1.25.1-1 +- Update to 1.25.1 (RHEL-187020) +- Fixes 11 CVEs: 6 Important, 5 Moderate. + * Wed Feb 25 2026 Petr Menšík - 1.24.2-3 - Install correct trust anchor source in Image Mode (RHEL-127540)