import UBI unbound-1.20.0-15.el10_1

eabdullin 2025-12-18 11:32:48 +00:00
parent a658676961
commit dd8fb0a745
2 changed files with 46 additions and 2 deletions


@ -0,0 +1,31 @@
From bf85823eb03d749ef2beb7b22464d1d0bb9f5952 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 14 Jan 2025 13:55:10 +0100
Subject: [PATCH] Add unbound members group access to control key
Recent openssl genrsa does not use umask for generated keys. There is no
strong reason why every member of unbound group should be able read
server key. But control key would be quite useful to be group readable
and to allow control access to whole group. Allowing access to control
by group membership, not via sudo.
---
unbound-1.20.0/smallapp/unbound-control-setup.sh.in | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/unbound-1.20.0/smallapp/unbound-control-setup.sh.in b/unbound-1.20.0/smallapp/unbound-control-setup.sh.in
index eaf1d08..c38c186 100644
--- a/unbound-1.20.0/smallapp/unbound-control-setup.sh.in
+++ b/unbound-1.20.0/smallapp/unbound-control-setup.sh.in
@@ -200,7 +200,8 @@ fi
# remove unused permissions
chmod o-rw \
"$SVR_BASE.pem" \
- "$SVR_BASE.key" \
+ "$SVR_BASE.key"
+chmod g+r,o-rw \
"$CTL_BASE.pem" \
"$CTL_BASE.key"
--
2.49.0
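Review bot: The first `chmod` still clears only the "other" bits on `$SVR_BASE.key`, so the script never enforces the owner-only mode the description argues for; it relies on `openssl genrsa` having created the file as 0600. A server key that already exists with group read, presumably from an earlier run under a umask-honouring openssl, would stay group-readable. Making the mode explicit removes that dependency: `chmod o-rw "$SVR_BASE.pem"` followed by `chmod go-rw "$SVR_BASE.key"`. A comment above the second `chmod` should also note that `g+r` on `$CTL_BASE.key` makes membership of the key's owning group equivalent to control access to the resolver, so that group has to be treated as an administrative one. The rest of the script lies outside the hunk, so whether existing keys are regenerated cannot be confirmed here.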


@ -2,7 +2,7 @@
## (rpmautospec version 0.6.5)
## RPMAUTOSPEC: autorelease, autochangelog
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
release_number = 13;
release_number = 15;
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@ -79,6 +79,8 @@ Patch2: unbound-1.21-CVE-2024-8508.patch
# https://github.com/NLnetLabs/unbound/commit/5bf82f246481098a6473f296b21fc1229d276c0f
# https://github.com/NLnetLabs/unbound/commit/a1150078f29e14b36c8e4d9d05a263a5e6abbc5b
Patch3: unbound-1.23.1-CVE-2025-5994.patch
# https://github.com/NLnetLabs/unbound/pull/1220
Patch4: unbound-1.23-unbound-control-perms.patch
BuildRequires: gcc, make
BuildRequires: flex, openssl-devel
@ -440,6 +442,11 @@ fi
%postun anchor
%systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer
%triggerun -- unbound < 1.20.0-14
if [ "$(stat -c '%%a %%G' %{_sysconfdir}/%{name}/unbound_control.key 2>/dev/null)" = '600 unbound' ]; then
%{_bindir}/chmod g+r "%{_sysconfdir}/%{name}/unbound_control.key" || :
fi
%check
pushd %{dir_primary}
#pushd pythonmod
@ -476,7 +483,7 @@ popd
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
%ghost %attr(0600,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
%{_sbindir}/unbound
%{_sbindir}/unbound-checkconf
%{_sbindir}/unbound-control
@ -548,6 +555,12 @@ popd
%changelog
## START: Generated by rpmautospec
* Fri Aug 29 2025 Petr Menšík <pemensik@redhat.com> - 1.20.0-15
- Correct existing unbound_control.key permissions
* Fri Aug 29 2025 Petr Menšík <pemensik@redhat.com> - 1.20.0-14
- Fix permissions of created control and server key
* Mon Jul 28 2025 Tomas Korbar <tkorbar@redhat.com> - 1.20.0-13
- Fix RebirthDay Attack (CVE-2025-5994)
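Review bot: The `%triggerun` scriptlet relaxes an existing `unbound_control.key` from 600 to group-readable, but nothing in this section tightens an existing `unbound_server.key` that was created as 0640 under the previous `%attr`, even though the `%files` entry now declares 0600. Because the entry is `%ghost`, the new mode is probably not applied to a file already on disk during upgrade (worth confirming with `rpm -V` on an upgraded host), which would leave the server private key readable by every member of the `unbound` group. A mirrored guard in the same trigger would close that gap: test for `'640 unbound'` on `unbound_server.key` and run `%{_bindir}/chmod g-r "%{_sysconfdir}/%{name}/unbound_server.key" || :`. The existing `stat` test also compares only mode and group; adding `%%U` and expecting `root` would avoid widening access on a key whose ownership has been changed locally.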