diff --git a/unbound-CVE-2011-1922.patch b/unbound-CVE-2011-1922.patch
new file mode 100644
index 0000000..bdcacad
--- /dev/null
+++ b/unbound-CVE-2011-1922.patch
@@ -0,0 +1,11 @@
+diff -Naur unbound-1.4.9/daemon/worker.c unbound-1.4.9-CVE-2011-1922/daemon/worker.c
+--- unbound-1.4.9/daemon/worker.c 2010-11-04 08:35:39.000000000 -0400
++++ unbound-1.4.9-CVE-2011-1922/daemon/worker.c 2011-05-25 15:14:04.888288236 -0400
+@@ -777,6 +777,7 @@
+ qinfo.qtype == LDNS_RR_TYPE_IXFR) {
+ verbose(VERB_ALGO, "worker request: refused zone transfer.");
+ log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
++ ldns_buffer_rewind(c->buffer);
+ LDNS_QR_SET(ldns_buffer_begin(c->buffer));
+ LDNS_RCODE_SET(ldns_buffer_begin(c->buffer),
+ LDNS_RCODE_REFUSED);
diff --git a/unbound.spec b/unbound.spec
index 63e9d2f..975ae97 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -9,7 +9,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.4.9
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
 Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
@@ -20,6 +20,7 @@ Source4: unbound_munin_
 Source5: root.key
 Source6: dlv.isc.org.key
 Patch1: unbound-1.2-glob.patch
+Patch2: unbound-CVE-2011-1922.patch
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -93,6 +94,7 @@ Python modules and extensions for unbound
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1
 %build
 %configure --with-ldns= --with-libevent --with-pthreads --with-ssl \
@@ -199,6 +201,9 @@ fi
 %postun libs -p /sbin/ldconfig
 %changelog
+* Wed May 25 2011 Paul Wouters - 1.4.9-2
+- Applied patch for CVE-2011-1922 DoS vulnerability
+
 * Sun Mar 27 2011 Paul Wouters - 1.4.9-1
 - Updated to 1.4.9
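Review bot: In unbound-CVE-2011-1922.patch the added `ldns_buffer_rewind(c->buffer);` covers only the AXFR/IXFR refusal branch, and the enclosing function in daemon/worker.c starts and ends outside the hunk. Any other early-reply path there that sets QR/RCODE in place on `c->buffer` and sends it back may need the same rewind, so the backport should be compared against the complete upstream fix. The patch file also has no header and the new line has no comment. I would add a short description above the `diff -Naur` line, such as `Rewind the reply buffer before answering REFUSED to zone-transfer queries (CVE-2011-1922); upstream reference: <upstream commit or advisory>`. A packaging check that the built daemon answers a zone-transfer query with REFUSED and keeps running would confirm the backport took effect.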