From fd244ccdade4b9f4901c9f8cd3b58a3e56143b86 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Thu, 11 Apr 2024 13:19:56 +0000
Subject: [PATCH] import UBI unbound-1.16.2-5.el8_9.6
---
SOURCES/remote-control.conf | 9 +++++++++
SOURCES/unbound.conf | 6 ++----
SPECS/unbound.spec | 16 +++++++++++++++-
3 files changed, 26 insertions(+), 5 deletions(-)
create mode 100644 SOURCES/remote-control.conf
diff --git a/SOURCES/remote-control.conf b/SOURCES/remote-control.conf
new file mode 100644
index 0000000..90072d3
--- /dev/null
+++ b/SOURCES/remote-control.conf
@@ -0,0 +1,9 @@
+# Remote control config section update.
+# Previous defaults allowed any process to change settings, CVE-2024-1488
+remote-control:
+ # set to an absolute path to use a unix local name pipe, certificates
+ # are not used for that, so key and cert files need not be present.
+ control-interface: "/run/unbound/control"
+
+ # For local sockets this option is ignored, and TLS is not used.
+ control-use-cert: "yes"
diff --git a/SOURCES/unbound.conf b/SOURCES/unbound.conf
index 977d39f..18fad43 100644
--- a/SOURCES/unbound.conf
+++ b/SOURCES/unbound.conf
@@ -989,6 +989,7 @@ remote-control: # Set to no and use an absolute path as control-interface to use # a unix local named pipe for unbound-control. + # For local sockets this option is ignored, and TLS is not used. # control-use-cert: yes # what interfaces are listened to for remote control.
@@ -997,14 +998,11 @@ remote-control: # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 + # moved to /etc/unbound/conf.d/remote-control.conf # port number for remote control operations. # control-port: 8953 - # for localhost, you can disable use of TLS by setting this to "no" - # For local sockets this option is ignored, and TLS is not used. - control-use-cert: "no" - # Unbound server key file. server-key-file: "/etc/unbound/unbound_server.key"
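Review bot: In the new SOURCES/remote-control.conf, `control-use-cert: "yes"` does nothing for the interface that is actually configured, because the comment directly above it states the option is ignored for local sockets. With `control-interface: "/run/unbound/control"`, access to the control channel is decided only by the ownership and mode of that socket and its directory, which this patch does not show. The header comment should say so, for example `# Access is limited by the permissions of /run/unbound/control; control-use-cert only matters if an IP control-interface is also configured.` It is also worth confirming how this drop-in combines with `control-interface` lines in a locally modified unbound.conf: the two commented examples there suggest the option can be given more than once, so a TCP listener an administrator enabled earlier may stay active next to the socket.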
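Review bot: In the second SOURCES/unbound.conf hunk, the pointer `# moved to /etc/unbound/conf.d/remote-control.conf` is added under the commented `control-interface` examples, while the setting that is actually removed, `control-use-cert: "no"`, sat further down after `control-port`. A reader looking for the old TLS setting finds no trace of it at the place it was removed. I would put the pointer where the setting was and name both options, e.g. `# control-interface and control-use-cert are set in /etc/unbound/conf.d/remote-control.conf`. The effective values now depend on this file including that directory; the include is outside the hunk and should be checked.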
diff --git a/SPECS/unbound.spec b/SPECS/unbound.spec
index b377c7e..3397bd1 100644
--- a/SPECS/unbound.spec
+++ b/SPECS/unbound.spec
@@ -34,7 +34,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.16.2 -Release: 5%{?extra_version:.%{extra_version}}%{?dist}.2 +Release: 5%{?extra_version:.%{extra_version}}%{?dist}.6 License: BSD Url: https://www.unbound.net/ Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@@ -55,6 +55,7 @@ Source15: unbound-anchor.timer Source16: unbound-munin.README Source17: unbound-anchor.service Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc +Source21: remote-control.conf # Reverts ABI change done in version 1.8.0 (bz#2027735) # Makes possible backward binary compatibility with a new features
@@ -286,6 +287,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d} install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ +install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/ # Link unbound-control-setup.8 manpage to unbound-control.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
@@ -433,6 +435,18 @@ popd %verify(not md5 size mtime) %{_sharedstatedir}/%{name}/root.key %changelog +* Wed Apr 03 2024 Petr Menšík - 1.16.2-5.6 +- Rebuilt again with z-stream target + +* Wed Apr 03 2024 Petr Menšík - 1.16.2-5.5 +- Correct typo in new config file + +* Mon Mar 11 2024 Petr Menšík - 1.16.2-5.4 +- Ensure group access correction reaches also updated configs (CVE-2024-1488) + +* Wed Feb 28 2024 Petr Menšík - 1.16.2-5.3 +- Ensure only unbound group can change configuration (CVE-2024-1488) + * Mon Feb 19 2024 Tomas Korbar - 1.16.2-5.2 - Fix wrong entry in changelog - Resolves: RHEL-25634
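Review bot: The added `install -p -m 0644 %{SOURCE21} ...conf.d/` line in the %install hunk ships the CVE-2024-1488 change as a configuration file, but no hunk of this patch touches %files. Its `%config` handling, owner and mode in the package therefore come from an existing entry that is not visible here. If that entry is `%config(noreplace)`, a locally edited remote-control.conf would keep its old contents on update and miss later corrections to these defaults; please confirm which form is used. A short comment above the install line would help, e.g. `# remote-control.conf: unbound-control socket defaults for CVE-2024-1488`. The neighbouring `install -p` lines pass no `-m` and so get install's default mode; if they are plain configuration files they could take `-m 0644` as well.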