import UBI unbound-1.16.2-5.el8_9.6

SOURCES/remote-control.conf

@@ -0,0 +1,9 @@
+# Remote control config section update.
+# Previous defaults allowed any process to change settings, CVE-2024-1488
+remote-control:
+    # set to an absolute path to use a unix local name pipe, certificates
+    # are not used for that, so key and cert files need not be present.
+    control-interface: "/run/unbound/control"
+
+    # For local sockets this option is ignored, and TLS is not used.
+    control-use-cert: "yes"

SOURCES/unbound.conf

@@ -989,6 +989,7 @@ remote-control:
 
 	# Set to no and use an absolute path as control-interface to use
 	# a unix local named pipe for unbound-control.
+	# For local sockets this option is ignored, and TLS is not used.
 	# control-use-cert: yes
 
 	# what interfaces are listened to for remote control.
@@ -997,14 +998,11 @@ remote-control:
 	# are not used for that, so key and cert files need not be present.
 	# control-interface: 127.0.0.1
 	# control-interface: ::1
+	# moved to /etc/unbound/conf.d/remote-control.conf
 
 	# port number for remote control operations.
 	# control-port: 8953
 
-	# for localhost, you can disable use of TLS by setting this to "no"
-	# For local sockets this option is ignored, and TLS is not used.
-	control-use-cert: "no"
-
 	# Unbound server key file.
 	server-key-file: "/etc/unbound/unbound_server.key"
 

SPECS/unbound.spec

@@ -34,7 +34,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.16.2
-Release: 5%{?extra_version:.%{extra_version}}%{?dist}.2
+Release: 5%{?extra_version:.%{extra_version}}%{?dist}.6
 License: BSD
 Url: https://www.unbound.net/
 Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@@ -55,6 +55,7 @@ Source15: unbound-anchor.timer
 Source16: unbound-munin.README
 Source17: unbound-anchor.service
 Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
+Source21: remote-control.conf
 
 # Reverts ABI change done in version 1.8.0 (bz#2027735)
 # Makes possible backward binary compatibility with a new features
@@ -286,6 +287,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
 install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
 install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
+install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
@@ -433,6 +435,18 @@ popd
 %verify(not md5 size mtime) %{_sharedstatedir}/%{name}/root.key
 
 %changelog
+* Wed Apr 03 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.6
+- Rebuilt again with z-stream target
+
+* Wed Apr 03 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.5
+- Correct typo in new config file
+
+* Mon Mar 11 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.4
+- Ensure group access correction reaches also updated configs (CVE-2024-1488)
+
+* Wed Feb 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.3
+- Ensure only unbound group can change configuration (CVE-2024-1488)
+
 * Mon Feb 19 2024 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-5.2
 - Fix wrong entry in changelog
 - Resolves: RHEL-25634