Commit Graph

25 Commits

Author SHA1 Message Date
Petr Menšík
865df6a4ea Update to 0.16.2
Resolves: rhbz#2087120 CVE-2022-30698

https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-2
2022-08-09 13:03:05 +02:00
Petr Menšík
53ceffb423 Disable ED25519 and ED448 in FIPS mode
Those algorithms are not accepted by current FIPS mode. Disable them in
that mode, because they are not allowed. Might change once they are
added.

Resolves: rhbz#2079548
2022-07-08 20:05:09 +02:00
Petr Menšík
d10d20851e Do not keep keygen running, check certs each time
Rely on condition of unbound-keygen service. If it does stop after
generating them, then it will recreate also after restart later. That
might be the case if someone removes these certificates.

(cherry picked from commit 9cab78fef5)

Resolves: rhbz#2094336
2022-06-15 21:47:57 +02:00
Petr Menšík
b3c3c181b7 Update to 1.16.0
Adds basic support for EDE (RFC 8914).

https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-0
(cherry picked from commit 2c00b91a49)

Resolves: rhbz#2087120
2022-06-15 21:47:57 +02:00
Petr Menšík
2dae08f7e8 Update icann bundle, fix spec errors
rpmlint detects several errors, fix some detected issues.

(cherry picked from commit e00e1b55bb)

Related: rhbz#2087120
2022-06-15 21:41:14 +02:00
Petr Menšík
c5810ec4d9 Update to 1.15.0
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-15-0

- Fix #596: unset the RA bit when a query is blocked by an unbound RPZ nxdomain reply.
  The option rpz-signal-nxdomain-ra allows to signal that a domain is externally
  blocked to clients when it is blocked with NXDOMAIN by unsetting RA.
- Add rpz: for-downstream: yesno option, where the RPZ zone is authoritatively answered
  for, so the RPZ zone contents can be checked with DNS queries directed at the RPZ zone.
- Merge PR #616: Update ratelimit logic. It also introduces ratelimit-backoff and
  ip-ratelimit-backoff configuration options.
- Change aggressive-nsec default to yes.

(cherry picked from commit 84e89add4a)

Resolves: rhbz#2087120
2022-06-15 21:41:07 +02:00
Paul Wouters
faddb7371b - Resolves: rhbz#1992985 unbound-1.13.2 is available
- Use system-wide crypto policies

(cherry picked from commit 0ce96eb790)

Resolves: rhbz#2087120
2022-06-15 21:40:55 +02:00
Petr Menšík
40564c63f1 Export unbound-devel to CRB repository
Just make build and request moving to CRB.

Resolves: rhbz#2056116
2022-05-02 12:49:00 +02:00
Petr Menšík
68c0b5ca67 Stop creating wrong devel manual pages
Devel manual pages install correct manual pages with 3.gz suffix. But
there are also additional links just with .gz suffix. They are created
only in spec file. I think they were needed before unbound contained
proper installation of manuals for development. It is missing .3 suffix.
But it is not necessary anymore, because such recipe already exists in
upstream Makefile.in.

Resolves: rhbz#2071943
2022-04-26 17:48:18 +02:00
Petr Menšík
00a583016d Disable altogether SHA-1 support
Crypto policy DEFAULT and FIPS would never pass on any name signed by
RSASHA1 or under such zone. Make all those signatures insecure
regardless on policy. It would make it insecure even in cases where it
were not mandatory, but would not fail with SERVFAIL in any
crypto-policy setting.

Resolves: rhbz#2070495
2022-03-31 15:00:40 +02:00
Artem Egorenkov
7f41dcdd3a Fixed error in the patch
Resolves: rhbz#1977401
2022-02-11 16:17:18 +01:00
Artem Egorenkov
8f06fba292 regional_alloc() failure handled
Resolves: rhbz#1977401
2022-02-10 13:46:19 +01:00
Artem Egorenkov
0cf2f91dfc RESOURCE_LEAK fixed
Resolves: rhbz#1977400
2022-02-10 13:06:56 +01:00
Artem Egorenkov
25418ea245 Don't use delted OpenSSL macroses
Resolves: rhbz#1991005
2021-08-10 16:04:56 +02:00
Mohan Boddu
075aa2307f Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-08-10 01:11:40 +00:00
Mohan Boddu
04bdb829f4 Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-06-16 03:41:18 +00:00
Artem Egorenkov
8662668ac0 Changelog date fixed
Rebuild for new gating.yaml

Resolves: rhbz#1951923
2021-06-08 16:25:41 +02:00
Artem Egorenkov
a3d2774739 Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux
Resolves: rhbz#1952814
2021-04-26 13:40:42 +02:00
Artem Egorenkov
ed7d536b9a version bump
Resolves: rhbz#1951923
2021-04-21 15:20:11 +02:00
Artem Egorenkov
a0b3ac07c7 DISABLE_UNBOUND_ANCHOR == "yes" disable unbound-anchor on unbound.service startup
Resolves: rhbz#1951923
2021-04-21 15:12:12 +02:00
Mohan Boddu
1a6da12416 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-04-16 06:00:52 +00:00
DistroBaker
218baa837d Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/unbound.git#cf0e47e9b70b8c471b740bc51ede0a1ee2bfa0a6
2021-02-11 16:57:05 +00:00
DistroBaker
fe0201bcb3 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/unbound.git#4bc5d3058200e4f213d460ef1a520d1970ccd110
2021-02-04 21:40:37 +00:00
DistroBaker
087959bbbc Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/unbound.git#b29f943a4c335573eadbb8511cc76b34bd450b18
2020-12-10 01:48:09 +01:00
Troy Dawson
0ddc5a48dd RHEL 9.0.0 Alpha bootstrap
The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/unbound#9bf72f2b9791186ed8cf9807178e945819d4f589
2020-10-15 13:12:18 -07:00