.gitignore

@@ -1 +1,2 @@
+SOURCES/icannbundle.pem
 SOURCES/unbound-1.16.2.tar.gz

.unbound.metadata

@@ -1 +1,2 @@
+9a2f73302a13f38dbf7cb3c5e34eb1665d2f156f SOURCES/icannbundle.pem
 9aea0e923b9d6779b5bc360094e24a4017e2bb25 SOURCES/unbound-1.16.2.tar.gz

SOURCES/icannbundle.pem

@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
-TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
-BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX
-DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O
-IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB
-MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb
-cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S
-G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg
-ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2
-paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7
-MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29
-iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B
-Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3
-DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH
-6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD
-2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h
-15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF
-0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg
-j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk
------END CERTIFICATE-----

SOURCES/remote-control.conf

@@ -1,9 +0,0 @@
-# Remote control config section update.
-# Previous defaults allowed any process to change settings, CVE-2024-1488
-remote-control:
-    # set to an absolute path to use a unix local name pipe, certificates
-    # are not used for that, so key and cert files need not be present.
-    control-interface: "/run/unbound/control"
-
-    # For local sockets this option is ignored, and TLS is not used.
-    control-use-cert: "yes"

SOURCES/unbound.conf

@@ -989,7 +989,6 @@ remote-control:
 
 	# Set to no and use an absolute path as control-interface to use
 	# a unix local named pipe for unbound-control.
-	# For local sockets this option is ignored, and TLS is not used.
 	# control-use-cert: yes
 
 	# what interfaces are listened to for remote control.
@@ -998,11 +997,14 @@ remote-control:
 	# are not used for that, so key and cert files need not be present.
 	# control-interface: 127.0.0.1
 	# control-interface: ::1
-	# moved to /etc/unbound/conf.d/remote-control.conf
 
 	# port number for remote control operations.
 	# control-port: 8953
 
+	# for localhost, you can disable use of TLS by setting this to "no"
+	# For local sockets this option is ignored, and TLS is not used.
+	control-use-cert: "no"
+
 	# Unbound server key file.
 	server-key-file: "/etc/unbound/unbound_server.key"
 

SPECS/unbound.spec

@@ -34,7 +34,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.16.2
-Release: 5%{?extra_version:.%{extra_version}}%{?dist}.6
+Release: 5%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://www.unbound.net/
 Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@@ -55,7 +55,6 @@ Source15: unbound-anchor.timer
 Source16: unbound-munin.README
 Source17: unbound-anchor.service
 Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
-Source21: remote-control.conf
 
 # Reverts ABI change done in version 1.8.0 (bz#2027735)
 # Makes possible backward binary compatibility with a new features
@@ -63,8 +62,6 @@ Patch1:   unbound-1.15-soversion2-compat.patch
 Patch2:   unbound-1.15-source-compat.patch
 # https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554
 Patch3:   unbound-1.16-CVE-2022-3204.patch
-# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff
-Patch4: unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch
 
 BuildRequires: gdb
 BuildRequires: gcc, make
@@ -167,7 +164,6 @@ pushd %{pkgname}
 %patch1 -p2 -b .solib2-compat
 %patch2 -p1 -b .srccompat
 %patch3 -p2 -b .CVE-2022-3204
-%patch4 -p2 -b .CVE-2023-50387-CVE-2023-50868
 
 
 # copy common doc files - after here, since it may be patched
@@ -287,7 +283,6 @@ mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
 install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
 install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
-install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
@@ -435,28 +430,6 @@ popd
 %verify(not md5 size mtime) %{_sharedstatedir}/%{name}/root.key
 
 %changelog
-* Wed Apr 03 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.6
-- Rebuilt again with z-stream target
-
-* Wed Apr 03 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.5
-- Correct typo in new config file
-
-* Mon Mar 11 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.4
-- Ensure group access correction reaches also updated configs (CVE-2024-1488)
-
-* Wed Feb 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.3
-- Ensure only unbound group can change configuration (CVE-2024-1488)
-
-* Mon Feb 19 2024 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-5.2
-- Fix wrong entry in changelog
-- Resolves: RHEL-25634
-
-* Fri Feb 16 2024 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-5.1
-- Fix KeyTrap - Extreme CPU consumption in DNSSEC validator CVE-2023-50387
-- Fix Preparing an NSEC3 closest encloser proof can exhaust CPU resources CVE-2023-50868
-- Resolves: RHEL-25660
-- Resolves: RHEL-25634
-
 * Sat Oct 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-5
 - Stop creating wrong devel manual pages (#2135322)