Compare commits

...

No commits in common. "c8" and "c8s-RHEL-64339" have entirely different histories.

37 changed files with 12 additions and 562 deletions

4
.gitignore vendored
View File

@ -1 +1,3 @@
SOURCES/unbound-1.16.2.tar.gz
/unbound-1.7.3.tar.gz
/unbound-1.16.0.tar.gz
/unbound-1.16.2.tar.gz

View File

@ -1 +0,0 @@
9aea0e923b9d6779b5bc360094e24a4017e2bb25 SOURCES/unbound-1.16.2.tar.gz

View File

@ -1,305 +0,0 @@
diff --git a/unbound-1.16.2/testdata/iter_ghost_ns_childapex.rpl b/unbound-1.16.2/testdata/iter_ghost_ns_childapex.rpl
new file mode 100644
index 0000000..2b046a8
--- /dev/null
+++ b/unbound-1.16.2/testdata/iter_ghost_ns_childapex.rpl
@@ -0,0 +1,299 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+ minimal-responses: yes
+ log-servfail: yes
+ module-config: "iterator"
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test for ghost domain with a child apex NS query.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+tld. IN NS
+SECTION AUTHORITY
+tld. IN NS ns.tld.
+SECTION ADDITIONAL
+ns.tld. IN A 1.2.3.5
+ENTRY_END
+RANGE_END
+
+; ns.tld
+RANGE_BEGIN 0 15
+ ADDRESS 1.2.3.5
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+tld. IN NS
+SECTION ANSWER
+tld. IN NS ns.tld
+SECTION ADDITIONAL
+ns.tld. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.tld. IN A
+SECTION ANSWER
+ns.tld. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.tld. IN AAAA
+SECTION AUTHORITY
+tld. 3600 IN SOA ns.tld. host.tld. 20201 3600 1800 604800 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+mid.tld. IN NS
+SECTION AUTHORITY
+mid.tld. 5 IN NS ns.mid.tld.
+SECTION ADDITIONAL
+ns.mid.tld. 5 IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.tld
+RANGE_BEGIN 20 100
+ ADDRESS 1.2.3.5
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+tld. IN NS
+SECTION ANSWER
+tld. IN NS ns.tld
+SECTION ADDITIONAL
+ns.tld. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.tld. IN A
+SECTION ANSWER
+ns.tld. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.tld. IN AAAA
+SECTION AUTHORITY
+tld. 3600 IN SOA ns.tld. host.tld. 20201 3600 1800 604800 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+mid.tld. IN NS
+SECTION AUTHORITY
+tld. 3600 IN SOA ns.tld. host.tld. 20201 3600 1800 604800 3600
+ENTRY_END
+RANGE_END
+
+; ns.mid.tld.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+mid.tld. IN NS
+SECTION ANSWER
+mid.tld. 86400 IN NS ns.mid.tld.
+SECTION ADDITIONAL
+ns.mid.tld. 86400 IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.mid.tld. IN A
+SECTION ANSWER
+ns.mid.tld. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.mid.tld. IN AAAA
+SECTION AUTHORITY
+mid.tld. 3600 IN SOA ns.mid.tld. host.mid.tld. 20301 3600 1800 604800 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+sub.mid.tld. IN NS
+SECTION AUTHORITY
+sub.mid.tld. 3600 IN NS ns.sub.mid.tld.
+SECTION ADDITIONAL
+ns.sub.mid.tld. 3600 IN A 1.2.3.6
+ENTRY_END
+RANGE_END
+
+; ns.sub.mid.tld.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.6
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+sub.mid.tld. IN NS
+SECTION ANSWER
+sub.mid.tld. IN NS ns.sub.mid.tld.
+SECTION ADDITIONAL
+ns.sub.mid.tld. IN A 1.2.3.6
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.sub.mid.tld. IN A
+SECTION ANSWER
+ns.sub.mid.tld. IN A 1.2.3.6
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.sub.mid.tld. IN AAAA
+SECTION AUTHORITY
+sub.mid.tld. 3600 IN SOA ns.sub.mid.tld. host.sub.mid.tld. 20301 3600 1800 604800 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+a.sub.mid.tld. IN A
+SECTION ANSWER
+a.sub.mid.tld. 3600 IN A 10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+b.sub.mid.tld. IN A
+SECTION ANSWER
+b.sub.mid.tld. 3600 IN A 10.20.30.41
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD NOERROR
+SECTION QUESTION
+a.sub.mid.tld. IN A
+ENTRY_END
+
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+a.sub.mid.tld. IN A
+SECTION ANSWER
+a.sub.mid.tld. 3600 IN A 10.20.30.40
+ENTRY_END
+
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD NOERROR
+SECTION QUESTION
+mid.tld. IN NS
+ENTRY_END
+
+STEP 11 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+mid.tld. IN NS
+SECTION ANSWER
+mid.tld. 86400 IN NS ns.mid.tld.
+SECTION ADDITIONAL
+ns.mid.tld. 86400 IN A 1.2.3.4
+ENTRY_END
+
+STEP 20 TIME_PASSES ELAPSE 10
+; The authority for .tld switches to NXDOMAIN for mid.tld.
+
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD NOERROR
+SECTION QUESTION
+b.sub.mid.tld. IN A
+ENTRY_END
+
+STEP 31 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NXDOMAIN
+SECTION QUESTION
+b.sub.mid.tld. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+tld. 3600 IN SOA ns.tld. host.tld. 20201 3600 1800 604800 3600
+ENTRY_END
+
+SCENARIO_END

View File

@ -1,36 +0,0 @@
diff --git a/unbound-1.16.2/services/cache/rrset.c b/unbound-1.16.2/services/cache/rrset.c
index 4e3d08b..b2c357f 100644
--- a/unbound-1.16.2/services/cache/rrset.c
+++ b/unbound-1.16.2/services/cache/rrset.c
@@ -143,6 +143,16 @@ need_to_update_rrset(void* nd, void* cd, time_t timenow, int equal, int ns)
if(equal && cached->ttl >= timenow &&
cached->security == sec_status_bogus)
return 0;
+ /* ghost-domain: never let an NS overwrite extend lifetime
+ * past the entry it replaces, regardless of trust. */
+ if(ns && !TTL_IS_EXPIRED(cached->ttl, timenow) &&
+ newd->ttl > cached->ttl) {
+ size_t i;
+ newd->ttl = cached->ttl;
+ for(i=0; i<(newd->count+newd->rrsig_count); i++)
+ if(newd->rr_ttl[i] > newd->ttl)
+ newd->rr_ttl[i] = newd->ttl;
+ }
return 1;
}
/* o item in cache has expired */
diff --git a/unbound-1.16.2/util/data/msgparse.h b/unbound-1.16.2/util/data/msgparse.h
index 0c458e6..f1319ff 100644
--- a/unbound-1.16.2/util/data/msgparse.h
+++ b/unbound-1.16.2/util/data/msgparse.h
@@ -92,6 +92,10 @@ extern time_t SERVE_EXPIRED_REPLY_TTL;
/** If we serve the original TTL or decrementing TTLs */
extern int SERVE_ORIGINAL_TTL;
+/** Check if TTL is expired. 0 TTL is considered expired.
+ * Used mainly to identify parts of the code that do this comparison. */
+#define TTL_IS_EXPIRED(ttl, now) ((ttl) <= (now))
+
/**
* Data stored in scratch pad memory during parsing.
* Stores the data that will enter into the msgreply and packet result.

View File

@ -1,64 +0,0 @@
diff --git a/unbound-1.16.2/util/data/msgparse.c b/unbound-1.16.2/util/data/msgparse.c
index 7a51441..0ffdb3d 100644
--- a/unbound-1.16.2/util/data/msgparse.c
+++ b/unbound-1.16.2/util/data/msgparse.c
@@ -50,6 +50,8 @@
#include "sldns/parseutil.h"
#include "sldns/wire2str.h"
+#define MAX_PARSED_EDNS_OPTIONS 100
+
/** smart comparison of (compressed, valid) dnames from packet */
static int
smart_compare(sldns_buffer* pkt, uint8_t* dnow,
@@ -957,7 +959,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
struct edns_data* edns, struct config_file* cfg, struct comm_point* c,
struct regional* region)
{
- int nsid_seen = 0, padding_seen = 0;
+ int i = 0, nsid_seen = 0, padding_seen = 0;
/* To respond with a Keepalive option, the client connection must have
* received one message with a TCP Keepalive EDNS option, and that
* option must have 0 length data. Subsequent messages sent on that
@@ -977,7 +979,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
/* while still more options, and have code+len to read */
/* ignores partial content (i.e. rdata len 3) */
- while(rdata_len >= 4) {
+ while(rdata_len >= 4 && i < MAX_PARSED_EDNS_OPTIONS) {
uint16_t opt_code = sldns_read_uint16(rdata_ptr);
uint16_t opt_len = sldns_read_uint16(rdata_ptr+2);
rdata_ptr += 4;
@@ -1054,6 +1056,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
}
rdata_ptr += opt_len;
rdata_len -= opt_len;
+ i++;
}
return LDNS_RCODE_NOERROR;
}
@@ -1068,6 +1071,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg,
struct rrset_parse* found_prev = 0;
size_t rdata_len;
uint8_t* rdata_ptr;
+ int i = 0;
/* since the class encodes the UDP size, we cannot use hash table to
* find the EDNS OPT record. Scan the packet. */
while(rrset) {
@@ -1125,7 +1129,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg,
/* while still more options, and have code+len to read */
/* ignores partial content (i.e. rdata len 3) */
- while(rdata_len >= 4) {
+ while(rdata_len >= 4 && i < MAX_PARSED_EDNS_OPTIONS) {
uint16_t opt_code = sldns_read_uint16(rdata_ptr);
uint16_t opt_len = sldns_read_uint16(rdata_ptr+2);
rdata_ptr += 4;
@@ -1140,6 +1144,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg,
}
rdata_ptr += opt_len;
rdata_len -= opt_len;
+ i++;
}
/* ignore rrsigs */
return LDNS_RCODE_NOERROR;

View File

@ -1,51 +0,0 @@
diff --git a/unbound-1.16.2/services/mesh.c b/unbound-1.16.2/services/mesh.c
index 30bcf7c..0f5a2a3 100644
--- a/unbound-1.16.2/services/mesh.c
+++ b/unbound-1.16.2/services/mesh.c
@@ -338,12 +338,14 @@ int mesh_make_new_space(struct mesh_area* mesh, sldns_buffer* qbuf)
if(mesh->num_reply_states < mesh->max_reply_states)
return 1;
/* try to kick out a jostle-list item */
- if(m && m->reply_list && m->list_select == mesh_jostle_list) {
+ if(m && m->list_select == mesh_jostle_list) {
/* how old is it? */
struct timeval age;
- timeval_subtract(&age, mesh->env->now_tv,
- &m->reply_list->start_time);
- if(timeval_smaller(&mesh->jostle_max, &age)) {
+ if(m->has_first_reply_time)
+ timeval_subtract(&age, mesh->env->now_tv,
+ &m->first_reply_time);
+ if(!m->has_first_reply_time ||
+ timeval_smaller(&mesh->jostle_max, &age)) {
/* its a goner */
log_nametypeclass(VERB_ALGO, "query jostled out to "
"make space for a new one",
@@ -1690,6 +1692,10 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns,
r->qid = qid;
r->qflags = qflags;
r->start_time = *s->s.env->now_tv;
+ if(s->reply_list == NULL && !s->has_first_reply_time) {
+ s->first_reply_time = r->start_time;
+ s->has_first_reply_time = 1;
+ }
r->next = s->reply_list;
r->qname = regional_alloc_init(s->s.region, qinfo->qname,
s->s.qinfo.qname_len);
diff --git a/unbound-1.16.2/services/mesh.h b/unbound-1.16.2/services/mesh.h
index 3be9b63..8194994 100644
--- a/unbound-1.16.2/services/mesh.h
+++ b/unbound-1.16.2/services/mesh.h
@@ -174,6 +174,12 @@ struct mesh_state {
struct module_qstate s;
/** the list of replies to clients for the results */
struct mesh_reply* reply_list;
+ /** if it has a first reply time */
+ int has_first_reply_time;
+ /** wall-clock time the first client reply was attached;
+ * used by mesh_make_new_space() so duplicate retransmits
+ * cannot reset jostle aging. */
+ struct timeval first_reply_time;
/** the list of callbacks for the results */
struct mesh_cb* cb_list;
/** set of superstates (that want this state's result)

View File

@ -1,34 +0,0 @@
diff --git a/unbound-1.16.2/util/data/msgparse.c b/unbound-1.16.2/util/data/msgparse.c
index 5bb69d6..7a51441 100644
--- a/unbound-1.16.2/util/data/msgparse.c
+++ b/unbound-1.16.2/util/data/msgparse.c
@@ -957,6 +957,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
struct edns_data* edns, struct config_file* cfg, struct comm_point* c,
struct regional* region)
{
+ int nsid_seen = 0, padding_seen = 0;
/* To respond with a Keepalive option, the client connection must have
* received one message with a TCP Keepalive EDNS option, and that
* option must have 0 length data. Subsequent messages sent on that
@@ -987,8 +988,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
/* handle parse time edns options here */
switch(opt_code) {
case LDNS_EDNS_NSID:
- if (!cfg || !cfg->nsid)
+ if (!cfg || !cfg->nsid || nsid_seen)
break;
+ nsid_seen = 1;
if(!edns_opt_list_append(&edns->opt_list_out,
LDNS_EDNS_NSID, cfg->nsid_len,
cfg->nsid, region)) {
@@ -1030,8 +1032,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
case LDNS_EDNS_PADDING:
if(!cfg || !cfg->pad_responses ||
- !c || c->type != comm_tcp ||!c->ssl)
+ !c || c->type != comm_tcp ||!c->ssl || padding_seen)
break;
+ padding_seen = 1;
if(!edns_opt_list_append(&edns->opt_list_out,
LDNS_EDNS_PADDING,
0, NULL, region)) {

View File

@ -1,17 +0,0 @@
diff --git a/unbound-1.24.2/validator/val_utils.c b/unbound-1.24.2/validator/val_utils.c
index 549264d..4495695 100644
--- a/unbound-1.24.2/validator/val_utils.c
+++ b/unbound-1.24.2/validator/val_utils.c
@@ -1066,10 +1066,10 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
if(query_dname_compare(name,
orig->rrsets[i]->rk.dname) == 0)
chase->rrsets[chase->an_numrrsets
- +orig->ns_numrrsets+chase->ar_numrrsets++]
+ +chase->ns_numrrsets+chase->ar_numrrsets++]
= orig->rrsets[i];
} else if(rrset_has_signer(orig->rrsets[i], name, len)) {
- chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+
+ chase->rrsets[chase->an_numrrsets+chase->ns_numrrsets+
chase->ar_numrrsets++] = orig->rrsets[i];
}
}

View File

@ -1,20 +0,0 @@
diff --git a/unbound-1.16.2/util/data/msgencode.c b/unbound-1.16.2/util/data/msgencode.c
index f9e95e6..f60b359 100644
--- a/unbound-1.16.2/util/data/msgencode.c
+++ b/unbound-1.16.2/util/data/msgencode.c
@@ -352,7 +352,6 @@ compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
(p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
if(!write_compressed_dname(pkt, dname, labs, p))
return RETVAL_TRUNC;
- (*compress_count)++;
} else {
if(!dname_buffer_write(pkt, dname))
return RETVAL_TRUNC;
@@ -360,6 +359,7 @@ compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
!compress_tree_store(dname, labs, pos, region, p, insertpt))
return RETVAL_OUTMEM;
+ (*compress_count)++;
return RETVAL_OK;
}

6
gating.yaml Normal file
View File

@ -0,0 +1,6 @@
--- !Policy
product_versions:
- rhel-8
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (unbound-1.16.2.tar.gz) = 0ea65ea63265be677441bd2a28df12098ec5e86c3372240c2874f9bd13752b8b818da81ae6076cf02cbeba3d36e397698a4c2b50570be1a6a8e47f57a0251572

View File

@ -34,7 +34,7 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
Version: 1.16.2
Release: 5.12%{?extra_version:.%{extra_version}}%{?dist}
Release: 5.10%{?extra_version:.%{extra_version}}%{?dist}
License: BSD
Url: https://www.unbound.net/
Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@ -78,21 +78,6 @@ Patch5: unbound-1.21-CVE-2024-8508.patch
Patch6: unbound-1.23.1-CVE-2025-5994.patch
# https://github.com/NLnetLabs/unbound/commit/f094f4ea3c943c5b5b2b6fa8bee0e7a8f3cfdc51
Patch7: unbound-1.20-unbound-anchor-key-38696.patch
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42944.diff
Patch8: unbound-1.25.1-CVE-2026-42944.patch
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42959.diff
Patch9: unbound-1.25.1-CVE-2026-42959.patch
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-40622.diff
Patch10: unbound-1.25.1-CVE-2026-40622.patch
# https://github.com/NLnetLabs/unbound/commit/b5f21f41658f65d6143df6a3208e8ccf1a01604d
Patch11: unbound-1.25.1-CVE-2026-40622-test.patch
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-44390.diff
Patch12: unbound-1.25.1-CVE-2026-44390.patch
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-41292.diff
Patch13: unbound-1.25.1-CVE-2026-41292.patch
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42534.diff
Patch14: unbound-1.25.1-CVE-2026-42534.patch
BuildRequires: gdb
BuildRequires: gcc, make
@ -199,13 +184,7 @@ pushd %{pkgname}
%patch5 -p2 -b .CVE-2024-8508
%patch6 -p2 -b .CVE-2025-5994
%patch7 -p2 -b .dnssec-ta-2024
%patch8 -p2 -b .CVE-2026-42944
%patch9 -p2 -b .CVE-2026-42959
%patch10 -p2 -b .CVE-2026-40622
%patch11 -p2 -b .CVE-2026-40622-test
%patch12 -p2 -b .CVE-2026-44390
%patch13 -p2 -b .CVE-2026-41292
%patch14 -p2 -b .CVE-2026-42534
# copy common doc files - after here, since it may be patched
cp -pr doc pythonmod libunbound ../
@ -472,16 +451,6 @@ popd
%verify(not md5 size mtime) %{_sharedstatedir}/%{name}/root.key
%changelog
* Tue Jun 23 2026 Fedor Vorobev <fvorobev@redhat.com> - 1.16.2-5.12
- Fix CVE-2026-40622 (RHEL-184832)
- Fix CVE-2026-44390 (RHEL-186680)
- Fix CVE-2026-41292 (RHEL-187346)
- Fix CVE-2026-42534 (RHEL-187081)
* Mon May 25 2026 Fedor Vorobev <fvorobev@redhat.com> - 1.16.2-5.11
- Fix CVE-2026-42944 (RHEL177909)
- Fix CVE-2026-42959 (RHEL-177809)
* Tue Nov 11 2025 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.10
- Add new root key 38696 (RHEL-131172)
- Update unbound-anchor built-in dnssec key