Compare commits
No commits in common. "c8" and "c8s-RHEL-64339" have entirely different histories.
c8
...
c8s-RHEL-6
4
.gitignore
vendored
4
.gitignore
vendored
@ -1 +1,3 @@
|
||||
SOURCES/unbound-1.16.2.tar.gz
|
||||
/unbound-1.7.3.tar.gz
|
||||
/unbound-1.16.0.tar.gz
|
||||
/unbound-1.16.2.tar.gz
|
||||
|
||||
@ -1 +0,0 @@
|
||||
9aea0e923b9d6779b5bc360094e24a4017e2bb25 SOURCES/unbound-1.16.2.tar.gz
|
||||
@ -1,305 +0,0 @@
|
||||
diff --git a/unbound-1.16.2/testdata/iter_ghost_ns_childapex.rpl b/unbound-1.16.2/testdata/iter_ghost_ns_childapex.rpl
|
||||
new file mode 100644
|
||||
index 0000000..2b046a8
|
||||
--- /dev/null
|
||||
+++ b/unbound-1.16.2/testdata/iter_ghost_ns_childapex.rpl
|
||||
@@ -0,0 +1,299 @@
|
||||
+; config options
|
||||
+server:
|
||||
+ target-fetch-policy: "0 0 0 0 0"
|
||||
+ qname-minimisation: no
|
||||
+ minimal-responses: yes
|
||||
+ log-servfail: yes
|
||||
+ module-config: "iterator"
|
||||
+
|
||||
+stub-zone:
|
||||
+ name: "."
|
||||
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
||||
+CONFIG_END
|
||||
+
|
||||
+SCENARIO_BEGIN Test for ghost domain with a child apex NS query.
|
||||
+
|
||||
+; K.ROOT-SERVERS.NET.
|
||||
+RANGE_BEGIN 0 100
|
||||
+ ADDRESS 193.0.14.129
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR NOERROR
|
||||
+SECTION QUESTION
|
||||
+. IN NS
|
||||
+SECTION ANSWER
|
||||
+. IN NS K.ROOT-SERVERS.NET.
|
||||
+SECTION ADDITIONAL
|
||||
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode subdomain
|
||||
+ADJUST copy_id copy_query
|
||||
+REPLY QR NOERROR
|
||||
+SECTION QUESTION
|
||||
+tld. IN NS
|
||||
+SECTION AUTHORITY
|
||||
+tld. IN NS ns.tld.
|
||||
+SECTION ADDITIONAL
|
||||
+ns.tld. IN A 1.2.3.5
|
||||
+ENTRY_END
|
||||
+RANGE_END
|
||||
+
|
||||
+; ns.tld
|
||||
+RANGE_BEGIN 0 15
|
||||
+ ADDRESS 1.2.3.5
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+tld. IN NS
|
||||
+SECTION ANSWER
|
||||
+tld. IN NS ns.tld
|
||||
+SECTION ADDITIONAL
|
||||
+ns.tld. IN A 1.2.3.5
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+ns.tld. IN A
|
||||
+SECTION ANSWER
|
||||
+ns.tld. IN A 1.2.3.5
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+ns.tld. IN AAAA
|
||||
+SECTION AUTHORITY
|
||||
+tld. 3600 IN SOA ns.tld. host.tld. 20201 3600 1800 604800 3600
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode subdomain
|
||||
+ADJUST copy_id copy_query
|
||||
+REPLY QR NOERROR
|
||||
+SECTION QUESTION
|
||||
+mid.tld. IN NS
|
||||
+SECTION AUTHORITY
|
||||
+mid.tld. 5 IN NS ns.mid.tld.
|
||||
+SECTION ADDITIONAL
|
||||
+ns.mid.tld. 5 IN A 1.2.3.4
|
||||
+ENTRY_END
|
||||
+RANGE_END
|
||||
+
|
||||
+; ns.tld
|
||||
+RANGE_BEGIN 20 100
|
||||
+ ADDRESS 1.2.3.5
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+tld. IN NS
|
||||
+SECTION ANSWER
|
||||
+tld. IN NS ns.tld
|
||||
+SECTION ADDITIONAL
|
||||
+ns.tld. IN A 1.2.3.5
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+ns.tld. IN A
|
||||
+SECTION ANSWER
|
||||
+ns.tld. IN A 1.2.3.5
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+ns.tld. IN AAAA
|
||||
+SECTION AUTHORITY
|
||||
+tld. 3600 IN SOA ns.tld. host.tld. 20201 3600 1800 604800 3600
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode subdomain
|
||||
+ADJUST copy_id copy_query
|
||||
+REPLY QR AA NXDOMAIN
|
||||
+SECTION QUESTION
|
||||
+mid.tld. IN NS
|
||||
+SECTION AUTHORITY
|
||||
+tld. 3600 IN SOA ns.tld. host.tld. 20201 3600 1800 604800 3600
|
||||
+ENTRY_END
|
||||
+RANGE_END
|
||||
+
|
||||
+; ns.mid.tld.
|
||||
+RANGE_BEGIN 0 100
|
||||
+ ADDRESS 1.2.3.4
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR NOERROR
|
||||
+SECTION QUESTION
|
||||
+mid.tld. IN NS
|
||||
+SECTION ANSWER
|
||||
+mid.tld. 86400 IN NS ns.mid.tld.
|
||||
+SECTION ADDITIONAL
|
||||
+ns.mid.tld. 86400 IN A 1.2.3.4
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+ns.mid.tld. IN A
|
||||
+SECTION ANSWER
|
||||
+ns.mid.tld. IN A 1.2.3.4
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+ns.mid.tld. IN AAAA
|
||||
+SECTION AUTHORITY
|
||||
+mid.tld. 3600 IN SOA ns.mid.tld. host.mid.tld. 20301 3600 1800 604800 3600
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode subdomain
|
||||
+ADJUST copy_id copy_query
|
||||
+REPLY QR NOERROR
|
||||
+SECTION QUESTION
|
||||
+sub.mid.tld. IN NS
|
||||
+SECTION AUTHORITY
|
||||
+sub.mid.tld. 3600 IN NS ns.sub.mid.tld.
|
||||
+SECTION ADDITIONAL
|
||||
+ns.sub.mid.tld. 3600 IN A 1.2.3.6
|
||||
+ENTRY_END
|
||||
+RANGE_END
|
||||
+
|
||||
+; ns.sub.mid.tld.
|
||||
+RANGE_BEGIN 0 100
|
||||
+ ADDRESS 1.2.3.6
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR NOERROR
|
||||
+SECTION QUESTION
|
||||
+sub.mid.tld. IN NS
|
||||
+SECTION ANSWER
|
||||
+sub.mid.tld. IN NS ns.sub.mid.tld.
|
||||
+SECTION ADDITIONAL
|
||||
+ns.sub.mid.tld. IN A 1.2.3.6
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+ns.sub.mid.tld. IN A
|
||||
+SECTION ANSWER
|
||||
+ns.sub.mid.tld. IN A 1.2.3.6
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+ns.sub.mid.tld. IN AAAA
|
||||
+SECTION AUTHORITY
|
||||
+sub.mid.tld. 3600 IN SOA ns.sub.mid.tld. host.sub.mid.tld. 20301 3600 1800 604800 3600
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+a.sub.mid.tld. IN A
|
||||
+SECTION ANSWER
|
||||
+a.sub.mid.tld. 3600 IN A 10.20.30.40
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+b.sub.mid.tld. IN A
|
||||
+SECTION ANSWER
|
||||
+b.sub.mid.tld. 3600 IN A 10.20.30.41
|
||||
+ENTRY_END
|
||||
+RANGE_END
|
||||
+
|
||||
+STEP 1 QUERY
|
||||
+ENTRY_BEGIN
|
||||
+REPLY RD NOERROR
|
||||
+SECTION QUESTION
|
||||
+a.sub.mid.tld. IN A
|
||||
+ENTRY_END
|
||||
+
|
||||
+STEP 2 CHECK_ANSWER
|
||||
+ENTRY_BEGIN
|
||||
+MATCH all
|
||||
+REPLY QR RD RA NOERROR
|
||||
+SECTION QUESTION
|
||||
+a.sub.mid.tld. IN A
|
||||
+SECTION ANSWER
|
||||
+a.sub.mid.tld. 3600 IN A 10.20.30.40
|
||||
+ENTRY_END
|
||||
+
|
||||
+STEP 10 QUERY
|
||||
+ENTRY_BEGIN
|
||||
+REPLY RD NOERROR
|
||||
+SECTION QUESTION
|
||||
+mid.tld. IN NS
|
||||
+ENTRY_END
|
||||
+
|
||||
+STEP 11 CHECK_ANSWER
|
||||
+ENTRY_BEGIN
|
||||
+MATCH all
|
||||
+REPLY QR RD RA NOERROR
|
||||
+SECTION QUESTION
|
||||
+mid.tld. IN NS
|
||||
+SECTION ANSWER
|
||||
+mid.tld. 86400 IN NS ns.mid.tld.
|
||||
+SECTION ADDITIONAL
|
||||
+ns.mid.tld. 86400 IN A 1.2.3.4
|
||||
+ENTRY_END
|
||||
+
|
||||
+STEP 20 TIME_PASSES ELAPSE 10
|
||||
+; The authority for .tld switches to NXDOMAIN for mid.tld.
|
||||
+
|
||||
+STEP 30 QUERY
|
||||
+ENTRY_BEGIN
|
||||
+REPLY RD NOERROR
|
||||
+SECTION QUESTION
|
||||
+b.sub.mid.tld. IN A
|
||||
+ENTRY_END
|
||||
+
|
||||
+STEP 31 CHECK_ANSWER
|
||||
+ENTRY_BEGIN
|
||||
+MATCH all
|
||||
+REPLY QR RD RA NXDOMAIN
|
||||
+SECTION QUESTION
|
||||
+b.sub.mid.tld. IN A
|
||||
+SECTION ANSWER
|
||||
+SECTION AUTHORITY
|
||||
+tld. 3600 IN SOA ns.tld. host.tld. 20201 3600 1800 604800 3600
|
||||
+ENTRY_END
|
||||
+
|
||||
+SCENARIO_END
|
||||
@ -1,36 +0,0 @@
|
||||
diff --git a/unbound-1.16.2/services/cache/rrset.c b/unbound-1.16.2/services/cache/rrset.c
|
||||
index 4e3d08b..b2c357f 100644
|
||||
--- a/unbound-1.16.2/services/cache/rrset.c
|
||||
+++ b/unbound-1.16.2/services/cache/rrset.c
|
||||
@@ -143,6 +143,16 @@ need_to_update_rrset(void* nd, void* cd, time_t timenow, int equal, int ns)
|
||||
if(equal && cached->ttl >= timenow &&
|
||||
cached->security == sec_status_bogus)
|
||||
return 0;
|
||||
+ /* ghost-domain: never let an NS overwrite extend lifetime
|
||||
+ * past the entry it replaces, regardless of trust. */
|
||||
+ if(ns && !TTL_IS_EXPIRED(cached->ttl, timenow) &&
|
||||
+ newd->ttl > cached->ttl) {
|
||||
+ size_t i;
|
||||
+ newd->ttl = cached->ttl;
|
||||
+ for(i=0; i<(newd->count+newd->rrsig_count); i++)
|
||||
+ if(newd->rr_ttl[i] > newd->ttl)
|
||||
+ newd->rr_ttl[i] = newd->ttl;
|
||||
+ }
|
||||
return 1;
|
||||
}
|
||||
/* o item in cache has expired */
|
||||
diff --git a/unbound-1.16.2/util/data/msgparse.h b/unbound-1.16.2/util/data/msgparse.h
|
||||
index 0c458e6..f1319ff 100644
|
||||
--- a/unbound-1.16.2/util/data/msgparse.h
|
||||
+++ b/unbound-1.16.2/util/data/msgparse.h
|
||||
@@ -92,6 +92,10 @@ extern time_t SERVE_EXPIRED_REPLY_TTL;
|
||||
/** If we serve the original TTL or decrementing TTLs */
|
||||
extern int SERVE_ORIGINAL_TTL;
|
||||
|
||||
+/** Check if TTL is expired. 0 TTL is considered expired.
|
||||
+ * Used mainly to identify parts of the code that do this comparison. */
|
||||
+#define TTL_IS_EXPIRED(ttl, now) ((ttl) <= (now))
|
||||
+
|
||||
/**
|
||||
* Data stored in scratch pad memory during parsing.
|
||||
* Stores the data that will enter into the msgreply and packet result.
|
||||
@ -1,64 +0,0 @@
|
||||
diff --git a/unbound-1.16.2/util/data/msgparse.c b/unbound-1.16.2/util/data/msgparse.c
|
||||
index 7a51441..0ffdb3d 100644
|
||||
--- a/unbound-1.16.2/util/data/msgparse.c
|
||||
+++ b/unbound-1.16.2/util/data/msgparse.c
|
||||
@@ -50,6 +50,8 @@
|
||||
#include "sldns/parseutil.h"
|
||||
#include "sldns/wire2str.h"
|
||||
|
||||
+#define MAX_PARSED_EDNS_OPTIONS 100
|
||||
+
|
||||
/** smart comparison of (compressed, valid) dnames from packet */
|
||||
static int
|
||||
smart_compare(sldns_buffer* pkt, uint8_t* dnow,
|
||||
@@ -957,7 +959,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
|
||||
struct edns_data* edns, struct config_file* cfg, struct comm_point* c,
|
||||
struct regional* region)
|
||||
{
|
||||
- int nsid_seen = 0, padding_seen = 0;
|
||||
+ int i = 0, nsid_seen = 0, padding_seen = 0;
|
||||
/* To respond with a Keepalive option, the client connection must have
|
||||
* received one message with a TCP Keepalive EDNS option, and that
|
||||
* option must have 0 length data. Subsequent messages sent on that
|
||||
@@ -977,7 +979,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
|
||||
|
||||
/* while still more options, and have code+len to read */
|
||||
/* ignores partial content (i.e. rdata len 3) */
|
||||
- while(rdata_len >= 4) {
|
||||
+ while(rdata_len >= 4 && i < MAX_PARSED_EDNS_OPTIONS) {
|
||||
uint16_t opt_code = sldns_read_uint16(rdata_ptr);
|
||||
uint16_t opt_len = sldns_read_uint16(rdata_ptr+2);
|
||||
rdata_ptr += 4;
|
||||
@@ -1054,6 +1056,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
|
||||
}
|
||||
rdata_ptr += opt_len;
|
||||
rdata_len -= opt_len;
|
||||
+ i++;
|
||||
}
|
||||
return LDNS_RCODE_NOERROR;
|
||||
}
|
||||
@@ -1068,6 +1071,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg,
|
||||
struct rrset_parse* found_prev = 0;
|
||||
size_t rdata_len;
|
||||
uint8_t* rdata_ptr;
|
||||
+ int i = 0;
|
||||
/* since the class encodes the UDP size, we cannot use hash table to
|
||||
* find the EDNS OPT record. Scan the packet. */
|
||||
while(rrset) {
|
||||
@@ -1125,7 +1129,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg,
|
||||
|
||||
/* while still more options, and have code+len to read */
|
||||
/* ignores partial content (i.e. rdata len 3) */
|
||||
- while(rdata_len >= 4) {
|
||||
+ while(rdata_len >= 4 && i < MAX_PARSED_EDNS_OPTIONS) {
|
||||
uint16_t opt_code = sldns_read_uint16(rdata_ptr);
|
||||
uint16_t opt_len = sldns_read_uint16(rdata_ptr+2);
|
||||
rdata_ptr += 4;
|
||||
@@ -1140,6 +1144,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg,
|
||||
}
|
||||
rdata_ptr += opt_len;
|
||||
rdata_len -= opt_len;
|
||||
+ i++;
|
||||
}
|
||||
/* ignore rrsigs */
|
||||
return LDNS_RCODE_NOERROR;
|
||||
@ -1,51 +0,0 @@
|
||||
diff --git a/unbound-1.16.2/services/mesh.c b/unbound-1.16.2/services/mesh.c
|
||||
index 30bcf7c..0f5a2a3 100644
|
||||
--- a/unbound-1.16.2/services/mesh.c
|
||||
+++ b/unbound-1.16.2/services/mesh.c
|
||||
@@ -338,12 +338,14 @@ int mesh_make_new_space(struct mesh_area* mesh, sldns_buffer* qbuf)
|
||||
if(mesh->num_reply_states < mesh->max_reply_states)
|
||||
return 1;
|
||||
/* try to kick out a jostle-list item */
|
||||
- if(m && m->reply_list && m->list_select == mesh_jostle_list) {
|
||||
+ if(m && m->list_select == mesh_jostle_list) {
|
||||
/* how old is it? */
|
||||
struct timeval age;
|
||||
- timeval_subtract(&age, mesh->env->now_tv,
|
||||
- &m->reply_list->start_time);
|
||||
- if(timeval_smaller(&mesh->jostle_max, &age)) {
|
||||
+ if(m->has_first_reply_time)
|
||||
+ timeval_subtract(&age, mesh->env->now_tv,
|
||||
+ &m->first_reply_time);
|
||||
+ if(!m->has_first_reply_time ||
|
||||
+ timeval_smaller(&mesh->jostle_max, &age)) {
|
||||
/* its a goner */
|
||||
log_nametypeclass(VERB_ALGO, "query jostled out to "
|
||||
"make space for a new one",
|
||||
@@ -1690,6 +1692,10 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns,
|
||||
r->qid = qid;
|
||||
r->qflags = qflags;
|
||||
r->start_time = *s->s.env->now_tv;
|
||||
+ if(s->reply_list == NULL && !s->has_first_reply_time) {
|
||||
+ s->first_reply_time = r->start_time;
|
||||
+ s->has_first_reply_time = 1;
|
||||
+ }
|
||||
r->next = s->reply_list;
|
||||
r->qname = regional_alloc_init(s->s.region, qinfo->qname,
|
||||
s->s.qinfo.qname_len);
|
||||
diff --git a/unbound-1.16.2/services/mesh.h b/unbound-1.16.2/services/mesh.h
|
||||
index 3be9b63..8194994 100644
|
||||
--- a/unbound-1.16.2/services/mesh.h
|
||||
+++ b/unbound-1.16.2/services/mesh.h
|
||||
@@ -174,6 +174,12 @@ struct mesh_state {
|
||||
struct module_qstate s;
|
||||
/** the list of replies to clients for the results */
|
||||
struct mesh_reply* reply_list;
|
||||
+ /** if it has a first reply time */
|
||||
+ int has_first_reply_time;
|
||||
+ /** wall-clock time the first client reply was attached;
|
||||
+ * used by mesh_make_new_space() so duplicate retransmits
|
||||
+ * cannot reset jostle aging. */
|
||||
+ struct timeval first_reply_time;
|
||||
/** the list of callbacks for the results */
|
||||
struct mesh_cb* cb_list;
|
||||
/** set of superstates (that want this state's result)
|
||||
@ -1,34 +0,0 @@
|
||||
diff --git a/unbound-1.16.2/util/data/msgparse.c b/unbound-1.16.2/util/data/msgparse.c
|
||||
index 5bb69d6..7a51441 100644
|
||||
--- a/unbound-1.16.2/util/data/msgparse.c
|
||||
+++ b/unbound-1.16.2/util/data/msgparse.c
|
||||
@@ -957,6 +957,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
|
||||
struct edns_data* edns, struct config_file* cfg, struct comm_point* c,
|
||||
struct regional* region)
|
||||
{
|
||||
+ int nsid_seen = 0, padding_seen = 0;
|
||||
/* To respond with a Keepalive option, the client connection must have
|
||||
* received one message with a TCP Keepalive EDNS option, and that
|
||||
* option must have 0 length data. Subsequent messages sent on that
|
||||
@@ -987,8 +988,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
|
||||
/* handle parse time edns options here */
|
||||
switch(opt_code) {
|
||||
case LDNS_EDNS_NSID:
|
||||
- if (!cfg || !cfg->nsid)
|
||||
+ if (!cfg || !cfg->nsid || nsid_seen)
|
||||
break;
|
||||
+ nsid_seen = 1;
|
||||
if(!edns_opt_list_append(&edns->opt_list_out,
|
||||
LDNS_EDNS_NSID, cfg->nsid_len,
|
||||
cfg->nsid, region)) {
|
||||
@@ -1030,8 +1032,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
|
||||
|
||||
case LDNS_EDNS_PADDING:
|
||||
if(!cfg || !cfg->pad_responses ||
|
||||
- !c || c->type != comm_tcp ||!c->ssl)
|
||||
+ !c || c->type != comm_tcp ||!c->ssl || padding_seen)
|
||||
break;
|
||||
+ padding_seen = 1;
|
||||
if(!edns_opt_list_append(&edns->opt_list_out,
|
||||
LDNS_EDNS_PADDING,
|
||||
0, NULL, region)) {
|
||||
@ -1,17 +0,0 @@
|
||||
diff --git a/unbound-1.24.2/validator/val_utils.c b/unbound-1.24.2/validator/val_utils.c
|
||||
index 549264d..4495695 100644
|
||||
--- a/unbound-1.24.2/validator/val_utils.c
|
||||
+++ b/unbound-1.24.2/validator/val_utils.c
|
||||
@@ -1066,10 +1066,10 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
|
||||
if(query_dname_compare(name,
|
||||
orig->rrsets[i]->rk.dname) == 0)
|
||||
chase->rrsets[chase->an_numrrsets
|
||||
- +orig->ns_numrrsets+chase->ar_numrrsets++]
|
||||
+ +chase->ns_numrrsets+chase->ar_numrrsets++]
|
||||
= orig->rrsets[i];
|
||||
} else if(rrset_has_signer(orig->rrsets[i], name, len)) {
|
||||
- chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+
|
||||
+ chase->rrsets[chase->an_numrrsets+chase->ns_numrrsets+
|
||||
chase->ar_numrrsets++] = orig->rrsets[i];
|
||||
}
|
||||
}
|
||||
@ -1,20 +0,0 @@
|
||||
diff --git a/unbound-1.16.2/util/data/msgencode.c b/unbound-1.16.2/util/data/msgencode.c
|
||||
index f9e95e6..f60b359 100644
|
||||
--- a/unbound-1.16.2/util/data/msgencode.c
|
||||
+++ b/unbound-1.16.2/util/data/msgencode.c
|
||||
@@ -352,7 +352,6 @@ compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
|
||||
(p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
|
||||
if(!write_compressed_dname(pkt, dname, labs, p))
|
||||
return RETVAL_TRUNC;
|
||||
- (*compress_count)++;
|
||||
} else {
|
||||
if(!dname_buffer_write(pkt, dname))
|
||||
return RETVAL_TRUNC;
|
||||
@@ -360,6 +359,7 @@ compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
|
||||
if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
|
||||
!compress_tree_store(dname, labs, pos, region, p, insertpt))
|
||||
return RETVAL_OUTMEM;
|
||||
+ (*compress_count)++;
|
||||
return RETVAL_OK;
|
||||
}
|
||||
|
||||
6
gating.yaml
Normal file
6
gating.yaml
Normal file
@ -0,0 +1,6 @@
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-8
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
|
||||
1
sources
Normal file
1
sources
Normal file
@ -0,0 +1 @@
|
||||
SHA512 (unbound-1.16.2.tar.gz) = 0ea65ea63265be677441bd2a28df12098ec5e86c3372240c2874f9bd13752b8b818da81ae6076cf02cbeba3d36e397698a4c2b50570be1a6a8e47f57a0251572
|
||||
@ -34,7 +34,7 @@
|
||||
Summary: Validating, recursive, and caching DNS(SEC) resolver
|
||||
Name: unbound
|
||||
Version: 1.16.2
|
||||
Release: 5.12%{?extra_version:.%{extra_version}}%{?dist}
|
||||
Release: 5.10%{?extra_version:.%{extra_version}}%{?dist}
|
||||
License: BSD
|
||||
Url: https://www.unbound.net/
|
||||
Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
|
||||
@ -78,21 +78,6 @@ Patch5: unbound-1.21-CVE-2024-8508.patch
|
||||
Patch6: unbound-1.23.1-CVE-2025-5994.patch
|
||||
# https://github.com/NLnetLabs/unbound/commit/f094f4ea3c943c5b5b2b6fa8bee0e7a8f3cfdc51
|
||||
Patch7: unbound-1.20-unbound-anchor-key-38696.patch
|
||||
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42944.diff
|
||||
Patch8: unbound-1.25.1-CVE-2026-42944.patch
|
||||
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42959.diff
|
||||
Patch9: unbound-1.25.1-CVE-2026-42959.patch
|
||||
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-40622.diff
|
||||
Patch10: unbound-1.25.1-CVE-2026-40622.patch
|
||||
# https://github.com/NLnetLabs/unbound/commit/b5f21f41658f65d6143df6a3208e8ccf1a01604d
|
||||
Patch11: unbound-1.25.1-CVE-2026-40622-test.patch
|
||||
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-44390.diff
|
||||
Patch12: unbound-1.25.1-CVE-2026-44390.patch
|
||||
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-41292.diff
|
||||
Patch13: unbound-1.25.1-CVE-2026-41292.patch
|
||||
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42534.diff
|
||||
Patch14: unbound-1.25.1-CVE-2026-42534.patch
|
||||
|
||||
|
||||
BuildRequires: gdb
|
||||
BuildRequires: gcc, make
|
||||
@ -199,13 +184,7 @@ pushd %{pkgname}
|
||||
%patch5 -p2 -b .CVE-2024-8508
|
||||
%patch6 -p2 -b .CVE-2025-5994
|
||||
%patch7 -p2 -b .dnssec-ta-2024
|
||||
%patch8 -p2 -b .CVE-2026-42944
|
||||
%patch9 -p2 -b .CVE-2026-42959
|
||||
%patch10 -p2 -b .CVE-2026-40622
|
||||
%patch11 -p2 -b .CVE-2026-40622-test
|
||||
%patch12 -p2 -b .CVE-2026-44390
|
||||
%patch13 -p2 -b .CVE-2026-41292
|
||||
%patch14 -p2 -b .CVE-2026-42534
|
||||
|
||||
|
||||
# copy common doc files - after here, since it may be patched
|
||||
cp -pr doc pythonmod libunbound ../
|
||||
@ -472,16 +451,6 @@ popd
|
||||
%verify(not md5 size mtime) %{_sharedstatedir}/%{name}/root.key
|
||||
|
||||
%changelog
|
||||
* Tue Jun 23 2026 Fedor Vorobev <fvorobev@redhat.com> - 1.16.2-5.12
|
||||
- Fix CVE-2026-40622 (RHEL-184832)
|
||||
- Fix CVE-2026-44390 (RHEL-186680)
|
||||
- Fix CVE-2026-41292 (RHEL-187346)
|
||||
- Fix CVE-2026-42534 (RHEL-187081)
|
||||
|
||||
* Mon May 25 2026 Fedor Vorobev <fvorobev@redhat.com> - 1.16.2-5.11
|
||||
- Fix CVE-2026-42944 (RHEL‑177909)
|
||||
- Fix CVE-2026-42959 (RHEL-177809)
|
||||
|
||||
* Tue Nov 11 2025 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.10
|
||||
- Add new root key 38696 (RHEL-131172)
|
||||
- Update unbound-anchor built-in dnssec key
|
||||
Loading…
Reference in New Issue
Block a user