Update unbound to version 1.16.0 / rev 55 via SR 983597

https://build.opensuse.org/request/show/983597
by user deadpoint + dimstar_suse

packages/u/unbound/.rev

@@ -460,4 +460,12 @@ Features
     <comment>update to 1.15.0 and switching to sysuser</comment>
     <requestid>974922</requestid>
   </revision>
+  <revision rev="55" vrev="1">
+    <srcmd5>84a261549d1a21852ea961f9f682b864</srcmd5>
+    <version>1.16.0</version>
+    <time>1655665846</time>
+    <user>dimstar_suse</user>
+    <comment></comment>
+    <requestid>983597</requestid>
+  </revision>
 </revisionlist>

packages/u/unbound/libunbound-devel-mini.changes

@@ -1,9 +1,178 @@
+-------------------------------------------------------------------
+Thu Jun  2 11:54:13 UTC 2022 - Michael Ströder <michael@stroeder.com>
+
+- update to 1.16.0
+  * Features
+    - Merge PR #604: Add basic support for EDE (RFC8914).
+  * Bug Fixes
+    - Fix #412: cache invalidation issue with CNAME+A.
+    - Fix that TCP interface does not use TLS when TLS is also configured.
+    - Fix #624: Unable to stop Unbound in Windows console (does not
+      respond to CTRL+C command).
+    - Fix #618: enabling interface-automatic disables DNS-over-TLS.
+      Adds the option to list interface-automatic-ports.
+    - Remove debug info from #618 fix.
+    - Fix #628: A rpz-passthru action is not ending RPZ zone processing.
+    - Fix for #628: fix rpz-passthru for qname trigger by localzone type.
+    - Fix that address not available is squelched from the logs for
+      udp connect failures. It is visible on verbosity 4 and more.
+    - Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with
+      ERR_GET_REASON.
+    - Fix to detect that no IPv6 support means that IPv6 addresses are
+      useless for delegation point lookups.
+    - update Makefile dependencies.
+    - Fix check interface existence for support detection in remote lookup.
+    - Fix #633: Document unix domain socket support for unbound-control.
+    - Fix for #633: updated fix with new text.
+    - Fix edns client subnet to add the option based on the option list,
+      so that it is not state dependent, after the state fix of #605 for
+      double EDNS options.
+    - Fix for edns client subnet option add fix in removal code, from review.
+    - Fix #630: Unify the RPZ log messages.
+    - Merge #623 from rex4539: Fix typos.
+    - Fix pythonmod for change in iter_dp_is_useless function prototype.
+    - Fix compile warnings for printf ll format on mingw compile.
+    - Merge PR #632 from scottrw93: Match cnames in ipset.
+    - Various fixes for #632: variable initialisation, convert the qinfo
+      to str once, accept trailing dot in the local-zone ipset option.
+    - Fix #637: Integer Overflow in sldns_str2period function.
+    - Fix for #637: fix integer overflow checks in sldns_str2period.
+    - Fix configure for python to use sysutils, because distutils is
+      deprecated. It uses sysutils when available, distutils otherwise.
+    - Merge #644: Make `install-lib` make target install the pkg-config
+      file.
+    - Fix to ensure uniform handling of spaces and tabs when parsing RRs.
+    - Fix to describe auth-zone and other configuration at the local-zone
+      configuration option, to allow for more broadly view of the options.
+    - Merge PR #648 from eaglegai: fix -q doesn't work when use with
+      'unbound-control stats_shm'.
+    - Fix #651: [FR] Better logging for refused queries.
+    - Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup.
+    - Fix zonemd check to allow unsupported algorithms to load.
+      If there are only unsupported algorithms, or unsupported schemes,
+      and no failed or successful other ZONEMD records, or malformed
+      or bad ZONEMD records, the unsupported records allow the zone load.
+    - Fix zonemd unsupported algo check.
+    - Fix zonemd unsupported algo check reason to not copy to next record,
+      and check for success for debug printout.
+    - Fix zonemd unsupported algo check to print unsupported reason before
+      zeroing it.
+    - Fix zonemd unsupported algo check to set reason to NULL before the
+      check routine, but after malformed checks, to get the correct NULL
+      output when the digest matches.
+    - Fix #670: SERVFAIL problems with unbound 1.15.0 running on
+      OpenBSD 7.1.
+    - Fix Python build in non-source directory; based on patch by
+      Michael Tokarev.
+    - Fix #673: DNS over TLS: error: SSL_handshake syscall: No route to
+      host.
+    - Merge #677: Allow using system certificates not only on Windows,
+      from pemensik.
+    - For #677: Added tls-system-cert to config parser and documentation.
+    - Fix #417: prefetch and ECS causing cache corruption when used
+      together.
+    - Fix #678: [FR] modify behaviour of unbound-control rpz_enable zone,
+      by updating unbound-control's documentation.
+    - Fix typos in config_set_option for the 'num-threads' and
+      'ede-serve-expired' options.
+    - Fix to silence test for ede error output to the console from the
+      test setup script.
+    - Fix ede test to not use default pidfile, and use local interface.
+    - Fix some lint type warnings.
+    - Fix #684: [FTBS] configure script error with libmnl on openSUSE 15.3
+      (and possibly other distributions)
+
 -------------------------------------------------------------------
 Tue Apr 19 15:46:25 UTC 2022 - Dirk Müller <dmueller@suse.com>
 
 - spec-cleaner
 - update to 1.15.0 
 
+-------------------------------------------------------------------
+Thu Feb 10 22:55:23 UTC 2022 - Michael Ströder <michael@stroeder.com>
+
+- update to 1.15.0
+
+Features
+- Fix #596: unset the RA bit when a query is blocked by an unbound
+  RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
+  signal that a domain is externally blocked to clients when it
+  is blocked with NXDOMAIN by unsetting RA.
+- Add rpz: for-downstream: yesno option, where the RPZ zone is
+  authoritatively answered for, so the RPZ zone contents can be
+  checked with DNS queries directed at the RPZ zone.
+- Merge PR #616: Update ratelimit logic. It also introduces
+  ratelimit-backoff and ip-ratelimit-backoff configuration options.
+- Change aggressive-nsec default to yes.
+
+Bug Fixes
+- Fix compile warning for if_nametoindex on windows 64bit.
+- Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
+  warnings in rpz.
+- Fix validator debug output about DS support, print correct algorithm.
+- Add code similar to fix for ldns for tab between strings, for
+  consistency, the test case was not broken.
+- Allow local-data for classes other than IN to inherit a configured
+  local-zone's type if possible, instead of defaulting to type
+  transparent as per the implicit rule.
+- Fix to pick up other class local zone information before unlock.
+- Add missing configure flags for optional features in the
+  documentation.
+- Fix Unbound capitalization in the documentation.
+- Fix #591: Unbound-anchor manpage links to non-existent license file.
+- contrib/aaaa-filter-iterator.patch file renewed diff content to
+  apply cleanly to the current coderepo for the current code version.
+- Fix to add test for rpz-signal-nxdomain-ra.
+- Fix #596: only unset RA when NXDOMAIN is signalled.
+- Fix that RPZ does not set RD flag on replies, it should be copied
+  from the query.
+- Fix for #596: fix that rpz return message is returned and not just
+  the rcode from the iterator return path. This fixes signal unset RA
+  after a CNAME.
+- Fix unit tests for rpz now that the AA flag returns successfully from
+  the iterator loop.
+- Fix for #596: add unit test for nsdname trigger and signal unset RA.
+- Fix for #596: add unit test for nsip trigger and signal unset RA.
+- Fix #598: Fix unbound-checkconf fatal error: module conf
+  'respip dns64 validator iterator' is not known to work.
+- Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
+  triggered operation.
+- Merge #600 from pemensik: Change file mode before changing file
+  owner.
+- Fix prematurely terminated TCP queries when a reply has the same ID.
+- For #602: Allow the module-config "subnetcache validator cachedb
+  iterator".
+- Fix EDNS to upstream where the same option could be attached
+  more than once.
+- Add a region to serviced_query for allocations.
+- For dnstap, do not wakeupnow right there. Instead zero the timer to
+  force the wakeup callback asap.
+- Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
+- Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
+  serviced_udp_callback.
+- Merge PR #612: TCP race condition.
+- Test for NSID in SERVFAIL response due to DNSSEC bogus.
+- Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
+  document.
+- Fix tls-* and ssl-* documented alternate syntax to also be available
+  through remote-control and unbound-checkconf.
+- Better cleanup on failed DoT/DoH listening socket creation.
+- iana portlist update.
+- Fix review comment for use-after-free when failing to send UDP out.
+- Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
+  internals.
+- Merge PR #532 from Shchelk: Fix: buffer overflow bug.
+- Merge PR #617: Update stub/forward-host notation to accept port and
+  tls-auth-name.
+- Update stream_ssl.tdir test to also use the new forward-host
+  notation.
+- Fix header comment for doxygen for authextstrtoaddr.
+- please clang analyzer for loop in test code.
+- Fix docker splint test to use more portable uname.
+- Update contrib/aaaa-filter-iterator.patch with diff for current
+  software version.
+- Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
+
 -------------------------------------------------------------------
 Thu Dec  9 11:14:33 UTC 2021 - Michael Ströder <michael@stroeder.com>
 

packages/u/unbound/libunbound-devel-mini.spec

@@ -22,7 +22,7 @@
 %bcond_without hardened_build
 #
 Name:           libunbound-devel-mini
-Version:        1.15.0
+Version:        1.16.0
 Release:        0
 Summary:        Just a devel package for build loops
 License:        BSD-3-Clause
@@ -104,5 +104,6 @@ rm -rf %{buildroot}%{_mandir} %{buildroot}%{_libdir}/*.la
 %{_includedir}/unbound.h
 %{_includedir}/unbound-event.h
 %{_libdir}/libunbound.so
+%{_libdir}/pkgconfig/libunbound.pc
 
 %changelog

packages/u/unbound/unbound-1.16.0.tar.gz

@@ -0,0 +1 @@
+/ipfs/bafybeiaxdfcpc73x2kptqa6wzdyf3zq342vnoehrviqfxnqi4cs5fg2d5i

packages/u/unbound/unbound.changes

@@ -1,3 +1,87 @@
+-------------------------------------------------------------------
+Thu Jun  2 11:54:13 UTC 2022 - Michael Ströder <michael@stroeder.com>
+
+- update to 1.16.0
+  * Features
+    - Merge PR #604: Add basic support for EDE (RFC8914).
+  * Bug Fixes
+    - Fix #412: cache invalidation issue with CNAME+A.
+    - Fix that TCP interface does not use TLS when TLS is also configured.
+    - Fix #624: Unable to stop Unbound in Windows console (does not
+      respond to CTRL+C command).
+    - Fix #618: enabling interface-automatic disables DNS-over-TLS.
+      Adds the option to list interface-automatic-ports.
+    - Remove debug info from #618 fix.
+    - Fix #628: A rpz-passthru action is not ending RPZ zone processing.
+    - Fix for #628: fix rpz-passthru for qname trigger by localzone type.
+    - Fix that address not available is squelched from the logs for
+      udp connect failures. It is visible on verbosity 4 and more.
+    - Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with
+      ERR_GET_REASON.
+    - Fix to detect that no IPv6 support means that IPv6 addresses are
+      useless for delegation point lookups.
+    - update Makefile dependencies.
+    - Fix check interface existence for support detection in remote lookup.
+    - Fix #633: Document unix domain socket support for unbound-control.
+    - Fix for #633: updated fix with new text.
+    - Fix edns client subnet to add the option based on the option list,
+      so that it is not state dependent, after the state fix of #605 for
+      double EDNS options.
+    - Fix for edns client subnet option add fix in removal code, from review.
+    - Fix #630: Unify the RPZ log messages.
+    - Merge #623 from rex4539: Fix typos.
+    - Fix pythonmod for change in iter_dp_is_useless function prototype.
+    - Fix compile warnings for printf ll format on mingw compile.
+    - Merge PR #632 from scottrw93: Match cnames in ipset.
+    - Various fixes for #632: variable initialisation, convert the qinfo
+      to str once, accept trailing dot in the local-zone ipset option.
+    - Fix #637: Integer Overflow in sldns_str2period function.
+    - Fix for #637: fix integer overflow checks in sldns_str2period.
+    - Fix configure for python to use sysutils, because distutils is
+      deprecated. It uses sysutils when available, distutils otherwise.
+    - Merge #644: Make `install-lib` make target install the pkg-config
+      file.
+    - Fix to ensure uniform handling of spaces and tabs when parsing RRs.
+    - Fix to describe auth-zone and other configuration at the local-zone
+      configuration option, to allow for more broadly view of the options.
+    - Merge PR #648 from eaglegai: fix -q doesn't work when use with
+      'unbound-control stats_shm'.
+    - Fix #651: [FR] Better logging for refused queries.
+    - Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup.
+    - Fix zonemd check to allow unsupported algorithms to load.
+      If there are only unsupported algorithms, or unsupported schemes,
+      and no failed or successful other ZONEMD records, or malformed
+      or bad ZONEMD records, the unsupported records allow the zone load.
+    - Fix zonemd unsupported algo check.
+    - Fix zonemd unsupported algo check reason to not copy to next record,
+      and check for success for debug printout.
+    - Fix zonemd unsupported algo check to print unsupported reason before
+      zeroing it.
+    - Fix zonemd unsupported algo check to set reason to NULL before the
+      check routine, but after malformed checks, to get the correct NULL
+      output when the digest matches.
+    - Fix #670: SERVFAIL problems with unbound 1.15.0 running on
+      OpenBSD 7.1.
+    - Fix Python build in non-source directory; based on patch by
+      Michael Tokarev.
+    - Fix #673: DNS over TLS: error: SSL_handshake syscall: No route to
+      host.
+    - Merge #677: Allow using system certificates not only on Windows,
+      from pemensik.
+    - For #677: Added tls-system-cert to config parser and documentation.
+    - Fix #417: prefetch and ECS causing cache corruption when used
+      together.
+    - Fix #678: [FR] modify behaviour of unbound-control rpz_enable zone,
+      by updating unbound-control's documentation.
+    - Fix typos in config_set_option for the 'num-threads' and
+      'ede-serve-expired' options.
+    - Fix to silence test for ede error output to the console from the
+      test setup script.
+    - Fix ede test to not use default pidfile, and use local interface.
+    - Fix some lint type warnings.
+    - Fix #684: [FTBS] configure script error with libmnl on openSUSE 15.3
+      (and possibly other distributions)
+
 -------------------------------------------------------------------
 Tue Apr 19 15:41:37 UTC 2022 - Dirk Müller <dmueller@suse.com>
 
@@ -98,6 +182,91 @@ Tue Apr 19 15:41:37 UTC 2022 - Dirk Müller <dmueller@suse.com>
     software version.
   - Fix for #611: Integer overflow in sldns_wire2str_pkt_scan. 
 
+-------------------------------------------------------------------
+Thu Feb 10 22:55:23 UTC 2022 - Michael Ströder <michael@stroeder.com>
+
+- update to 1.15.0
+
+Features
+- Fix #596: unset the RA bit when a query is blocked by an unbound
+  RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
+  signal that a domain is externally blocked to clients when it
+  is blocked with NXDOMAIN by unsetting RA.
+- Add rpz: for-downstream: yesno option, where the RPZ zone is
+  authoritatively answered for, so the RPZ zone contents can be
+  checked with DNS queries directed at the RPZ zone.
+- Merge PR #616: Update ratelimit logic. It also introduces
+  ratelimit-backoff and ip-ratelimit-backoff configuration options.
+- Change aggressive-nsec default to yes.
+
+Bug Fixes
+- Fix compile warning for if_nametoindex on windows 64bit.
+- Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
+  warnings in rpz.
+- Fix validator debug output about DS support, print correct algorithm.
+- Add code similar to fix for ldns for tab between strings, for
+  consistency, the test case was not broken.
+- Allow local-data for classes other than IN to inherit a configured
+  local-zone's type if possible, instead of defaulting to type
+  transparent as per the implicit rule.
+- Fix to pick up other class local zone information before unlock.
+- Add missing configure flags for optional features in the
+  documentation.
+- Fix Unbound capitalization in the documentation.
+- Fix #591: Unbound-anchor manpage links to non-existent license file.
+- contrib/aaaa-filter-iterator.patch file renewed diff content to
+  apply cleanly to the current coderepo for the current code version.
+- Fix to add test for rpz-signal-nxdomain-ra.
+- Fix #596: only unset RA when NXDOMAIN is signalled.
+- Fix that RPZ does not set RD flag on replies, it should be copied
+  from the query.
+- Fix for #596: fix that rpz return message is returned and not just
+  the rcode from the iterator return path. This fixes signal unset RA
+  after a CNAME.
+- Fix unit tests for rpz now that the AA flag returns successfully from
+  the iterator loop.
+- Fix for #596: add unit test for nsdname trigger and signal unset RA.
+- Fix for #596: add unit test for nsip trigger and signal unset RA.
+- Fix #598: Fix unbound-checkconf fatal error: module conf
+  'respip dns64 validator iterator' is not known to work.
+- Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
+  triggered operation.
+- Merge #600 from pemensik: Change file mode before changing file
+  owner.
+- Fix prematurely terminated TCP queries when a reply has the same ID.
+- For #602: Allow the module-config "subnetcache validator cachedb
+  iterator".
+- Fix EDNS to upstream where the same option could be attached
+  more than once.
+- Add a region to serviced_query for allocations.
+- For dnstap, do not wakeupnow right there. Instead zero the timer to
+  force the wakeup callback asap.
+- Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
+- Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
+  serviced_udp_callback.
+- Merge PR #612: TCP race condition.
+- Test for NSID in SERVFAIL response due to DNSSEC bogus.
+- Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
+  document.
+- Fix tls-* and ssl-* documented alternate syntax to also be available
+  through remote-control and unbound-checkconf.
+- Better cleanup on failed DoT/DoH listening socket creation.
+- iana portlist update.
+- Fix review comment for use-after-free when failing to send UDP out.
+- Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
+  internals.
+- Merge PR #532 from Shchelk: Fix: buffer overflow bug.
+- Merge PR #617: Update stub/forward-host notation to accept port and
+  tls-auth-name.
+- Update stream_ssl.tdir test to also use the new forward-host
+  notation.
+- Fix header comment for doxygen for authextstrtoaddr.
+- please clang analyzer for loop in test code.
+- Fix docker splint test to use more portable uname.
+- Update contrib/aaaa-filter-iterator.patch with diff for current
+  software version.
+- Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
+
 -------------------------------------------------------------------
 Fri Dec 31 23:18:09 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>