diff --git a/packages/u/unbound/.files b/packages/u/unbound/.files
index 7dd198df0e7..417d364018f 100644
Binary files a/packages/u/unbound/.files and b/packages/u/unbound/.files differ
diff --git a/packages/u/unbound/.rev b/packages/u/unbound/.rev
index 910742d4d69..7ff10a4c0e2 100644
--- a/packages/u/unbound/.rev
+++ b/packages/u/unbound/.rev
@@ -460,4 +460,12 @@ Features
update to 1.15.0 and switching to sysuser974922
+
+ 84a261549d1a21852ea961f9f682b864
+ 1.16.0
+
+ dimstar_suse
+
+ 983597
+
diff --git a/packages/u/unbound/libunbound-devel-mini.changes b/packages/u/unbound/libunbound-devel-mini.changes
index 103cbdb83cf..be81080099f 100644
--- a/packages/u/unbound/libunbound-devel-mini.changes
+++ b/packages/u/unbound/libunbound-devel-mini.changes
@@ -1,9 +1,178 @@
+-------------------------------------------------------------------
+Thu Jun 2 11:54:13 UTC 2022 - Michael Ströder
+
+- update to 1.16.0
+ * Features
+ - Merge PR #604: Add basic support for EDE (RFC8914).
+ * Bug Fixes
+ - Fix #412: cache invalidation issue with CNAME+A.
+ - Fix that TCP interface does not use TLS when TLS is also configured.
+ - Fix #624: Unable to stop Unbound in Windows console (does not
+ respond to CTRL+C command).
+ - Fix #618: enabling interface-automatic disables DNS-over-TLS.
+ Adds the option to list interface-automatic-ports.
+ - Remove debug info from #618 fix.
+ - Fix #628: A rpz-passthru action is not ending RPZ zone processing.
+ - Fix for #628: fix rpz-passthru for qname trigger by localzone type.
+ - Fix that address not available is squelched from the logs for
+ udp connect failures. It is visible on verbosity 4 and more.
+ - Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with
+ ERR_GET_REASON.
+ - Fix to detect that no IPv6 support means that IPv6 addresses are
+ useless for delegation point lookups.
+ - update Makefile dependencies.
+ - Fix check interface existence for support detection in remote lookup.
+ - Fix #633: Document unix domain socket support for unbound-control.
+ - Fix for #633: updated fix with new text.
+ - Fix edns client subnet to add the option based on the option list,
+ so that it is not state dependent, after the state fix of #605 for
+ double EDNS options.
+ - Fix for edns client subnet option add fix in removal code, from review.
+ - Fix #630: Unify the RPZ log messages.
+ - Merge #623 from rex4539: Fix typos.
+ - Fix pythonmod for change in iter_dp_is_useless function prototype.
+ - Fix compile warnings for printf ll format on mingw compile.
+ - Merge PR #632 from scottrw93: Match cnames in ipset.
+ - Various fixes for #632: variable initialisation, convert the qinfo
+ to str once, accept trailing dot in the local-zone ipset option.
+ - Fix #637: Integer Overflow in sldns_str2period function.
+ - Fix for #637: fix integer overflow checks in sldns_str2period.
+ - Fix configure for python to use sysutils, because distutils is
+ deprecated. It uses sysutils when available, distutils otherwise.
+ - Merge #644: Make `install-lib` make target install the pkg-config
+ file.
+ - Fix to ensure uniform handling of spaces and tabs when parsing RRs.
+ - Fix to describe auth-zone and other configuration at the local-zone
+ configuration option, to allow for more broadly view of the options.
+ - Merge PR #648 from eaglegai: fix -q doesn't work when use with
+ 'unbound-control stats_shm'.
+ - Fix #651: [FR] Better logging for refused queries.
+ - Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup.
+ - Fix zonemd check to allow unsupported algorithms to load.
+ If there are only unsupported algorithms, or unsupported schemes,
+ and no failed or successful other ZONEMD records, or malformed
+ or bad ZONEMD records, the unsupported records allow the zone load.
+ - Fix zonemd unsupported algo check.
+ - Fix zonemd unsupported algo check reason to not copy to next record,
+ and check for success for debug printout.
+ - Fix zonemd unsupported algo check to print unsupported reason before
+ zeroing it.
+ - Fix zonemd unsupported algo check to set reason to NULL before the
+ check routine, but after malformed checks, to get the correct NULL
+ output when the digest matches.
+ - Fix #670: SERVFAIL problems with unbound 1.15.0 running on
+ OpenBSD 7.1.
+ - Fix Python build in non-source directory; based on patch by
+ Michael Tokarev.
+ - Fix #673: DNS over TLS: error: SSL_handshake syscall: No route to
+ host.
+ - Merge #677: Allow using system certificates not only on Windows,
+ from pemensik.
+ - For #677: Added tls-system-cert to config parser and documentation.
+ - Fix #417: prefetch and ECS causing cache corruption when used
+ together.
+ - Fix #678: [FR] modify behaviour of unbound-control rpz_enable zone,
+ by updating unbound-control's documentation.
+ - Fix typos in config_set_option for the 'num-threads' and
+ 'ede-serve-expired' options.
+ - Fix to silence test for ede error output to the console from the
+ test setup script.
+ - Fix ede test to not use default pidfile, and use local interface.
+ - Fix some lint type warnings.
+ - Fix #684: [FTBS] configure script error with libmnl on openSUSE 15.3
+ (and possibly other distributions)
+
-------------------------------------------------------------------
Tue Apr 19 15:46:25 UTC 2022 - Dirk Müller
- spec-cleaner
- update to 1.15.0
+-------------------------------------------------------------------
+Thu Feb 10 22:55:23 UTC 2022 - Michael Ströder
+
+- update to 1.15.0
+
+Features
+- Fix #596: unset the RA bit when a query is blocked by an unbound
+ RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
+ signal that a domain is externally blocked to clients when it
+ is blocked with NXDOMAIN by unsetting RA.
+- Add rpz: for-downstream: yesno option, where the RPZ zone is
+ authoritatively answered for, so the RPZ zone contents can be
+ checked with DNS queries directed at the RPZ zone.
+- Merge PR #616: Update ratelimit logic. It also introduces
+ ratelimit-backoff and ip-ratelimit-backoff configuration options.
+- Change aggressive-nsec default to yes.
+
+Bug Fixes
+- Fix compile warning for if_nametoindex on windows 64bit.
+- Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
+ warnings in rpz.
+- Fix validator debug output about DS support, print correct algorithm.
+- Add code similar to fix for ldns for tab between strings, for
+ consistency, the test case was not broken.
+- Allow local-data for classes other than IN to inherit a configured
+ local-zone's type if possible, instead of defaulting to type
+ transparent as per the implicit rule.
+- Fix to pick up other class local zone information before unlock.
+- Add missing configure flags for optional features in the
+ documentation.
+- Fix Unbound capitalization in the documentation.
+- Fix #591: Unbound-anchor manpage links to non-existent license file.
+- contrib/aaaa-filter-iterator.patch file renewed diff content to
+ apply cleanly to the current coderepo for the current code version.
+- Fix to add test for rpz-signal-nxdomain-ra.
+- Fix #596: only unset RA when NXDOMAIN is signalled.
+- Fix that RPZ does not set RD flag on replies, it should be copied
+ from the query.
+- Fix for #596: fix that rpz return message is returned and not just
+ the rcode from the iterator return path. This fixes signal unset RA
+ after a CNAME.
+- Fix unit tests for rpz now that the AA flag returns successfully from
+ the iterator loop.
+- Fix for #596: add unit test for nsdname trigger and signal unset RA.
+- Fix for #596: add unit test for nsip trigger and signal unset RA.
+- Fix #598: Fix unbound-checkconf fatal error: module conf
+ 'respip dns64 validator iterator' is not known to work.
+- Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
+ triggered operation.
+- Merge #600 from pemensik: Change file mode before changing file
+ owner.
+- Fix prematurely terminated TCP queries when a reply has the same ID.
+- For #602: Allow the module-config "subnetcache validator cachedb
+ iterator".
+- Fix EDNS to upstream where the same option could be attached
+ more than once.
+- Add a region to serviced_query for allocations.
+- For dnstap, do not wakeupnow right there. Instead zero the timer to
+ force the wakeup callback asap.
+- Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
+- Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
+ serviced_udp_callback.
+- Merge PR #612: TCP race condition.
+- Test for NSID in SERVFAIL response due to DNSSEC bogus.
+- Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
+ document.
+- Fix tls-* and ssl-* documented alternate syntax to also be available
+ through remote-control and unbound-checkconf.
+- Better cleanup on failed DoT/DoH listening socket creation.
+- iana portlist update.
+- Fix review comment for use-after-free when failing to send UDP out.
+- Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
+ internals.
+- Merge PR #532 from Shchelk: Fix: buffer overflow bug.
+- Merge PR #617: Update stub/forward-host notation to accept port and
+ tls-auth-name.
+- Update stream_ssl.tdir test to also use the new forward-host
+ notation.
+- Fix header comment for doxygen for authextstrtoaddr.
+- please clang analyzer for loop in test code.
+- Fix docker splint test to use more portable uname.
+- Update contrib/aaaa-filter-iterator.patch with diff for current
+ software version.
+- Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
+
-------------------------------------------------------------------
Thu Dec 9 11:14:33 UTC 2021 - Michael Ströder
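Review bot: The second added block inserts a backdated entry (Thu Feb 10 22:55:23 UTC 2022, "update to 1.15.0") beneath the existing Tue Apr 19 entry, which already records "update to 1.15.0". A .changes file is normally only prepended to, so this hunk rewrites earlier history in addition to adding the 1.16.0 entry. If the intent is to bring this file in line with unbound.changes, say so in the new top entry; otherwise drop the Feb 10 block and keep only the 1.16.0 entry.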
diff --git a/packages/u/unbound/libunbound-devel-mini.spec b/packages/u/unbound/libunbound-devel-mini.spec
index 84eb860f18f..8731acd8d1e 100644
--- a/packages/u/unbound/libunbound-devel-mini.spec
+++ b/packages/u/unbound/libunbound-devel-mini.spec
@@ -22,7 +22,7 @@
%bcond_without hardened_build
#
Name: libunbound-devel-mini
-Version: 1.15.0
+Version: 1.16.0
Release: 0
Summary: Just a devel package for build loops
License: BSD-3-Clause
@@ -104,5 +104,6 @@ rm -rf %{buildroot}%{_mandir} %{buildroot}%{_libdir}/*.la
%{_includedir}/unbound.h
%{_includedir}/unbound-event.h
%{_libdir}/libunbound.so
+%{_libdir}/pkgconfig/libunbound.pc
%changelog
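Review bot: The new %files line "%{_libdir}/pkgconfig/libunbound.pc" is a packaging change that the added 1.16.0 changelog entry does not mention; the entry only carries the upstream item "Merge #644: Make `install-lib` make target install the pkg-config file." Add a line to libunbound-devel-mini.changes stating that the -mini package now ships libunbound.pc, and confirm that the Requires listed in that .pc file can be satisfied in the build loops this package exists for. The unbound.spec hunk shown in this patch only bumps Version, so also check that the regular devel subpackage already lists the file.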
diff --git a/packages/u/unbound/unbound-1.15.0.tar.gz b/packages/u/unbound/unbound-1.15.0.tar.gz
deleted file mode 120000
index ab72be06410..00000000000
--- a/packages/u/unbound/unbound-1.15.0.tar.gz
+++ /dev/null
@@ -1 +0,0 @@
-/ipfs/bafybeicmhrjvqfssk4olnzwrw5bwmo67p3bqge5vtsn2g7lwafkoi64xey
\ No newline at end of file
diff --git a/packages/u/unbound/unbound-1.16.0.tar.gz b/packages/u/unbound/unbound-1.16.0.tar.gz
new file mode 120000
index 00000000000..75b8dfdcdc7
--- /dev/null
+++ b/packages/u/unbound/unbound-1.16.0.tar.gz
@@ -0,0 +1 @@
+/ipfs/bafybeiaxdfcpc73x2kptqa6wzdyf3zq342vnoehrviqfxnqi4cs5fg2d5i
\ No newline at end of file
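Review bot: The source tarball is swapped by pointing the symlink at a new content address, and nothing visible in this patch lets a reviewer check what that address resolves to: no detached signature, keyring or checksum file for unbound-1.16.0.tar.gz is added or updated alongside it. Before accepting, verify the fetched tarball against the digest or PGP signature that upstream publishes for 1.16.0, and consider carrying the signature file and keyring in the package so the source can be verified at build time.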
diff --git a/packages/u/unbound/unbound.changes b/packages/u/unbound/unbound.changes
index d63c52f2453..f60bf519efa 100644
--- a/packages/u/unbound/unbound.changes
+++ b/packages/u/unbound/unbound.changes
@@ -1,3 +1,87 @@
+-------------------------------------------------------------------
+Thu Jun 2 11:54:13 UTC 2022 - Michael Ströder
+
+- update to 1.16.0
+ * Features
+ - Merge PR #604: Add basic support for EDE (RFC8914).
+ * Bug Fixes
+ - Fix #412: cache invalidation issue with CNAME+A.
+ - Fix that TCP interface does not use TLS when TLS is also configured.
+ - Fix #624: Unable to stop Unbound in Windows console (does not
+ respond to CTRL+C command).
+ - Fix #618: enabling interface-automatic disables DNS-over-TLS.
+ Adds the option to list interface-automatic-ports.
+ - Remove debug info from #618 fix.
+ - Fix #628: A rpz-passthru action is not ending RPZ zone processing.
+ - Fix for #628: fix rpz-passthru for qname trigger by localzone type.
+ - Fix that address not available is squelched from the logs for
+ udp connect failures. It is visible on verbosity 4 and more.
+ - Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with
+ ERR_GET_REASON.
+ - Fix to detect that no IPv6 support means that IPv6 addresses are
+ useless for delegation point lookups.
+ - update Makefile dependencies.
+ - Fix check interface existence for support detection in remote lookup.
+ - Fix #633: Document unix domain socket support for unbound-control.
+ - Fix for #633: updated fix with new text.
+ - Fix edns client subnet to add the option based on the option list,
+ so that it is not state dependent, after the state fix of #605 for
+ double EDNS options.
+ - Fix for edns client subnet option add fix in removal code, from review.
+ - Fix #630: Unify the RPZ log messages.
+ - Merge #623 from rex4539: Fix typos.
+ - Fix pythonmod for change in iter_dp_is_useless function prototype.
+ - Fix compile warnings for printf ll format on mingw compile.
+ - Merge PR #632 from scottrw93: Match cnames in ipset.
+ - Various fixes for #632: variable initialisation, convert the qinfo
+ to str once, accept trailing dot in the local-zone ipset option.
+ - Fix #637: Integer Overflow in sldns_str2period function.
+ - Fix for #637: fix integer overflow checks in sldns_str2period.
+ - Fix configure for python to use sysutils, because distutils is
+ deprecated. It uses sysutils when available, distutils otherwise.
+ - Merge #644: Make `install-lib` make target install the pkg-config
+ file.
+ - Fix to ensure uniform handling of spaces and tabs when parsing RRs.
+ - Fix to describe auth-zone and other configuration at the local-zone
+ configuration option, to allow for more broadly view of the options.
+ - Merge PR #648 from eaglegai: fix -q doesn't work when use with
+ 'unbound-control stats_shm'.
+ - Fix #651: [FR] Better logging for refused queries.
+ - Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup.
+ - Fix zonemd check to allow unsupported algorithms to load.
+ If there are only unsupported algorithms, or unsupported schemes,
+ and no failed or successful other ZONEMD records, or malformed
+ or bad ZONEMD records, the unsupported records allow the zone load.
+ - Fix zonemd unsupported algo check.
+ - Fix zonemd unsupported algo check reason to not copy to next record,
+ and check for success for debug printout.
+ - Fix zonemd unsupported algo check to print unsupported reason before
+ zeroing it.
+ - Fix zonemd unsupported algo check to set reason to NULL before the
+ check routine, but after malformed checks, to get the correct NULL
+ output when the digest matches.
+ - Fix #670: SERVFAIL problems with unbound 1.15.0 running on
+ OpenBSD 7.1.
+ - Fix Python build in non-source directory; based on patch by
+ Michael Tokarev.
+ - Fix #673: DNS over TLS: error: SSL_handshake syscall: No route to
+ host.
+ - Merge #677: Allow using system certificates not only on Windows,
+ from pemensik.
+ - For #677: Added tls-system-cert to config parser and documentation.
+ - Fix #417: prefetch and ECS causing cache corruption when used
+ together.
+ - Fix #678: [FR] modify behaviour of unbound-control rpz_enable zone,
+ by updating unbound-control's documentation.
+ - Fix typos in config_set_option for the 'num-threads' and
+ 'ede-serve-expired' options.
+ - Fix to silence test for ede error output to the console from the
+ test setup script.
+ - Fix ede test to not use default pidfile, and use local interface.
+ - Fix some lint type warnings.
+ - Fix #684: [FTBS] configure script error with libmnl on openSUSE 15.3
+ (and possibly other distributions)
+
-------------------------------------------------------------------
Tue Apr 19 15:41:37 UTC 2022 - Dirk Müller
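Review bot: Several items in the added 1.16.0 entry are security-relevant ("Fix #637: Integer Overflow in sldns_str2period function", "Fix #417: prefetch and ECS causing cache corruption when used together", "Fix that TCP interface does not use TLS when TLS is also configured") but are identified only by upstream issue number. If any of them has a distribution bug or CVE assigned, add that reference to the entry so the update can be tracked as a security fix; if none exists, no change is needed. Separately, "use sysutils, because distutils is deprecated" looks like a transcription slip, since the Python module that replaces distutils for this purpose is sysconfig.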
@@ -98,6 +182,91 @@ Tue Apr 19 15:41:37 UTC 2022 - Dirk Müller
software version.
- Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
+-------------------------------------------------------------------
+Thu Feb 10 22:55:23 UTC 2022 - Michael Ströder
+
+- update to 1.15.0
+
+Features
+- Fix #596: unset the RA bit when a query is blocked by an unbound
+ RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
+ signal that a domain is externally blocked to clients when it
+ is blocked with NXDOMAIN by unsetting RA.
+- Add rpz: for-downstream: yesno option, where the RPZ zone is
+ authoritatively answered for, so the RPZ zone contents can be
+ checked with DNS queries directed at the RPZ zone.
+- Merge PR #616: Update ratelimit logic. It also introduces
+ ratelimit-backoff and ip-ratelimit-backoff configuration options.
+- Change aggressive-nsec default to yes.
+
+Bug Fixes
+- Fix compile warning for if_nametoindex on windows 64bit.
+- Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
+ warnings in rpz.
+- Fix validator debug output about DS support, print correct algorithm.
+- Add code similar to fix for ldns for tab between strings, for
+ consistency, the test case was not broken.
+- Allow local-data for classes other than IN to inherit a configured
+ local-zone's type if possible, instead of defaulting to type
+ transparent as per the implicit rule.
+- Fix to pick up other class local zone information before unlock.
+- Add missing configure flags for optional features in the
+ documentation.
+- Fix Unbound capitalization in the documentation.
+- Fix #591: Unbound-anchor manpage links to non-existent license file.
+- contrib/aaaa-filter-iterator.patch file renewed diff content to
+ apply cleanly to the current coderepo for the current code version.
+- Fix to add test for rpz-signal-nxdomain-ra.
+- Fix #596: only unset RA when NXDOMAIN is signalled.
+- Fix that RPZ does not set RD flag on replies, it should be copied
+ from the query.
+- Fix for #596: fix that rpz return message is returned and not just
+ the rcode from the iterator return path. This fixes signal unset RA
+ after a CNAME.
+- Fix unit tests for rpz now that the AA flag returns successfully from
+ the iterator loop.
+- Fix for #596: add unit test for nsdname trigger and signal unset RA.
+- Fix for #596: add unit test for nsip trigger and signal unset RA.
+- Fix #598: Fix unbound-checkconf fatal error: module conf
+ 'respip dns64 validator iterator' is not known to work.
+- Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
+ triggered operation.
+- Merge #600 from pemensik: Change file mode before changing file
+ owner.
+- Fix prematurely terminated TCP queries when a reply has the same ID.
+- For #602: Allow the module-config "subnetcache validator cachedb
+ iterator".
+- Fix EDNS to upstream where the same option could be attached
+ more than once.
+- Add a region to serviced_query for allocations.
+- For dnstap, do not wakeupnow right there. Instead zero the timer to
+ force the wakeup callback asap.
+- Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
+- Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
+ serviced_udp_callback.
+- Merge PR #612: TCP race condition.
+- Test for NSID in SERVFAIL response due to DNSSEC bogus.
+- Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
+ document.
+- Fix tls-* and ssl-* documented alternate syntax to also be available
+ through remote-control and unbound-checkconf.
+- Better cleanup on failed DoT/DoH listening socket creation.
+- iana portlist update.
+- Fix review comment for use-after-free when failing to send UDP out.
+- Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
+ internals.
+- Merge PR #532 from Shchelk: Fix: buffer overflow bug.
+- Merge PR #617: Update stub/forward-host notation to accept port and
+ tls-auth-name.
+- Update stream_ssl.tdir test to also use the new forward-host
+ notation.
+- Fix header comment for doxygen for authextstrtoaddr.
+- please clang analyzer for loop in test code.
+- Fix docker splint test to use more portable uname.
+- Update contrib/aaaa-filter-iterator.patch with diff for current
+ software version.
+- Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
+
-------------------------------------------------------------------
Fri Dec 31 23:18:09 UTC 2021 - Callum Farmer
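Review bot: The added Thu Feb 10 2022 "update to 1.15.0" entry appears to duplicate the entry directly above it: the unchanged context lines at the top of the hunk ("software version." and "- Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.") are identical to the last lines of the added block, and the hunk header places them inside the Tue Apr 19 15:41:37 UTC 2022 entry. Drop the added block, or if both entries are wanted for attribution, reduce one of them to a single line so the 1.15.0 change list is not carried twice.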
diff --git a/packages/u/unbound/unbound.spec b/packages/u/unbound/unbound.spec
index ca7c79af7f5..3d400dfdf4f 100644
--- a/packages/u/unbound/unbound.spec
+++ b/packages/u/unbound/unbound.spec
@@ -33,7 +33,7 @@
%define piddir /run
Name: unbound
-Version: 1.15.0
+Version: 1.16.0
Release: 0
BuildRequires: flex
BuildRequires: ldns-devel >= %{ldns_version}