diff --git a/packages/u/unbound/.files b/packages/u/unbound/.files index 7dd198df0e7..417d364018f 100644 Binary files a/packages/u/unbound/.files and b/packages/u/unbound/.files differ diff --git a/packages/u/unbound/.rev b/packages/u/unbound/.rev index 910742d4d69..7ff10a4c0e2 100644 --- a/packages/u/unbound/.rev +++ b/packages/u/unbound/.rev @@ -460,4 +460,12 @@ Features update to 1.15.0 and switching to sysuser 974922 + + 84a261549d1a21852ea961f9f682b864 + 1.16.0 + + dimstar_suse + + 983597 + diff --git a/packages/u/unbound/libunbound-devel-mini.changes b/packages/u/unbound/libunbound-devel-mini.changes index 103cbdb83cf..be81080099f 100644 --- a/packages/u/unbound/libunbound-devel-mini.changes +++ b/packages/u/unbound/libunbound-devel-mini.changes 
@@ -1,9 +1,178 @@ +------------------------------------------------------------------- +Thu Jun 2 11:54:13 UTC 2022 - Michael Ströder + +- update to 1.16.0 + * Features + - Merge PR #604: Add basic support for EDE (RFC8914). + * Bug Fixes + - Fix #412: cache invalidation issue with CNAME+A. + - Fix that TCP interface does not use TLS when TLS is also configured. + - Fix #624: Unable to stop Unbound in Windows console (does not + respond to CTRL+C command). + - Fix #618: enabling interface-automatic disables DNS-over-TLS. + Adds the option to list interface-automatic-ports. + - Remove debug info from #618 fix. + - Fix #628: A rpz-passthru action is not ending RPZ zone processing. + - Fix for #628: fix rpz-passthru for qname trigger by localzone type. + - Fix that address not available is squelched from the logs for + udp connect failures. It is visible on verbosity 4 and more. + - Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with + ERR_GET_REASON. + - Fix to detect that no IPv6 support means that IPv6 addresses are + useless for delegation point lookups. + - update Makefile dependencies. + - Fix check interface existence for support detection in remote lookup. + - Fix #633: Document unix domain socket support for unbound-control. + - Fix for #633: updated fix with new text. + - Fix edns client subnet to add the option based on the option list, + so that it is not state dependent, after the state fix of #605 for + double EDNS options. + - Fix for edns client subnet option add fix in removal code, from review. + - Fix #630: Unify the RPZ log messages. + - Merge #623 from rex4539: Fix typos. + - Fix pythonmod for change in iter_dp_is_useless function prototype. + - Fix compile warnings for printf ll format on mingw compile. + - Merge PR #632 from scottrw93: Match cnames in ipset. + - Various fixes for #632: variable initialisation, convert the qinfo + to str once, accept trailing dot in the local-zone ipset option. 
+ - Fix #637: Integer Overflow in sldns_str2period function. + - Fix for #637: fix integer overflow checks in sldns_str2period. + - Fix configure for python to use sysutils, because distutils is + deprecated. It uses sysutils when available, distutils otherwise. + - Merge #644: Make `install-lib` make target install the pkg-config + file. + - Fix to ensure uniform handling of spaces and tabs when parsing RRs. + - Fix to describe auth-zone and other configuration at the local-zone + configuration option, to allow for more broadly view of the options. + - Merge PR #648 from eaglegai: fix -q doesn't work when use with + 'unbound-control stats_shm'. + - Fix #651: [FR] Better logging for refused queries. + - Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup. + - Fix zonemd check to allow unsupported algorithms to load. + If there are only unsupported algorithms, or unsupported schemes, + and no failed or successful other ZONEMD records, or malformed + or bad ZONEMD records, the unsupported records allow the zone load. + - Fix zonemd unsupported algo check. + - Fix zonemd unsupported algo check reason to not copy to next record, + and check for success for debug printout. + - Fix zonemd unsupported algo check to print unsupported reason before + zeroing it. + - Fix zonemd unsupported algo check to set reason to NULL before the + check routine, but after malformed checks, to get the correct NULL + output when the digest matches. + - Fix #670: SERVFAIL problems with unbound 1.15.0 running on + OpenBSD 7.1. + - Fix Python build in non-source directory; based on patch by + Michael Tokarev. + - Fix #673: DNS over TLS: error: SSL_handshake syscall: No route to + host. + - Merge #677: Allow using system certificates not only on Windows, + from pemensik. + - For #677: Added tls-system-cert to config parser and documentation. + - Fix #417: prefetch and ECS causing cache corruption when used + together. 
+ - Fix #678: [FR] modify behaviour of unbound-control rpz_enable zone, + by updating unbound-control's documentation. + - Fix typos in config_set_option for the 'num-threads' and + 'ede-serve-expired' options. + - Fix to silence test for ede error output to the console from the + test setup script. + - Fix ede test to not use default pidfile, and use local interface. + - Fix some lint type warnings. + - Fix #684: [FTBS] configure script error with libmnl on openSUSE 15.3 + (and possibly other distributions) + ------------------------------------------------------------------- Tue Apr 19 15:46:25 UTC 2022 - Dirk Müller - spec-cleaner - update to 1.15.0 +------------------------------------------------------------------- +Thu Feb 10 22:55:23 UTC 2022 - Michael Ströder + +- update to 1.15.0 + +Features +- Fix #596: unset the RA bit when a query is blocked by an unbound + RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to + signal that a domain is externally blocked to clients when it + is blocked with NXDOMAIN by unsetting RA. +- Add rpz: for-downstream: yesno option, where the RPZ zone is + authoritatively answered for, so the RPZ zone contents can be + checked with DNS queries directed at the RPZ zone. +- Merge PR #616: Update ratelimit logic. It also introduces + ratelimit-backoff and ip-ratelimit-backoff configuration options. +- Change aggressive-nsec default to yes. + +Bug Fixes +- Fix compile warning for if_nametoindex on windows 64bit. +- Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow + warnings in rpz. +- Fix validator debug output about DS support, print correct algorithm. +- Add code similar to fix for ldns for tab between strings, for + consistency, the test case was not broken. +- Allow local-data for classes other than IN to inherit a configured + local-zone's type if possible, instead of defaulting to type + transparent as per the implicit rule. +- Fix to pick up other class local zone information before unlock. 
+- Add missing configure flags for optional features in the + documentation. +- Fix Unbound capitalization in the documentation. +- Fix #591: Unbound-anchor manpage links to non-existent license file. +- contrib/aaaa-filter-iterator.patch file renewed diff content to + apply cleanly to the current coderepo for the current code version. +- Fix to add test for rpz-signal-nxdomain-ra. +- Fix #596: only unset RA when NXDOMAIN is signalled. +- Fix that RPZ does not set RD flag on replies, it should be copied + from the query. +- Fix for #596: fix that rpz return message is returned and not just + the rcode from the iterator return path. This fixes signal unset RA + after a CNAME. +- Fix unit tests for rpz now that the AA flag returns successfully from + the iterator loop. +- Fix for #596: add unit test for nsdname trigger and signal unset RA. +- Fix for #596: add unit test for nsip trigger and signal unset RA. +- Fix #598: Fix unbound-checkconf fatal error: module conf + 'respip dns64 validator iterator' is not known to work. +- Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip + triggered operation. +- Merge #600 from pemensik: Change file mode before changing file + owner. +- Fix prematurely terminated TCP queries when a reply has the same ID. +- For #602: Allow the module-config "subnetcache validator cachedb + iterator". +- Fix EDNS to upstream where the same option could be attached + more than once. +- Add a region to serviced_query for allocations. +- For dnstap, do not wakeupnow right there. Instead zero the timer to + force the wakeup callback asap. +- Fix #610: Undefine-shift in sldns_str2wire_hip_buf. +- Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in + serviced_udp_callback. +- Merge PR #612: TCP race condition. +- Test for NSID in SERVFAIL response due to DNSSEC bogus. +- Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC + document. 
+- Fix tls-* and ssl-* documented alternate syntax to also be available + through remote-control and unbound-checkconf. +- Better cleanup on failed DoT/DoH listening socket creation. +- iana portlist update. +- Fix review comment for use-after-free when failing to send UDP out. +- Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA + internals. +- Merge PR #532 from Shchelk: Fix: buffer overflow bug. +- Merge PR #617: Update stub/forward-host notation to accept port and + tls-auth-name. +- Update stream_ssl.tdir test to also use the new forward-host + notation. +- Fix header comment for doxygen for authextstrtoaddr. +- please clang analyzer for loop in test code. +- Fix docker splint test to use more portable uname. +- Update contrib/aaaa-filter-iterator.patch with diff for current + software version. +- Fix for #611: Integer overflow in sldns_wire2str_pkt_scan. + ------------------------------------------------------------------- Thu Dec 9 11:14:33 UTC 2021 - Michael Ströder diff --git a/packages/u/unbound/libunbound-devel-mini.spec b/packages/u/unbound/libunbound-devel-mini.spec index 84eb860f18f..8731acd8d1e 100644 --- a/packages/u/unbound/libunbound-devel-mini.spec +++ b/packages/u/unbound/libunbound-devel-mini.spec @@ -22,7 +22,7 @@ %bcond_without hardened_build # Name: libunbound-devel-mini -Version: 1.15.0 +Version: 1.16.0 Release: 0 Summary: Just a devel package for build loops License: BSD-3-Clause @@ -104,5 +104,6 @@ rm -rf %{buildroot}%{_mandir} %{buildroot}%{_libdir}/*.la %{_includedir}/unbound.h %{_includedir}/unbound-event.h %{_libdir}/libunbound.so +%{_libdir}/pkgconfig/libunbound.pc %changelog diff --git a/packages/u/unbound/unbound-1.15.0.tar.gz b/packages/u/unbound/unbound-1.15.0.tar.gz deleted file mode 120000 index ab72be06410..00000000000 --- a/packages/u/unbound/unbound-1.15.0.tar.gz +++ /dev/null @@ -1 +0,0 @@ -/ipfs/bafybeicmhrjvqfssk4olnzwrw5bwmo67p3bqge5vtsn2g7lwafkoi64xey \ No newline at end of file 
diff --git a/packages/u/unbound/unbound-1.16.0.tar.gz b/packages/u/unbound/unbound-1.16.0.tar.gz new file mode 120000 index 00000000000..75b8dfdcdc7 --- /dev/null +++ b/packages/u/unbound/unbound-1.16.0.tar.gz @@ -0,0 +1 @@ +/ipfs/bafybeiaxdfcpc73x2kptqa6wzdyf3zq342vnoehrviqfxnqi4cs5fg2d5i \ No newline at end of file diff --git a/packages/u/unbound/unbound.changes b/packages/u/unbound/unbound.changes index d63c52f2453..f60bf519efa 100644 --- a/packages/u/unbound/unbound.changes +++ b/packages/u/unbound/unbound.changes 
@@ -1,3 +1,87 @@ +------------------------------------------------------------------- +Thu Jun 2 11:54:13 UTC 2022 - Michael Ströder + +- update to 1.16.0 + * Features + - Merge PR #604: Add basic support for EDE (RFC8914). + * Bug Fixes + - Fix #412: cache invalidation issue with CNAME+A. + - Fix that TCP interface does not use TLS when TLS is also configured. + - Fix #624: Unable to stop Unbound in Windows console (does not + respond to CTRL+C command). + - Fix #618: enabling interface-automatic disables DNS-over-TLS. + Adds the option to list interface-automatic-ports. + - Remove debug info from #618 fix. + - Fix #628: A rpz-passthru action is not ending RPZ zone processing. + - Fix for #628: fix rpz-passthru for qname trigger by localzone type. + - Fix that address not available is squelched from the logs for + udp connect failures. It is visible on verbosity 4 and more. + - Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with + ERR_GET_REASON. + - Fix to detect that no IPv6 support means that IPv6 addresses are + useless for delegation point lookups. + - update Makefile dependencies. + - Fix check interface existence for support detection in remote lookup. + - Fix #633: Document unix domain socket support for unbound-control. + - Fix for #633: updated fix with new text. + - Fix edns client subnet to add the option based on the option list, + so that it is not state dependent, after the state fix of #605 for + double EDNS options. + - Fix for edns client subnet option add fix in removal code, from review. + - Fix #630: Unify the RPZ log messages. + - Merge #623 from rex4539: Fix typos. + - Fix pythonmod for change in iter_dp_is_useless function prototype. + - Fix compile warnings for printf ll format on mingw compile. + - Merge PR #632 from scottrw93: Match cnames in ipset. + - Various fixes for #632: variable initialisation, convert the qinfo + to str once, accept trailing dot in the local-zone ipset option. 
+ - Fix #637: Integer Overflow in sldns_str2period function. + - Fix for #637: fix integer overflow checks in sldns_str2period. + - Fix configure for python to use sysutils, because distutils is + deprecated. It uses sysutils when available, distutils otherwise. + - Merge #644: Make `install-lib` make target install the pkg-config + file. + - Fix to ensure uniform handling of spaces and tabs when parsing RRs. + - Fix to describe auth-zone and other configuration at the local-zone + configuration option, to allow for more broadly view of the options. + - Merge PR #648 from eaglegai: fix -q doesn't work when use with + 'unbound-control stats_shm'. + - Fix #651: [FR] Better logging for refused queries. + - Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup. + - Fix zonemd check to allow unsupported algorithms to load. + If there are only unsupported algorithms, or unsupported schemes, + and no failed or successful other ZONEMD records, or malformed + or bad ZONEMD records, the unsupported records allow the zone load. + - Fix zonemd unsupported algo check. + - Fix zonemd unsupported algo check reason to not copy to next record, + and check for success for debug printout. + - Fix zonemd unsupported algo check to print unsupported reason before + zeroing it. + - Fix zonemd unsupported algo check to set reason to NULL before the + check routine, but after malformed checks, to get the correct NULL + output when the digest matches. + - Fix #670: SERVFAIL problems with unbound 1.15.0 running on + OpenBSD 7.1. + - Fix Python build in non-source directory; based on patch by + Michael Tokarev. + - Fix #673: DNS over TLS: error: SSL_handshake syscall: No route to + host. + - Merge #677: Allow using system certificates not only on Windows, + from pemensik. + - For #677: Added tls-system-cert to config parser and documentation. + - Fix #417: prefetch and ECS causing cache corruption when used + together. 
+ - Fix #678: [FR] modify behaviour of unbound-control rpz_enable zone, + by updating unbound-control's documentation. + - Fix typos in config_set_option for the 'num-threads' and + 'ede-serve-expired' options. + - Fix to silence test for ede error output to the console from the + test setup script. + - Fix ede test to not use default pidfile, and use local interface. + - Fix some lint type warnings. + - Fix #684: [FTBS] configure script error with libmnl on openSUSE 15.3 + (and possibly other distributions) + ------------------------------------------------------------------- Tue Apr 19 15:41:37 UTC 2022 - Dirk Müller 
@@ -98,6 +182,91 @@ Tue Apr 19 15:41:37 UTC 2022 - Dirk Müller software version. - Fix for #611: Integer overflow in sldns_wire2str_pkt_scan. +------------------------------------------------------------------- +Thu Feb 10 22:55:23 UTC 2022 - Michael Ströder + +- update to 1.15.0 + +Features +- Fix #596: unset the RA bit when a query is blocked by an unbound + RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to + signal that a domain is externally blocked to clients when it + is blocked with NXDOMAIN by unsetting RA. +- Add rpz: for-downstream: yesno option, where the RPZ zone is + authoritatively answered for, so the RPZ zone contents can be + checked with DNS queries directed at the RPZ zone. +- Merge PR #616: Update ratelimit logic. It also introduces + ratelimit-backoff and ip-ratelimit-backoff configuration options. +- Change aggressive-nsec default to yes. + +Bug Fixes +- Fix compile warning for if_nametoindex on windows 64bit. +- Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow + warnings in rpz. +- Fix validator debug output about DS support, print correct algorithm. +- Add code similar to fix for ldns for tab between strings, for + consistency, the test case was not broken. +- Allow local-data for classes other than IN to inherit a configured + local-zone's type if possible, instead of defaulting to type + transparent as per the implicit rule. +- Fix to pick up other class local zone information before unlock. +- Add missing configure flags for optional features in the + documentation. +- Fix Unbound capitalization in the documentation. +- Fix #591: Unbound-anchor manpage links to non-existent license file. +- contrib/aaaa-filter-iterator.patch file renewed diff content to + apply cleanly to the current coderepo for the current code version. +- Fix to add test for rpz-signal-nxdomain-ra. +- Fix #596: only unset RA when NXDOMAIN is signalled. +- Fix that RPZ does not set RD flag on replies, it should be copied + from the query. 
+- Fix for #596: fix that rpz return message is returned and not just + the rcode from the iterator return path. This fixes signal unset RA + after a CNAME. +- Fix unit tests for rpz now that the AA flag returns successfully from + the iterator loop. +- Fix for #596: add unit test for nsdname trigger and signal unset RA. +- Fix for #596: add unit test for nsip trigger and signal unset RA. +- Fix #598: Fix unbound-checkconf fatal error: module conf + 'respip dns64 validator iterator' is not known to work. +- Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip + triggered operation. +- Merge #600 from pemensik: Change file mode before changing file + owner. +- Fix prematurely terminated TCP queries when a reply has the same ID. +- For #602: Allow the module-config "subnetcache validator cachedb + iterator". +- Fix EDNS to upstream where the same option could be attached + more than once. +- Add a region to serviced_query for allocations. +- For dnstap, do not wakeupnow right there. Instead zero the timer to + force the wakeup callback asap. +- Fix #610: Undefine-shift in sldns_str2wire_hip_buf. +- Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in + serviced_udp_callback. +- Merge PR #612: TCP race condition. +- Test for NSID in SERVFAIL response due to DNSSEC bogus. +- Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC + document. +- Fix tls-* and ssl-* documented alternate syntax to also be available + through remote-control and unbound-checkconf. +- Better cleanup on failed DoT/DoH listening socket creation. +- iana portlist update. +- Fix review comment for use-after-free when failing to send UDP out. +- Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA + internals. +- Merge PR #532 from Shchelk: Fix: buffer overflow bug. +- Merge PR #617: Update stub/forward-host notation to accept port and + tls-auth-name. +- Update stream_ssl.tdir test to also use the new forward-host + notation. 
+- Fix header comment for doxygen for authextstrtoaddr. +- please clang analyzer for loop in test code. +- Fix docker splint test to use more portable uname. +- Update contrib/aaaa-filter-iterator.patch with diff for current + software version. +- Fix for #611: Integer overflow in sldns_wire2str_pkt_scan. + ------------------------------------------------------------------- Fri Dec 31 23:18:09 UTC 2021 - Callum Farmer diff --git a/packages/u/unbound/unbound.spec b/packages/u/unbound/unbound.spec index ca7c79af7f5..3d400dfdf4f 100644 --- a/packages/u/unbound/unbound.spec +++ b/packages/u/unbound/unbound.spec @@ -33,7 +33,7 @@ %define piddir /run Name: unbound -Version: 1.15.0 +Version: 1.16.0 Release: 0 BuildRequires: flex BuildRequires: ldns-devel >= %{ldns_version}
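Review bot: in libunbound-devel-mini.changes (@@ -1,9 +1,178 @@) the added block dated Thu Feb 10 22:55:23 UTC 2022 is a second "update to 1.15.0" entry, placed directly under the existing "Tue Apr 19 15:46:25 UTC 2022 - Dirk Müller" entry that already records "update to 1.15.0". The file now documents the same version bump twice. Fold the detailed list into one entry or drop the short one, so that tooling and readers scanning the changelog see each version once.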
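Review bot: the %files addition in libunbound-devel-mini.spec (@@ -104,5 +104,6 @@), "+%{_libdir}/pkgconfig/libunbound.pc", has no packaging bullet of its own in the new .changes entry, which lists only upstream items such as "Merge #644: Make `install-lib` make target install the pkg-config file." Add a line saying that libunbound-devel-mini now ships the pkg-config file. It is also worth confirming that this path cannot collide with the same file from the full devel package where both can be installed.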
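Review bot: the source swap (unbound-1.15.0.tar.gz deleted, unbound-1.16.0.tar.gz added as a new symlink) changes only the two tarball entries; no detached signature or checksum file for 1.16.0 appears next to them in this diff. If the package verifies the tarball against an upstream signature, the matching file belongs in this same change. If it does not, the version bump is a good place to add that verification, since the tarball content is otherwise taken on trust.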
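Review bot: in the 1.16.0 entry of unbound.changes (@@ -1,3 +1,87 @@) the integer-overflow and cache-corruption fixes, "Fix #637: Integer Overflow in sldns_str2period function." and "Fix #417: prefetch and ECS causing cache corruption when used together.", sit unmarked in the middle of the bug-fix list with no bug-tracker or CVE reference. If a tracker entry exists for either, cite it on that line so the update can be matched to it. If none exists, consider moving these items to the top of the list so they are not missed when deciding how urgently to ship the update.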
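Review bot: the second unbound.changes hunk (@@ -98,6 +182,91 @@) inserts a full 1.15.0 entry right after context lines that already end with "- Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.", which is also the last line of the added block. That indicates the 1.15.0 list is now present twice in the file, once under the Tue Apr 19 entry and once under the new Thu Feb 10 22:55:23 UTC 2022 entry. Keep one copy and reduce the other to a one-line reference.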