From a68357474ddf972b58626aff15a90603822134e2 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 03 2020 12:03:49 +0000 Subject: import unbound-1.7.3-14.el8 --- diff --git a/SOURCES/root.anchor b/SOURCES/root.anchor index 4a5f11e..c78ee03 100644 --- a/SOURCES/root.anchor +++ b/SOURCES/root.anchor @@ -1,2 +1 @@ . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} -. 98799 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} diff --git a/SOURCES/root.key b/SOURCES/root.key index 077ca98..a0b1bef 100644 --- a/SOURCES/root.key +++ b/SOURCES/root.key @@ -2,7 +2,4 @@ ; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this trusted-keys { "." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326 - -"." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="; // key id = 19036 - }; diff --git a/SOURCES/tmpfiles-unbound.conf b/SOURCES/tmpfiles-unbound.conf index d625589..bb88f01 100644 --- a/SOURCES/tmpfiles-unbound.conf +++ b/SOURCES/tmpfiles-unbound.conf @@ -1 +1 @@ -D /var/run/unbound 0755 unbound unbound - +D /run/unbound 0755 unbound unbound - diff --git a/SOURCES/unbound-1.7.3-DNS-over-TLS-memory-leak.patch b/SOURCES/unbound-1.7.3-DNS-over-TLS-memory-leak.patch new file mode 100644 index 0000000..9823850 --- /dev/null +++ b/SOURCES/unbound-1.7.3-DNS-over-TLS-memory-leak.patch @@ -0,0 +1,36 @@ +From 377d5b426a30fc915cf7905786f93c0ec89845b7 Mon Sep 17 00:00:00 2001 +From: Wouter Wijngaards +Date: Tue, 25 Sep 2018 09:01:13 +0000 +Subject: [PATCH] - Add SSL cleanup for tcp timeout. + +git-svn-id: file:///svn/unbound/trunk@4915 be551aaa-1e26-0410-a405-d3ace91eadb9 +--- + services/outside_network.c | 11 +++++++++++ + 1 files changed, 9 insertions(+) +diff --git a/services/outside_network.c b/services/outside_network.c +index 5700ef8..b52cdab 100644 +--- a/services/outside_network.c ++++ b/services/outside_network.c +@@ -373,6 +373,8 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len) + if(!SSL_set1_host(pend->c->ssl, w->tls_auth_name)) { + log_err("SSL_set1_host failed"); + pend->c->fd = s; ++ SSL_free(pend->c->ssl); ++ pend->c->ssl = NULL; + comm_point_close(pend->c); + return 0; + } +@@ -1258,6 +1260,13 @@ outnet_tcptimer(void* arg) + } else { + /* it was in use */ + struct pending_tcp* pend=(struct pending_tcp*)w->next_waiting; ++ if(pend->c->ssl) { ++#ifdef HAVE_SSL ++ SSL_shutdown(pend->c->ssl); ++ SSL_free(pend->c->ssl); ++ pend->c->ssl = NULL; ++#endif ++ } + comm_point_close(pend->c); + pend->query = NULL; + pend->next_free = outnet->tcp_free; diff --git a/SOURCES/unbound-1.7.3-auth-callback.patch b/SOURCES/unbound-1.7.3-auth-callback.patch new file mode 100644 index 0000000..57a8922 --- /dev/null +++ b/SOURCES/unbound-1.7.3-auth-callback.patch @@ -0,0 +1,65 @@ +--- a/services/authzone.c 2018-06-14 09:09:01.000000000 +0200 ++++ b/services/authzone.c 2020-04-16 18:55:50.806693241 +0200 +@@ -5139,7 +5139,7 @@ + log_assert(xfr->task_transfer); + lock_basic_lock(&xfr->lock); + env = xfr->task_transfer->env; +- if(env->outnet->want_to_quit) { ++ if(!env || env->outnet->want_to_quit) { + lock_basic_unlock(&xfr->lock); + return; /* stop on quit */ + } +@@ -5558,7 +5558,7 @@ + log_assert(xfr->task_transfer); + lock_basic_lock(&xfr->lock); + env = xfr->task_transfer->env; +- if(env->outnet->want_to_quit) { ++ if(!env || env->outnet->want_to_quit) { + lock_basic_unlock(&xfr->lock); + return 0; /* stop on quit */ + } +@@ -5619,7 +5619,7 @@ + log_assert(xfr->task_transfer); + lock_basic_lock(&xfr->lock); + env = xfr->task_transfer->env; +- if(env->outnet->want_to_quit) { ++ if(!env || env->outnet->want_to_quit) { + lock_basic_unlock(&xfr->lock); + return 0; /* stop on quit */ + } +@@ -5798,7 +5798,7 @@ + log_assert(xfr->task_probe); + lock_basic_lock(&xfr->lock); + env = xfr->task_probe->env; +- if(env->outnet->want_to_quit) { ++ if(!env || env->outnet->want_to_quit) { + lock_basic_unlock(&xfr->lock); + return; /* stop on quit */ + } +@@ -5829,7 +5829,7 @@ + log_assert(xfr->task_probe); + lock_basic_lock(&xfr->lock); + env = xfr->task_probe->env; +- if(env->outnet->want_to_quit) { ++ if(!env || env->outnet->want_to_quit) { + lock_basic_unlock(&xfr->lock); + return 0; /* stop on quit */ + } +@@ -6030,7 +6030,7 @@ + log_assert(xfr->task_probe); + lock_basic_lock(&xfr->lock); + env = xfr->task_probe->env; +- if(env->outnet->want_to_quit) { ++ if(!env || env->outnet->want_to_quit) { + lock_basic_unlock(&xfr->lock); + return; /* stop on quit */ + } +@@ -6089,7 +6089,7 @@ + log_assert(xfr->task_nextprobe); + lock_basic_lock(&xfr->lock); + env = xfr->task_nextprobe->env; +- if(env->outnet->want_to_quit) { ++ if(!env || env->outnet->want_to_quit) { + lock_basic_unlock(&xfr->lock); + return; /* stop on quit */ + } diff --git a/SOURCES/unbound-1.7.3-ksk-2010-revoked.patch b/SOURCES/unbound-1.7.3-ksk-2010-revoked.patch new file mode 100644 index 0000000..a01109c --- /dev/null +++ b/SOURCES/unbound-1.7.3-ksk-2010-revoked.patch @@ -0,0 +1,14 @@ +diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c +index 2bf5b3ab..a30523c7 100644 +--- a/smallapp/unbound-anchor.c ++++ b/smallapp/unbound-anchor.c +@@ -246,9 +246,7 @@ get_builtin_ds(void) + return + /* The anchors must start on a new line with ". IN DS and end with \n"[;] + * because the makedist script greps on the source here */ +-/* anchor 19036 is from 2010 */ + /* anchor 20326 is from 2017 */ +-". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n" + ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n"; + } + diff --git a/SOURCES/unbound.conf b/SOURCES/unbound.conf index 2de6b64..5efe0d0 100644 --- a/SOURCES/unbound.conf +++ b/SOURCES/unbound.conf @@ -334,7 +334,7 @@ server: # log-replies: no # the pid file. Can be an absolute path outside of chroot/work dir. - pidfile: "/var/run/unbound/unbound.pid" + pidfile: "/run/unbound/unbound.pid" # file to read root hints from. # get one from https://www.internic.net/domain/named.cache diff --git a/SPECS/unbound.spec b/SPECS/unbound.spec index 91c47ca..9a37167 100644 --- a/SPECS/unbound.spec +++ b/SPECS/unbound.spec @@ -34,7 +34,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.7.3 -Release: 11%{?extra_version:.%{extra_version}}%{?dist} +Release: 14%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://www.unbound.net/ Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz @@ -61,7 +61,10 @@ Patch4: unbound-1.7.3-anchor-fallback.patch Patch5: unbound-1.7.3-host-any.patch Patch6: unbound-1.7.3-use-basic-lock.patch Patch7: unbound-1.7.3-ipsec-hook.patch -Patch8: unbound-1.7.3-amplifying-an-incoming-query.patch +Patch8: unbound-1.7.3-auth-callback.patch +Patch9: unbound-1.7.3-ksk-2010-revoked.patch +Patch10: unbound-1.7.3-DNS-over-TLS-memory-leak.patch +Patch11: unbound-1.7.3-amplifying-an-incoming-query.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel @@ -163,7 +166,10 @@ pushd %{pkgname} %patch5 -p1 -b .host-any %patch6 -p1 -b .use-basic-lock %patch7 -p1 -b .ipsec-hook -%patch8 -p1 -b .amplifying-an-incoming-query +%patch8 -p1 -b .auth-callback +%patch9 -p1 -b .ksk-2010-revoked +%patch10 -p1 -b .DNS-over-TLS-memory-leak +%patch11 -p1 -b .amplifying-an-incoming-query # only for snapshots # autoreconf -iv @@ -435,9 +441,26 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog -* Wed May 27 2020 Anna Khaitovich - 1.7.3-11 +* Thu May 28 2020 Anna Khaitovich - 1.7.3-14 +- Fix unbound-1.7.3-amplifying-an-incoming-query.patch patch +- Resolves: rhbz#1839178 (CVE-2020-12662) + +* Mon May 25 2020 Anna Khaitovich - 1.7.3-13 +- Fix two previous patches and add missing patch lines to %%prep - Fix amplifying an incoming query into a large number of queries directed to a target -- Resolves: rhbz#1839177 (CVE-2020-12662), rhbz#1840262 (CVE-2020-12663) +- Resolves: rhbz#1839178 (CVE-2020-12662) + +* Tue Apr 21 2020 Anna Khaitovich - 1.7.3-12 +- Remove KSK-2010 from configuration files +- Resolves: rhbz#1665502 +- Replace legacy directory /var/run/ with /run +- Resolves: rhbz#1766463 +- Resolves: rhbz#1805978 +- Fix memory leak when DNS over TLS forwarding is configured +- Resolves: rhbz#1819870 + +* Thu Apr 16 2020 Artem Egorenkov - 1.7.3-11 +- Resolves bz1818761. unbound crash fixed. * Tue Dec 10 2019 Tomas Korbar - 1.7.3-10 - Secure ipsec mode (#1772061)