From 9d429a709c6efed21d3f103d7987ba339b3e1877 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 19 2015 15:51:49 +0000
Subject: import unbound-1.4.20-26.el7
---
diff --git a/SOURCES/unbound-1.4.20-CVE-2014-8602.patch b/SOURCES/unbound-1.4.20-CVE-2014-8602.patch
new file mode 100644
index 0000000..9429e84
--- /dev/null
+++ b/SOURCES/unbound-1.4.20-CVE-2014-8602.patch
@@ -0,0 +1,149 @@
+Index: iterator/iterator.c
+===================================================================
+--- iterator/iterator.c (revision 3272)
++++ iterator/iterator.c (working copy)
+@@ -120,6 +120,7 @@
+ iq->query_restart_count = 0;
+ iq->referral_count = 0;
+ iq->sent_count = 0;
++ iq->target_count = NULL;
+ iq->wait_priming_stub = 0;
+ iq->refetch_glue = 0;
+ iq->dnssec_expected = 0;
+@@ -453,6 +454,26 @@
+ return 1;
+ }
+ 
++/** create target count structure for this query */
++static void
++target_count_create(struct iter_qstate* iq)
++{
++ if(!iq->target_count) {
++ iq->target_count = (int*)calloc(2, sizeof(int));
++ /* if calloc fails we simply do not track this number */
++ if(iq->target_count)
++ iq->target_count[0] = 1;
++ }
++}
++
++static void
++target_count_increase(struct iter_qstate* iq, int num)
++{
++ target_count_create(iq);
++ if(iq->target_count)
++ iq->target_count[1] += num;
++}
++
+ /**
+ * Generate a subrequest.
+ * Generate a local request event. Local events are tied to this module, and
+@@ -524,6 +545,10 @@
+ subiq = (struct iter_qstate*)subq->minfo[id];
+ memset(subiq, 0, sizeof(*subiq));
+ subiq->num_target_queries = 0;
++ target_count_create(iq);
++ subiq->target_count = iq->target_count;
++ if(iq->target_count)
++ iq->target_count[0] ++; /* extra reference */
+ subiq->num_current_queries = 0;
+ subiq->depth = iq->depth+1;
+ outbound_list_init(&subiq->outlist);
+@@ -1350,6 +1375,12 @@
+ 
+ if(iq->depth == ie->max_dependency_depth)
+ return 0;
++ if(iq->depth > 0 && iq->target_count &&
++ iq->target_count[1] > MAX_TARGET_COUNT) {
++ verbose(VERB_QUERY, "request has exceeded the maximum "
++ "number of glue fetches %d", iq->target_count[1]);
++ return 0;
++ }
+ 
+ iter_mark_cycle_targets(qstate, iq->dp);
+ missing = (int)delegpt_count_missing_targets(iq->dp);
+@@ -1532,6 +1563,7 @@
+ return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+ }
+ iq->num_target_queries += qs;
++ target_count_increase(iq, qs);
+ if(qs != 0) {
+ qstate->ext_state[id] = module_wait_subquery;
+ return 0; /* and wait for them */
+@@ -1541,6 +1573,12 @@
+ verbose(VERB_QUERY, "maxdepth and need more nameservers, fail");
+ return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
+ }
++ if(iq->depth > 0 && iq->target_count &&
++ iq->target_count[1] > MAX_TARGET_COUNT) {
++ verbose(VERB_QUERY, "request has exceeded the maximum "
++ "number of glue fetches %d", iq->target_count[1]);
++ return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
++ }
+ /* mark cycle targets for parent-side lookups */
+ iter_mark_pside_cycle_targets(qstate, iq->dp);
+ /* see if we can issue queries to get nameserver addresses */
+@@ -1570,6 +1608,7 @@
+ if(query_count != 0) { /* suspend to await results */
+ verbose(VERB_ALGO, "try parent-side glue lookup");
+ iq->num_target_queries += query_count;
++ target_count_increase(iq, query_count);
+ qstate->ext_state[id] = module_wait_subquery;
+ return 0;
+ }
+@@ -1725,6 +1764,7 @@
+ return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+ }
+ iq->num_target_queries += extra;
++ target_count_increase(iq, extra);
+ if(iq->num_target_queries > 0) {
+ /* wait to get all targets, we want to try em */
+ verbose(VERB_ALGO, "wait for all targets for fallback");
+@@ -1765,6 +1805,7 @@
+ /* errors ignored, these targets are not strictly necessary for
+ * this result, we do not have to reply with SERVFAIL */
+ iq->num_target_queries += extra;
++ target_count_increase(iq, extra);
+ }
+ 
+ /* Add the current set of unused targets to our queue. */
+@@ -1810,6 +1851,7 @@
+ return 1;
+ }
+ iq->num_target_queries += qs;
++ target_count_increase(iq, qs);
+ }
+ /* Since a target query might have been made, we
+ * need to check again. */
+@@ -2921,6 +2963,8 @@
+ iq = (struct iter_qstate*)qstate->minfo[id];
+ if(iq) {
+ outbound_list_clear(&iq->outlist);
++ if(iq->target_count && --iq->target_count[0] == 0)
++ free(iq->target_count);
+ iq->num_current_queries = 0;
+ }
+ qstate->minfo[id] = NULL;
+Index: iterator/iterator.h
+===================================================================
+--- iterator/iterator.h (revision 3272)
++++ iterator/iterator.h (working copy)
+@@ -52,6 +52,8 @@
+ struct iter_prep_list;
+ struct iter_priv;
+ 
++/** max number of targets spawned for a query and its subqueries */
++#define MAX_TARGET_COUNT 32
+ /** max number of query restarts. Determines max number of CNAME chain. */
+ #define MAX_RESTART_COUNT 8
+ /** max number of referrals. Makes sure resolver does not run away */
+@@ -251,6 +253,10 @@
+ 
+ /** number of queries fired off */
+ int sent_count;
++
++ /** number of target queries spawned in [1], for this query and its
++ * subqueries, the malloced-array is shared, [0] refcount. */
++ int* target_count;
+ 
+ /**
+ * The query must store NS records from referrals as parentside RRs
diff --git a/SOURCES/unbound-anchor.service b/SOURCES/unbound-anchor.service
new file mode 100644
index 0000000..26656b3
--- /dev/null
+++ b/SOURCES/unbound-anchor.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=update of the root trust anchor for DNSSEC validation in unbound
+Documentation=man:unbound-anchor(8)
+
+[Service]
+Type=oneshot
+User=unbound
+ExecStart=/usr/sbin/un�bound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
+SuccessExitStatus=1
diff --git a/SOURCES/unbound-anchor.timer b/SOURCES/unbound-anchor.timer
new file mode 100644
index 0000000..a87bf5c
--- /dev/null
+++ b/SOURCES/unbound-anchor.timer
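Review bot: The glue-fetch cap fails open when its counter cannot be allocated: `target_count_create` leaves `iq->target_count` NULL on calloc failure (the comment says so), and both guards are written `if(iq->depth > 0 && iq->target_count && iq->target_count[1] > MAX_TARGET_COUNT)`, so under memory pressure — the very exhaustion scenario CVE-2014-8602 is about — no limit is enforced at all. If the intent is to stay in step with upstream's patch this may be acceptable, but it should be explicit; failing closed is a one-token change in each guard, `if(iq->depth > 0 && (!iq->target_count || iq->target_count[1] > MAX_TARGET_COUNT))`, which sends an allocation failure in a subquery down the failure path each guard already takes. Note also that both checks run before `target_count_increase` adds the current batch, so the shared counter can overshoot `MAX_TARGET_COUNT` by one batch of `qs`/`query_count`/`extra`; I would say so in iterator.h, e.g. `/** max number of targets spawned for a query and its subqueries; checked before a batch is issued, so the total may exceed it by one batch */`. Every function these hunks touch starts and ends outside the hunk.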
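Review bot: The oneshot has no ordering against the network, yet its timer is `Persistent=true`, so a run missed while the machine was off fires right at boot, possibly before any interface is up; unbound-anchor then cannot reach its HTTPS source and, as far as I recall its man page, reports that with exit status 0, so the missed update is invisible. I would add `After=network-online.target` and `Wants=network-online.target` to `[Unit]`. `SuccessExitStatus=1` is correct but non-obvious and deserves a comment such as `# unbound-anchor exits 1 when it replaced the anchor using the certificate bundle, which is a success`. Since the unit runs unprivileged but has no sandboxing, `PrivateTmp=yes` and `ProtectHome=yes` in `[Service]` would be cheap hardening for a program that talks to the network.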
@@ -0,0 +1,14 @@
+[Unit]
+Description=daily update of the root trust anchor for DNSSEC
+Documentation=man:unbound-anchor(8)
+
+[Timer]
+# Current DNSKEY TTL in root zone is 172800 seconds, i.e. 172800/60/60/24 = 2 days.
+# It means that unboud-anchor should be run at least once a day.
+OnCalendar=daily
+Persistent=true
+AccuracySec=24h
+
+[Install]
+WantedBy=timers.target
+
diff --git a/SOURCES/unbound.conf b/SOURCES/unbound.conf
index 7dc69d7..2590f6d 100644
--- a/SOURCES/unbound.conf
+++ b/SOURCES/unbound.conf
@@ -336,7 +336,11 @@ server:
 # File with DLV trusted keys. Same format as trust-anchor-file.
 # There can be only one DLV configured, it is trusted from root down.
 # Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key
- dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
+ #
+ # ISC's DLV registry is being deprecated in the near future, therefore
+ # it is not used in the default configuration. The use of ISC's DLV
+ # registry is discouraged.
+ # dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"

 # File with trusted keys for validation. Specify more than one file
 # with several entries, one file per entry.
diff --git a/SOURCES/unbound.cron b/SOURCES/unbound.cron
deleted file mode 100644
index 56059f5..0000000
--- a/SOURCES/unbound.cron
+++ /dev/null
@@ -1,3 +0,0 @@
-# Look to see if the DNSSEC Root key got rolled, if so check trust and update
-
-10 3 1 * * unbound /usr/sbin/unbound-anchor -a /var/lib/unbound/root.anchor -c /etc/unbound/icannbundle.pem
diff --git a/SOURCES/unbound.service b/SOURCES/unbound.service
index a4cf3f3..9b49cb9 100644
--- a/SOURCES/unbound.service
+++ b/SOURCES/unbound.service
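Review bot: `AccuracySec=24h` contradicts the comment two lines above it: with `OnCalendar=daily` the timer may fire anywhere in the 24 h window after midnight, so two consecutive runs can be almost 48 h apart, which is the full 172800 s DNSKEY TTL the comment cites as the reason to run at least daily. I would tighten it to something like `AccuracySec=1h` (the default is 1 min; a few hours of coalescing is plenty for a daily job). The comment also misspells the tool as `unboud-anchor`; I would write `# It means that unbound-anchor should be run at least once a day.`.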
@@ -3,14 +3,15 @@ Description=Unbound recursive Domain Name Server
 After=syslog.target network.target
 After=unbound-keygen.service
 Wants=unbound-keygen.service
+Wants=unbound-anchor.timer
 Before=nss-lookup.target
 Wants=nss-lookup.target

 [Service]
 Type=simple
 EnvironmentFile=-/etc/sysconfig/unbound
-ExecStartPre=/sbin/runuser --shell /bin/sh -c "/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem" unbound
 ExecStartPre=/usr/sbin/unbound-checkconf
+ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
 ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS

 [Install]
diff --git a/SPECS/unbound.spec b/SPECS/unbound.spec
index 3647850..f5c89af 100644
--- a/SPECS/unbound.spec
+++ b/SPECS/unbound.spec
@@ -11,7 +11,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.4.20
-Release: 19%{?dist}
+Release: 26%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
 Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
@@ -30,11 +30,14 @@ Source11: block-example.com.conf
 Source12: icannbundle.pem
 Source13: root.anchor
 Source14: unbound.sysconfig
-Source15: unbound.cron
+Source15: unbound-anchor.timer
 Source16: unbound-munin.README
+Source17: unbound-anchor.service
+
 Patch1: unbound-1.4.20-roundrobin.patch
 Patch2: unbound-1.4.20-streamtcp-manpage.patch
 Patch3: unbound-1.4.20-coverity_scan.patch
+Patch4: unbound-1.4.20-CVE-2014-8602.patch

 Group: System Environment/Daemons
 BuildRequires: flex, openssl-devel , ldns-devel >= 1.6.13
@@ -46,9 +49,9 @@ BuildRequires: systemd-units
 # Required for SVN versions
 # BuildRequires: bison
-Requires(post): systemd-units
-Requires(preun): systemd-units
-Requires(postun): systemd-units
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
 Requires: ldns >= 1.6.13
 Requires(pre): shadow-utils
 # Needed because /usr/sbin/unbound links unbound libs staticly
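Review bot: The new `ExecStartPre=-/usr/sbin/unbound-anchor ...` runs as root, because this unit has no `User=`; the line it replaces dropped to `unbound` via runuser, and the new timer unit and the `%post libs` scriptlet still run the same command as `unbound`. The spec ships `/var/lib/unbound/root.key` as `unbound:unbound`; if unbound-anchor ever recreates rather than rewrites that file, a root-run start leaves it root-owned and every later unprivileged run from the timer fails to update it — silently, since unbound-anchor does not report errors through its exit status as far as I know. I would keep the privilege drop and only add the `-` prefix: `ExecStartPre=-/sbin/runuser --shell /bin/sh -c "/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem" unbound`. If runuser was removed deliberately (for instance because it misbehaved in ExecStartPre), that reason belongs in a comment next to the line.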
@@ -89,9 +92,19 @@ The devel package contains the unbound library and the include files
 Summary: Libraries used by the unbound server and client applications
 Group: Applications/System
 Requires(post): /sbin/ldconfig
+Requires(post): systemd
+Requires(preun): systemd
 Requires(postun): /sbin/ldconfig
+Requires(postun): systemd
 Requires: openssl >= 0.9.8g-12
-Requires: crontabs
+
+# needed to make sure the redhat-release-xxx contains the presets file
+# which enables unbound-anchor.timer.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=1215645#c5
+Conflicts: redhat-release-server < 7.2-7
+Conflicts: redhat-release-workstation < 7.2-5
+Conflicts: redhat-release-computenode < 7.2-5
+Conflicts: redhat-release-client < 7.2-4

 %description libs
 Contains libraries used by the unbound server and client applications
@@ -111,6 +124,7 @@ Python modules and extensions for unbound
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p0

 %build
 %configure --with-ldns= --with-libevent --with-pthreads --with-ssl \
@@ -131,17 +145,17 @@ Python modules and extensions for unbound
 install -d 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig
 install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
 install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service
+install -p -m 0644 %{SOURCE15} %{buildroot}%{_unitdir}/unbound-anchor.timer
+install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service
 install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
 install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
-install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound
-install -p -m 0644 %{SOURCE16} .
-install -d 0755 %{buildroot}%{_sysconfdir}/cron.d
-install -p -m 0644 %{SOURCE15} %{buildroot}%{_sysconfdir}/cron.d/unbound-anchor
+install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound
+install -p -m 0644 %{SOURCE16} .
 %if %{with_munin}
 # Install munin plugin and its softlinks
-install -d 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
+install -d -m 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
 install -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
-install -d 0755 %{buildroot}%{_datadir}/munin/plugins/
+install -d -m 0755 %{buildroot}%{_datadir}/munin/plugins/
 install -p -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound
 for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do
 ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
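Review bot: The first context line of the hunk, `install -d 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig`, has the same mistake this commit fixes for the two munin directories further down: without `-m`, `0755` is taken as a directory name, so a stray directory called `0755` is created in the build directory and the unit and sysconfig directories get the umask default instead of an explicit mode. Since the two new `install -p -m 0644 %{SOURCE15}`/`%{SOURCE17}` lines depend on that directory, I would fix it in the same hunk: `install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig`. The stray directory is only harmless because nothing lists it in %files.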
@@ -154,8 +168,8 @@ install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
 install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1

 # Install tmpfiles.d config
-install -d -m 0755 %{buildroot}%{_sysconfdir}/tmpfiles.d/ %{buildroot}%{_sharedstatedir}/unbound
-install -m 0644 %{SOURCE8} %{buildroot}%{_sysconfdir}/tmpfiles.d/unbound.conf
+install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound
+install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf

 # install root and DLV key - we keep a copy of the root key in old location,
 # in case user has changed the configuration and we wouldn't update it there
@@ -191,7 +205,7 @@ echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control
 %{_unitdir}/%{name}.service
 %{_unitdir}/%{name}-keygen.service
 %attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
-%config(noreplace) %{_sysconfdir}/tmpfiles.d/unbound.conf
+%attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
@@ -235,7 +249,8 @@ echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control
 %{_sbindir}/unbound-anchor
 %{_libdir}/libunbound.so.*
 %{_sysconfdir}/%{name}/icannbundle.pem
-%attr(0644,root,root) %{_sysconfdir}/cron.d/unbound-anchor
+%{_unitdir}/unbound-anchor.timer
+%{_unitdir}/unbound-anchor.service
 %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
 %attr(0644,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.key
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
@@ -257,16 +272,24 @@ exit 0
 %post libs
 /sbin/ldconfig
 %{_sbindir}/runuser --command="%{_sbindir}/unbound-anchor -a %{_sharedstatedir}/unbound/root.key -c %{_sysconfdir}/unbound/icannbundle.pem" --shell /bin/sh unbound ||:
+%systemd_post unbound-anchor.timer
+# the Unit is in presets, but would be started afte reboot
+/bin/systemctl start unbound-anchor.timer >/dev/null 2>&1 || :

 %preun
 %systemd_preun unbound.service
 %systemd_preun unbound-keygen.service

+%preun libs
+%systemd_preun unbound-anchor.timer
+
 %postun
 %systemd_postun_with_restart unbound.service
 %systemd_postun unbound-keygen.service

-%postun libs -p /sbin/ldconfig
+%postun libs
+/sbin/ldconfig
+%systemd_postun_with_restart unbound-anchor.timer

 %triggerun -- unbound < 1.4.12-4
 # Save the current service runlevel info
@@ -280,6 +303,28 @@ exit 0
 /bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :

 %changelog
+* Tue Sep 22 2015 Tomas Hozza - 1.4.20-26
+- Added Conficts on redhat-release packages without unbound-anchor.timer in presets (Related #1215645)
+
+* Tue Sep 15 2015 Tomas Hozza - 1.4.20-25
+- Resolve ordering loop with nss-lookup.target and ntpdate (#1259806)
+
+* Wed Aug 19 2015 Tomas Hozza - 1.4.20-24
+- Fix CVE-2014-8602 (#1253961)
+
+* Tue May 26 2015 Tomas Hozza - 1.4.20-23
+- Removed usage of DLV from the default configuration (#1223339)
+
+* Wed May 13 2015 Tomas Hozza - 1.4.20-22
+- unbound.service now Wants unbound-anchor.timer (Related: #1180267)
+
+* Tue May 12 2015 Tomas Hozza - 1.4.20-21
+- Fix dependencies and minor scriptlet issues due to systemd timer unit (Related: #1180267)
+
+* Mon Apr 27 2015 Tomas Hozza - 1.4.20-20
+- Install tmpfiles configuration into /usr/lib/tmpfiles.d (#1180995)
+- Fix root key management to comply to RFC5011 (#1180267)
+
 * Fri Jan 24 2014 Daniel Mach - 1.4.20-19
 - Mass rebuild 2014-01-24
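Review bot: `/bin/systemctl start unbound-anchor.timer` in `%post libs` runs on every install and upgrade and ignores whether the administrator has disabled the timer, whereas the `%systemd_post` just above it only applies the preset on first install. I would start it only when it is enabled: `/bin/systemctl is-enabled unbound-anchor.timer >/dev/null 2>&1 && /bin/systemctl start unbound-anchor.timer >/dev/null 2>&1 || :`. The comment on that line also has a typo; I would write `# the Unit is in presets, but would only be started after reboot`.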