[unbound/f16] * Mon Dec 19 2011 Paul Wouters <paul at cypherpunks.ca> - 1.4.14-1 - Upgraded to 1.4.14 for CVE-2011-45

Paul Wouters pwouters at fedoraproject.org
Mon Dec 19 22:14:53 UTC 2011


commit d0cb7c6406bbd60c1f2833e412495519e69fe032
Author: Paul Wouters <paul at xelerance.com>
Date:   Mon Dec 19 17:12:50 2011 -0500

    * Mon Dec 19 2011 Paul Wouters <paul at cypherpunks.ca> - 1.4.14-1
    - Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659
    - SSL-wrapped query support for dnssec-trigger
    - EDNS handling changes
    - Removed integrated EDNS patches
    - Disabled use-caps-for-id, GoDaddy domains now break on it
    - Enabled new harden-below-nxdomain
    - Enable ipv6 per default (was disabled for broken kernels)

 .gitignore   |    1 +
 sources      |    1 +
 unbound.conf |   36 +++++++++++++++++++++++++-----------
 unbound.spec |   13 ++++++++++---
 4 files changed, 37 insertions(+), 14 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 9e98762..c2cafd9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,4 @@ unbound-1.4.5.tar.gz
 /unbound-1.4.11.tar.gz
 /unbound-1.4.12.tar.gz
 /unbound-1.4.13.tar.gz
+/unbound-1.4.14.tar.gz
diff --git a/sources b/sources
index 0c3dd89..fc8e3ae 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
 7e3b27dee2b97640dd2e1783253317ab  unbound-1.4.13.tar.gz
+cd69fdaaa6af01ea0b6fbc59802f74ba  unbound-1.4.14.tar.gz
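Review bot: The only integrity check recorded for the new tarball is the MD5 digest on this line, and the 1.4.13 entry is kept rather than replaced (`@@ -1 +1,2 @@`), so the file now lists two archives. MD5 is collision-weak, so the digest should be confirmed against upstream's published checksum or signature before it is committed; the commit message does not say how the hash was obtained. Unless the 1.4.13 tarball is still needed, drop the stale line so the source fetch (presumably from the lookaside cache) does not keep pulling an archive the spec no longer references.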
diff --git a/unbound.conf b/unbound.conf
index ae7e406..99bc8d6 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -60,7 +60,7 @@ server:
 
 	# number of ports to allocate per thread, determines the size of the
 	# port range that can be open simultaneously. 
-	# outgoing-range: 256
+	# outgoing-range: 4096
 	
 	# permit unbound to use this port number or port range for
 	# making outgoing queries, using an outgoing interface.
@@ -83,6 +83,10 @@ server:
 	# 0 is system default.  Use 4m to catch query spikes for busy servers.
 	# so-rcvbuf: 0
 
+	# buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
+	# 0 is system default.  Use 4m to handle spikes on very busy servers.
+	# so-sndbuf: 0
+
 	# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
 	# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
 	# edns-buffer-size: 4096
@@ -123,24 +127,18 @@ server:
 	# cache. Items are not cached for longer. In seconds.
 	# cache-max-ttl: 86400
 
-	# the time to live (TTL) value for cached roundtrip times and
-	# EDNS version information for hosts. In seconds.
+	# the time to live (TTL) value for cached roundtrip times, lameness
+	# and EDNS version information for hosts. In seconds.
 	# infra-host-ttl: 900
 
-	# the time to live (TTL) value for cached lame delegations. In sec.
-	# infra-lame-ttl: 900
-
 	# the number of slabs to use for the Infrastructure cache.
 	# the number of slabs must be a power of 2.
 	# more slabs reduce lock contention, but fragment memory usage.
 	# infra-cache-slabs: 4
 
-	# the maximum number of hosts that are cached (roundtrip times, EDNS).
+	# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
 	# infra-cache-numhosts: 10000
 
-	# the maximum size of the lame zones cached per host. in bytes.
-	# infra-cache-lame-size: 10k
-
 	# Enable IPv4, "yes" or "no".
 	# do-ip4: yes
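Review bot: The changelog entry `Enable ipv6 per default (was disabled for broken kernels)` has no matching change in this file: this hunk ends at `# do-ip4: yes` without touching `do-ip6`, and the diffstat's 25 added / 11 removed lines for unbound.conf are fully accounted for by the hunks shown. Either the `do-ip6: yes` change was left out of the commit or the changelog line is stale; the two should agree, since an operator reading the changelog will expect IPv6 resolution to be on. The edits actually in this hunk only re-document the infra cache options after the removal of the lame-cache settings.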
 
@@ -262,6 +260,9 @@ server:
 	# Default on, which insists on dnssec data for trust-anchored zones.
 	harden-dnssec-stripped: yes
 
+	# Harden against queries that fall under dnssec-signed nxdomain names.
+	harden-below-nxdomain: yes
+
         # Harden the referral path by performing additional queries for
 	# infrastructure data.  Validates the replies (if possible).
 	# Default off, because the lookups burden the server.  Experimental 
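Review bot: `harden-below-nxdomain: yes` is switched on with a one-line comment that does not say what the option does or what it depends on, and an active hardening change should be readable without the man page. I would expand it to `# Answer NXDOMAIN for names under a DNSSEC-proven NXDOMAIN without querying upstream; presumably only effective when validation is enabled (confirm against unbound.conf(5)).` The compatibility risk is also worth a line there: an authoritative server that returns NXDOMAIN for an empty non-terminal would cause every name beneath it to be denied, though I infer that from the option's description rather than from anything in this diff. The following context lines mix space and tab indentation (pre-existing); the added lines should keep the tab style used elsewhere in the file.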
@@ -270,7 +271,8 @@ server:
 
 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
 	# This feature is an experimental implementation of draft dns-0x20.
-	use-caps-for-id: yes
+	# (this now fails on all GoDaddy customer domains, so disabled)
+	use-caps-for-id: no
 	
 	# Enforce privacy of these addresses. Strips them away from answers. 
 	# It may cause DNSSEC validation to additionally mark it as bogus. 
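Review bot: Setting `use-caps-for-id: no` removes the 0x20 name-case entropy that the comment two lines above describes as a spoofing countermeasure, so cache-poisoning resistance now rests only on source-port and transaction-ID randomization; the added comment records the GoDaddy breakage but not this tradeoff. I would make the cost explicit and mark it for revisiting: `# Disabled: breaks on GoDaddy-hosted domains. This drops the extra anti-spoofing entropy, leaving port/ID randomization as the only defence; re-enable once the incompatibility is fixed.` If this version offers a per-domain exception for the option (I do not see one in this diff), that would be preferable to a global off switch.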
@@ -416,6 +418,7 @@ server:
 	# o transparent serves local data, but resolves normally for other names
 	# o redirect serves the zone data for any subdomain in the zone.
 	# o nodefault can be used to normally resolve AS112 zones.
+	# o typetransparent resolves normally for other types and other names
 	#
 	# defaults are localhost address, reverse for 127.0.0.1 and ::1
 	# and nxdomain for AS112 zones. If you configure one of these zones
@@ -442,6 +445,17 @@ server:
 	# you need to do the reverse notation yourself.
 	# local-data-ptr: "192.0.2.3 www.example.com"
 
+	# service clients over SSL (on the TCP sockets), with plain DNS inside
+	# the SSL stream.  Give the certificate to use and private key.
+	# default is "" (disabled).  requires restart to take effect.
+	# ssl-service-key: "path/to/privatekeyfile.key"
+	# ssl-service-pem: "path/to/publiccertfile.pem"
+	# ssl-port: 443
+
+	# request upstream over SSL (with plain DNS inside the SSL stream).
+	# Default is no.  Can be turned on and off with unbound-control.
+	# ssl-upstream: no
+
 ## Python config section. To enable:
 ## o use --with-pythonmodule to configure before compiling.
 ## o list python in the module-config string (above) to enable.
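Review bot: The new ssl-service-key/ssl-service-pem/ssl-upstream examples say nothing about whether the upstream server's certificate is checked or how the private key must be protected, which is the security-relevant part for an operator enabling this for dnssec-trigger. The key example should say the file must be readable only by the unbound user and reachable inside any chroot, and `ssl-upstream` should carry a note such as `# NOTE: confirm in unbound.conf(5) whether the upstream certificate is verified in this version; if not, this only hides queries from passive observers.` I cannot tell from this diff whether 1.4.14 verifies upstream certificates, so the comment should point at the check rather than assert either way. `ssl-port: 443` as the sample value will collide with any HTTPS service on the same host; it is only an example, but worth stating.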
diff --git a/unbound.spec b/unbound.spec
index 7f7472b..a8ddffc 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -7,7 +7,7 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.4.13
+Version: 1.4.14
 Release: 1%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
@@ -21,7 +21,6 @@ Source6: dlv.isc.org.key
 Source7: unbound-keygen.service
 Source8: tmpfiles-unbound.conf
 Patch1: unbound-1.2-glob.patch
-Patch2: unbound-1.4.13-edns1480.patch
 
 Group: System Environment/Daemons
 BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0, 
@@ -94,7 +93,6 @@ Python modules and extensions for unbound
 %prep
 %setup -q 
 %patch1 -p1
-%patch2 -p0
 
 %build
 %configure  --with-ldns= --with-libevent --with-pthreads --with-ssl \
@@ -222,6 +220,15 @@ fi
 /bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
 
 %changelog
+* Mon Dec 19 2011 Paul Wouters <paul at cypherpunks.ca> - 1.4.14-1
+- Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659
+- SSL-wrapped query support for dnssec-trigger
+- EDNS handling changes
+- Removed integrated EDNS patches
+- Disabled use-caps-for-id, GoDaddy domains now break on it
+- Enabled new harden-below-nxdomain
+- Enable ipv6 per default (was disabled for broken kernels)
+
 * Wed Sep 21 2011 Paul Wouters <paul at xelerance.com> - 1.4.13-1
 - Upgraded to 1.4.13
 - Removed merged in pythonmod patch

