Change logs for unbound source package in Mantic

  • unbound (1.17.1-2ubuntu0.2) mantic-security; urgency=medium
    
      * SECURITY UPDATE: Unbound could be used to take part in a DoS attack
        - debian/patches/CVE-2024-33655.patch: fix for the DNSBomb
          vulnerability in doc/example.conf.in, doc/unbound.conf.5.in,
          services/cache/infra.c, services/cache/infra.h, services/mesh.c,
          testdata/*, util/config_file.c, util/config_file.h,
          util/configlexer.lex, util/configparser.y.
        - CVE-2024-33655
    
     -- Marc Deslauriers <email address hidden>  Wed, 15 May 2024 12:15:41 +0200
  • unbound (1.17.1-2ubuntu0.1) mantic-security; urgency=medium
    
      * SECURITY UPDATE: Denial of service issues via DNSSEC responses
        - debian/patches/CVE-2023-50387_CVE-2023-50868_1.16.1-1.17.1.patch:
          patch obtained from Debian's 1.17.1-2+deb12u2 package, thanks to
          Salvatore Bonaccorso.
        - CVE-2023-50387
        - CVE-2023-50868
    
     -- Marc Deslauriers <email address hidden>  Tue, 27 Feb 2024 16:48:33 -0500
  • unbound (1.17.1-2) unstable; urgency=medium
    
      * unbound-helper: return 0 explicitly in a few places
        (Closes: #1019140)
    
     -- Michael Tokarev <email address hidden>  Sun, 09 Apr 2023 15:59:14 +0300
  • unbound (1.17.1-1) unstable; urgency=medium
    
      [ Michael Tokarev ]
      * new upstream release. Release notes:
    
        This release fixes a number of bugs. There are also new configuration
        options that by default do not change the existing behaviour of Unbound.
    
        With `statistics-inhibit-zero` the printout of zero values by stats can
        be controlled. Similarly with `max-sent-count` and `max-query-restarts`
        the iterator behaviour can be controlled. The maximum CNAME chain length
        that is accepted can be changed by increasing the `max-query-restarts`
        number. This takes more time to follow those elements.
    
        The keep-cache option allows reloads to change configuration whilst
        keeping the cache memory intact, making the cache hot for good response
        times after the change has completed.
    
        The release contains an additional fix for service downgrade due to
        wrong hash values for wildcards in a hyperlocal zone, that was reported
        by Sergey Kacheev.
    
        Features
        - Expose 'statistics-inhibit-zero' as a configuration option; the
          default value retains Unbound's behavior.
        - Expose 'max-sent-count' as a configuration option; the
          default value retains Unbound's behavior.
        - Merge #461 from Christian Allred: Add max-query-restarts option.
          Exposes an internal configuration but the default value retains
          Unbound's behavior.
        - Merge #569 from JINMEI Tatuya: add keep-cache option to
          'unbound-control reload' to keep caches.
    
        Bug Fixes
        - Merge #768 from fobser: Arithmetic on a pointer to void is a GNU
          extension.
        - In unit test, print Python script name list correctly.
        - testcode/dohclient sets log identity to its name.
        - Clarify the use of MAX_SENT_COUNT in the iterator code.
        - Fix that cachedb does not store failures in the external cache.
        - Merge #767 from jonathangray: consistently use IPv4/IPv6 in
          unbound.conf.5.
        - Fix to ignore TCP events for closed comm points.
        - Fix to make sure to not read again after a TCP comm point is closed.
        - Fix #775: libunbound: subprocess reap causes parent process reap
          to hang.
        - IANA portlist update.
        - Complementary fix for distutils.sysconfig deprecation in Python 3.10
          to commit 62c5039ab9da42713e006e840b7578e01d66e7f2.
        - Fix #779: [doc] Missing documentation in ub_resolve_event() for
          callback parameter was_ratelimited.
        - Ignore expired error responses.
        - Merge #720 from jonathangray: fix use after free when
          WSACreateEvent() fails.
        - Fix for the ignore of TCP events for closed comm points, preserve
          the use after free protection features.
        - Fix #782: Segmentation fault in stats.c:404.
        - Add SVCB and HTTPS to the types removed by 'unbound-control flush'.
        - Clear documentation for interactivity between the subnet module and
          the serve-expired and prefetch configuration options.
        - Fix #773: When used with systemd-networkd, unbound does not start
          until systemd-networkd-wait-online.service times out.
        - Merge #808: Wrap Makefile script's directory variables in quotes.
        - Fix to wrap Makefile scripts directory in quotes for uninstall.
        - Fix Windows compile for libunbound subprocess reap comm point closes.
        - Update GitHub workflows to use checkout v3.
        - Fix wildcard in hyperlocal zone service degradation, reported
          by Sergey Kacheev.
    
      * lintian-overrides fixes/additions
    
      [ Helmut Grohne ]
      * Fix FTCBFS: export _PYTHON_SYSCONFIGDATA_NAME. (Closes: #1024422)
    
     -- Michael Tokarev <email address hidden>  Thu, 12 Jan 2023 18:28:54 +0300