Next | Query returned 111 messages, browsing 1 to 10 | Previous

History of commit frequency

CVS Commit History:


   2024-03-14 10:38:19 by Havard Eidnes | Files touched by this commit (2) | Package updated
Log message:
Update net/unbound to version 1.19.3.

Pkgsrc changes:
 * Add dependency on devel/protobuf-c/buildlink3.mk
 * Add pkg-config as tool dependency
 * Adjust checksums

Upstream changes:
Features:
- Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as
  per RFC 6672.

Bug Fixes:
- Fix unit test parse of origin syntax.
- Use 127.0.0.1 explicitly in tests to avoid delays and errors on
  newer systems.
- Fix #964: config.h.in~ backup file in release tar balls.
- Merge #968: Replace the obsolescent fgrep with grep -F in tests.
- Merge #971: fix 'WARNING: Message has 41 extra bytes at end'.
- Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.
- Fix dnstap that assertion failed on logging other than UDP and TCP
  traffic. It lists it as TCP traffic.
- Fix to sync the tests script file common.sh.
- iana portlist update.
- Updated IPv4 and IPv6 address for b.root-servers.net in root hints.
- Update test script file common.sh.
- Fix tests to use new common.sh functions, wait_logfile and
  kill_from_pidfile.
- Fix #974: doc: default number of outgoing ports without libevent.
- Merge #975: Fixed some syntax errors in rpl files.
- Fix root_zonemd unit test, it checks that the root ZONEMD verifies,
  now that the root has a valid ZONEMD.
- Update example.conf with cookie options.
- Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors
  for non-HTTP/2 DoH clients.
- Merge #985: Add DoH and DoT to dnstap message.
- Fix #983: Sha1 runtime insecure change was incomplete.
- Remove unneeded newlines and improve indentation in remote control
  code.
- Merge #987: skip edns frag retry if advertised udp payload size is
  not smaller.
- Fix unit test for #987 change in udp1xxx retry packet send.
- Merge #988: Fix NLnetLabs#981: dump_cache truncates large records.
- Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.
- Fix to link with libssp for libcrypto and getaddrinfo check for
  only header. Also update crosscompile to remove ssp for 32bit.
- Merge #993: Update b.root-servers.net also in example config file.
- Update workflow for ports to use newer openssl on windows compile.
- Fix warning for windres on resource files due to redefinition.
- Fix for #997: Print details for SSL certificate failure.
- Update error printout for duplicate trust anchors to include the
  trust anchor name (relates to #920).
- Update message TTL when using cached RRSETs. It could result in
  non-expired messages with expired RRSETs (non-usable messages by
  Unbound).
- Merge #999: Search for protobuf-c with pkg-config.
- Fix #1006: Can't find protobuf-c package since #999.
- Fix documentation for access-control in the unbound.conf man page.
- Merge #1010: Mention REFUSED has the TC bit set with unmatched
  allow_cookie acl in the manpage. It also fixes the code to match the
  documentation about clients with a valid cookie that bypass the
  ratelimit regardless of the allow_cookie acl.
- Document the suspend argument for process_ds_response().
- Move github workflows to use checkoutv4.
- Fix edns subnet replies for scope zero answers to not get stored
  in the global cache, and in cachedb, when the upstream replies
  without an EDNS record.
- Fix for #1022: Fix ede prohibited in access control refused answers.
- Fix unbound-control-setup.cmd to use 3072 bits so that certificates
  are long enough for newer OpenSSL versions.
- Fix TTL of synthesized CNAME when a DNAME is used from cache.
- Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
  like unbound-control-setup.sh has.
   2024-03-07 10:48:53 by Havard Eidnes | Files touched by this commit (2) | Package updated
Log message:
net/unbound: update to version 1.19.2.

Upstream changes:

Bug Fixes:
- Fix CVE-2024-1931, Denial of service when trimming EDE text on
  positive replies.
   2024-02-13 14:53:26 by Havard Eidnes | Files touched by this commit (2)
Log message:
Update net/unbound to version 1.19.1.

Pkgsrc changes:
 * none, other than checksums.

Upstream changes:
This security release fixes two DNSSEC validation vulnerabilities:
CVE-2023-50387 (referred here as the KeyTrap vulnerability) and
CVE-2023-50868 (referred here as the NSEC3 vulnerability).

The KeyTrap vulnerability works by using a combination of Keys
(also colliding Keys), Signatures and number of RRSETs on a malicious
zone.  Answers from that zone can force a DNSSEC validator down a
very CPU intensive and time costly validation path.

The NSEC3 vulnerability uses specially crafted responses on a
malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator
down a very CPU intensive and time costly NSEC3 hash calculation path.

Both can force Unbound to spend an enormous time (comparative to
regular traffic) validating a single specially crafted DNSSEC
response while everything else is on hold for that thread. A
trivially orchestrated attack could render all threads busy with
such responses leading to denial of service.

From version 1.19.1 on, Unbound introduces suspension on DNSSEC
response validations that seem to require more attempts than Unbound
is willing to make per response validation run. Suspension means
that Unbound will continue with other work before resuming a
suspended validation offering CPU time between validation resumptions
to other tasks. There is a backoff timer when suspending which is
further influenced by the number of suspends already used and the
amount of work currently in Unbound.

The introduced builtin limits in Unbound are:

- Max 4 DNSSEC key collissions are allowed when building chain of trust.
  More than that without a secure key treats the delegation as bogus.
- 8 validation attempts per RRSET (combination of keys + signatures).
  If more are needed and Unbound has yet to find a valid signature
  the RRSET is treated as bogus.
- More than 8 validation attempts per answer will suspend validation.
- 8 NSEC3 hash calculations are allowed before suspension. More than
  that will suspend validation.
- The limit of total suspensions is 16 after which the query will error
  out. Any completed RRSET validations populate the cache for use in
  future queries.

While under attack Unbound could show higher CPU load because of the
needed validations but the suspend strategy would guarantee the CPU is
not locked on any particular validation task.

We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel,
and Michael Waidner from the German National Research Center for
Applied Cybersecurity ATHENE for discovering and responsibly
disclosing the KeyTrap vulnerability.

We would like to thank Petr Spacek from ISC for discovering and
responsibly disclosing the NSEC3 vulnerability.

Bug Fixes
- Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to
  exhaust CPU resources and stall DNS resolvers.
- Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
   2024-01-30 19:29:21 by Adam Ciarcinski | Files touched by this commit (47)
Log message:
revbump for devel/abseil
   2023-11-15 19:14:46 by Thomas Klausner | Files touched by this commit (55)
Log message:
*: bump for protobuf 25
   2023-11-08 14:21:43 by Thomas Klausner | Files touched by this commit (2377)
Log message:
*: recursive bump for icu 74.1
   2023-11-02 13:20:06 by Thomas Klausner | Files touched by this commit (54)
Log message:
*: recursive bump for protobuf
   2023-10-25 00:11:51 by Thomas Klausner | Files touched by this commit (2298)
Log message:
*: bump for openssl 3
   2023-08-30 17:18:26 by Havard Eidnes | Files touched by this commit (2) | Package updated
Log message:
Update net/unbound to version 1.18.0.

Pkgsrc changes:
 * none, other than checksums.

Upstream changes:
This release adds DNS cookies downstream, support to respond with EDE
error codes from cache, NAT64 support, and the capability to use a
socket queue timeout to discard old packets, and other features and bug
fixes.

The downstream DNS server cookies are from RFC7873 and RFC9018, it
is turned on with `answer-cookie: yes`. It generates a random cookie
secret, but for anycast setups the cookie secret can be configured with
`cookie-secret: "128bithex"` with the same value as the other instances.
Non cookie traffic can be disallowed with the `allow_cookie` acl option
for access-control. Queries with valid cookie bypass the ordinary
ratelimit, but a ratelimit can be configured for cookie queries
with `ip-ratelimit-cookie: 100`. The statistics has counters for
`query_cookie_valid` and `query_cookie_client` and
`query_cookie_invalid`.

When queries come in with CD flag, a DNSSEC validation EDE can be
returned, with information regarding a failure. EDE error information
is also stored in the cache with the query responses. There is also EDE
error information stored for the cachedb and the subnetcache.

There is NAT64 support, that is enabled with `do-nat64: yes`. The
NAT64 prefix can be configured too, if not the default
`nat64-prefix: 64:ff9b::0/96`. This is useful for an IPv6 only
host where Unbound is running, so that Unbound can use NAT64 to
connect to IPv4 servers.

The new default for the maximum UDP response size is 1232, with
`max-udp-size: 1232`. This is similar to other resolvers. The new
default is smaller and that makes it harder to get large responses.
Thanks to Xiang Li, from NISL Lab, Tsinghua University.

There is a new option `harden-unknown-additional: yes`. This removes
unknown records from the authority and additional section. This stops
unknown records from being copied from the upstream to the downstream
client, potentially exposing those clients to the extra records. Default
is no, because it could hamper future protocol developments that want to
add records. Thanks to Xiang Li, from NISL Lab, Tsinghua University.

With the `sock-queue-timeout: 3` option kernel timestamps are turned on
for UDP queries, and old packets are dropped. Queries that have waited
in the socket buffer for a long time are then discarded, and is useful
if the host was not running for a while. The statistics has
`num.queries_timed_out` and `query.queue_time_us.max` counters.

The local-zone type `block_a` is for when queries to IPv4 have to be
stopped to force IPv6 usage. It stops type A queries with nodata, and
transparently allows other queries.

The redis server can be contacted over a unix socket with
`redis-server-path: "/var/lib/redis/redis-server.sock"`. The redis
server password can be configured with
`redis-server-password: "password"`.

The number of hashtable collisions is logged in the statistics counters
`msg.cache.max_collisions` and `rrset.cache.max_collisions`. It can be
used to monitor for mistakes where the wrong or same hash value occurs
too frequently.

The repository does not have the bison and flex generated output in it,
so these tools are necessary to compile from a checkout, the tarball
distribution contains pregenerated files and can use either those files
or bison and flex tools on the compile system.

If kernel timestamps are enabled, with the sock-queue-timeout option,
they are also used to set the time for dnstap logs.

There is a yocto compatible init script available in the contrib
directory of the source code, `unbound.init_yocto`.
The number of cachedb hits from cache is output in `num.query.cachedb`.
There is support for the dohpath parameter for the SVCB record type.
Prefetch is supported for subnet cache entries.
Detection of the python paths on the system has been expanded.

Compared to the release candidate rc1, this release has an extra fix to
fix a compile issue on NetBSD.

Features
- Merge #826: #dd a metric about the maximum number of collisions in
  lrushah.
- Set max-udp-size default to 1232. This is the same default value as
  the default value for edns-buffer-size. It restricts client edns
  buffer size choices, and makes unbound behave similar to other DNS
  resolvers. The new choice, down from 4096 means it is harder to get
  large responses from Unbound. Thanks to Xiang Li, from NISL Lab,
  Tsinghua University.
- Add harden-unknown-additional option. It removes
  unknown records from the authority section and additional section.
  Thanks to Xiang Li, from NISL Lab, Tsinghua University.
- Merge #819: Added new static zone type block_a to suppress all A
  queries for specific zones.
- Fix #835: [FR] Ability to use Redis unix sockets.
- Fix #833: [FR] Ability to set the Redis password.
- Merge #882 from vvfedorenko: Features/dropqueuedpackets, with
  sock-queue-timeout option that drops packets that have been in the
  socket queue for too long. Added statistics num.queries_timed_out
  and query.queue_time_us.max that track the socket queue timeouts.
- Merge #722 from David 'eqvinox' Lamparter: NAT64 support.
- Fix #888: [FR] Use kernel timestamps for dnstap.
- Merge #903: contrib: add yocto compatible init script.
- Merge #892: Add cachedb hit stat. Introduces 'num.query.cachedb' as
  a new statistical counter.
- Merge #739: Add SVCB dohpath support.
- Merge #802: add validation EDEs to queries where the CD bit is set.
- Merge #664 from tilan7763: Add prefetch support for subnet cache
  entries.
- Merge #759 from Tom Carpay: Add EDE (RFC8914) caching.
- Merge #790 from Tom Carpay: Add support for EDE caching in cachedb
  and subnetcache.
- Merge PR #762: Downstream DNS Server Cookies a la RFC7873 and
  RFC9018. Create server cookies for clients that send client cookies.
  This needs to be explicitly turned on in the config file with:
  `answer-cookie: yes`. A `cookie-secret:` can be configured for
  anycast setups. Without one, a random cookie secret is generated.
  The acl option `allow_cookie` allows queries with either a valid
  cookie or over a stateful transport. The statistics output has
  `queries_cookie_valid` and `queries_cookie_client` and
  `queries_cookie_invalid` information. The `ip\-ratelimit\-cookie:`
  value determines a rate limit for queries with cookies, if desired.

Bug Fixes
- Fix #823: Response change to NODATA for some ANY queries since
  1.12, tested on 1.16.1.
- Fix python module install path detection.
- Fix python version detection in configure.
- Improve documentation for #826, describe the large collisions amount.
- Fix not following cleared RD flags potentially enables amplification
  DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab,
  Tsinghua University. The fix stops query loops, by refusing to send
  RD=0 queries to a forwarder, they still get answered from cache.
- Set default for harden-unknown-additional to no. So that it does
  not hamper future protocol developments.
- Fix test for new default.
- Fix acx_nlnetlabs.m4 for -Wstrict-prototypes.
- Add duration variable for speed_local.test.
- Fix #841: Unbound won't build with aaaa-filter-iterator.patch.
- Fix to ignore entirely empty responses, and try at another authority.
  This turns completely empty responses, a type of noerror/nodata into
  a servfail, but they do not conform to RFC2308, and the retry can
  fetch improved content.
- Fix unit tests for spurious empty messages.
- Fix consistency of unit test without roundrobin answers for the
  cnametooptout unit test.
- Fix to git ignore the library symbol file that configure can create.
- Allow TTL refresh of expired error responses.
- Add testcase for refreshing expired error responses.
- Clean up iterator/iterator.c::error_response_cache() and allow for
  better interaction with serve-expired, prefetch and cached error
  responses.
- Fix #825: Unexpected behavior with client-subnet-always-forward
  and serve-expired
- Fix for #852: Completion of error handling.
- Fix unbound-dnstap-socket test program to reply the finish frame
  over a TLS connection correctly.
- Fix ssl.h include brackets, instead of quotes.
- Fix #812, fix #846, by using the SSL_OP_IGNORE_UNEXPECTED_EOF option
  to ignore the unexpected eof while reading in openssl >= 3.
- iana portlist update.
- Fix issue #851: reserved identifier violation
- Fix issue #676: Unencrypted query is sent when
  forward-tls-upstream: yes is used without tls-cert-bundle
- Extra consistency check to make sure that when TLS is requested,
  either we set up a TLS connection or we return an error.
- Fix #870: NXDOMAIN instead of NOERROR rcode when asked for existing
  CNAME record.
- Fix for #870: Add test case for the qname minimisation and CNAME.
- Fix build badge, from failing travis link to github ci action link.
- Merge #875: change obsolete txt URL in unbound-anchor.c to point
  to RFC 7958, and Fix #874.
- Fix for #878: Invalid IP address in unbound.conf causes Segmentation
  Fault on OpenBSD.
- Fix for #882: small changes, date updated in Copyright for
  util/timeval_func.c and util/timeval_func.h. Man page entries and
  example entry.
- Fix for #882: document variable to stop doxygen warning.
- Fix issue #860: Bad interaction with 0 TTL records and serve-expired
- Fix RPZ IP responses with trigger rpz-drop on cache entries, that
  they are dropped.
- For #722: minor fixes, formatting, refactoring.
- Fix #885: Error: util/configlexer.c: No such file or directory,
  adds error messages explaining to install flex and bison.
- Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h.
- Fix doxygen in addr_to_nat64 header definition.
- Fix warning in windows compile, in set_recvtimestamp.
- Fix to print debug log for ancillary data with correct IP address.
- Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
- Fix to remove unused variables from RPZ clientip data structure.
- Fix unbound-dnstap-socket printout when no query is present.
- Fix unbound-dnstap-socket time fraction conversion for printout.
- Merge #896: Fix: #895: pythonmodule: add all site-packages
  directories to sys.path.
- Fix #895: python + sysconfig gives ANOTHER path comparing to
  distutils.
- Fix for uncertain unit test for doh buffer size events.
- Properly handle all return values of worker_check_request during
  early EDE code.
- Do not check the incoming request more than once.
- Fix for issue #887 (Timeouts to forward servers on BSD based
  system with ASLR)
- Probably fixes #516 (Stream reuse does not work on Windows) as well
- Remove warning about unknown cast-function-type warning pragma.
- Fix python modules with multiple scripts, by incrementing reference
  counts.
- More fixes for reference counting for python module and clean up
  failure code.
- Merge #827 from rcmcdonald91: Eliminate unnecessary Python reloading
  which causes memory leaks.
- Fix #906: warning: `Py_SetProgramName' is deprecated.
- Fix dereference of NULL variable warning in mesh_do_callback.
- Code cleanup for sldns_str2wire_svcparam_key_lookup.
- For #802: Cleanup comments and add RCODE check for CD bit test case.
- Skip the 00-lint test. splint is not maintained; it either does not
  work or produces false positives. Static analysis is handled in the
  clang test.
- For #664: Easier code flow for subnetcache prefetching.
- For #664: Add testcase.
- For #664: Rename subnet_prefetch tests to subnet_global_prefetch to
  differentiate from the new subnet prefetch support.
- Merge #880 from chipitsine: services/authzone.c: remove redundant
  check.
- More clear description of the different auth-zone behaviors on the
  man page.
- Merge #909 from headshog: Numeric truncation when parsing TYPEXX and
  CLASSXX representation.
- For #909: Fix return values.
- Merge #901 from Sergei Trofimovich: config: improve handling of
  unknown modules.
- For #909: Fix RR class comparison.
- Merge #857 from eaglegai: fix potential memory leaks when errors
  happen.
- For #857: fix mixed declarations and code.
- Merge #118 from mibere: Changed verbosity level for Redis init &
  deinit.
- Merge #390 from Frank Riley: Add missing callbacks to the python
  module.
- Cleaner failure code for callback functions in interface.i.
- Merge #889 from borisVanhoof: Free memory in error case + remove
  unused function.
- For #889: use netcat-openbsd instead of netcat-traditional.
- For #889: Account for num_detached_states before possible
  mesh_state_delete when erroring out.
- Fix unused variable compile warning for kernel timestamps in
  netevent.c
- Merge #911 from natalie-reece: Exclude EDE before other EDNS options
  when there isn't enough space.
- For #911: Try to trim EXTRA-TEXT (and LDNS_EDE_OTHER options
  altogether) before giving up on attaching EDE options.
- More braces and formatting for Fix for EDNS EDE size calculation to
  avoid future bugs.
- Fix to use the now cached EDE, if any, for CD_bit queries.
- Fix for EDNS EDE size calculation.
- Move a cache reply callback in worker.c closer to the cache reply
  generation.
- Fix regional_alloc_init for potential unaligned source of the copy.
- Fix ip_ratelimit test to work with dig that enables DNS cookies.
- Fix for iter_dec_attempts that could cause a hang, part of
  capsforid and qname minimisation, depending on the settings.
- Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
- Fix stat_values test to work with dig that enables DNS cookies.
- Debug Windows ci workflow.
- Fix windows ci workflow to install bison and flex.
- Fix for #925: unbound.service: Main process exited, code=killed,
  status=11/SEGV. Fixes cachedb configuration handling.
- Fix #923: processQueryResponse() THROWAWAY should be mindful of
  fail_reply.
- Fix unit test for unbound-control to work when threads are disabled,
  and fix cache dump check.
- Fix compile error on NetBSD in util/netevent.h.
   2023-04-19 10:12:01 by Adam Ciarcinski | Files touched by this commit (2359) | Package updated
Log message:
revbump after textproc/icu update

Next | Query returned 111 messages, browsing 1 to 10 | Previous