diff --git a/CVE-2019-18934.patch b/CVE-2019-18934.patch
deleted file mode 100644
index 7a9f9e6e51640a82cca4b0b500ebc63be91bf66f..0000000000000000000000000000000000000000
--- a/CVE-2019-18934.patch
+++ /dev/null
@@ -1,227 +0,0 @@ -From 34e52a4313d59b9d57e928c44300fd81e1a48910 Mon Sep 17 00:00:00 2001 -From: "W.C.A. Wijngaards" -Date: Tue, 19 Nov 2019 07:49:59 +0100 -Subject: [PATCH] Fix CVE-2019-18934, shell execution in ipsecmod. - ---- - ipsecmod/ipsecmod.c | 147 ++++++++++++++++++++++++++++++++++++-------- - 1 file changed, 120 insertions(+), 27 deletions(-) - -diff --git a/ipsecmod/ipsecmod.c b/ipsecmod/ipsecmod.c -index c8400c633..9e916d604 100644 ---- a/ipsecmod/ipsecmod.c -+++ b/ipsecmod/ipsecmod.c -@@ -161,6 +161,71 @@ generate_request(struct module_qstate* qstate, int id, uint8_t* name, - return 1; - } - -+/** -+ * Check if the string passed is a valid domain name with safe characters to -+ * pass to a shell. -+ * This will only allow: -+ * - digits -+ * - alphas -+ * - hyphen (not at the start) -+ * - dot (not at the start, or the only character) -+ * - underscore -+ * @param s: pointer to the string. -+ * @param slen: string's length. -+ * @return true if s only contains safe characters; false otherwise. -+ */ -+static int -+domainname_has_safe_characters(char* s, size_t slen) { -+ size_t i; -+ for(i = 0; i < slen; i++) { -+ if(s[i] == '\0') return 1; -+ if((s[i] == '-' && i != 0) -+ || (s[i] == '.' && (i != 0 || s[1] == '\0')) -+ || (s[i] == '_') || (s[i] >= '0' && s[i] <= '9') -+ || (s[i] >= 'A' && s[i] <= 'Z') -+ || (s[i] >= 'a' && s[i] <= 'z')) { -+ continue; -+ } -+ return 0; -+ } -+ return 1; -+} -+ -+/** -+ * Check if the stringified IPSECKEY RDATA contains safe characters to pass to -+ * a shell. -+ * This is only relevant for checking the gateway when the gateway type is 3 -+ * (domainname). -+ * @param s: pointer to the string. -+ * @param slen: string's length. -+ * @return true if s contains only safe characters; false otherwise. 
-+ */ -+static int -+ipseckey_has_safe_characters(char* s, size_t slen) { -+ int precedence, gateway_type, algorithm; -+ char* gateway; -+ gateway = (char*)calloc(slen, sizeof(char)); -+ if(!gateway) { -+ log_err("ipsecmod: out of memory when calling the hook"); -+ return 0; -+ } -+ if(sscanf(s, "%d %d %d %s ", -+ &precedence, &gateway_type, &algorithm, gateway) != 4) { -+ free(gateway); -+ return 0; -+ } -+ if(gateway_type != 3) { -+ free(gateway); -+ return 1; -+ } -+ if(domainname_has_safe_characters(gateway, slen)) { -+ free(gateway); -+ return 1; -+ } -+ free(gateway); -+ return 0; -+} -+ - /** - * Prepare the data and call the hook. - * -@@ -175,7 +240,7 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq, - { - size_t slen, tempdata_len, tempstring_len, i; - char str[65535], *s, *tempstring; -- int w; -+ int w = 0, w_temp, qtype; - struct ub_packed_rrset_key* rrset_key; - struct packed_rrset_data* rrset_data; - uint8_t *tempdata; -@@ -192,9 +257,9 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq, - memset(s, 0, slen); - - /* Copy the hook into the buffer. */ -- sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook); -+ w += sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook); - /* Put space into the buffer. */ -- sldns_str_print(&s, &slen, " "); -+ w += sldns_str_print(&s, &slen, " "); - /* Copy the qname into the buffer. */ - tempstring = sldns_wire2str_dname(qstate->qinfo.qname, - qstate->qinfo.qname_len); -@@ -202,68 +267,96 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq, - log_err("ipsecmod: out of memory when calling the hook"); - return 0; - } -- sldns_str_print(&s, &slen, "\"%s\"", tempstring); -+ if(!domainname_has_safe_characters(tempstring, strlen(tempstring))) { -+ log_err("ipsecmod: qname has unsafe characters"); -+ free(tempstring); -+ return 0; -+ } -+ w += sldns_str_print(&s, &slen, "\"%s\"", tempstring); - free(tempstring); - /* Put space into the buffer. 
*/ -- sldns_str_print(&s, &slen, " "); -+ w += sldns_str_print(&s, &slen, " "); - /* Copy the IPSECKEY TTL into the buffer. */ - rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data; -- sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl); -+ w += sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl); - /* Put space into the buffer. */ -- sldns_str_print(&s, &slen, " "); -- /* Copy the A/AAAA record(s) into the buffer. Start and end this section -- * with a double quote. */ -+ w += sldns_str_print(&s, &slen, " "); - rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo, - qstate->return_msg->rep); -+ /* Double check that the records are indeed A/AAAA. -+ * This should never happen as this function is only executed for A/AAAA -+ * queries but make sure we don't pass anything other than A/AAAA to the -+ * shell. */ -+ qtype = ntohs(rrset_key->rk.type); -+ if(qtype != LDNS_RR_TYPE_AAAA && qtype != LDNS_RR_TYPE_A) { -+ log_err("ipsecmod: Answer is not of A or AAAA type"); -+ return 0; -+ } - rrset_data = (struct packed_rrset_data*)rrset_key->entry.data; -- sldns_str_print(&s, &slen, "\""); -+ /* Copy the A/AAAA record(s) into the buffer. Start and end this section -+ * with a double quote. */ -+ w += sldns_str_print(&s, &slen, "\""); - for(i=0; icount; i++) { - if(i > 0) { - /* Put space into the buffer. */ -- sldns_str_print(&s, &slen, " "); -+ w += sldns_str_print(&s, &slen, " "); - } - /* Ignore the first two bytes, they are the rr_data len. */ -- w = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2, -+ w_temp = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2, - rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype); -- if(w < 0) { -+ if(w_temp < 0) { - /* Error in printout. */ -- return -1; -- } else if((size_t)w >= slen) { -+ log_err("ipsecmod: Error in printing IP address"); -+ return 0; -+ } else if((size_t)w_temp >= slen) { - s = NULL; /* We do not want str to point outside of buffer. 
*/ - slen = 0; -- return -1; -+ log_err("ipsecmod: shell command too long"); -+ return 0; - } else { -- s += w; -- slen -= w; -+ s += w_temp; -+ slen -= w_temp; -+ w += w_temp; - } - } -- sldns_str_print(&s, &slen, "\""); -+ w += sldns_str_print(&s, &slen, "\""); - /* Put space into the buffer. */ -- sldns_str_print(&s, &slen, " "); -+ w += sldns_str_print(&s, &slen, " "); - /* Copy the IPSECKEY record(s) into the buffer. Start and end this section - * with a double quote. */ -- sldns_str_print(&s, &slen, "\""); -+ w += sldns_str_print(&s, &slen, "\""); - rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data; - for(i=0; icount; i++) { - if(i > 0) { - /* Put space into the buffer. */ -- sldns_str_print(&s, &slen, " "); -+ w += sldns_str_print(&s, &slen, " "); - } - /* Ignore the first two bytes, they are the rr_data len. */ - tempdata = rrset_data->rr_data[i] + 2; - tempdata_len = rrset_data->rr_len[i] - 2; - /* Save the buffer pointers. */ - tempstring = s; tempstring_len = slen; -- w = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, &slen, -- NULL, 0); -+ w_temp = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, -+ &slen, NULL, 0); - /* There was an error when parsing the IPSECKEY; reset the buffer - * pointers to their previous values. */ -- if(w == -1){ -+ if(w_temp == -1) { - s = tempstring; slen = tempstring_len; -+ } else if(w_temp > 0) { -+ if(!ipseckey_has_safe_characters( -+ tempstring, tempstring_len - slen)) { -+ log_err("ipsecmod: ipseckey has unsafe characters"); -+ return 0; -+ } -+ w += w_temp; - } - } -- sldns_str_print(&s, &slen, "\""); -- verbose(VERB_ALGO, "ipsecmod: hook command: '%s'", str); -+ w += sldns_str_print(&s, &slen, "\""); -+ if(w >= (int)sizeof(str)) { -+ log_err("ipsecmod: shell command too long"); -+ return 0; -+ } -+ verbose(VERB_ALGO, "ipsecmod: shell command: '%s'", str); - /* ipsecmod-hook should return 0 on success. */ - if(system(str) != 0) - return 0; 
diff --git a/unbound-1.10.0-auth-callback.patch b/unbound-1.10.0-auth-callback.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c4d01b8c4ad69fd6fcf4db02dcd3a65339406d68
--- /dev/null
+++ b/unbound-1.10.0-auth-callback.patch
@@ -0,0 +1,74 @@
+--- a/services/authzone.c 2020-04-16 13:01:10.550618034 +0200
++++ b/services/authzone.c 2020-04-16 13:07:04.624476160 +0200
+@@ -5331,7 +5331,7 @@
+ log_assert(xfr->task_transfer);
+ lock_basic_lock(&xfr->lock);
+ env = xfr->task_transfer->env;
+- if(env->outnet->want_to_quit) {
++ if(!env || env->outnet->want_to_quit) {
+ lock_basic_unlock(&xfr->lock);
+ return; /* stop on quit */
+ }
+@@ -5770,7 +5770,7 @@
+ log_assert(xfr->task_transfer);
+ lock_basic_lock(&xfr->lock);
+ env = xfr->task_transfer->env;
+- if(env->outnet->want_to_quit) {
++ if(!env || env->outnet->want_to_quit) {
+ lock_basic_unlock(&xfr->lock);
+ return; /* stop on quit */
+ }
+@@ -5812,7 +5812,7 @@
+ log_assert(xfr->task_transfer);
+ lock_basic_lock(&xfr->lock);
+ env = xfr->task_transfer->env;
+- if(env->outnet->want_to_quit) {
++ if(!env || env->outnet->want_to_quit) {
+ lock_basic_unlock(&xfr->lock);
+ return 0; /* stop on quit */
+ }
+@@ -5893,7 +5893,7 @@
+ log_assert(xfr->task_transfer);
+ lock_basic_lock(&xfr->lock);
+ env = xfr->task_transfer->env;
+- if(env->outnet->want_to_quit) {
++ if(!env || env->outnet->want_to_quit) {
+ lock_basic_unlock(&xfr->lock);
+ return 0; /* stop on quit */
+ }
+@@ -6107,7 +6107,7 @@
+ log_assert(xfr->task_probe);
+ lock_basic_lock(&xfr->lock);
+ env = xfr->task_probe->env;
+- if(env->outnet->want_to_quit) {
++ if(!env || env->outnet->want_to_quit) {
+ lock_basic_unlock(&xfr->lock);
+ return; /* stop on quit */
+ }
+@@ -6143,7 +6143,7 @@
+ log_assert(xfr->task_probe);
+ lock_basic_lock(&xfr->lock);
+ env = xfr->task_probe->env;
+- if(env->outnet->want_to_quit) {
++ if(!env || env->outnet->want_to_quit) {
+ lock_basic_unlock(&xfr->lock);
+ return 0; /* stop on quit */
+ }
+@@ -6388,7 +6388,7 @@
+ log_assert(xfr->task_probe);
+ lock_basic_lock(&xfr->lock);
+ env = xfr->task_probe->env;
+- if(env->outnet->want_to_quit) {
++ if(!env || env->outnet->want_to_quit) {
+ lock_basic_unlock(&xfr->lock);
+ return; /* stop on quit */
+ }
+@@ -6465,7 +6465,7 @@
+ log_assert(xfr->task_nextprobe);
+ lock_basic_lock(&xfr->lock);
+ env = xfr->task_nextprobe->env;
+- if(env->outnet->want_to_quit) {
++ if(!env || env->outnet->want_to_quit) {
+ lock_basic_unlock(&xfr->lock);
+ return; /* stop on quit */
+ }
diff --git a/unbound-1.7.3.tar.gz b/unbound-1.10.1.tar.gz
similarity index 45%
rename from unbound-1.7.3.tar.gz
rename to unbound-1.10.1.tar.gz
index ca3d60abd00e8006b005ddce41a50eff34aaa717..083d37ee55cbd9c31ab11ce14ec1ad5c96a7141e 100644
Binary files a/unbound-1.7.3.tar.gz and b/unbound-1.10.1.tar.gz differ
diff --git a/unbound-1.7.2-python3-devel.patch b/unbound-1.7.2-python3-devel.patch
deleted file mode 100644
index db6fce07005f043ee2c6533fb2780ade98f4f586..0000000000000000000000000000000000000000
--- a/unbound-1.7.2-python3-devel.patch
+++ /dev/null
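Review bot: The new patch adds an `!env ||` guard in eight authzone callbacks but carries no preamble saying when `xfr->task_transfer->env` (or the probe/nextprobe env) can be NULL, nor an upstream reference, so a later maintainer cannot tell whether it is still needed on the next rebase. Presumably this is a reload/shutdown race where the task environment has already been cleared when a pending callback fires — to be confirmed against upstream; a few lines above the `--- a/services/authzone.c` header stating that, plus the upstream commit or issue id (use a placeholder such as `UPSTREAM-REF-TBD` until known), would make the patch reviewable. The file name `unbound-1.10.0-auth-callback.patch` also does not match the 1.10.1 tarball this commit packages. Note that each `log_assert(xfr->task_...)` still runs before the new check, so a NULL task pointer is not covered by it; the enclosing callback functions begin and end outside these hunks.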
@@ -1,320 +0,0 @@ -From b5aab36d41f374eddb0f66f28f251588f53a1e1e Mon Sep 17 00:00:00 2001 -From: Wouter Wijngaards -Date: Wed, 27 Jun 2018 05:46:36 +0000 -Subject: [PATCH 1/2] - #4109: Fix that package config depends on python - unconditionally. - -git-svn-id: file:///svn/unbound/trunk@4757 be551aaa-1e26-0410-a405-d3ace91eadb9 ---- - configure | 257 +++++++++++++++++++++++++++++++---------------------------- - configure.ac | 5 +- - 2 files changed, 137 insertions(+), 125 deletions(-) - -diff --git a/configure b/configure -index 3f1c372a..2a1687ae 100755 ---- a/configure -+++ b/configure -@@ -670,9 +670,6 @@ SYSTEMD_DAEMON_LIBS - SYSTEMD_DAEMON_CFLAGS - SYSTEMD_LIBS - SYSTEMD_CFLAGS --PKG_CONFIG_LIBDIR --PKG_CONFIG_PATH --PKG_CONFIG - staticexe - PC_LIBEVENT_DEPENDENCY - UNBOUND_EVENT_UNINSTALL -@@ -697,6 +694,9 @@ swig - SWIG_LIB - SWIG - PC_PY_DEPENDENCY -+PKG_CONFIG_LIBDIR -+PKG_CONFIG_PATH -+PKG_CONFIG - PY_MAJOR_VERSION - PYTHON_SITE_PKG - PYTHON_LDFLAGS -@@ -16930,7 +16930,136 @@ $as_echo "#define HAVE_PYTHON 1" >>confdefs.h - CPPFLAGS="$PYTHON_CPPFLAGS" - fi - ub_have_python=yes -- PC_PY_DEPENDENCY="python" -+ -+ -+ -+ -+ -+ -+ -+if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then -+ if test -n "$ac_tool_prefix"; then -+ # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args. -+set dummy ${ac_tool_prefix}pkg-config; ac_word=$2 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -+$as_echo_n "checking for $ac_word... " >&6; } -+if ${ac_cv_path_PKG_CONFIG+:} false; then : -+ $as_echo_n "(cached) " >&6 -+else -+ case $PKG_CONFIG in -+ [\\/]* | ?:[\\/]*) -+ ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path. -+ ;; -+ *) -+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -+for as_dir in $PATH -+do -+ IFS=$as_save_IFS -+ test -z "$as_dir" && as_dir=. 
-+ for ac_exec_ext in '' $ac_executable_extensions; do -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then -+ ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" -+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 -+ break 2 -+ fi -+done -+ done -+IFS=$as_save_IFS -+ -+ ;; -+esac -+fi -+PKG_CONFIG=$ac_cv_path_PKG_CONFIG -+if test -n "$PKG_CONFIG"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5 -+$as_echo "$PKG_CONFIG" >&6; } -+else -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+fi -+ -+ -+fi -+if test -z "$ac_cv_path_PKG_CONFIG"; then -+ ac_pt_PKG_CONFIG=$PKG_CONFIG -+ # Extract the first word of "pkg-config", so it can be a program name with args. -+set dummy pkg-config; ac_word=$2 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -+$as_echo_n "checking for $ac_word... " >&6; } -+if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then : -+ $as_echo_n "(cached) " >&6 -+else -+ case $ac_pt_PKG_CONFIG in -+ [\\/]* | ?:[\\/]*) -+ ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path. -+ ;; -+ *) -+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -+for as_dir in $PATH -+do -+ IFS=$as_save_IFS -+ test -z "$as_dir" && as_dir=. 
-+ for ac_exec_ext in '' $ac_executable_extensions; do -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then -+ ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" -+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 -+ break 2 -+ fi -+done -+ done -+IFS=$as_save_IFS -+ -+ ;; -+esac -+fi -+ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG -+if test -n "$ac_pt_PKG_CONFIG"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5 -+$as_echo "$ac_pt_PKG_CONFIG" >&6; } -+else -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+fi -+ -+ if test "x$ac_pt_PKG_CONFIG" = x; then -+ PKG_CONFIG="" -+ else -+ case $cross_compiling:$ac_tool_warned in -+yes:) -+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 -+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} -+ac_tool_warned=yes ;; -+esac -+ PKG_CONFIG=$ac_pt_PKG_CONFIG -+ fi -+else -+ PKG_CONFIG="$ac_cv_path_PKG_CONFIG" -+fi -+ -+fi -+if test -n "$PKG_CONFIG"; then -+ _pkg_min_version=0.9.0 -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5 -+$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; } -+ if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -+$as_echo "yes" >&6; } -+ else -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+ PKG_CONFIG="" -+ fi -+fi -+ if test -n "$PKG_CONFIG" && \ -+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"\"python\${PY_MAJOR_VERSION}\"\""; } >&5 -+ ($PKG_CONFIG --exists --print-errors ""python${PY_MAJOR_VERSION}"") 2>&5 -+ ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 -+ test $ac_status = 0; }; then -+ PC_PY_DEPENDENCY="python${PY_MAJOR_VERSION}" -+else -+ PC_PY_DEPENDENCY="python" -+fi - - - # Check for SWIG -@@ -18960,126 +19089,6 @@ else - fi - - have_systemd=no -- -- -- -- -- -- -- --if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then -- if test -n "$ac_tool_prefix"; then -- # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args. --set dummy ${ac_tool_prefix}pkg-config; ac_word=$2 --{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 --$as_echo_n "checking for $ac_word... " >&6; } --if ${ac_cv_path_PKG_CONFIG+:} false; then : -- $as_echo_n "(cached) " >&6 --else -- case $PKG_CONFIG in -- [\\/]* | ?:[\\/]*) -- ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path. -- ;; -- *) -- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR --for as_dir in $PATH --do -- IFS=$as_save_IFS -- test -z "$as_dir" && as_dir=. -- for ac_exec_ext in '' $ac_executable_extensions; do -- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then -- ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" -- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 -- break 2 -- fi --done -- done --IFS=$as_save_IFS -- -- ;; --esac --fi --PKG_CONFIG=$ac_cv_path_PKG_CONFIG --if test -n "$PKG_CONFIG"; then -- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5 --$as_echo "$PKG_CONFIG" >&6; } --else -- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 --$as_echo "no" >&6; } --fi -- -- --fi --if test -z "$ac_cv_path_PKG_CONFIG"; then -- ac_pt_PKG_CONFIG=$PKG_CONFIG -- # Extract the first word of "pkg-config", so it can be a program name with args. --set dummy pkg-config; ac_word=$2 --{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 --$as_echo_n "checking for $ac_word... 
" >&6; } --if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then : -- $as_echo_n "(cached) " >&6 --else -- case $ac_pt_PKG_CONFIG in -- [\\/]* | ?:[\\/]*) -- ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path. -- ;; -- *) -- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR --for as_dir in $PATH --do -- IFS=$as_save_IFS -- test -z "$as_dir" && as_dir=. -- for ac_exec_ext in '' $ac_executable_extensions; do -- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then -- ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" -- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 -- break 2 -- fi --done -- done --IFS=$as_save_IFS -- -- ;; --esac --fi --ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG --if test -n "$ac_pt_PKG_CONFIG"; then -- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5 --$as_echo "$ac_pt_PKG_CONFIG" >&6; } --else -- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 --$as_echo "no" >&6; } --fi -- -- if test "x$ac_pt_PKG_CONFIG" = x; then -- PKG_CONFIG="" -- else -- case $cross_compiling:$ac_tool_warned in --yes:) --{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 --$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} --ac_tool_warned=yes ;; --esac -- PKG_CONFIG=$ac_pt_PKG_CONFIG -- fi --else -- PKG_CONFIG="$ac_cv_path_PKG_CONFIG" --fi -- --fi --if test -n "$PKG_CONFIG"; then -- _pkg_min_version=0.9.0 -- { $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5 --$as_echo_n "checking pkg-config is at least version $_pkg_min_version... 
" >&6; } -- if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then -- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 --$as_echo "yes" >&6; } -- else -- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 --$as_echo "no" >&6; } -- PKG_CONFIG="" -- fi --fi - if test "x$enable_systemd" != xno; then : - - -diff --git a/configure.ac b/configure.ac -index 1828253c..b2c95d1a 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -586,7 +586,10 @@ if test x_$ub_test_python != x_no; then - CPPFLAGS="$PYTHON_CPPFLAGS" - fi - ub_have_python=yes -- PC_PY_DEPENDENCY="python" -+ PKG_PROG_PKG_CONFIG -+ PKG_CHECK_EXISTS(["python${PY_MAJOR_VERSION}"], -+ [PC_PY_DEPENDENCY="python${PY_MAJOR_VERSION}"], -+ [PC_PY_DEPENDENCY="python"]) - AC_SUBST(PC_PY_DEPENDENCY) - - # Check for SWIG --- -2.14.4 - diff --git a/unbound-1.7.2-python3-pkgconfig.patch b/unbound-1.7.2-python3-pkgconfig.patch deleted file mode 100644 index 86ba0b8bd0af90ac352f6f98ba717bfa82d889a2..0000000000000000000000000000000000000000 --- a/unbound-1.7.2-python3-pkgconfig.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From bca54a8b252d4a75e940424dc761c6a4e487eb84 Mon Sep 17 00:00:00 2001 -From: Wouter Wijngaards -Date: Wed, 27 Jun 2018 06:07:31 +0000 -Subject: [PATCH 2/2] =?UTF-8?q?-=20Patch,=20do=20not=20export=20python=20f?= - =?UTF-8?q?rom=20pkg-config,=20from=20Petr=20Men=C5=A1=C3=ADk.?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -git-svn-id: file:///svn/unbound/trunk@4758 be551aaa-1e26-0410-a405-d3ace91eadb9 ---- - contrib/libunbound.pc.in | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/contrib/libunbound.pc.in b/contrib/libunbound.pc.in -index 0cb9f875..810c5713 100644 ---- a/contrib/libunbound.pc.in -+++ b/contrib/libunbound.pc.in -@@ -7,7 +7,8 @@ Name: unbound - Description: Library with validating, recursive, and caching DNS resolver - URL: http://www.unbound.net - Version: @PACKAGE_VERSION@ --Requires: @PC_LIBEVENT_DEPENDENCY@ @PC_PY_DEPENDENCY@ -+Requires: libcrypto libssl @PC_LIBEVENT_DEPENDENCY@ -+Requires.private: @PC_PY_DEPENDENCY@ - Libs: -L${libdir} -lunbound -lssl -lcrypto - Libs.private: @SSLLIB@ @LIBS@ - Cflags: -I${includedir} --- -2.14.4 - diff --git a/unbound-1.7.3-anchor-fallback.patch b/unbound-1.7.3-anchor-fallback.patch deleted file mode 100644 index 2470ce11f2cdde3c061f88faded02b338ab807e7..0000000000000000000000000000000000000000 --- a/unbound-1.7.3-anchor-fallback.patch +++ /dev/null 
@@ -1,182 +0,0 @@ -From 81e9f82a8ddd811d7ebafe2fd0ee5af836d0b405 Mon Sep 17 00:00:00 2001 -From: Wouter Wijngaards -Date: Wed, 4 Jul 2018 10:02:16 +0000 -Subject: [PATCH] - Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will - not pass if DNSSEC is not enabled. New option -R allows fallback from - resolv.conf to direct queries. - -git-svn-id: file:///svn/unbound/trunk@4770 be551aaa-1e26-0410-a405-d3ace91eadb9 ---- - doc/unbound-anchor.8.in | 5 ++++ - smallapp/unbound-anchor.c | 66 ++++++++++++++++++++++++++++++++++------------- - 2 files changed, 53 insertions(+), 18 deletions(-) - -diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in -index 02a3e781..e114eb25 100644 ---- a/doc/unbound-anchor.8.in -+++ b/doc/unbound-anchor.8.in -@@ -109,6 +109,11 @@ It does so, because the tool when used for bootstrapping the recursive - resolver, cannot use that recursive resolver itself because it is bootstrapping - that server. - .TP -+.B \-R -+Allow fallback from \-f resolv.conf file to direct root servers query. -+It allows you to prefer local resolvers, but fallback automatically -+to direct root query if they do not respond or do not support DNSSEC. -+.TP - .B \-v - More verbose. 
Once prints informational messages, multiple times may enable - large debug amounts (such as full certificates or byte\-dumps of downloaded -diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c -index b3009108..f3985090 100644 ---- a/smallapp/unbound-anchor.c -+++ b/smallapp/unbound-anchor.c -@@ -192,9 +192,10 @@ usage(void) - printf("-n name signer's subject emailAddress, default %s\n", P7SIGNER); - printf("-4 work using IPv4 only\n"); - printf("-6 work using IPv6 only\n"); -- printf("-f resolv.conf use given resolv.conf to resolve -u name\n"); -- printf("-r root.hints use given root.hints to resolve -u name\n" -+ printf("-f resolv.conf use given resolv.conf\n"); -+ printf("-r root.hints use given root.hints\n" - " builtin root hints are used by default\n"); -+ printf("-R fallback from -f to root query on error\n"); - printf("-v more verbose\n"); - printf("-C conf debug, read config\n"); - printf("-P port use port for https connect, default 443\n"); -@@ -1920,8 +1921,7 @@ static int - do_certupdate(const char* root_anchor_file, const char* root_cert_file, - const char* urlname, const char* xmlname, const char* p7sname, - const char* p7signer, const char* res_conf, const char* root_hints, -- const char* debugconf, int ip4only, int ip6only, int port, -- struct ub_result* dnskey) -+ const char* debugconf, int ip4only, int ip6only, int port) - { - STACK_OF(X509)* cert; - BIO *xml, *p7s; -@@ -1961,7 +1961,6 @@ do_certupdate(const char* root_anchor_file, const char* root_cert_file, - #ifndef S_SPLINT_S - sk_X509_pop_free(cert, X509_free); - #endif -- ub_resolve_free(dnskey); - ip_list_free(ip_list); - return 1; - } -@@ -2199,16 +2198,33 @@ probe_date_allows_certupdate(const char* root_anchor_file) - return 0; - } - -+static struct ub_result * -+fetch_root_key(const char* root_anchor_file, const char* res_conf, -+ const char* root_hints, const char* debugconf, -+ int ip4only, int ip6only) -+{ -+ struct ub_ctx* ctx; -+ struct ub_result* dnskey; -+ -+ ctx = 
create_unbound_context(res_conf, root_hints, debugconf, -+ ip4only, ip6only); -+ add_5011_probe_root(ctx, root_anchor_file); -+ dnskey = prime_root_key(ctx); -+ ub_ctx_delete(ctx); -+ return dnskey; -+} -+ - /** perform the unbound-anchor work */ - static int - do_root_update_work(const char* root_anchor_file, const char* root_cert_file, - const char* urlname, const char* xmlname, const char* p7sname, - const char* p7signer, const char* res_conf, const char* root_hints, -- const char* debugconf, int ip4only, int ip6only, int force, int port) -+ const char* debugconf, int ip4only, int ip6only, int force, -+ int res_conf_fallback, int port) - { -- struct ub_ctx* ctx; - struct ub_result* dnskey; - int used_builtin = 0; -+ int rcode; - - /* see if builtin rootanchor needs to be provided, or if - * rootanchor is 'revoked-trust-point' */ -@@ -2217,12 +2233,22 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file, - - /* make unbound context with 5011-probe for root anchor, - * and probe . 
DNSKEY */ -- ctx = create_unbound_context(res_conf, root_hints, debugconf, -- ip4only, ip6only); -- add_5011_probe_root(ctx, root_anchor_file); -- dnskey = prime_root_key(ctx); -- ub_ctx_delete(ctx); -- -+ dnskey = fetch_root_key(root_anchor_file, res_conf, -+ root_hints, debugconf, ip4only, ip6only); -+ rcode = dnskey->rcode; -+ -+ if (res_conf_fallback && res_conf && !dnskey->secure) { -+ if (verb) printf("%s failed, retrying direct\n", res_conf); -+ ub_resolve_free(dnskey); -+ /* try direct query without res_conf */ -+ dnskey = fetch_root_key(root_anchor_file, NULL, -+ root_hints, debugconf, ip4only, ip6only); -+ if (rcode != 0 && dnskey->rcode == 0) { -+ res_conf = NULL; -+ rcode = 0; -+ } -+ } -+ - /* if secure: exit */ - if(dnskey->secure && !force) { - if(verb) printf("success: the anchor is ok\n"); -@@ -2230,18 +2256,18 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file, - return used_builtin; - } - if(force && verb) printf("debug cert update forced\n"); -+ ub_resolve_free(dnskey); - - /* if not (and NOERROR): check date and do certupdate */ -- if((dnskey->rcode == 0 && -+ if((rcode == 0 && - probe_date_allows_certupdate(root_anchor_file)) || force) { - if(do_certupdate(root_anchor_file, root_cert_file, urlname, - xmlname, p7sname, p7signer, res_conf, root_hints, -- debugconf, ip4only, ip6only, port, dnskey)) -+ debugconf, ip4only, ip6only, port)) - return 1; - return used_builtin; - } - if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n"); -- ub_resolve_free(dnskey); - return used_builtin; - } - -@@ -2264,8 +2290,9 @@ int main(int argc, char* argv[]) - const char* root_hints = NULL; - const char* debugconf = NULL; - int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT; -+ int res_conf_fallback = 0; - /* parse the options */ -- while( (c=getopt(argc, argv, "46C:FP:a:c:f:hln:r:s:u:vx:")) != -1) { -+ while( (c=getopt(argc, argv, "46C:FRP:a:c:f:hln:r:s:u:vx:")) != -1) { - switch(c) { - case 'l': - dolist 
= 1; -@@ -2300,6 +2327,9 @@ int main(int argc, char* argv[]) - case 'r': - root_hints = optarg; - break; -+ case 'R': -+ res_conf_fallback = 1; -+ break; - case 'C': - debugconf = optarg; - break; -@@ -2346,5 +2376,5 @@ int main(int argc, char* argv[]) - - return do_root_update_work(root_anchor_file, root_cert_file, urlname, - xmlname, p7sname, p7signer, res_conf, root_hints, debugconf, -- ip4only, ip6only, force, port); -+ ip4only, ip6only, force, res_conf_fallback, port); - } --- -2.14.4 - diff --git a/unbound-1.7.3-host-any.patch b/unbound-1.7.3-host-any.patch deleted file mode 100644 index 9db4b947654558e412bf959c0e05099824494edf..0000000000000000000000000000000000000000 --- a/unbound-1.7.3-host-any.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/smallapp/unbound-host.c b/smallapp/unbound-host.c -index 53bf3277..f02511fe 100644 ---- a/smallapp/unbound-host.c -+++ b/smallapp/unbound-host.c -@@ -340,6 +340,7 @@ pretty_output(char* q, int t, int c, struct ub_result* result, int docname) - exit(1); - } - printf("%s\n", s); -+ free(s); - } else printf(" has no %s record", tstr); - printf(" %s\n", secstatus); - } diff --git a/unbound.conf b/unbound.conf index 2de6b64132185be9495ebd86786af5127e494008..748a661d06f76e47a20b9b2f57561cec1e7383bc 100644 --- a/unbound.conf +++ b/unbound.conf @@ -105,6 +105,7 @@ server: # are present, they are processed in order. # Our SElinux policy does not allow non-ephemeral ports to be used outgoing-port-avoid: 0-32767 + outgoing-port-avoid: 61000-65535 # number of outgoing simultaneous tcp buffers to hold per thread. # outgoing-num-tcp: 10 diff --git a/unbound.spec b/unbound.spec index 621c90be02f7bd1e816791b0d052a23e1325ff92..814eb32a7b221491d547b618e046ea329f7a5375 100644 --- a/unbound.spec +++ b/unbound.spec 
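Review bot: The added `outgoing-port-avoid: 61000-65535` in unbound.conf has no comment giving its reason, while the neighbouring `outgoing-port-avoid: 0-32767` is justified by the SELinux-policy comment above it. Together the two directives leave only 32768-60999 for outgoing queries, which shrinks the source-port space Unbound's port randomisation draws from as a cache-poisoning defence, so the reason for blocking the upper range (presumably a port range reserved by something else on the target hosts — to be confirmed) and the fact that the narrower range is intentional should be recorded next to the line, e.g. `# 61000-65535 are reserved for <REASON-TBD> on our hosts; 32768-60999 stays available for source-port randomisation`.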
@@ -1,8 +1,8 @@ %{!?delete_la: %global delete_la find $RPM_BUILD_ROOT -type f -name "*.la" -delete} Name: unbound -Version: 1.7.3 -Release: 14 +Version: 1.10.1 +Release: 1 Summary: Unbound is a validating, recursive, caching DNS resolver License: BSD Url: https://nlnetlabs.nl/projects/unbound/about/ @@ -21,14 +21,11 @@ Source11: unbound.sysconfig Source12: unbound-anchor.timer Source13: unbound-anchor.service -Patch0001: unbound-1.7.2-python3-devel.patch -Patch0002: unbound-1.7.2-python3-pkgconfig.patch -Patch0003: unbound-1.7.3-anchor-fallback.patch -Patch0004: unbound-1.7.3-host-any.patch -Patch0005: CVE-2019-18934.patch +Patch0001: unbound-1.10.0-auth-callback.patch BuildRequires: make flex swig pkgconfig systemd python-unversioned-command BuildRequires: libevent-devel expat-devel openssl-devel python3-devel +BuildRequires: unbound-libs %{?systemd_requires} Requires: %{name}-libs = %{version}-%{release} @@ -75,10 +72,9 @@ Package help includes includes man pages for unbound. %setup -qcn %{name}-%{version} pushd %{name}-%{version} -%patch0001 -p1 -b .python3 -%patch0002 -p1 -b .python3 -%patch0003 -p1 -b .anchor-fallback -%patch0004 -p1 -b .host-any + +%patch0001 -p1 + cp -pr doc pythonmod libunbound ../ popd @@ -121,7 +117,7 @@ install -p -m 0644 %{SOURCE11} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/unbound install -p -m 0644 %{SOURCE12} $RPM_BUILD_ROOT%{_unitdir}/unbound-anchor.timer install -p -m 0644 %{SOURCE13} $RPM_BUILD_ROOT%{_unitdir}/unbound-anchor.service - +cp -a %{_libdir}/libunbound.so.2* %{buildroot}%{_libdir} %delete_la @@ -233,6 +229,12 @@ popd %{_mandir}/man* %changelog +* Tue Jul 28 2020 gaihuiying - 1.10.1-1 +- Type:requirement +- ID:NA +- SUG:NA +- DESC:update unbound version to 1.10.1 + * Wed Feb 19 2020 hexiujun - 1.7.3-14 - Type:enhancement - ID:NA
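Review bot: `cp -a %{_libdir}/libunbound.so.2* %{buildroot}%{_libdir}` in the install hunk copies the libunbound shared object already installed on the build host — supplied by the new `BuildRequires: unbound-libs` — into the buildroot, so the library that ships is whatever unbound-libs the builder happened to have, not the one just built from the 1.10.1 sources, and the package now build-requires a prior build of itself and cannot be bootstrapped from scratch. If the library is missing from the buildroot after the install step (the hunk does not show why the copy is needed), that belongs in this spec's build/install steps rather than in copying a prebuilt file; at minimum the reason should be recorded in a comment above the line and in the changelog entry, which currently only mentions the version update. The line also mixes `%{buildroot}` with the `$RPM_BUILD_ROOT` used on the surrounding install lines.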