unbound (1.17.1-2+deb12u2) bookworm-security; urgency=high
* Non-maintainer upload by the Security Team.
* Address DNSSEC protocol vulnerabilities (Closes: #1063845)
- Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to
exhaust CPU resources and stall DNS resolvers.
- Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
-- Salvatore Bonaccorso <carnil@debian.org> Tue, 13 Feb 2024 21:00:13 +0100
unbound (1.17.1-2+deb12u1) bookworm; urgency=medium
* fix-812-fix-846-by-using-the-SSL_OP_IGNORE_UNEXPECTE.patch from upstream
to fix error log flooding when using DNS over TLS with openssl 3.0.
Closes: #1038243
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 25 Sep 2023 18:45:40 +0300
unbound (1.17.1-2) unstable; urgency=medium
* unbound-helper: return 0 explicitly in a few places
(Closes: #1019140)
-- Michael Tokarev <mjt@tls.msk.ru> Sun, 09 Apr 2023 15:59:14 +0300
unbound (1.17.1-1) unstable; urgency=medium
[ Michael Tokarev ]
* new upstream release. Release notes:
This release fixes a number of bugs. There are also new configuration
options that by default do not change the existing behaviour of Unbound.
With `statistics-inhibit-zero` the printout of zero values by stats can
be controlled. Similarly with `max-sent-count` and `max-query-restarts`
the iterator behaviour can be controlled. The maximum CNAME chain length
that is accepted can be changed by increasing the `max-query-restarts`
number. This takes more time to follow those elements.
The keep-cache option allows reloads to change configuration whilst
keeping the cache memory intact, making the cache hot for good response
times after the change has completed.
The release contains an additional fix for service downgrade due to
wrong hash values for wildcards in a hyperlocal zone, that was reported
by Sergey Kacheev.
Features
- Expose 'statistics-inhibit-zero' as a configuration option; the
default value retains Unbound's behavior.
- Expose 'max-sent-count' as a configuration option; the
default value retains Unbound's behavior.
- Merge #461 from Christian Allred: Add max-query-restarts option.
Exposes an internal configuration but the default value retains
Unbound's behavior.
- Merge #569 from JINMEI Tatuya: add keep-cache option to
'unbound-control reload' to keep caches.
Bug Fixes
- Merge #768 from fobser: Arithmetic on a pointer to void is a GNU
extension.
- In unit test, print python script name list correctly.
- testcode/dohclient sets log identity to its name.
- Clarify the use of MAX_SENT_COUNT in the iterator code.
- Fix that cachedb does not store failures in the external cache.
- Merge #767 from jonathangray: consistently use IPv4/IPv6 in
unbound.conf.5.
- Fix to ignore tcp events for closed comm points.
- Fix to make sure to not read again after a tcp comm point is closed.
- Fix #775: libunbound: subprocess reap causes parent process reap
to hang.
- iana portlist update.
- Complementary fix for distutils.sysconfig deprecation in Python 3.10
to commit 62c5039ab9da42713e006e840b7578e01d66e7f2.
- Fix #779: [doc] Missing documentation in ub_resolve_event() for
callback parameter was_ratelimited.
- Ignore expired error responses.
- Merge #720 from jonathangray: fix use after free when
WSACreateEvent() fails.
- Fix for the ignore of tcp events for closed comm points, preserve
the use after free protection features.
- Fix #782: Segmentation fault in stats.c:404.
- Add SVCB and HTTPS to the types removed by 'unbound-control flush'.
- Clear documentation for interactivity between the subnet module and
the serve-expired and prefetch configuration options.
- Fix #773: When used with systemd-networkd, unbound does not start
until systemd-networkd-wait-online.service times out.
- Merge #808: Wrap Makefile script's directory variables in quotes.
- Fix to wrap Makefile scripts directory in quotes for uninstall.
- Fix windows compile for libunbound subprocess reap comm point closes.
- Update github workflows to use checkout v3.
- Fix wildcard in hyperlocal zone service degradation, reported
by Sergey Kacheev.
* lintian-overrides fixes/additions
[ Helmut Grohne ]
* Fix FTCBFS: export _PYTHON_SYSCONFIGDATA_NAME. (Closes: #1024422)
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 12 Jan 2023 18:28:54 +0300
unbound (1.17.0-1) unstable; urgency=medium
* new upstream release
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 13 Oct 2022 14:01:15 +0300
unbound (1.16.3-1) unstable; urgency=medium
* new upstream minor release with the following change:
- Patch for CVE-2022-3204 Non-Responsive Delegation Attack
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 21 Sep 2022 13:21:43 +0300
unbound (1.16.2-1) unstable; urgency=medium
* new upstream minor release with many bugfixes and 2 features.
Closes: #1016493, CVE-2022-30698, CVE-2022-30699
* d/unbound.docs: install doc/Changelog file
* d/copyright: mark debian/patches/* as GPL-2 (#1013957)
(not closing the bug since it is more than d/patches/)
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 12 Aug 2022 12:57:33 +0300
unbound (1.16.0-2) unstable; urgency=medium
* revert the python path change in previous upload, and set python
module directory explicitly to /usr/lib/python3/dist-packages/.
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 02 Jun 2022 19:35:26 +0300
unbound (1.16.0-1) unstable; urgency=medium
* update to the new upstream release.
Highlight this time is basic support for EDE (RFC8914)
* removed patches applied upstream
* updated paths for python modules (usr/lib/python3.M/site-packages/)
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 02 Jun 2022 18:28:14 +0300
unbound (1.15.0-11) unstable; urgency=medium
[ Simon Deziel ]
* d/unbound.postinst: fix configure action to have unbound user/group created
* d/apparmor-profile: use profile name specifier
[ Michael Tokarev ]
* tests/runzones: add 1s delay after starting daemon:
apparently the pid file is created/written too late
-- Michael Tokarev <mjt@tls.msk.ru> Sun, 15 May 2022 22:22:19 +0300
unbound (1.15.0-10) unstable; urgency=medium
* d/tests/: fix the test to not rely on presence of unbound.pid after
daemon start. Apparently unbound creates the pid file at a wrong time
-- Michael Tokarev <mjt@tls.msk.ru> Sun, 08 May 2022 10:17:45 +0300
unbound (1.15.0-9) unstable; urgency=medium
* d/apparmor-profile: remove old /var/run/ alternatives for /run
* d/apparmor-profile: allow /etc/unbound/var/lib/unbound/ access too,
for chrooting to upstream-preferred /etc/unbound (Closes: #1010517)
* d/rules: stop explicitly exporting CFLAGS/LDFLAGS, dh_auto_* does this
automatically since dh-compat 9
* d/rules: do not enable --with-lto-server on kfreebsd (this fixes FTBFS)
It is a good candicate for an autoconf test.
* d/rules: add comments for --disable-lto, --with-libbsd
* d/tests/: add simple autopkgtest (verify www.debian.org record with DNSSEC)
-- Michael Tokarev <mjt@tls.msk.ru> Sat, 07 May 2022 10:34:09 +0300
unbound (1.15.0-8) unstable; urgency=medium
* fix the brown-paper bag bug in the previous upload. I did it again:
it is var += newvalue, not var := newvalue. This made the previous
upload to built without many build options
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 29 Apr 2022 18:33:16 +0300
unbound (1.15.0-7) unstable; urgency=medium
* unbound-resolvconf.service:
- do not (re)start it explicitly from the postinst script, it should
only be started as a part of unbound.service. Closes: #1009928
- add comments to this service file to clarify its purpose
- add lintian overrides for this service file
* /etc/resolvconf/update.d/unbound resolvconf hook script:
- ship it enabled for new installs. Closes: #1003135
- but do not re-enable it for previous installs
- add more comments to this file clarifying its purpose and possible issues
- add comments about various ways to enable/disable this hook,
- implement ability to disable it by setting USE_RESOLVCONF_FORWARDS=false
in /etc/default/unbound
- multiple other small changes and cleanups
- rename it in debian packaging from d/resolvconf to d/resolvconf-forwards
to make it's purpose more explicit
* use dns root.key stored in /usr/share/dns/ (as provided by dns-root-data
package) instead of the unbound-owned /var/lib/unbound/root.key (which is
managed by an untrusted user). This changes defaults for unbound-host and
unbound-anchor. Add Recommends: dns-root-data for unbound-host so it can
find this root.key in the default install. Closes: #641704
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 29 Apr 2022 16:53:50 +0300
unbound (1.15.0-6) unstable; urgency=medium
* actually install the forgotten remote-control.conf.
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 28 Apr 2022 20:15:21 +0300
unbound (1.15.0-5) unstable; urgency=medium
* use unix-domain socket /run/unbound.ctl for the control interface
instead of tcp localhost socket. This makes the keys/certs files
for the remote contol to be unnecessary, so stop running
unbound-control-setup in postinst too.
(Closes: #1010271)
* move remote-control section out of main unbound.conf file into
unbound.conf.d/remote-control.conf. Main file now becomes the
same as before version 1.15. There was no need to mess with the
main config file since the NEWS file already gives the user
enough information.
* do-not-chown-control-socket.patch: stop chowning control socket
to the unprivileged user, only group ownership is needed.
* do-not-look-at-pidfile.patch: stop messing up with the pidfile.
Unbound does not need to look at its pid file for the previous
instance, since it will not be able to open listening sockets
if the daemon is already running. Remove whole reading of the
pid file, and especially remove setting ownership of the pid file
to the unprivileged user (done in order to be able to clean it up),
since this is a potential security issue.
* unbound.postrm: stop removing the unbound system user
* fix wording and reformat the previous unbound.NEWS entry, and merge
old NEWS file into unbound.NEWS, since all news in there are actually
about the unbound package, not about all other binary packages we build.
* a few more tweaks for d/unbound-helper, in do_resolvconf_{start|stop}.
Thank you Simon Deziel for the ideas.
-- Michael Tokarev <mjt@tls.msk.ru> Thu, 28 Apr 2022 19:15:23 +0300
unbound (1.15.0-4) unstable; urgency=medium
* d/unbound.conf: move and fix the remote-control section
Move the remote-control section above the include directive so it is
possible to override it there, and fix comment. Do this remote-control
section in unbound.conf directly (instead of in new unbound.conf.d/
fragment), so it is more obvious that the default were flipped and
the default value is changed.
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 20 Apr 2022 10:52:26 +0300
unbound (1.15.0-3) unstable; urgency=medium
* modify the default unbound.conf to include control-enale: yes so
the remote control is enabled by default even if the default value
is not flipped by a patch (upstream sets it to "no")
* d/control: use the right spelling for Recommends:
-- Michael Tokarev <mjt@tls.msk.ru> Wed, 20 Apr 2022 00:37:17 +0300
unbound (1.15.0-2) experimental; urgency=medium
[ Michael Stella ]
* Add clarifying description to resolvconf hook
[ Simon Deziel ]
* debian/unbound.init: ask start-stop-daemon to remove the PID file
when stopping the daemon. Closes: #947771
[ Michael Tokarev ]
* d/changelog: mention #1000201 closed by 1.15.0-1
* d/changelog: mention install-pkgconfig-in-lib-not-all.patch in 1.15.0-1
* stop resetting permissions of unbound resovconf hook from ancient
pre-jessie (<<1.5.8-1) version
* stop removing ancient pre-jessie (<<1.5.7-2) /etc/default/unbound conffile
* add DEP12 d/upstream/metadata
* d/rules: stop adding --as-needed linker flag (it is the default now)
* stop flipping default value for remote-control: control-enable to "yes"
(see the NEWS file) (Closes: #991017)
* enable TCP Fast-Open (TFO) for both client and server (Closes: #903390)
This can be configured in /proc/sys/net/ipv4/tcp_fastopen (bitmask):
0x01 is client-side (enabled by default), 0x02 is server-side (disabled).
To enable tfo for both client and server, enable both bits.
* enable DNS over HTTP (DoH) for the server. This adds libnghttp2-dev
to Build-Depends (Closes: #973793)
* add source lintian-override to shut up a false positive (windows binary)
* d/unbound-helper: rename from package-helper and move it from subdir in
/usr/lib/unbound/ to /usr/libexec/unbound-helper.
* d/unbound-helper: rework updating of the unbound copy of the root.key file:
copy it to /var/lib/unbound/root.key.tmp first and rename to ..../root.key
only when done. Also do not do it as root in an untrusted directory.
(Closes: #989959)
* d/unbound-helper: do not perform chroot setup operations if chroot is
not configured in the config file
* d/unbound-helper: perform /run/systemd/notify bind-mount for any chroot
if configured, not only for non-standard chroot which needs a copy of
all config files. Closes: #931583, Actually closes: #828699.
* d/unbound-helper: other cleanups
* d/unbound.init: set PATH={,/usr}/{,s}bin. Closes: #900751
* d/unbound.init: stop hiding update_trust_anchor messages and use "unbound"
tag for logging them
* d/control: since unbound does not use unbound-anchor directly anymore,
drop the Depends
* d/control: move openssl from Depends to Recommends. It is used only to
generate remove-control keys for unbound-control, once, usually at the
install time (in postinst) and never used after install. Also check if
openssl is installed and print a friendly error message in
unbound-control-setup if it is not. This is done in a new patch,
unbound-control-setup-check-openssl.patch
* d/control: move dns-root-data from Depends to Recommends. It is only
used for root.key currently (in unbound-helper) and even there, once
it is initially copied to unbound library directory, this file will
be managed by unbound itself using RFC 5011 trust anchor tracking.
So this package can be removed if necessary, without harming unbound.
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 19 Apr 2022 20:39:12 +0300
unbound (1.15.0-1) experimental; urgency=medium
* Acknowledge the NMU
* New upstream release (1.15.0)
Closes: #997694, #1001430, #1008918, #1000201
* remove python3.10-related patches (included upstream)
* add myself to Uploaders
* redo the whole packag build procedure
- switch to dh sequence
- switch to debhelper-compat=13
- switch to dh-sequence-python3
- move configure/build/install parts out of binary target
into the right places
- move different builds into subdirs of b/ to stop building
them one by one replacing results
- perform 2 builds, one main (daemon & tools) and one libunbound
--with-nettle (daemon can't be built with nettle);
when installing, install libunbound build on top of the main
install in d/tmp, replacing only the library
- use pkg.unbound.libonly build profile in d/rules
- use normal d/*.install way to install files instead of a lot
of custom renaming in d/rules (Closes: #632096)
- enable dh_missing (automatic with dh=13), with actual filelist
and two *.la files in d/not-installed
- include only required dpkg *.mk files (else it is slow)
* install all *.3 manpages (for individual functions too)
* install unbound-control-setup.8
* enable-python-build-in-subdir.patch: fix 2 probs with python
module building in a subdir (needs to go upstream)
* add install-pkgconfig-in-lib-not-all.patch to fix another small
install prob in Makefile.in (pkgconfig is installed in wrong place)
* d/onttrol: bump Standards-Version to 4.6.0 (no changes needed)
* d/control: add Pre-Depends: ${misc:Pre-Depends} to unbound package
to satisfy current dh_installsystemd & dh_installinit maintscript
fragments
* d/control: Rules-Requires-Root: no
* d/unbound.init: add short description to the init file
* added simple d/salsa-ci.yml file
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 18 Apr 2022 00:56:10 +0300
unbound (1.13.1-1.1) unstable; urgency=medium
* Non-maintainer upload
[ Rico Tzschichholz ]
* Cherry-pick upstream commits for Python 3.10 compatibility (Closes:
#1008641)
-- Sebastian Ramacher <sramacher@debian.org> Wed, 06 Apr 2022 21:37:02 +0200
unbound (1.13.1-1) unstable; urgency=medium
* New upstream version 1.13.1
* debian/gbp.conf: [import-orig] upstream-signatures = True
* Drop debian/patches/0002-Fix-358-Squelch-udp-connect-no-route-to-host-
errors-.patch (included in 1.13.1 release)
* debian/copyright: 2021
-- Robert Edmonds <edmonds@debian.org> Tue, 09 Feb 2021 17:53:57 -0500
unbound (1.13.0-1) unstable; urgency=medium
* New upstream version 1.13.0
- Fix CVE-2020-28935: PID file vulnerability (Closes: #977165)
* debian/patches/0002-Fix-358-Squelch-udp-connect-no-route-to-host-
errors-.patch: Cherry-pick upstream commit
5906811ff19f005110b2edbda5aa144ad5fa05b1 to suppress UDP connect()
errors on low verbosity
-- Robert Edmonds <edmonds@debian.org> Wed, 23 Dec 2020 19:34:24 -0500
unbound (1.12.0-1) unstable; urgency=medium
* New upstream version 1.12.0
-- Robert Edmonds <edmonds@debian.org> Mon, 19 Oct 2020 00:35:38 -0400
unbound (1.11.0-1) unstable; urgency=medium
[ Simon Deziel ]
* systemd: don't create a PID file
* debian/package-helper: mount --bind systemd notify socket into chroot
(Closes: #867187)
[ Robert Edmonds ]
* New upstream version 1.11.0
- Merge PR #241 by Robert Edmonds: contrib/libunbound.pc.in: Do not use
"Requires:". (Closes: #958331)
- Introduce "include-toplevel:" configuration option.
- Adds its own implementation of Frame Streams for dnstap support.
* debian/control: Remove build dependency on libfstrm-dev
* debian/unbound.conf: Use "include-toplevel:" instead of "include:"
(Closes: #950754)
* debian/NEWS: Add entry for 1.11.0-1 regarding the change of
/etc/unbound/unbound.conf to using the "include-toplevel:" directive
* debian/patches/: Refresh patches
-- Robert Edmonds <edmonds@debian.org> Sun, 09 Aug 2020 20:57:15 -0400
unbound (1.10.1-1) unstable; urgency=high
* New upstream version 1.10.1
- Fix CVE-2020-12662: Unbound can be tricked into amplifying an incoming
query into a large number of queries directed to a target.
- Fix CVE-2020-12663: Malformed answers from upstream name servers can be
used to make Unbound unresponsive.
-- Robert Edmonds <edmonds@debian.org> Tue, 19 May 2020 11:36:53 -0400
unbound (1.10.0-1) unstable; urgency=medium
[ Robert Edmonds ]
* New upstream version 1.10.0
* Drop debian/patches/0002-Allow-use-of-libbsd-functions-with-configure-
option-.patch (applied upstream)
[ Stuart Prescott ]
* Drop Python 2 module package (Closes: #938752)
-- Robert Edmonds <edmonds@debian.org> Sat, 18 Apr 2020 19:29:50 -0400
unbound (1.9.6-2) unstable; urgency=medium
* debian/unbound.maintscript: Remove obsolete conffile
/etc/unbound/unbound.conf.d/qname-minimisation.conf (Closes: #950406)
-- Robert Edmonds <edmonds@debian.org> Sat, 01 Feb 2020 14:44:39 -0500
unbound (1.9.6-1) unstable; urgency=medium
[ Robert Edmonds ]
* New upstream version 1.9.6 (Closes: #948036)
- Fixes 'unbound crashes with "Assertion nread >= 0 failed in
evmap_io_del_"' (Closes: #930699)
- Fixes "unbound: Fails to answer TCP queries due to broken idle-timeout"
(Closes: #946421)
* debian/source/options: Remove 'single-debian-patch' option
* debian/unbound.service: Change ExecReload to send SIGHUP rather than
using unbound-control (Closes: #923314)
* Enable remote-control by default (Closes: #923314)
* Allow use of libbsd functions with configure option --with-libbsd
* Remove "qname-minimisation: yes" config file setting, since this is
now the default (Closes: #915056)
* debian/package-helper: No longer invoke unbound-anchor for root trust
anchor update (Closes: #910675)
* debian/control: Bump Standards-Version to 4.5.0 (no changes)
* debian/control: Remove build dependencies on autotools-dev, dh-
autoreconf
* debian/libunbound8.symbols: Add "* Build-Depends-Package: libunbound-
dev"
* Rename debian/NEWS.Debian -> debian/NEWS
[ Matthew Palmer ]
* Fix insecure use of start-stop-daemon --pidfile (Closes: #941573)
[ Simon Deziel ]
* Install Apparmor profile prior to service startup (Closes: #919511)
[ Debian Janitor ]
* Trim trailing whitespace.
* Drop use of autotools-dev debhelper.
* Bump debhelper from old 9 to 10.
* Set field Upstream-Name in debian/copyright.
-- Robert Edmonds <edmonds@debian.org> Sun, 26 Jan 2020 22:45:45 -0500
unbound (1.9.4-2) unstable; urgency=medium
* Cherry-pick upstream commit ec021e0d, "fix build with nettle-3.5"
(Closes: #941041)
-- Robert Edmonds <edmonds@debian.org> Sat, 26 Oct 2019 08:00:58 -0400
unbound (1.9.4-1) unstable; urgency=high
* New upstream version 1.9.4
- Fix CVE-2019-16866: uninitialized memory access when parsing specially
crafted NOTIFY query.
-- Robert Edmonds <edmonds@debian.org> Fri, 04 Oct 2019 00:43:19 -0400
unbound (1.9.3-1) unstable; urgency=medium
* New upstream version 1.9.3
-- Robert Edmonds <edmonds@debian.org> Tue, 27 Aug 2019 14:24:11 -0400
unbound (1.9.3~rc1-1) experimental; urgency=medium
* New upstream version 1.9.3~rc1
* debian/control: Bump Standards-Version to 4.4.0 (no changes)
-- Robert Edmonds <edmonds@debian.org> Sat, 17 Aug 2019 18:01:56 -0400
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog libunbound8`.
Generated by dwww version 1.15 on Sat May 18 13:08:19 CEST 2024.