Hi,

Unbound 1.13.0rc2 pre-release is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0rc2.tar.gz
sha256 63a626a301fe11d4aaf5990f0d46c645d7c99262ead76a9066e3515179f71417
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0rc2.tar.gz.asc

This RC2 fixes bugs that were reported on the RC1 candidate.

Bug Fixes
- Fix crash when TLS connection is closed prematurely, when reuse tree comparison is not properly identical to insertion.
- Fix padding of struct regional for 32bit systems.
- With udp-connect ignore connection refused with UDP timeouts.
- Fix udp-connect on FreeBSD, do send calls on connected UDP socket.
- Better fix for reuse tree comparison for is-tls sockets. Where the tree key identity is preserved after cleanup of the TLS state.
- Fix memory leak for edns client tag opcode config element.
- Attempt fix for libevent state in tcp reuse cases after a packet is written.
- Fix readagain and writeagain callback functions for comm point cleanup.

Best regards, Wouter

On 24/11/2020 15:28, Wouter Wijngaards via maintainers wrote:
> Hi,
>
> Unbound 1.13.0rc1 pre-release is available:
> https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0rc1.tar.gz
> sha256 a55e8b5dfc290867017e7fbb75f1023ee2f6234943f870a5c24694b0908d7c17
> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0rc1.tar.gz.asc
>
> This version has fixes to connect for UDP sockets, slowing down potential ICMP side channel leakage. The fix can be controlled with the option udp-connect: yes, it is enabled by default.
>
> Additionally CVE-2020-28935 is fixed, this solves a problem where the pidfile is altered by a symlink, and fails if a symlink is encountered. See https://nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt for more information.
>
> New features are upstream TCP and TLS query reuse, where a channel is reused for several queries. And http-notls-downstream: yesno for unencrypted DoH, useful for back end support servers. The option infra-keep-probing can be used to probe hosts that are down more frequently.
>
> The options edns-client-string and edns-client-string-opcode can be used to add an EDNS option with the specified string in queries towards servers, with the servers specified by IP address. It replaces the edns-client-tag option.
>
> Features
> - Pass the comm_reply information to the inplace_cb_reply* functions during the mesh state and update the documentation on that.
> - Fix #330: [Feature request] Add unencrypted DNS over HTTPS support. This adds the option http-notls-downstream: yesno to change that, and the dohclient test code has the -n option.
> - Merge PR #228 : infra-keep-probing option to probe hosts that are down. Add infra-keep-probing: yes option. Hosts that are down are probed more frequently. With the option turned on, it probes about every 120 seconds, eventually after exponential backoff, and that keeps that way, if traffic keeps up for the domain. It probes with one at a time, e.g. one query is allowed to probe, other queries within that 120 second interval are turned away.
> - Merge PR #313 from Ralph Dolmans: Replace edns-client-tag with edns-client-string option.
> - Merge PR #283 : Stream reuse. This implements upstream stream reuse for performing several queries over the same TCP or TLS channel.
> - Fix to connect() to UDP destinations, default turned on, this lowers vulnerability to ICMP side channels. Option to toggle udp-connect, default is enabled.
>
> Bug Fixes
> - Fix #319: potential memory leak on config failure, in rpz config.
> - Fix dnstap socket and the chroot not applied properly to the dnstap socket path.
> - Fix warning in libnss compile, nss_buf2dsa is not used without DSA.
> - Fix #323: unbound testsuite fails on mock build in systemd-nspawn if systemd support is built.
> - Fix for python reply callback to see mesh state reply_list member, it only removes it briefly for the commpoint call so that it does not drop it and attempt to modify the reply list during reply.
> - Fix that if there are on reply callbacks, those are called per reply and a new message created if that was modified by the call.
> - Free up auth zone parse region after use for lookup of host
> - Merge PR #326 from netblue30: DoH: implement content-length header field.
> - DoH content length, simplify code, remove declaration after statement and fix cast warning.
> - Fix that if there are reply callbacks for the given rcode, those are called per reply and a new message created if that was modified by the call.
> - Fix that the out of order TCP processing does not limit the number of outstanding queries over a connection.
> - Fix python documentation warning on functions.rst inplace_cb_reply.
> - Log ip address when http session recv fails, e.g. due to tls fail.
> - Fix to set the tcp handler event toggle flag back to default when the handler structure is reused.
> - Clean the fix for out of order TCP processing limits on number of queries. It was tested to work.
> - Fix that http settings have colon in set_option, for http-endpoint, http-max-streams, http-query-buffer-size, http-response-buffer-size, and http-nodelay.
> - Fix memory leak of https port string when reading config.
> - local-zone regional allocations outside of chunk
> - Merge PR #324 from James Renken: Add modern X.509v3 extensions to unbound-control TLS certificates.
> - Fix for PR #324 to attach the x509v3 extensions to the client certificate.
> - Fix #327: net/if.h check fails on some darwin versions; contribution by Joshua Root.
> - Fix #320: potential memory corruption due to size miscomputation upon custom region alloc init.
> - Fix #333: Unbound Segmentation Fault w/ log_info Functions From Python Mod.
> - Fix that minimal-responses does not remove addresses from a priming query response.
> - In man page note that tls-cert-bundle is read before permission drop and chroot.
> - Fix #341: fixing a possible memory leak.
> - Fix memory leak after fix for possible memory leak failure.
> - Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX' undeclared.
> - Fix for #303 CVE-2020-28935 : Fix that symlink does not interfere with chown of pidfile.
> - Fix #347: IP_DONTFRAG broken on Apple xcode 12.2.
> - Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error: failed to list interfaces: getifaddrs: Address family not supported by protocol.
> - Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket address families.
> - iana portlist updated.
>
> Best regards, Wouter
>
> _______________________________________________
> maintainers mailing list
> maintain...@lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/maintainers
signature.asc
Description: OpenPGP digital signature
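The udp-connect change in the quoted RC1 notes and the RC2 "connection refused" fix both concern connect()ed UDP sockets. The following is an added example, not Unbound's code: on a loopback socket triple it shows what connect() buys a resolver's query socket, namely that the kernel only delivers datagrams from the connected upstream and drops anything from another address/port before user space sees it (ICMP errors for that peer then surface as ECONNREFUSED on the socket, which is why RC2 folds them into the UDP timeout path). Function names are the example's own; it assumes a Linux/BSD sockets API with loopback available.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket to 127.0.0.1 on an ephemeral port; *addr receives it. */
static int bind_loopback(struct sockaddr_in *addr) {
    socklen_t len = sizeof *addr;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    *addr = (struct sockaddr_in){ .sin_family = AF_INET,
                                  .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    if (bind(fd, (struct sockaddr *)addr, len) < 0 ||
        getsockname(fd, (struct sockaddr *)addr, &len) < 0) { close(fd); return -1; }
    return fd;
}

/* Brief wait, then non-blocking recv: bytes read, 0 if nothing arrived, -1 on error. */
static ssize_t try_recv(int fd, char *buf, size_t cap) {
    usleep(20000);                         /* let loopback deliver or reject */
    ssize_t n = recv(fd, buf, cap, MSG_DONTWAIT);
    if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) return 0;
    return n;
}

/* 1 if a connect()ed client drops a datagram from an unrelated sender yet
 * receives one from the connected upstream; 0 if not; -1 on setup error. */
int connected_udp_filters_strangers(void) {
    struct sockaddr_in upstream, stranger, client;
    char buf[16];
    int result = -1;
    int up = bind_loopback(&upstream), st = bind_loopback(&stranger), cl = bind_loopback(&client);
    if (up < 0 || st < 0 || cl < 0) goto out;
    /* What udp-connect: yes does: tie the query socket to its one upstream. */
    if (connect(cl, (struct sockaddr *)&upstream, sizeof upstream) < 0) goto out;
    /* Datagram from a different source port: the kernel must not deliver it. */
    if (sendto(st, "x", 1, 0, (struct sockaddr *)&client, sizeof client) != 1) goto out;
    result = (try_recv(cl, buf, sizeof buf) == 0);
    /* Datagram from the connected upstream: must arrive. */
    if (result && sendto(up, "y", 1, 0, (struct sockaddr *)&client, sizeof client) == 1)
        result = (try_recv(cl, buf, sizeof buf) == 1 && buf[0] == 'y');
    else if (result) result = -1;
out:
    if (up >= 0) close(up);
    if (st >= 0) close(st);
    if (cl >= 0) close(cl);
    return result;
}
```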