release-1.9.4
b60c4a47 · Unbound 1.9.4

This release is a fix for vulnerability CVE-2019-16866 that causes a failure when a specially crafted query is received.

Bug Fixes:
- Fix for the reported vulnerability.

release-1.9.3
79fa9483 · Unbound 1.9.3

This release has a number of bug fixes. Added is the ipset module, that helps add ip-addresses that are looked up in a domain to a firewall ip-address filter. Also, the python module has restart next, per-query data and multiple instance support. The unbound -V option has been added and it prints the build config.

Features:
- PR #28: IPSet module, by Kevin Chou. Created a module to support the ipset that could add the domain's ip to a list easily. Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md.
- Merge PR #6: Python module: support multiple instances
- Merge PR #5: Python module: define constant MODULE_RESTART_NEXT
- Merge PR #4: Python module: assign something useful to the per-query data store 'qdata'
- Introduce `-V` option to print the version number and build options. Previously reported build options like linked libs and linked modules are now moved from `-h` to `-V` as well for consistency.
- PACKAGE_BUGREPORT now also includes link to GitHub issues.

Bug Fixes:
- Fix #39: In libunbound, leftover logfile is close()d unpredictably.
- Fix for #24: Fix abort due to scan of auth zone masters using old address from previous scan.
- Fix to omit RRSIGs from addition to the ipset.
- Fix to make unbound-control with ipset, remove unused variable, use unsigned type because of comparison, and assign null instead of compare with it. Remade lex and yacc output.
- make depend
- Added documentation to the ipset files (for doxygen output).
- Fix python dict reference and double free in config.
- Fix memleak in unit test, reported from the clang 8.0 static analyzer.
- For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf when do-not-query-localhost is turned on, or at default on, unbound-checkconf prints a warning if it is found in forward-addr or stub-addr statements.
- Fix for possible assertion failure when answering respip CNAME from cache.
- Fix in respip addrtree selection. Absence of addr_tree_init_parents() call made it impossible to go up the tree when the matching netmask is too specific.
- Fix #48: Unbound returns additional records on NODATA response, if minimal-responses is enabled, also the additional for negative responses is removed.
- Fix #49: Set no renegotiation on the SSL context to stop client session renegotiation.
- Fix question section mismatch in local zone redirect.
- Add verbose log message when auth zone file is written, at level 4.
- Add hex print of trust anchor pointer to trust anchor file temp name to make it unique, for libunbound created multiple contexts.
- For #52 #53, second context does not close logfile override.
- Fix #52 #53, fix for example fail program.
- Fix to return after failed auth zone http chunk write.
- Fix to remove unused test for task_probe existence.
- Fix to timeval_add for remaining second in microseconds.
- Check repinfo in worker_handle_request, if null, drop it.
- Generate configlexer with newer flex.
- Fix warning for unused variable for compilation without systemd.
- Fix #59, when compiled with systemd support check that we can properly communicate with systemd through the `NOTIFY_SOCKET`.
- iana portlist updated.
- Fix autotrust temp file uniqueness windows compile.
- avoid warning about upcast on 32bit systems for autotrust.
- escape commandline contents for -V.
- Fix character buffer size in ub_ctx_hosts.
- Option -V prints if TCP fastopen is available.
- Fix unittest valgrind false positive uninitialised value report, where if gcc 9.1.1 uses -O2 (but not -O1) then valgrind 3.15.0 issues an uninitialised value for the token buffer at the str2wire.c rrinternal_get_owner() strcmp with the '@' value. Rewritten to use straight character comparisons removes the false positive. Also valgrinds --expensive-definedness-checks=yes can stop this false positive.
- Please doxygen's parser for "@" occurrence in doxygen comment.
- Fixup contrib/fastrpz.patch
- Remove warning about unknown cast-function-type warning pragma.
- Document limitation of pidfile removal outside of chroot directory.
- Fix log_dns_msg to log irrespective of minimal responses config.
- Fix that pkg-config is setup before --enable-systemd needs it.

release-1.9.2
ee06aaaa · Unbound release 1.9.2

This release contains a number of bug fixes for crashes introduced in 1.9, session ticket code, stream pipeline code, auth zone code and it also fixes qname minimisation packet scrub failures.

There is a new python module example. This is an example of a module that is loaded into unbound that changes DNS messages, and how Unbound processes them. The example resolves records in multicast DNS, with Avahi.

AXFR over TLS is supported. This uses TLS to connect to the master and download the AXFR or IXFR. Enable by loading certificates (just like for other DNS over TLS), and syntax like master: "ip#authname" in unbound.conf for the auth-zone where you want to use this.

Features
- add type CAA to libpyunbound (accessing libunbound from python).
- Fix #17: Add python module example from Jan Janak, that is a plugin for the Unbound DNS resolver to resolve DNS records in multicast DNS [RFC 6762] via Avahi. The plugin communicates with Avahi via DBus. The comment section at the beginning of the file contains detailed documentation.
- travis build file.
- PR #16: XoT support, AXFR over TLS, turn it on with master: <ip>#<authname> in unbound.conf. This uses TLS to download the AXFR (or IXFR).

Bug Fixes
- Fix for #4233: guard use of NDEBUG, so that it can be passed in CFLAGS into configure.
- Add log message, at verbosity 4, that says the query is encrypted with TLS, if that is enabled for the query.
- Fix #4239: set NOTIMPL when deny-any is enabled, for RFC8482.
- Fix #4240: Fix whitespace cleanup in example.conf.
- Fix that tls-session-ticket-keys: "" on its own in unbound.conf disables the tls session ticket key calls into the OpenSSL API.
- Fix crash if tls-service-pem not filled in when necessary.
- Fix auth-zone NSEC3 response for empty nonterminals with exact match nsec3 records.
- Fix for out of bounds integers, thanks to OSTIF audit. It is in allocation debug code.
- Fix for auth zone nsec3 ent fix for wildcard nodata.
- Move goto label in answer_from_cache to the end of the function where it is more visible.
- Fix auth-zone NSEC3 response for wildcard nodata answers, include the closest encloser in the answer.
- Fix spelling error in log output for event method.
- Fix to reinit event structure for accepted TCP (and TLS) sockets.
- Fix to use event_assign with libevent for thread-safety.
- verbose information about auth zone lookup process, also lookup start, timeout and fail.
- Fix to wipe ssl ticket keys from memory with explicit_bzero, if available.
- Fix that auth zone uses correct network type for sockets for SOA serial probes. This fixes that probes fail because earlier probe addresses are unreachable.
- Fix that auth zone fails over to next master for timeout in tcp.
- Squelch SSL read and write connection reset by peer and broken pipe messages. Verbosity 2 and higher enables them.
- Update python documentation for init_standard().
- Typos.
- Fix tls write event for read state change to re-call SSL_write and not resume the TLS handshake.
- Better braces in if statement in TCP fastopen code.
- iana portlist updated.
- Scrub RRs from answer section when reusing NXDOMAIN message for subdomain answers.
- For harden-below-nxdomain: do not consider a name to be non-existent when message contains a CNAME record.
- Fix wrong query name in local zone redirect answers with a CNAME, the copy of the local alias is in unpacked form.
- contrib/fastrpz.patch updated for code changes, and with git diff.
- Fix #29: Solaris 11.3 and missing symbols be64toh, htobe64.
- Fix #30: AddressSanitizer finding in lookup3.c. This sets the hash function to use a slower but better auditable code that does not read beyond array boundaries. This makes code better security checkable, and is better for security. It is fixed to be slower, but not read outside of the array.
- Fix edns-subnet locks, in error cases the lock was not unlocked.
- Fix doxygen output error on readme markdown vignettes.
- Squelch log messages from tcp send about connection reset by peer. They can be enabled with verbosity at higher values for diagnosing network connectivity issues.
- Attempt to fix malformed tcp response.
- Fix #31: swig 4.0 and python module.
- Note that so-reuseport at extreme load is better turned off, otherwise queries are not distributed evenly, on Linux 4.4.x.
- Fix that spoolbuf is not used to store tcp pipelined response between mesh send and callback end.
- Fix double file close in tcp pipelined response code.
- Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD.
- Fix to guard _OPENBSD_SOURCE from redefinition.
- Fix that fixes the Fix that spoolbuf is not used to store tcp pipelined response between mesh send and callback end, this fixes error cases that did not use the correct spoolbuf.
- Fix another spoolbuf storage code point, in prefetch.

final-svn-state
2a788030 · Final state of Unbound svn repository before git migration
git-svn-id: file:///svn/unbound/tags/final-svn-state@5176 be551aaa-1e26-0410-a405-d3ace91eadb9

release-1.9.1rc1
16cc196b · tag release 1.9.1rc1
git-svn-id: file:///svn/unbound/tags/release-1.9.1rc1@5131 be551aaa-1e26-0410-a405-d3ace91eadb9