Re: git: cad815552953 - main - dns/unbound: Update to unbound 1.19.3
- In reply to: Dan Langille : "git: cad815552953 - main - dns/unbound: Update to unbound 1.19.3"
Date: Fri, 15 Mar 2024 13:31:27 UTC
On Fri, Mar 15, 2024, at 8:37 AM, Dan Langille wrote:
> The branch main has been updated by dvl:
>
> URL:
> https://cgit.FreeBSD.org/ports/commit/?id=cad815552953aeb16257949d564a663705d2ce67
>
> commit cad815552953aeb16257949d564a663705d2ce67
> Author: Jaap Akkerhuis <jaap@NLnetLabs.nl>
> AuthorDate: 2024-03-14 13:00:53 +0000
> Commit: Dan Langille <dvl@FreeBSD.org>
> CommitDate: 2024-03-15 12:29:31 +0000
>
> dns/unbound: Update to unbound 1.19.3
>
> This release has a number of bug fixes. The CNAME synthesized for a
> DNAME record uses the original TTL, of the DNAME record, and that means
> it can be cached for the TTL, instead of 0.
>
> There is a fix that when a message was stored in cache, but one of the
> RRsets was not updated due to cache policy, it now restricts the message
> TTL if the cache version of the RRset has a shorter TTL. It avoids a
> bug where the message is not expired, but its contents are expired.
>
> For dnstap, it logs type DoH and DoT correctly, if that is used for
> the message.
>
> The b.root-servers.net address is updated in the default root hints.
>
> When performing retries for failed sends, a retry at a smaller UDP size
> is now not performed when that attempt is not actually smaller, and at
> defaults, since the flag day changes, it is the same size. This makes
> it skip the step, it is useless because there is no reduction in size.
>
> Clients with a valid DNS Cookie will bypass the ratelimit, if one is
> set. The value from ip-ratelimit-cookie is used for these queries.
>
> Furthermore there is a fix to make correct EDE Prohibited answers for
> access control denials, and a fix for EDNS client subnet scope zero
> answers.
>
> For more details, see
> https://github.com/NLnetLabs/unbound/releases/tag/release-1.19.3
> PR: 277686
> Security: c2ad8700-de25-11ee-9190-84a93843eb75
> ---
> dns/unbound/Makefile | 2 +-
> dns/unbound/distinfo | 6 +++---
> dns/unbound/pkg-plist | 2 +-
> security/vuxml/vuln/2024.xml | 26 ++++++++++++++++++++++++++
> 4 files changed, 31 insertions(+), 5 deletions(-)
>
> diff --git a/dns/unbound/Makefile b/dns/unbound/Makefile
> index 4ae9d9af2629..d44f32a56335 100644
> --- a/dns/unbound/Makefile
> +++ b/dns/unbound/Makefile
> @@ -1,5 +1,5 @@
> PORTNAME= unbound
> -DISTVERSION= 1.19.1
> +DISTVERSION= 1.19.3
> CATEGORIES= dns
> MASTER_SITES= https://www.nlnetlabs.nl/downloads/unbound/
>
> diff --git a/dns/unbound/distinfo b/dns/unbound/distinfo
> index 885164c792f0..e562c6066e68 100644
> --- a/dns/unbound/distinfo
> +++ b/dns/unbound/distinfo
> @@ -1,3 +1,3 @@
> -TIMESTAMP = 1707886312
> -SHA256 (unbound-1.19.1.tar.gz) =
> bc1d576f3dd846a0739adc41ffaa702404c6767d2b6082deb9f2f97cbb24a3a9
> -SIZE (unbound-1.19.1.tar.gz) = 6340435
> +TIMESTAMP = 1710413556
> +SHA256 (unbound-1.19.3.tar.gz) =
> 3ae322be7dc2f831603e4b0391435533ad5861c2322e34a76006a9fb65eb56b9
> +SIZE (unbound-1.19.3.tar.gz) = 6338685
> diff --git a/dns/unbound/pkg-plist b/dns/unbound/pkg-plist
> index fc24817f9c01..d4ba63f60c07 100644
> --- a/dns/unbound/pkg-plist
> +++ b/dns/unbound/pkg-plist
> @@ -5,7 +5,7 @@ libdata/pkgconfig/libunbound.pc
> lib/libunbound.a
> lib/libunbound.so
> lib/libunbound.so.8
> -lib/libunbound.so.8.1.24
> +lib/libunbound.so.8.1.26
> %%PYTHON%%%%PYTHON_SITELIBDIR%%/_unbound.so
> %%PYTHON%%%%PYTHON_SITELIBDIR%%/unbound.py
> %%PYTHON%%%%PYTHON_SITELIBDIR%%/unboundmodule.py
> diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml
> index 24fdf446ac91..d999fbe79bf7 100644
> --- a/security/vuxml/vuln/2024.xml
> +++ b/security/vuxml/vuln/2024.xml
> @@ -1,3 +1,29 @@
> + <vuln vid="6ef4043e-2912-4d79-ba1c-cfb8da63764d">
> + <topic>unbound--Denial of service when trimming EDE text on
> positive replies</topic>
> + <affects>
> + <package>
> + <name>unbound</name>
> + <range><lt></lt></range>
> + </package>
> + </affects>
> + <description>
> + <body xmlns="http://www.w3.org/1999/xhtml">
> + <p>SO-AND-SO reports:</p>
> + <blockquote cite="INSERT URL HERE">
I'll be fixing this. I didn't realize it was coming through. Sorry.
> + <p>.</p>
> + </blockquote>
> + </body>
> + </description>
> + <references>
> + <cvename>CVE-2024-1931</cvename>
> +
> <url>https://www.nlnetlabs.nl/downloads/unbound/CVE-2024-1931.txt</url>
> + </references>
> + <dates>
> + <discovery>2024-03-07</discovery>
> + <entry>2024-03-14</entry>
> + </dates>
> + </vuln>
> +
> <vuln vid="49dd9362-4473-48ae-8fac-e1b69db2dedf">
> <topic>electron{27,28} -- Out of bounds memory access in V8</topic>
> <affects>
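Review bot: the new unbound entry in security/vuxml/vuln/2024.xml is still the unfilled template. `<range><lt></lt></range>` carries no version, so the entry does not say which unbound versions are affected, and `SO-AND-SO reports:`, `cite="INSERT URL HERE"` and `<p>.</p>` are placeholders. Set `<lt>` to the fixed version (the Makefile hunk moves DISTVERSION to 1.19.3), and replace the attribution, the cite attribute and the blockquote body with the source and text of the advisory already listed under `<references>`. The commit message's Security: line also gives c2ad8700-de25-11ee-9190-84a93843eb75 while the vid added here is 6ef4043e-2912-4d79-ba1c-cfb8da63764d, so one of the two needs correcting.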
--
Dan Langille
dan@langille.org