Unbound 1.10.1 released

Hi,

Unbound 1.10.1 is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.10.1.tar.gz
sha256 b73677c21a71cf92f15cc8cfe76a3d875e40f65b6150081c39620b286582d536
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.10.1.tar.gz.asc

This release fixes CVE-2020-12662 and CVE-2020-12663.

Bug Fixes:
- CVE-2020-12662 Unbound can be tricked into amplifying an incoming
  query into a large number of queries directed to a target.
- CVE-2020-12663 Malformed answers from upstream name servers can be
  used to make Unbound unresponsive.

Best regards, Wouter

Is there a standard URL where I can download the public PGP key for
verifying the source signatures?

Ciao, Michael.

Hi Michael,

Is there a standard URL where I can download the public PGP key for
verifying the source signatures?

The fingerprint (and also for my colleagues),
https://www.nlnetlabs.nl/people/

The key is on several public keyservers. Also signatures from my
colleagues, whose fingerprint can be found on public keyservers too, and
my colleagues may have signatures from ietf,ripe key exchange.

Best regards, Wouter

pls tag "1.10.1" @ git, as well

atm, N/A ...

Hi PGNet Dev,

Built and runs on my platform.

All ok.

Thank you!

19.05.2020 14:03, Wouter Wijngaards via Unbound-users wrote:

hm. here,

rm -rf unbound-git
git clone https://github.com/NLnetLabs/unbound unbound-git
cd unbound-git
git tag -l | grep release-1.1[0-9]
  release-1.10.0
  release-1.10.0rc1
  release-1.10.0rc2

i'll grab the tarball for now ...

Hi PGNet Dev,

Hi,

Unbound 1.10.1 is available:

pls tag "1.10.1" @ git, as well

atm, N/A ...

What is the problem you refer to? The git tag is "release-1.10.1".
https://github.com/NLnetLabs/unbound/releases/tag/release-1.10.1

hm. here,

rm -rf unbound-git
git clone https://github.com/NLnetLabs/unbound unbound-git
cd unbound-git
git tag -l | grep release-1.1[0-9]
  release-1.10.0
  release-1.10.0rc1
  release-1.10.0rc2

i'll grab the tarball for now ...

That works too. `git pull --tags` pulls in the tag references for me
that are not locally available yet.

Best regards, Wouter

To be clear, the crux of the "problem" is that the commit tagged as release-1.10.1 is not part of the history of any named branch in the git repository. A plain "git fetch" only fetches tags that exist in the branches being fetched, and the default is to fetch only named branches.

The release-1.10.0 and release-1.9.5 tags are also not part of any named branch's history, and maybe some others (I did not check thoroughly; use "git branch -a --contains <tagname>").

There's nothing inherently "wrong" with having tags on nameless branches, but some folks might find it confusing.

    M.
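
The fetch behaviour described in the message above can be reproduced offline. This is an added example, not part of the original thread or the Unbound repository; the repository names `upstream` and `clone` and the tag `release-demo` are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: a release tag on a commit that no named branch contains.
demo_orphan_tag() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        # Identity passed per call so the demo needs no global git config.
        g() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }

        # "Upstream" repository with one commit on its default branch.
        git init -q upstream
        ( cd upstream && g commit -q --allow-empty -m "base" )

        # Downstream clone taken before the release is tagged.
        git clone -q upstream clone

        # Upstream tags a release on a detached commit (release = base + patch)
        # and returns to the branch, so the tag is on no named branch.
        (
            cd upstream || exit 1
            branch=$(git symbolic-ref --short HEAD)
            git checkout -q --detach
            g commit -q --allow-empty -m "security patch"
            g tag release-demo
            git checkout -q "$branch"
        )

        cd clone || exit 1
        # Plain fetch follows only tags pointing into fetched branch history.
        git fetch -q
        plain=$(git tag -l release-demo)
        # Fetching tags explicitly brings the reference in.
        git fetch -q --tags
        tagged=$(git tag -l release-demo)
        # The check suggested in the message: which branches contain the tag?
        contains=$(git branch -a --contains release-demo)
        printf 'plain=[%s] tags=[%s] branches=[%s]\n' "$plain" "$tagged" "$contains"
    )
    status=$?
    rm -rf "$work"
    return $status
}
```

Calling `demo_orphan_tag` prints one summary line: the tag is absent after the plain fetch, present after `git fetch --tags`, and contained in no branch.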

Hi,

Hello Wouter,

Unbound 1.10.1 is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.10.1.tar.gz
sha256 b73677c21a71cf92f15cc8cfe76a3d875e40f65b6150081c39620b286582d536
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.10.1.tar.gz.asc

Thank you for this new release. I noticed that the Changelog [1] that is
referenced on the webpage [2] shows the 20 February 2020 as the top
entry.

It seems to me that this is not as it should be, because the master branch
Changelog [3] shows the CVE's which are fixed in the 1.10.1 release.

[1]
https://github.com/NLnetLabs/unbound/blob/release-1.10.1/doc/Changelog
[2] https://nlnetlabs.nl/projects/unbound/about/
[3] https://github.com/NLnetLabs/unbound/blob/master/doc/Changelog

Hi Stefan,

Yes you are correct that is a missing dependency for information. The
1.10.1 is the 1.10.0 plus a patch, and to make it as close as possible,
I did not commit edits to the Changelog. I could have, but did not
realise it was linked from the webpage, it shows the change on the
downloads page, where I put the entry. I am not going to change the
1.10.1 release for it, but I would want to fix this information mixup
for other releases.

Best regards, Wouter

Got this version built on Solaris 11.4 with Studio 12.6. Still did get the following error when compiling:

Hi Jaco,

Got this version built on Solaris 11.4 with Studio 12.6. Still did get
the following error when compiling:
----------------------------------------------------------------------------------

"smallapp/unbound-checkconf.c", line 707: identifier redeclared:
auth_zones_delete
current : function() returning int
previous: function(pointer to struct auth_zones {struct
_pthread_rwlock {..} lock, struct rbtree_type {..} ztree, struct
rbtree_type {..} xtree, int have_downstream, unsigned long num_query_up,
unsigned long num_query_down, pointer to struct rpz {..} rpz_first,
struct _pthread_rwlock {..} rpz_lock}) returning void :
"./services/authzone.h", line 494
"smallapp/unbound-checkconf.c", line 708: syntax error before or at: }
cc: acomp failed for smallapp/unbound-checkconf.c
gmake: *** [Makefile:291: unbound-checkconf.lo] Error 1
----------------------------------------------------------------------------------

But got it sorted out by editing line 704 in
"smallapp/unbound-checkconf.c" changing from:
if(!az || !auth_zones_apply_cfg(az, cfg, 0i, &is_rpz)) {
To:
if(!az || !auth_zones_apply_cfg(az, cfg, 0, &is_rpz)) {

As per version 1.10.0 previously.

Thank you for the fix! It is already committed to the repo in commit
https://github.com/NLnetLabs/unbound/commit/cca5cfc88ff84fa8d6e5c619f3f31aa21bb33b5f

Version 1.10.0 did not have this fix, when I look in the .tar.gz. I
guess it was fixed for you by a patch included from a package repository
or so. The fix in the code repository is there for next releases.

Best regards, Wouter