packages/unbound
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:22cfd5f215bce55a2074d2b7b98463d92a88c2fe
Branches Tags
packages:main
..
compare: packages:d8a7bde7ea66b750a235b75130c3910c68663b60
Branches Tags
packages:main

10 Commits
22cfd5f215 ... d8a7bde7ea

Author SHA1 Message Date
openeuler-ci-bot
d8a7bde7ea
!113 move files about anchor and pem to separate package 
From: @eaglegai 
Reviewed-by: @renmingshuai 
Signed-off-by: @renmingshuai
 2024-06-25 06:17:39 +00:00
eaglegai
6225641fe0 move files about anchor and pem to separate package 
Signed-off-by: eaglegai <eaglegai@163.com>
 2024-06-25 03:13:40 +00:00
openeuler-ci-bot
7ce3ff78ff
!105 [sync] PR-98: change ExecReload to fix reload failure 
From: @openeuler-sync-bot 
Reviewed-by: @robertxw 
Signed-off-by: @robertxw
 2024-03-06 02:11:29 +00:00
eaglegai
dabbc85b85 change ExecReload to fix reload failure 
(cherry picked from commit 75d3bdea47ba4e33d9285b527089c6202bf618d9)
 2024-03-06 09:21:30 +08:00
openeuler-ci-bot
7081e64a80
!93 [sync] PR-91: fix CVE-2024-1488 
From: @openeuler-sync-bot 
Reviewed-by: @gebidelidaye 
Signed-off-by: @gebidelidaye
 2024-02-28 01:05:50 +00:00
eaglegai
cc15a59a0d fix CVE-2024-1488 
(cherry picked from commit 1cf5fe79d84d50636922c83d71ebb7a4195ecee3)
 2024-02-27 14:23:49 +08:00
openeuler-ci-bot
af35215d9d
!85 [sync] PR-81: fix CVE-2023-50387 CVE-2023-50868 
From: @openeuler-sync-bot 
Reviewed-by: @gebidelidaye 
Signed-off-by: @gebidelidaye
 2024-02-26 07:07:46 +00:00
eaglegai
230070f675 fix CVE-2023-50387 CVE-2023-50868 
(cherry picked from commit 75ddb133697ff2dc97e2a648921d680def0ef483)
 2024-02-26 11:10:09 +08:00
openeuler-ci-bot
c6e52e672b
!75 [sync] PR-72: change run directory from /var/run to /run 
From: @openeuler-sync-bot 
Reviewed-by: @seuzw 
Signed-off-by: @seuzw
 2023-03-04 06:28:31 +00:00
eaglegai
f940b468a2 change run directory from /var/run to /run to fix 
(cherry picked from commit f0d36000052d481f09ee7252a88b743ef123c6c8)
 2023-03-03 17:29:05 +08:00
5 changed files with 2407 additions and 22 deletions
Show Stats Expand all files Collapse all files

2345
backport-CVE-2023-50387_CVE-2023-50868.patch Normal file
View File

File diff suppressed because it is too large Load Diff

2
tmpfiles-unbound.conf
View File

@ -1 +1 @@
D /var/run/unbound 0755 unbound unbound - D /run/unbound 0755 unbound unbound -

2
unbound.conf
View File

@ -805,7 +805,7 @@ remote-control:
# Enable remote control with unbound-control(8) here. # Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup. # set up the keys and certificates with unbound-control-setup.
# Note: required for unbound-munin package # Note: required for unbound-munin package
control-enable: yes control-enable: no
# Set to no and use an absolute path as control-interface to use # Set to no and use an absolute path as control-interface to use
# a unix local named pipe for unbound-control. # a unix local named pipe for unbound-control.

2
unbound.service
View File

@ -13,7 +13,7 @@ EnvironmentFile=-/etc/sysconfig/unbound
ExecStartPre=/usr/sbin/unbound-checkconf ExecStartPre=/usr/sbin/unbound-checkconf
ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R
ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
ExecReload=/usr/sbin/unbound-control reload ExecReload=+/bin/kill -HUP $MAINPID
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

78
unbound.spec
View File

@ -2,7 +2,7 @@
Name: unbound Name: unbound
Version: 1.13.2 Version: 1.13.2
Release: 7 Release: 12
Summary: Unbound is a validating, recursive, caching DNS resolver Summary: Unbound is a validating, recursive, caching DNS resolver
License: BSD License: BSD
Url: https://nlnetlabs.nl/projects/unbound/about/ Url: https://nlnetlabs.nl/projects/unbound/about/
@ -27,6 +27,7 @@ Patch2: backport-CVE-2022-30698-and-CVE-2022-30699.patch
Patch3: backport-CVE-2022-3204.patch Patch3: backport-CVE-2022-3204.patch
Patch4: backport-Undefine-shift-in-sldns_str2wire_hip_buf.patch Patch4: backport-Undefine-shift-in-sldns_str2wire_hip_buf.patch
Patch5: backport-Integer-overflow-in-sldns_wire2str_pkt_scan.patch Patch5: backport-Integer-overflow-in-sldns_wire2str_pkt_scan.patch
Patch6: backport-CVE-2023-50387_CVE-2023-50868.patch
BuildRequires: make flex swig pkgconfig systemd BuildRequires: make flex swig pkgconfig systemd
BuildRequires: libevent-devel expat-devel openssl-devel python3-devel BuildRequires: libevent-devel expat-devel openssl-devel python3-devel
@ -34,6 +35,7 @@ BuildRequires: gcc
%{?systemd_requires} %{?systemd_requires}
Requires: %{name}-libs = %{version}-%{release} Requires: %{name}-libs = %{version}-%{release}
Requires: %{name}-anchor = %{version}-%{release}
%description %description
Unbound is a validating, recursive, caching DNS resolver. It is designed Unbound is a validating, recursive, caching DNS resolver. It is designed
@ -51,6 +53,13 @@ Requires(pre): shadow-utils
%description libs %description libs
Libraries for %{name}. Libraries for %{name}.
%package anchor
Requires: %{name}-libs = %{version}-%{release}
Summary: DNSSEC trust anchor maintaining tool
%description anchor
Contains tool maintaining trust anchor using RFC 5011 key rollover algorithm.
%package devel %package devel
Summary: Libraries and header files Summary: Libraries and header files
Requires: %{name}-libs = %{version}-%{release} openssl-devel pkgconfig Requires: %{name}-libs = %{version}-%{release} openssl-devel pkgconfig
@ -88,7 +97,7 @@ popd
--enable-relro-now --enable-pie \\\ --enable-relro-now --enable-pie \\\
--enable-subnet --enable-ipsecmod \\\ --enable-subnet --enable-ipsecmod \\\
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
--with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \\\ --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
--enable-sha2 --disable-gost --enable-ecdsa \\\ --enable-sha2 --disable-gost --enable-ecdsa \\\
--with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\ --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\
--enable-linux-ip-local-port-range --enable-linux-ip-local-port-range
@ -133,7 +142,7 @@ do
echo ".so man3/libunbound.3" > $RPM_BUILD_ROOT%{_mandir}/man3/$mpage ; echo ".so man3/libunbound.3" > $RPM_BUILD_ROOT%{_mandir}/man3/$mpage ;
done done
install -d $RPM_BUILD_ROOT%{_localstatedir}/run/unbound install -d $RPM_BUILD_ROOT%{_rundir}/unbound
install -d $RPM_BUILD_ROOT%{_sysconfdir}/unbound/{keys.d,conf.d,local.d} install -d $RPM_BUILD_ROOT%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
install -p %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}/unbound/keys.d/ install -p %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}/unbound/keys.d/
@ -152,10 +161,11 @@ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
%systemd_post unbound.service %systemd_post unbound.service
%systemd_post unbound-keygen.service %systemd_post unbound-keygen.service
%post libs %post anchor
%{?ldconfig} %systemd_post unbound-anchor.service unbound-anchor.timer
%systemd_post unbound-anchor.timer # start the timer only if installing the package to prevent starting it, if it was stopped on purpose
if [ "$1" -eq 1 ]; then if [ "$1" -eq 1 ]; then
# the Unit is in presets, but would be started after reboot
/bin/systemctl start unbound-anchor.timer >/dev/null 2>&1 || : /bin/systemctl start unbound-anchor.timer >/dev/null 2>&1 || :
fi fi
@ -163,16 +173,15 @@ fi
%systemd_preun unbound.service %systemd_preun unbound.service
%systemd_preun unbound-keygen.service %systemd_preun unbound-keygen.service
%preun libs %preun anchor
%systemd_preun unbound-anchor.timer %systemd_preun unbound-anchor.service unbound-anchor.timer
%postun %postun
%systemd_postun_with_restart unbound.service %systemd_postun_with_restart unbound.service
%systemd_postun unbound-keygen.service %systemd_postun unbound-keygen.service
%postun libs %postun anchor
%{?ldconfig} %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer
%systemd_postun_with_restart unbound-anchor.timer
%triggerun -- unbound < 1.4.12-4 %triggerun -- unbound < 1.4.12-4
/usr/bin/systemd-sysv-convert --save unbound >/dev/null 2>&1 ||: /usr/bin/systemd-sysv-convert --save unbound >/dev/null 2>&1 ||:
@ -190,6 +199,7 @@ popd
%defattr(-,root,root) %defattr(-,root,root)
%doc doc/CREDITS doc/FEATURES doc/README doc/LICENSE %doc doc/CREDITS doc/FEATURES doc/README doc/LICENSE
%attr(0644,root,root) %{_tmpfilesdir}/unbound.conf %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
%attr(0755,unbound,unbound) %dir %{_rundir}/%{name}
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name} %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
@ -209,22 +219,14 @@ popd
%files libs %files libs
%defattr(-,root,root) %defattr(-,root,root)
%dir %attr(0755,root,root) %{_sysconfdir}/%{name}
%if %{?openEuler:1}0 %if %{?openEuler:1}0
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name} %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key %attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
%{_sysconfdir}/%{name}/icannbundle.pem
%else %else
%attr(0600,root,root) %config %{_sysconfdir}/%{name}/root.key
%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name} %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
%attr(0600,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key %attr(0600,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
%attr(0600,root,root) %{_sysconfdir}/%{name}/icannbundle.pem
%endif %endif
%{_sbindir}/unbound-anchor
%{_libdir}/libunbound.so.* %{_libdir}/libunbound.so.*
%{_unitdir}/unbound-anchor.timer
%{_unitdir}/unbound-anchor.service
%files -n python3-unbound %files -n python3-unbound
%defattr(-,root,root) %defattr(-,root,root)
@ -237,11 +239,49 @@ popd
%{_libdir}/pkgconfig/*.pc %{_libdir}/pkgconfig/*.pc
%{_includedir}/* %{_includedir}/*
%files anchor
%dir %attr(0755,root,root) %{_sysconfdir}/%{name}
%{_sbindir}/unbound-anchor
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
%{_sysconfdir}/%{name}/icannbundle.pem
%{_unitdir}/unbound-anchor.timer
%{_unitdir}/unbound-anchor.service
%files help %files help
%defattr(-,root,root) %defattr(-,root,root)
%{_mandir}/man* %{_mandir}/man*
%changelog %changelog
* Tue Jun 25 2024 gaihuiying <eaglegai@163.com> - 1.13.2-12
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:move files about anchor and pem to separate package
* Tue Mar 05 2024 gaihuiying <eaglegai@163.com> - 1.13.2-11
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:change ExecReload to fix reload failure
* Tue Feb 27 2024 gaihuiying <eaglegai@163.com> - 1.13.2-10
- Type:cves
- CVE:CVE-2024-1488
- SUG:NA
- DESC:fix CVE-2024-1488
* Fri Feb 23 2024 gaihuiying <eaglegai@163.com> - 1.13.2-9
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:fix CVE-2023-50387 CVE-2023-50868
* Fri Mar 03 2023 gaihuiying <eaglegai@163.com> - 1.13.2-8
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:change run directory from /var/run to /run to fix "/usr/lib/tmpfiles.d/unbound.conf:1: xxxx"
* Wed Feb 22 2023 gaihuiying <eaglegai@163.com> - 1.13.2-7 * Wed Feb 22 2023 gaihuiying <eaglegai@163.com> - 1.13.2-7
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA