Created attachment 235691: patch to update

This release fixes the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699. They were reported by Xiang Li from the Network and Information Security Lab of Tsinghua University. Other than that there are some bug fixes, and an option to configure the max retransmit timeout, infra-cache-max-rtt. If left at default it does not make any change. Because it is a security fix point release, there is no RC1 release candidate.

Features
- Merge #718: Introduce infra-cache-max-rtt option to config max retransmit timeout.

Bug Fixes
- Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
- Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for one loop pass'.
- Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on outbound tcp sockets.
- Fix verbose EDE error printout.
- Fix dname count in sldns parse type descriptor for SVCB and HTTPS.
- For windows crosscompile, fix setting the IPV6_MTU socket option equivalent (IPV6_USER_MTU); allows cross compiling with latest cross-compiler versions.
- Merge PR 714: Avoid treating normal hosts as unresponsive servers. And fixup the lock code.
- iana portlist update.
- Update documentation for 'outbound-msg-retry:'.
- Tests for ghost domain fixes.
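As an added example (not part of this PR, and not code from NLnet Labs or the FreeBSD project), the check an operator wants after reading the release notes above: is the Unbound actually running on a host at or past the 1.16.2 fix level? FreeBSD can carry two copies, the dns/unbound port binary `unbound` and the base-system `local-unbound`, so both are probed. The `vercmp` helper, the stripping of a port revision suffix such as `_1,1`, and the sample version strings are assumptions constructed for illustration; the fixed version 1.16.2 and the CVE identifiers come from the release notes.

```shell
#!/bin/sh
# Added example: decide whether an installed Unbound is at or past the
# 1.16.2 release that fixes CVE-2022-30698 and CVE-2022-30699.
# Versions are compared component by component, so 1.16.10 sorts after
# 1.16.2 (a plain string compare would get that wrong).

FIXED_VERSION="1.16.2"

# vercmp A B -> prints -1, 0 or 1 for A<B, A=B, A>B.
# A FreeBSD port revision/epoch suffix like "_1,1" is stripped first
# (assumption: only dotted-numeric versions need handling here).
vercmp() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        {
            sub(/[_,].*$/, "")
            n[NR] = NF
            for (i = 1; i <= NF; i++) v[NR, i] = $i + 0
        }
        END {
            m = (n[1] > n[2]) ? n[1] : n[2]
            for (i = 1; i <= m; i++) {
                x = v[1, i] + 0; y = v[2, i] + 0
                if (x < y) { print "-1"; exit }
                if (x > y) { print "1"; exit }
            }
            print "0"
        }'
}

# unbound_is_fixed VERSION -> exit status 0 if VERSION >= 1.16.2.
unbound_is_fixed() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -ge 0 ]
}

# installed_unbound_versions -> one "<binary> <version>" line per Unbound
# found in PATH, parsed from the "Version X.Y.Z" line of `<binary> -V`.
# The base-system daemon is named local-unbound, the port's is unbound.
installed_unbound_versions() {
    for bin in unbound local-unbound; do
        command -v "$bin" >/dev/null 2>&1 || continue
        "$bin" -V 2>/dev/null | awk -v b="$bin" '/^Version /{ print b, $2; exit }'
    done
}

# Constructed sample version strings (not taken from any real host).
for v in 1.16.1 1.16.2 1.16.2_1,1 1.16.10 1.9.1_2; do
    if unbound_is_fixed "$v"; then
        echo "$v: at or past the 1.16.2 fix release"
    else
        echo "$v: older than the 1.16.2 fix release, update"
    fi
done

# Then whatever is really installed on this host, if anything.
installed_unbound_versions | while read -r bin ver; do
    if unbound_is_fixed "$ver"; then
        echo "$bin $ver: at or past the 1.16.2 fix release"
    else
        echo "$bin $ver: older than the 1.16.2 fix release, update"
    fi
done
```

For the port, `pkg audit -F` already answers this once the VuXML entry exists, since it compares installed package versions against the vulnerability database; the script above covers the base-system copy, which pkg does not track, and the case where you want to look at the binary in PATH rather than package metadata.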
Hi, IMO, a vuxml entry should be created and MFH to 2022Q3 should be done. What do you think? Cheers
(In reply to Nuno Teixeira from comment #1) The severity is considered pretty low and there are no known exploits, but yes, for completeness, a vuxml entry is probably the right thing to do. An MFH might be overkill but why not, if it is not too much of a problem?
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9ed08e850c5cebd7a68fc1562c255382366c8d3c

commit 9ed08e850c5cebd7a68fc1562c255382366c8d3c
Author: Bernard Spil <brnrd@FreeBSD.org>
AuthorDate: 2022-08-05 18:58:00 +0000
Commit: Bernard Spil <brnrd@FreeBSD.org>
CommitDate: 2022-08-05 18:58:00 +0000

    dns/unbound: Security update to 1.6.2

    PR: 265645
    Reported by: Jaap Akkerhuis <jaap NLnetLabs nl> (maintainer)
    Security: bc43a578-14ec-11ed-856e-d4c9ef517024
    MFH: 2022Q3

 dns/unbound/Makefile | 2 +-
 dns/unbound/distinfo | 6 +++---
 dns/unbound/pkg-plist | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
A commit in branch 2022Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=75fa5d21c309eeef83eeffc0d2825bd79ca2f0f6

commit 75fa5d21c309eeef83eeffc0d2825bd79ca2f0f6
Author: Bernard Spil <brnrd@FreeBSD.org>
AuthorDate: 2022-08-05 18:58:00 +0000
Commit: Bernard Spil <brnrd@FreeBSD.org>
CommitDate: 2022-08-05 19:01:07 +0000

    dns/unbound: Security update to 1.6.2

    PR: 265645
    Reported by: Jaap Akkerhuis <jaap NLnetLabs nl> (maintainer)
    Security: bc43a578-14ec-11ed-856e-d4c9ef517024
    MFH: 2022Q3

    (cherry picked from commit 9ed08e850c5cebd7a68fc1562c255382366c8d3c)

 dns/unbound/Makefile | 2 +-
 dns/unbound/distinfo | 6 +++---
 dns/unbound/pkg-plist | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
Thanks Jaap! Registered vuxml entry, updated port and merged in 2022Q3
A commit in branch vendor/unbound references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=9b76d32f2310b735dbeb896cbf2776cad61f23e8

commit 9b76d32f2310b735dbeb896cbf2776cad61f23e8
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-08-05 20:02:55 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-08-05 20:02:55 +0000

    unbound: Vendor import 1.16.2

    Security update to unbound.

    PR: 265645
    Security: CVE-2022-30698, CVE-2022-30699
    Security: bc43a578-14ec-11ed-856e-d4c9ef517024

 SECURITY.md (new) | 31 +
 cachedb/cachedb.c | 2 +-
 configure | 25 +-
 configure.ac | 5 +-
 daemon/cachedump.c | 5 +-
 daemon/worker.c | 2 +-
 dns64/dns64.c | 4 +-
 doc/Changelog | 30 +-
 doc/README | 2 +-
 doc/example.conf.in | 8 +-
 doc/libunbound.3.in | 4 +-
 doc/unbound-anchor.8.in | 2 +-
 doc/unbound-checkconf.8.in | 2 +-
 doc/unbound-control.8.in | 2 +-
 doc/unbound-host.1.in | 2 +-
 doc/unbound.8.in | 4 +-
 doc/unbound.conf.5.in | 15 +-
 ipsecmod/ipsecmod.c | 2 +-
 iterator/iter_utils.c | 6 +-
 iterator/iter_utils.h | 3 +-
 iterator/iterator.c | 23 +-
 iterator/iterator.h | 12 +-
 pythonmod/interface.i | 5 +-
 pythonmod/pythonmod_utils.c | 3 +-
 services/authzone.c | 1 -
 services/cache/dns.c | 111 +-
 services/cache/dns.h | 18 +-
 services/cache/infra.c | 6 +-
 services/listen_dnsport.c | 17 +-
 services/mesh.c | 1 +
 sldns/rrdef.c | 4 +-
 sldns/wire2str.c | 2 +-
 testdata/iter_ghost_sub.rpl (new) | 309 ++
 testdata/iter_ghost_timewindow.rpl (new) | 391 +++
 testdata/iter_prefetch_change.rpl | 16 +-
 util/config_file.c | 15 +-
 util/config_file.h | 4 +-
 util/configlexer.c | 4869 +++++++++++++++---------------
 util/configlexer.lex | 1 +
 util/configparser.c | 3833 +++++++++++------------
 util/configparser.h | 656 ++--
 util/configparser.y | 13 +-
 util/data/msgreply.c | 2 +-
 util/iana_ports.inc | 1 +
 util/module.h | 6 +
 util/rtt.c | 3 +
 util/rtt.h | 2 +-
 validator/val_utils.c | 1 -
 validator/validator.c | 7 +-
 49 files changed, 5722 insertions(+), 4766 deletions(-)
The tag vendor/unbound/1.16.2 references this bug:

URL: https://cgit.FreeBSD.org/src/tag/?h=vendor/unbound/1.16.2

tag vendor/unbound/1.16.2
Tagger: Cy Schubert <cy@FreeBSD.org>
TaggerDate: 2022-08-05 20:06:23 +0000

    Unbound: Tag 1.16.2

commit 9b76d32f2310b735dbeb896cbf2776cad61f23e8
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-08-05 20:02:55 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-08-05 20:02:55 +0000

    unbound: Vendor import 1.16.2

    Security update to unbound.

    PR: 265645
    Security: CVE-2022-30698, CVE-2022-30699
    Security: bc43a578-14ec-11ed-856e-d4c9ef517024

 SECURITY.md (new) | 31 +
 cachedb/cachedb.c | 2 +-
 configure | 25 +-
 configure.ac | 5 +-
 daemon/cachedump.c | 5 +-
 daemon/worker.c | 2 +-
 dns64/dns64.c | 4 +-
 doc/Changelog | 30 +-
 doc/README | 2 +-
 doc/example.conf.in | 8 +-
 doc/libunbound.3.in | 4 +-
 doc/unbound-anchor.8.in | 2 +-
 doc/unbound-checkconf.8.in | 2 +-
 doc/unbound-control.8.in | 2 +-
 doc/unbound-host.1.in | 2 +-
 doc/unbound.8.in | 4 +-
 doc/unbound.conf.5.in | 15 +-
 ipsecmod/ipsecmod.c | 2 +-
 iterator/iter_utils.c | 6 +-
 iterator/iter_utils.h | 3 +-
 iterator/iterator.c | 23 +-
 iterator/iterator.h | 12 +-
 pythonmod/interface.i | 5 +-
 pythonmod/pythonmod_utils.c | 3 +-
 services/authzone.c | 1 -
 services/cache/dns.c | 111 +-
 services/cache/dns.h | 18 +-
 services/cache/infra.c | 6 +-
 services/listen_dnsport.c | 17 +-
 services/mesh.c | 1 +
 sldns/rrdef.c | 4 +-
 sldns/wire2str.c | 2 +-
 testdata/iter_ghost_sub.rpl (new) | 309 ++
 testdata/iter_ghost_timewindow.rpl (new) | 391 +++
 testdata/iter_prefetch_change.rpl | 16 +-
 util/config_file.c | 15 +-
 util/config_file.h | 4 +-
 util/configlexer.c | 4869 +++++++++++++++---------------
 util/configlexer.lex | 1 +
 util/configparser.c | 3833 +++++++++++------------
 util/configparser.h | 656 ++--
 util/configparser.y | 13 +-
 util/data/msgreply.c | 2 +-
 util/iana_ports.inc | 1 +
 util/module.h | 6 +
 util/rtt.c | 3 +
 util/rtt.h | 2 +-
 validator/val_utils.c | 1 -
 validator/validator.c | 7 +-
 49 files changed, 5722 insertions(+), 4766 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=790c6b245151d6d5a26b84e5f34fee61453e2e60

commit 790c6b245151d6d5a26b84e5f34fee61453e2e60
Merge: 220818ac0307 9b76d32f2310
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-08-06 01:44:40 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-08-06 01:44:40 +0000

    unbound: Vendor import 1.16.2

    Security update to unbound.

    PR: 265645
    Security: CVE-2022-30698, CVE-2022-30699
    Security: bc43a578-14ec-11ed-856e-d4c9ef517024
    MFC after: 3 days

    Merge commit '9b76d32f2310b735dbeb896cbf2776cad61f23e8' into main

 contrib/unbound/SECURITY.md (new) | 31 ++
 contrib/unbound/cachedb/cachedb.c | 2 +-
 contrib/unbound/configure | 25 +-
 contrib/unbound/configure.ac | 5 +-
 contrib/unbound/daemon/cachedump.c | 5 +-
 contrib/unbound/daemon/worker.c | 2 +-
 contrib/unbound/dns64/dns64.c | 4 +-
 contrib/unbound/doc/Changelog | 30 +-
 contrib/unbound/doc/README | 2 +-
 contrib/unbound/doc/example.conf.in | 8 +-
 contrib/unbound/doc/libunbound.3.in | 4 +-
 contrib/unbound/doc/unbound-anchor.8.in | 2 +-
 contrib/unbound/doc/unbound-checkconf.8.in | 2 +-
 contrib/unbound/doc/unbound-control.8.in | 2 +-
 contrib/unbound/doc/unbound-host.1.in | 2 +-
 contrib/unbound/doc/unbound.8.in | 4 +-
 contrib/unbound/doc/unbound.conf.5.in | 15 +-
 contrib/unbound/ipsecmod/ipsecmod.c | 2 +-
 contrib/unbound/iterator/iter_utils.c | 6 +-
 contrib/unbound/iterator/iter_utils.h | 3 +-
 contrib/unbound/iterator/iterator.c | 23 +-
 contrib/unbound/iterator/iterator.h | 12 +-
 contrib/unbound/services/authzone.c | 1 -
 contrib/unbound/services/cache/dns.c | 111 +++++-
 contrib/unbound/services/cache/dns.h | 18 +-
 contrib/unbound/services/cache/infra.c | 6 +-
 contrib/unbound/services/listen_dnsport.c | 17 +-
 contrib/unbound/services/mesh.c | 1 +
 contrib/unbound/sldns/rrdef.c | 4 +-
 contrib/unbound/sldns/wire2str.c | 2 +-
 contrib/unbound/testdata/iter_ghost_sub.rpl (new) | 309 ++++++++++++++++
 .../testdata/iter_ghost_timewindow.rpl (new) | 391 +++++++++++++++++++++
 contrib/unbound/util/config_file.c | 15 +-
 contrib/unbound/util/config_file.h | 4 +-
 contrib/unbound/util/configlexer.lex | 1 +
 contrib/unbound/util/configparser.y | 13 +-
 contrib/unbound/util/data/msgreply.c | 2 +-
 contrib/unbound/util/iana_ports.inc | 1 +
 contrib/unbound/util/module.h | 6 +
 contrib/unbound/util/rtt.c | 3 +
 contrib/unbound/util/rtt.h | 2 +-
 contrib/unbound/validator/val_utils.c | 1 -
 contrib/unbound/validator/validator.c | 7 +-
 43 files changed, 1015 insertions(+), 91 deletions(-)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=ed7eaf6b8dce3765542d0695a5ff8fa8148978c2

commit ed7eaf6b8dce3765542d0695a5ff8fa8148978c2
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-08-06 01:44:40 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-08-09 13:29:14 +0000

    unbound: Vendor import 1.16.2

    Security update to unbound.

    PR: 265645
    Security: CVE-2022-30698, CVE-2022-30699
    Security: bc43a578-14ec-11ed-856e-d4c9ef517024

    Merge commit '9b76d32f2310b735dbeb896cbf2776cad61f23e8' into main

    (cherry picked from commit 790c6b245151d6d5a26b84e5f34fee61453e2e60)

 contrib/unbound/SECURITY.md (new) | 31 ++
 contrib/unbound/cachedb/cachedb.c | 2 +-
 contrib/unbound/configure | 25 +-
 contrib/unbound/configure.ac | 5 +-
 contrib/unbound/daemon/cachedump.c | 5 +-
 contrib/unbound/daemon/worker.c | 2 +-
 contrib/unbound/dns64/dns64.c | 4 +-
 contrib/unbound/doc/Changelog | 30 +-
 contrib/unbound/doc/README | 2 +-
 contrib/unbound/doc/example.conf.in | 8 +-
 contrib/unbound/doc/libunbound.3.in | 4 +-
 contrib/unbound/doc/unbound-anchor.8.in | 2 +-
 contrib/unbound/doc/unbound-checkconf.8.in | 2 +-
 contrib/unbound/doc/unbound-control.8.in | 2 +-
 contrib/unbound/doc/unbound-host.1.in | 2 +-
 contrib/unbound/doc/unbound.8.in | 4 +-
 contrib/unbound/doc/unbound.conf.5.in | 15 +-
 contrib/unbound/ipsecmod/ipsecmod.c | 2 +-
 contrib/unbound/iterator/iter_utils.c | 6 +-
 contrib/unbound/iterator/iter_utils.h | 3 +-
 contrib/unbound/iterator/iterator.c | 23 +-
 contrib/unbound/iterator/iterator.h | 12 +-
 contrib/unbound/services/authzone.c | 1 -
 contrib/unbound/services/cache/dns.c | 111 +++++-
 contrib/unbound/services/cache/dns.h | 18 +-
 contrib/unbound/services/cache/infra.c | 6 +-
 contrib/unbound/services/listen_dnsport.c | 17 +-
 contrib/unbound/services/mesh.c | 1 +
 contrib/unbound/sldns/rrdef.c | 4 +-
 contrib/unbound/sldns/wire2str.c | 2 +-
 contrib/unbound/testdata/iter_ghost_sub.rpl (new) | 309 ++++++++++++++++
 .../testdata/iter_ghost_timewindow.rpl (new) | 391 +++++++++++++++++++++
 contrib/unbound/util/config_file.c | 15 +-
 contrib/unbound/util/config_file.h | 4 +-
 contrib/unbound/util/configlexer.lex | 1 +
 contrib/unbound/util/configparser.y | 13 +-
 contrib/unbound/util/data/msgreply.c | 2 +-
 contrib/unbound/util/iana_ports.inc | 1 +
 contrib/unbound/util/module.h | 6 +
 contrib/unbound/util/rtt.c | 3 +
 contrib/unbound/util/rtt.h | 2 +-
 contrib/unbound/validator/val_utils.c | 1 -
 contrib/unbound/validator/validator.c | 7 +-
 43 files changed, 1015 insertions(+), 91 deletions(-)
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=3f83233b4d510ce8f3f940ca6786fc99b746346e

commit 3f83233b4d510ce8f3f940ca6786fc99b746346e
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-08-06 01:44:40 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-08-09 13:31:20 +0000

    unbound: Vendor import 1.16.2

    Security update to unbound.

    PR: 265645
    Security: CVE-2022-30698, CVE-2022-30699
    Security: bc43a578-14ec-11ed-856e-d4c9ef517024

    Merge commit '9b76d32f2310b735dbeb896cbf2776cad61f23e8' into main

    (cherry picked from commit 790c6b245151d6d5a26b84e5f34fee61453e2e60)

 contrib/unbound/SECURITY.md (new) | 31 ++
 contrib/unbound/cachedb/cachedb.c | 2 +-
 contrib/unbound/configure | 25 +-
 contrib/unbound/configure.ac | 5 +-
 contrib/unbound/daemon/cachedump.c | 5 +-
 contrib/unbound/daemon/worker.c | 2 +-
 contrib/unbound/dns64/dns64.c | 4 +-
 contrib/unbound/doc/Changelog | 30 +-
 contrib/unbound/doc/README | 2 +-
 contrib/unbound/doc/example.conf.in | 8 +-
 contrib/unbound/doc/libunbound.3.in | 4 +-
 contrib/unbound/doc/unbound-anchor.8.in | 2 +-
 contrib/unbound/doc/unbound-checkconf.8.in | 2 +-
 contrib/unbound/doc/unbound-control.8.in | 2 +-
 contrib/unbound/doc/unbound-host.1.in | 2 +-
 contrib/unbound/doc/unbound.8.in | 4 +-
 contrib/unbound/doc/unbound.conf.5.in | 15 +-
 contrib/unbound/ipsecmod/ipsecmod.c | 2 +-
 contrib/unbound/iterator/iter_utils.c | 6 +-
 contrib/unbound/iterator/iter_utils.h | 3 +-
 contrib/unbound/iterator/iterator.c | 23 +-
 contrib/unbound/iterator/iterator.h | 12 +-
 contrib/unbound/services/authzone.c | 1 -
 contrib/unbound/services/cache/dns.c | 111 +++++-
 contrib/unbound/services/cache/dns.h | 18 +-
 contrib/unbound/services/cache/infra.c | 6 +-
 contrib/unbound/services/listen_dnsport.c | 17 +-
 contrib/unbound/services/mesh.c | 1 +
 contrib/unbound/sldns/rrdef.c | 4 +-
 contrib/unbound/sldns/wire2str.c | 2 +-
 contrib/unbound/testdata/iter_ghost_sub.rpl (new) | 309 ++++++++++++++++
 .../testdata/iter_ghost_timewindow.rpl (new) | 391 +++++++++++++++++++++
 contrib/unbound/util/config_file.c | 15 +-
 contrib/unbound/util/config_file.h | 4 +-
 contrib/unbound/util/configlexer.lex | 1 +
 contrib/unbound/util/configparser.y | 13 +-
 contrib/unbound/util/data/msgreply.c | 2 +-
 contrib/unbound/util/iana_ports.inc | 1 +
 contrib/unbound/util/module.h | 6 +
 contrib/unbound/util/rtt.c | 3 +
 contrib/unbound/util/rtt.h | 2 +-
 contrib/unbound/validator/val_utils.c | 1 -
 contrib/unbound/validator/validator.c | 7 +-
 43 files changed, 1015 insertions(+), 91 deletions(-)