Created attachment 249151 [details] patch to 1.19.3 Just a patch to update to 1.19.3
I'm afraid that there is more needed than just this patch. I'll send an improved patch later today.
Created attachment 249154 [details] corrected updated patch Corrected patch to upgrade port to the most recent version. Security record to update security/vuxml/vuln/2024.xml is not provided.
Created attachment 249156 [details] patch to upgrade [Patch by maintainer] This release has a number of bug fixes. The CNAME synthesized for a DNAME record uses the original TTL, of the DNAME record, and that means it can be cached for the TTL, instead of 0. There is a fix that when a message was stored in cache, but one of the RRsets was not updated due to cache policy, it now restricts the message TTL if the cache version of the RRset has a shorter TTL. It avoids a bug where the message is not expired, but its contents is expired. For dnstap, it logs type DoH and DoT correctly, if that is used for the message. The b.root-servers.net address is updated in the default root hints. When performing retries for failed sends, a retry at a smaller UDP size is now not performed when that attempt is not actually smaller, and at defaults, since the flag day changes, it is the same size. This makes it skip the step, it is useless because there is no reduction in size. Clients with a valid DNS Cookie will bypass the ratelimit, if one is set. The value from ip-ratelimit-cookie is used for these queries. Furthermore there is a fix to make correct EDE Prohibited answers for access control denials, and a fix for EDNS client subnet scope zero answers. For more details, see https://github.com/NLnetLabs/unbound/releases/tag/release-1.19.3
I was going to work on this now, but something has come up.
diff --git a/dns/unbound/Makefile b/dns/unbound/Makefile index 4ae9d9af2629..d44f32a56335 100644 --- a/dns/unbound/Makefile +++ b/dns/unbound/Makefile @@ -1,5 +1,5 @@ PORTNAME= unbound -DISTVERSION= 1.19.1 +DISTVERSION= 1.19.3 CATEGORIES= dns MASTER_SITES= https://www.nlnetlabs.nl/downloads/unbound/ diff --git a/dns/unbound/distinfo b/dns/unbound/distinfo index 885164c792f0..205e39e6bab4 100644 --- a/dns/unbound/distinfo +++ b/dns/unbound/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1707886312 -SHA256 (unbound-1.19.1.tar.gz) = bc1d576f3dd846a0739adc41ffaa702404c6767d2b6082deb9f2f97cbb24a3a9 -SIZE (unbound-1.19.1.tar.gz) = 6340435 +TIMESTAMP = 1710444112 +SHA256 (unbound-1.19.3.tar.gz) = 3ae322be7dc2f831603e4b0391435533ad5861c2322e34a76006a9fb65eb56b9 +SIZE (unbound-1.19.3.tar.gz) = 6338685 diff --git a/dns/unbound/pkg-plist b/dns/unbound/pkg-plist index fc24817f9c01..d4ba63f60c07 100644 --- a/dns/unbound/pkg-plist +++ b/dns/unbound/pkg-plist @@ -5,7 +5,7 @@ libdata/pkgconfig/libunbound.pc lib/libunbound.a lib/libunbound.so lib/libunbound.so.8 -lib/libunbound.so.8.1.24 +lib/libunbound.so.8.1.26 %%PYTHON%%%%PYTHON_SITELIBDIR%%/_unbound.so %%PYTHON%%%%PYTHON_SITELIBDIR%%/unbound.py %%PYTHON%%%%PYTHON_SITELIBDIR%%/unboundmodule.py
(In reply to Jordan Ostreff from comment #5) Let's see if I can get this done before $WORK.
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=cad815552953aeb16257949d564a663705d2ce67 commit cad815552953aeb16257949d564a663705d2ce67 Author: Jaap Akkerhuis <jaap@NLnetLabs.nl> AuthorDate: 2024-03-14 13:00:53 +0000 Commit: Dan Langille <dvl@FreeBSD.org> CommitDate: 2024-03-15 12:29:31 +0000 dns/unbound: Update to unbound 1.19.3 This release has a number of bug fixes. The CNAME synthesized for a DNAME record uses the original TTL, of the DNAME record, and that means it can be cached for the TTL, instead of 0. There is a fix that when a message was stored in cache, but one of the RRsets was not updated due to cache policy, it now restricts the message TTL if the cache version of the RRset has a shorter TTL. It avoids a bug where the message is not expired, but its contents is expired. For dnstap, it logs type DoH and DoT correctly, if that is used for the message. The b.root-servers.net address is updated in the default root hints. When performing retries for failed sends, a retry at a smaller UDP size is now not performed when that attempt is not actually smaller, and at defaults, since the flag day changes, it is the same size. This makes it skip the step, it is useless because there is no reduction in size. Clients with a valid DNS Cookie will bypass the ratelimit, if one is set. The value from ip-ratelimit-cookie is used for these queries. Furthermore there is a fix to make correct EDE Prohibited answers for access control denials, and a fix for EDNS client subnet scope zero answers. For more details, see https://github.com/NLnetLabs/unbound/releases/tag/release-1.19.3 PR: 277686 Security: c2ad8700-de25-11ee-9190-84a93843eb75 dns/unbound/Makefile | 2 +- dns/unbound/distinfo | 6 +++--- dns/unbound/pkg-plist | 2 +- security/vuxml/vuln/2024.xml | 26 ++++++++++++++++++++++++++ 4 files changed, 31 insertions(+), 5 deletions(-)
Thank you.
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=3bac9fee140f64f562008b81ea2f2391b3fca116 commit 3bac9fee140f64f562008b81ea2f2391b3fca116 Author: Dan Langille <dvl@FreeBSD.org> AuthorDate: 2024-03-15 13:48:30 +0000 Commit: Dan Langille <dvl@FreeBSD.org> CommitDate: 2024-03-15 13:48:30 +0000 security/vuxml: remove duplicate entry for CVE-2024-1931 PR: 277686 security/vuxml/vuln/2024.xml | 26 -------------------------- 1 file changed, 26 deletions(-)