--- 9.18.24 released ---
6343. [bug] Fix case insensitive setting for isc_ht hashtable.
[GL #4568]
--- 9.18.23 released ---
6322. [security] Specific DNS answers could cause a denial-of-service
condition due to DNSSEC validation taking a long time.
(CVE-2023-50387) [GL #4424]
6321. [security] Change 6315 inadvertently introduced regressions that
could cause named to crash. [GL #4234]
6320. [bug] Under some circumstances, the DoT code in client
mode could process more than one message at a time when
that was not expected. That has been fixed. [GL #4487]
--- 9.18.22 released ---
6319. [func] Limit isc_task_send() overhead for RBTDB tree pruning.
[GL #4383]
6317. [security] Restore DNS64 state when handling a serve-stale timeout.
(CVE-2023-5679) [GL #4334]
6316. [security] Specific queries could trigger an assertion check with
nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281]
6315. [security] Speed up parsing of DNS messages with many different
names. (CVE-2023-4408) [GL #4234]
6314. [bug] Address race conditions in dns_tsigkey_find().
[GL #4182]
6312. [bug] Conversion from NSEC3 signed to NSEC signed could
temporarily put the zone into a state where it was
treated as unsigned until the NSEC chain was built.
Additionally conversion from one set of NSEC3 parameters
to another could also temporarily put the zone into a
state where it was treated as unsigned until the new
NSEC3 chain was built. [GL #1794] [GL #4495]
6310. [bug] Memory leak in zone.c:sign_zone. When named signed a
zone it could leak dst_keys due to a misplaced
'continue'. [GL #4488]
6306. [func] Log more details about the cause of "not exact" errors.
[GL #4500]
6304. [bug] The wrong time was being used to determine what RRSIGs
were to be generated when dnssec-policy was in use.
[GL #4494]
6302. [func] The "trust-anchor-telemetry" statement is no longer
marked as experimental. This silences a relevant log
message that was emitted even when the feature was
explicitly disabled. [GL #4497]
6300. [bug] Fix statistics export to use full 64 bit signed numbers
instead of truncating values to unsigned 32 bits.
[GL #4467]
6299. [port] NetBSD has added 'hmac' to libc which collides with our
use of 'hmac'. [GL #4478]
--- 9.18.21 released ---
6297. [bug] Improve LRU cleaning behaviour. [GL #4448]
6296. [func] The "resolver-nonbackoff-tries" and
"resolver-retry-interval" options are deprecated;
a warning will be logged if they are used. [GL #4405]
6294. [bug] BIND might sometimes crash after startup or
re-configuration when one 'tls' entry is used multiple
times to connect to remote servers due to initialisation
attempts from contexts of multiple threads. That has
been fixed. [GL #4464]
6290. [bug] Dig +yaml will now report "no servers could be reached"
also for UDP setup failure when no other servers or
tries are left. [GL #1229]
6287. [bug] Recognize escapes when reading the public key from file.
[GL !8502]
6286. [bug] Dig +yaml will now report "no servers could be reached"
on TCP connection failure as well as for UDP timeouts.
[GL #4396]
6282. [func] Deprecate AES-based DNS cookies. [GL #4421]
--- 9.18.20 released ---
6280. [bug] Fix missing newlines in the output of "rndc nta -dump".
[GL !8454]
6277. [bug] Take into account local authoritative zones when
falling back to serve-stale. [GL #4355]
6275. [bug] Fix assertion failure when using lock-file configuration
option together with the -X argument to named. [GL #4386]
6274. [bug] The 'lock-file' file was being removed when it
shouldn't have been, making it ineffective if named was
started 3 or more times. [GL #4387]
6271. [bug] Fix a shutdown race in dns__catz_update_cb(). [GL #4381]
6269. [maint] B.ROOT-SERVERS.NET addresses are now 170.247.170.2 and
2801:1b8:10::b. [GL #4101]
6267. [func] The timeouts for resending zone refresh queries over UDP
were lowered to enable named to more quickly determine
that a primary is down. [GL #4260]
6265. [bug] Don't schedule resign operations on the raw version
of an inline-signing zone. [GL #4350]
6261. [bug] Fix a possible assertion failure on an error path in
resolver.c:fctx_query(), when using an uninitialized
link. [GL #4331]
6254. [cleanup] Add semantic patch to do an explicit cast from char
to unsigned char in ctype.h class of functions.
[GL #4327]
6252. [test] Python system tests have to be executed by invoking
pytest directly. Executing them with the legacy test
runner is no longer supported. [GL #4250]
6250. [bug] The wrong covered value was being set by
dns_ncache_current for RRSIG records in the returned
rdataset structure. This resulted in TYPE0 being
reported as the covered value of the RRSIG when dumping
the cache contents. [GL #4314]
--- 9.18.19 released ---
6246. [security] Fix use-after-free error in TLS DNS code when sending
data. (CVE-2023-4236) [GL #4242]
6245. [security] Limit the amount of recursion that can be performed
by isccc_cc_fromwire. (CVE-2023-3341) [GL #4152]
6244. [bug] Adjust log levels on malformed messages to NOTICE when
transferring in a zone. [GL #4290]
6241. [bug] Take into account the possibility of partial TLS writes
in TLS DNS code. That helps to prevent DNS messages
corruption on long DNS over TLS streams. [GL #4255]
6240. [bug] Use dedicated per-worker thread jemalloc memory
arenas for send buffers allocation to reduce memory
consumption and avoid lock contention. [GL #4038]
6239. [func] Deprecate the 'dnssec-must-be-secure' option.
[GL #3700]
6237. [bug] Address memory leaks due to not clearing OpenSSL error
stack. [GL #4159]
6235. [doc] Clarify BIND 9 time formats. [GL #4266]
6234. [bug] Restore stale-refresh-time value after flushing the
cache. [GL #4278]
6232. [bug] Following the introduction of krb5-subdomain-self-rhs
and ms-subdomain-self-rhs update rules, removal of
nonexistent PTR and SRV records via UPDATE could fail.
[GL #4280]
6231. [func] Make nsupdate honor -v for SOA requests if the server
is specified. [GL #1181]
6230. [bug] Prevent an unnecessary query restart if a synthesized
CNAME target points to the CNAME owner. [GL #3835]
6227. [bug] Check the statistics-channel HTTP Content-length
to prevent negative or overflowing values from
causing a crash. [GL #4125]
6224. [bug] Check the If-Modified-Since value length to prevent
out-of-bounds write. [GL #4124]
--- 9.18.18 released ---
6220. [func] Deprecate the 'dialup' and 'heartbeat-interval'
options. [GL #3700]
6219. [bug] Ignore 'max-zone-ttl' on 'dnssec-policy insecure'.
[GL #4032]
6215. [protocol] Return REFUSED to GSS-API TKEY requests if GSS-API
support is not configured. [GL #4225]
6213. [bug] Mark a primary server as temporarily unreachable if the
TCP connection attempt times out. [GL #4215]
6212. [bug] Don't process detach and close netmgr events when
the netmgr has been paused. [GL #4200]
--- 9.18.17 released ---
6206. [bug] Add shutdown checks in dns_catz_dbupdate_callback() to
avoid a race with dns_catz_shutdown_catzs(). [GL #4171]
6205. [bug] Restore support to read legacy HMAC-MD5 K file pairs.
[GL #4154]
6204. [bug] Use NS records for relaxed QNAME-minimization mode.
This reduces the number of queries named makes when
resolving, as it allows the non-existence of NS RRsets
at non-referral nodes to be cached in addition to the
referrals that are normally cached. [GL #3325]
6200. [bug] Fix nslookup erroneously reporting a timeout when the
input is delayed. [GL #4044]
6199. [bug] Improve HTTP Connection: header protocol conformance
in the statistics channel. [GL #4126]
6198. [func] Remove the holes in the isc_result_t enum to compact
the isc_result tables. [GL #4149]
6197. [bug] Fix a data race between the dns_zone and dns_catz
modules when registering/unregistering a database
update notification callback for a catalog zone.
[GL #4132]
6196. [cleanup] Report "permission denied" instead of "unexpected error"
when trying to update a zone file on a read-only file
system. Thanks to Midnight Veil. [GL #4134]
6193. [bug] Fix a catz db update notification callback registration
logic error, which could crash named when receiving an
AXFR update for a catalog zone while the previous update
process of the catalog zone was already running.
[GL #4136]
6166. [func] Retry without DNS COOKIE on FORMERR if it appears that
the FORMERR was due to the presence of a DNS COOKIE
option. [GL #4049]
2 November 2023: Wouter
- Set version number to 1.19.0.
- Tag for 1.19.0rc1 release.
1 November 2023: George
- Mention flex and bison in README.md when building from repository
source.
1 November 2023: Wouter
- Fix SSL compile failure for definition in log_crypto_err_io_code_arg.
- Fix SSL compile failure for other missing definitions in
log_crypto_err_io_code_arg.
- Fix compilation without openssl, remove unused function warning.
31 October 2023: George
- Fix #941: dnscrypt doesn't work after upgrade to 1.18 with
suggestion by dukeartem to also fix the udp_ancil with dnscrypt.
30 October 2023: George
- Merge #930 from Stuart Henderson: add void to
log_ident_revert_to_default declaration.
30 October 2023: Wouter
- autoconf.
24 October 2023: George
- Clearer configure text for missing protobuf-c development libraries.
20 October 2023: Wouter
- Merge #951: Cachedb no store. The cachedb-no-store: yes option is
used to stop cachedb from writing messages to the backend storage.
It reads messages when data is available from the backend. The
default is no.
19 October 2023: Wouter
- Fix to print detailed errors when an SSL IO routine fails via
SSL_get_error.
18 October 2023: George
- Mailing list patches from Daniel Gröber for DNS64 fallback to plain
AAAA when no A record exists for synthesis, and minor DNS64 code
refactoring for better readability.
- Fixes for the DNS64 patches.
- Update the dns64_lookup.rpl test for the DNS64 fallback patch.
- Merge #955 from buevsan: fix ipset wrong behavior.
- Update testdata/ipset.tdir test for ipset fix.
17 October 2023: Wouter
- Fix #954: Inconsistent RPZ handling for A record returned along with
CNAME.
16 October 2023: George
- Expose the script filename in the Python module environment 'mod_env'
instead of the config_file structure which includes the linked list
of scripts in a multi Python module setup; fixes #79.
- Expose the configured listening and outgoing interfaces, if any, as
a list of strings in the Python 'config_file' class instead of the
current Swig object proxy; fixes #79.
- For multi Python module setups, clean previously parsed module
functions in __main__'s dictionary, if any, so that only current
module functions are registered.
13 October 2023: George
- Better fix for infinite loop when reading multiple lines of input on
a broken remote control socket, by treating a zero byte line the
same as transmission end. Addresses #947 and #948.
12 October 2023: Wouter
- Merge #944: Disable EDNS DO.
Disable the EDNS DO flag in upstream requests. This can be helpful
for devices that cannot handle DNSSEC information. But it should not
be enabled otherwise, because that would stop DNSSEC validation. The
DNSSEC validation would not work for Unbound itself, and also not
for downstream users. Default is no. The option
is disable-edns-do: no
11 October 2023: George
- Fix #850: [FR] Ability to use specific database in Redis, with new
redis-logical-db configuration option.
11 October 2023: Wouter
- Fix #949: "could not create control compt".
- Fix that cachedb does not warn when serve-expired is disabled about
use of serve-expired-reply-ttl and serve-expired-client-timeout.
- Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x.
10 October 2023: George
- Fix infinite loop when reading multiple lines of input on a broken
remote control socket. Addresses #947 and #948.
9 October 2023: Wouter
- Fix edns subnet so that queries with a source prefix of zero cause
the recursor send no edns subnet option to the upstream.
- Fix that printout of EDNS options shows the EDNS cookie option by
name.
4 October 2023: Wouter
- Fix #946: Forwarder returns servfail on upstream response noerror no
data.
3 October 2023: George
- Merge #881: Generalise the proxy protocol code.
2 October 2023: George
- Fix misplaced comment.
22 September 2023: Wouter
- Fix #942: 1.18.0 libunbound DNS regression when built without
OpenSSL.
18 September 2023: Wouter
- Fix rpz tcp-only action with rpz triggers nsdname and nsip.
15 September 2023: Wouter
- Merge #936: Check for c99 with autoconf versions prior to 2.70.
- Fix to remove two c99 notations.
14 September 2023: Wouter
- Fix authority zone answers for obscured DNAMEs and delegations.
8 September 2023: Wouter
- Fix send of udp retries when ENOBUFS is returned. It stops looping
and also waits for the condition to go away. Reported by Florian
Obser.
7 September 2023: Wouter
- Fix to scrub resource records of type A and AAAA that have an
inappropriate size. They are removed from responses.
- Fix to move msgparse_rrset_remove_rr code to util/msgparse.c.
- Fix to add EDE text when RRs have been removed due to length.
- Fix to set ede match in unit test for rr length removal.
- Fix to print EDE text in readable form in output logs.
6 September 2023: Wouter
- Merge #931: Prevent warnings from -Wmissing-prototypes.
31 August 2023: Wouter
- Fix autoconf 2.69 warnings in configure.
- Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1.
30 August 2023: Wouter
- Fix for WKS call to getservbyname that creates allocation on exit
in unit test by testing numbers first and testing from the services
list later.
28 August 2023: Wouter
- Fix for version generation race condition that ignored changes.
25 August 2023: Wouter
- Fix compile error on NetBSD in util/netevent.h.
23 August 2023: Wouter
- Tag for 1.18.0rc1 release. This became the 1.18.0 release on
30 aug 2023, with the fix from 25 aug, fix compile on NetBSD
included. The repository continues with version 1.18.1.
22 August 2023: Wouter
- Set version number to 1.18.0.
21 August 2023: Wouter
- Debug Windows ci workflow.
- Fix windows ci workflow to install bison and flex.
- Fix for #925: unbound.service: Main process exited, code=killed,
status=11/SEGV. Fixes cachedb configuration handling.
- Fix #923: processQueryResponse() THROWAWAY should be mindful of
fail_reply.
- Fix unit test for unbound-control to work when threads are disabled,
and fix cache dump check.
18 August 2023: Wouter
- Fix for iter_dec_attempts that could cause a hang, part of
capsforid and qname minimisation, depending on the settings.
- Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
- Fix stat_values test to work with dig that enables DNS cookies.
17 August 2023: Wouter
- Merge PR #762: Downstream DNS Server Cookies a la RFC7873 and
RFC9018. Create server cookies for clients that send client cookies.
This needs to be explicitly turned on in the config file with:
`answer-cookie: yes`. A `cookie-secret:` can be configured for
anycast setups. Without one, a random cookie secret is generated.
The acl option `allow_cookie` allows queries with either a valid
cookie or over a stateful transport. The statistics output has
`queries_cookie_valid` and `queries_cookie_client` and
`queries_cookie_invalid` information. The `ip-ratelimit-cookie:`
value determines a rate limit for queries with cookies, if desired.
- Fix regional_alloc_init for potential unaligned source of the copy.
- Fix ip_ratelimit test to work with dig that enables DNS cookies.
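The server-cookie scheme this entry turns on is specified in RFC 7873 and RFC 9018. What follows is an added example written for this changelog, not Unbound's own code: it builds an RFC 9018 server cookie (Version | Reserved | Timestamp | SipHash-2-4 tag) from a client cookie, the client address and a 128-bit secret of the kind `cookie-secret:` configures, and then classifies a cookie that a client sends back the way a server deciding whether to accept it, or hand out a fresh one, would. The validity window (one hour into the past, five minutes into the future) and the 30-minute renewal threshold are the RFC 9018 recommendations. Storing the SipHash output little-endian follows the SipHash reference implementation and is an assumption of this example, as are the sample secret, client cookie and addresses.

```python
"""RFC 7873 / RFC 9018 DNS server cookies, as an added example (not Unbound's code)."""
import hmac
import ipaddress
import struct

MASK64 = (1 << 64) - 1
COOKIE_VERSION = 1
VALID_PAST = 3600     # RFC 9018 4.3: accept server cookies up to one hour old ...
VALID_FUTURE = 300    # ... and up to five minutes in the future (clock skew)
RENEW_AFTER = 1800    # RFC 9018 4.3: issue a fresh cookie once the old one is 30 min old


def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64


def _sipround(v0, v1, v2, v3):
    v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13) ^ v0; v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16) ^ v2
    v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21) ^ v0
    v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17) ^ v2; v2 = _rotl(v2, 32)
    return v0, v1, v2, v3


def siphash24(key: bytes, data: bytes) -> int:
    """SipHash-2-4 with a 128-bit key, returning the 64-bit tag (pure Python)."""
    if len(key) != 16:
        raise ValueError("SipHash key must be 16 bytes")
    k0, k1 = struct.unpack("<QQ", key)
    v0 = k0 ^ 0x736F6D6570736575
    v1 = k1 ^ 0x646F72616E646F6D
    v2 = k0 ^ 0x6C7967656E657261
    v3 = k1 ^ 0x7465646279746573
    full = len(data) - len(data) % 8
    for i in range(0, full, 8):            # two compression rounds per 8-byte block
        m = struct.unpack_from("<Q", data, i)[0]
        v3 ^= m
        v0, v1, v2, v3 = _sipround(*_sipround(v0, v1, v2, v3))
        v0 ^= m
    last = ((len(data) & 0xFF) << 56) | int.from_bytes(data[full:], "little")
    v3 ^= last
    v0, v1, v2, v3 = _sipround(*_sipround(v0, v1, v2, v3))
    v0 ^= last
    v2 ^= 0xFF                              # four finalization rounds
    for _ in range(4):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    return v0 ^ v1 ^ v2 ^ v3


def server_cookie(client_cookie: bytes, client_ip: str, secret: bytes, now: int) -> bytes:
    """Version(1) | Reserved(3, zero) | Timestamp(4) | Hash(8), per RFC 9018 section 4."""
    if len(client_cookie) != 8:
        raise ValueError("client cookie must be exactly 8 bytes")
    prefix = struct.pack("!B3xI", COOKIE_VERSION, now & 0xFFFFFFFF)
    ip = ipaddress.ip_address(client_ip).packed            # 4 or 16 bytes
    tag = siphash24(secret, client_cookie + prefix + ip)
    # Tag stored little-endian, as the SipHash reference implementation emits it (assumption).
    return prefix + tag.to_bytes(8, "little")


def classify_cookie(option: bytes, client_ip: str, secret: bytes, now: int) -> str:
    """Decide what to do with the COOKIE option a client sent.

    Returns 'client-only' (answer with a fresh server cookie), 'valid', 'renew'
    (valid, but old enough that a new server cookie should be returned) or 'invalid'.
    """
    if len(option) == 8:
        return "client-only"
    if len(option) != 24:                   # 8-byte client cookie + 16-byte server cookie
        return "invalid"
    client, server = option[:8], option[8:]
    if server[0] != COOKIE_VERSION or server[1:4] != b"\x00\x00\x00":
        return "invalid"
    ts = struct.unpack("!I", server[4:8])[0]
    expected = server_cookie(client, client_ip, secret, ts)
    if not hmac.compare_digest(expected, server):    # constant-time compare
        return "invalid"
    age = ((now - ts + (1 << 31)) & 0xFFFFFFFF) - (1 << 31)   # signed, wraps at 2^32
    if age > VALID_PAST or age < -VALID_FUTURE:
        return "invalid"
    return "renew" if age > RENEW_AFTER else "valid"


if __name__ == "__main__":
    # Constructed inputs: secret, client cookie and addresses are made up for this example.
    secret = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    client = bytes.fromhex("2464c4abcf10c957")
    now = 1700000000
    sc = server_cookie(client, "198.51.100.100", secret, now)
    print("server cookie:", sc.hex())
    print(classify_cookie(client + sc, "198.51.100.100", secret, now + 60))
    print(classify_cookie(client + sc, "198.51.100.100", secret, now + 2400))
    print(classify_cookie(client + sc, "203.0.113.9", secret, now + 60))
```

Binding the client IP into the hash is what makes a cookie useless to anyone who did not receive it at that address, and the timestamp window bounds how long a leaked cookie stays good; a cookie that is valid but older than 30 minutes is still answered, but with a new server cookie attached so clients roll over before the hour is up.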
2 August 2023: George
- Move a cache reply callback in worker.c closer to the cache reply
generation.
1 August 2023: George
- Merge #911 from natalie-reece: Exclude EDE before other EDNS options
when there isn't enough space.
- For #911: Try to trim EXTRA-TEXT (and LDNS_EDE_OTHER options
altogether) before giving up on attaching EDE options.
- More braces and formatting for Fix for EDNS EDE size calculation to
avoid future bugs.
- Fix to use the now cached EDE, if any, for CD_bit queries.
1 August 2023: Wouter
- Fix for EDNS EDE size calculation.
31 July 2023: George
- Merge #790 from Tom Carpay: Add support for EDE caching in cachedb
and subnetcache.
31 July 2023: Wouter
- iana portlist update.
30 July 2023: George
- Merge #759 from Tom Carpay: Add EDE (RFC8914) caching.
28 July 2023: George
- Fix unused variable compile warning for kernel timestamps in
netevent.c
21 July 2023: George
- Merge #857 from eaglegai: fix potential memory leaks when errors
happen.
- For #857: fix mixed declarations and code.
- Merge #118 from mibere: Changed verbosity level for Redis init &
deinit.
- Merge #390 from Frank Riley: Add missing callbacks to the python
module.
- Cleaner failure code for callback functions in interface.i.
- Merge #889 from borisVanhoof: Free memory in error case + remove
unused function.
- For #889: use netcat-openbsd instead of netcat-traditional.
- For #889: Account for num_detached_states before possible
mesh_state_delete when erroring out.
20 July 2023: George
- Merge #909 from headshog: Numeric truncation when parsing TYPEXX and
CLASSXX representation.
- For #909: Fix return values.
- Merge #901 from Sergei Trofimovich: config: improve handling of
unknown modules.
20 July 2023: Wouter
- For #909: Fix RR class comparison.
14 July 2023: George
- More clear description of the different auth-zone behaviors on the
man page.
13 July 2023: George
- Merge #880 from chipitsine: services/authzone.c: remove redundant
check.
11 July 2023: George
- Merge #664 from tilan7763: Add prefetch support for subnet cache
entries.
- For #664: Easier code flow for subnetcache prefetching.
- For #664: Add testcase.
- For #664: Rename subnet_prefetch tests to subnet_global_prefetch to
differentiate from the new subnet prefetch support.
3 July 2023: George
- Merge #739: Add SVCB dohpath support.
- Code cleanup for sldns_str2wire_svcparam_key_lookup.
- Merge #802: add validation EDEs to queries where the CD bit is set.
- For #802: Cleanup comments and add RCODE check for CD bit test case.
- Skip the 00-lint test. splint is not maintained; it either does not
work or produces false positives. Static analysis is handled in the
clang test.
3 July 2023: Wouter
- Fix #906: warning: ‘Py_SetProgramName’ is deprecated.
- Fix dereference of NULL variable warning in mesh_do_callback.
29 June 2023: George
- More fixes for reference counting for python module and clean up
failure code.
- Merge #827 from rcmcdonald91: Eliminate unnecessary Python reloading
which causes memory leaks.
29 June 2023: Wouter
- Fix python modules with multiple scripts, by incrementing reference
counts.
27 June 2023: George
- Merge #892: Add cachedb hit stat. Introduces 'num.query.cachedb' as
a new statistical counter.
- Remove warning about unknown cast-function-type warning pragma.
22 June 2023: Wouter
- Merge #903: contrib: add yocto compatible init script.
15 June 2023: Philip
- Fix for issue #887 (Timeouts to forward servers on BSD based
system with ASLR)
- Probably fixes #516 (Stream reuse does not work on Windows) as well.
14 June 2023: George
- Properly handle all return values of worker_check_request during
early EDE code.
- Do not check the incoming request more than once.
12 June 2023: Wouter
- Merge #896: Fix: #895: pythonmodule: add all site-packages
directories to sys.path.
- Fix #895: python + sysconfig gives ANOTHER path comparing to
distutils.
- Fix for uncertain unit test for doh buffer size events.
25 May 2023: Wouter
- Fix unbound-dnstap-socket printout when no query is present.
- Fix unbound-dnstap-socket time fraction conversion for printout.
19 May 2023: Wouter
- Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
- Fix to remove unused variables from RPZ clientip data structure.
16 May 2023: Wouter
- Fix #888: [FR] Use kernel timestamps for dnstap.
- Fix to print debug log for ancillary data with correct IP address.
11 May 2023: Wouter
- Fix warning in windows compile, in set_recvtimestamp.
4 May 2023: Wouter
- Fix #885: Error: util/configlexer.c: No such file or directory,
adds error messages explaining to install flex and bison.
- Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h.
- Fix doxygen in addr_to_nat64 header definition.
1 May 2023: George
- Merge #722 from David 'eqvinox' Lamparter: NAT64 support.
- For #722: minor fixes, formatting, refactoring.
1 May 2023: Wouter
- Fix RPZ IP responses with trigger rpz-drop on cache entries, that
they are dropped.
26 April 2023: Philip
- Fix issue #860: Bad interaction with 0 TTL records and serve-expired
26 April 2023: Wouter
- Merge #882 from vvfedorenko: Features/dropqueuedpackets, with
sock-queue-timeout option that drops packets that have been in the
socket queue for too long. Added statistics num.queries_timed_out
and query.queue_time_us.max that track the socket queue timeouts.
- Fix for #882: small changes, date updated in Copyright for
util/timeval_func.c and util/timeval_func.h. Man page entries and
example entry.
- Fix for #882: document variable to stop doxygen warning.
19 April 2023: Wouter
- Fix for #878: Invalid IP address in unbound.conf causes Segmentation
Fault on OpenBSD.
14 April 2023: Wouter
- Merge #875: change obsolete txt URL in unbound-anchor.c to point
to RFC 7958, and Fix #874.
13 April 2023: Wouter
- Fix build badge, from failing travis link to github ci action link.
6 April 2023: Wouter
- Fix for #870: Add test case for the qname minimisation and CNAME.
4 April 2023: Wouter
- Fix #870: NXDOMAIN instead of NOERROR rcode when asked for existing
CNAME record.
24 March 2023: Philip
- Fix issue #676: Unencrypted query is sent when
forward-tls-upstream: yes is used without tls-cert-bundle
- Extra consistency check to make sure that when TLS is requested,
either we set up a TLS connection or we return an error.
21 March 2023: Philip
- Fix issue #851: reserved identifier violation
20 March 2023: Wouter
- iana portlist update.
17 March 2023: George
- Fix #812, fix #846, by using the SSL_OP_IGNORE_UNEXPECTED_EOF option
to ignore the unexpected eof while reading in openssl >= 3.
16 March 2023: Wouter
- Fix ssl.h include brackets, instead of quotes.
14 March 2023: Wouter
- Fix unbound-dnstap-socket test program to reply the finish frame
over a TLS connection correctly.
23 February 2023: Wouter
- Fix for #852: Completion of error handling.
21 February 2023: Philip
- Fix #825: Unexpected behavior with client-subnet-always-forward
and serve-expired
10 February 2023: George
- Clean up iterator/iterator.c::error_response_cache() and allow for
better interaction with serve-expired, prefetch and cached error
responses.
9 February 2023: George
- Allow TTL refresh of expired error responses.
- Add testcase for refreshing expired error responses.
9 February 2023: Wouter
- Fix to ignore entirely empty responses, and try at another authority.
This turns completely empty responses, a type of noerror/nodata, into
a servfail, but they do not conform to RFC 2308, and the retry can
fetch improved content.
- Fix unit tests for spurious empty messages.
- Fix consistency of unit test without roundrobin answers for the
cnametooptout unit test.
- Fix to git ignore the library symbol file that configure can create.
8 February 2023: Wouter
- Fix #841: Unbound won't build with aaaa-filter-iterator.patch.
30 January 2023: George
- Add duration variable for speed_local.test.
26 January 2023: Wouter
- Fix acx_nlnetlabs.m4 for -Wstrict-prototypes.
23 January 2023: George
- Fix #833: [FR] Ability to set the Redis password.
23 January 2023: Wouter
- Fix #835: [FR] Ability to use Redis unix sockets.
20 January 2023: Wouter
- Merge #819: Added new static zone type block_a to suppress all A
queries for specific zones.
19 January 2023: Wouter
- Set max-udp-size default to 1232. This is the same default value as
the default value for edns-buffer-size. It restricts client edns
buffer size choices, and makes unbound behave similar to other DNS
resolvers. The new choice, down from 4096 means it is harder to get
large responses from Unbound. Thanks to Xiang Li, from NISL Lab,
Tsinghua University.
- Add harden-unknown-additional option. It removes
unknown records from the authority section and additional section.
Thanks to Xiang Li, from NISL Lab, Tsinghua University.
- Set default for harden-unknown-additional to no. So that it does
not hamper future protocol developments.
- Fix test for new default.
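Two entries in this changelog scrub the body of a response: the 7 September 2023 entry removes A and AAAA records whose size is wrong for their type, and the harden-unknown-additional option above removes record types the resolver does not know from the authority and additional sections. The following is an added example written for this changelog, not Unbound's own scrubber: a small wire-format parser that follows compression pointers with a loop bound, drops A/AAAA RRs with an impossible RDLENGTH, optionally drops unknown types outside the answer section, and re-serialises the message with every name uncompressed so that nothing it keeps points at a byte it removed. The set of "known" types is an assumption of the example, as is the constructed response it scrubs.

```python
"""Scrub a DNS response: drop A/AAAA RRs of the wrong size and, optionally, unknown
RR types in the authority/additional sections. Added example, not Unbound's code."""
import struct

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_SOA, TYPE_PTR, TYPE_MX, TYPE_AAAA, TYPE_DNAME = 1, 2, 5, 6, 12, 15, 28, 39
EXPECTED_RDLEN = {TYPE_A: 4, TYPE_AAAA: 16}
# Assumed set of types this resolver "knows" (A, NS, CNAME, SOA, PTR, MX, TXT, AAAA, SRV,
# DNAME, OPT, DS, RRSIG, NSEC, DNSKEY, NSEC3, NSEC3PARAM, SVCB, HTTPS); anything else in
# the authority or additional section is dropped when hardening is on.
KNOWN_TYPES = {1, 2, 5, 6, 12, 15, 16, 28, 33, 39, 41, 43, 46, 47, 48, 50, 51, 64, 65}
SINGLE_NAME_RDATA = {TYPE_NS, TYPE_CNAME, TYPE_PTR, TYPE_DNAME}


def read_name(msg: bytes, off: int):
    """Return (labels, offset after the name), following RFC 1035 compression pointers."""
    labels, end = [], None
    for _ in range(128):                        # bound pointer chasing: no infinite loops
        length = msg[off]
        if length & 0xC0 == 0xC0:               # pointer: 14-bit offset into the message
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return labels, (end if end is not None else off)
        labels.append(msg[off:off + length])
        off += length
    raise ValueError("compression pointer loop")


def wire_name(labels) -> bytes:
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def parse(msg: bytes):
    """Return (header fields, questions, [answer, authority, additional]); names inside
    RDATA are decompressed for the types that carry them (NS/CNAME/PTR/DNAME, MX, SOA)."""
    hdr = struct.unpack_from("!6H", msg, 0)
    off, questions = 12, []
    for _ in range(hdr[2]):
        name, off = read_name(msg, off)
        questions.append((name,) + struct.unpack_from("!HH", msg, off))
        off += 4
    sections = []
    for count in hdr[3:6]:
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype in SINGLE_NAME_RDATA:
                rdata = wire_name(read_name(msg, off)[0])
            elif rtype == TYPE_MX:
                rdata = rdata[:2] + wire_name(read_name(msg, off + 2)[0])
            elif rtype == TYPE_SOA:
                mname, o2 = read_name(msg, off)
                rname, o3 = read_name(msg, o2)
                rdata = wire_name(mname) + wire_name(rname) + msg[o3:off + rdlen]
            off += rdlen
            rrs.append((name, rtype, rclass, ttl, rdata))
        sections.append(rrs)
    return hdr, questions, sections


def scrub(msg: bytes, harden_unknown_additional: bool = False):
    """Return (cleaned message, list of removal reasons usable as EDE extra text)."""
    hdr, questions, sections = parse(msg)
    kept, removed = [], []
    for idx, rrs in enumerate(sections):
        keep = []
        for rr in rrs:
            _, rtype, _, _, rdata = rr
            if rtype in EXPECTED_RDLEN and len(rdata) != EXPECTED_RDLEN[rtype]:
                removed.append(f"TYPE{rtype} with RDLENGTH {len(rdata)} removed")
            elif harden_unknown_additional and idx > 0 and rtype not in KNOWN_TYPES:
                removed.append(f"unknown TYPE{rtype} removed from section {idx}")
            else:
                keep.append(rr)
        kept.append(keep)
    out = struct.pack("!6H", hdr[0], hdr[1], len(questions), *(len(s) for s in kept))
    for name, qtype, qclass in questions:
        out += wire_name(name) + struct.pack("!HH", qtype, qclass)
    for rrs in kept:
        for name, rtype, rclass, ttl, rdata in rrs:
            out += wire_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return out, removed


def build_sample() -> bytes:
    """Constructed response for 'example.com A': a good A, an A with 5-byte RDATA, an NS
    whose RDATA uses a compression pointer, and an unknown TYPE65280 in additional."""
    qname = wire_name([b"example", b"com"])
    ptr = b"\xc0\x0c"                                         # pointer to the qname at offset 12
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 1, 1)
    question = qname + struct.pack("!HH", TYPE_A, 1)
    a_ok = ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    a_bad = ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 5) + bytes([192, 0, 2, 2, 0])
    ns = ptr + struct.pack("!HHIH", TYPE_NS, 1, 3600, 5) + b"\x02ns" + ptr
    unknown = ptr + struct.pack("!HHIH", 65280, 1, 60, 3) + b"abc"
    return hdr + question + a_ok + a_bad + ns + unknown
```

Running `scrub(build_sample(), harden_unknown_additional=True)` drops the 5-byte A record and the TYPE65280 additional record and leaves the NS intact with its target spelled out in full; with hardening off the unknown record is kept, which is the trade-off the "default no" above makes in favour of future protocol developments.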
18 January 2023: Wouter
- Fix for not following cleared RD flags, which potentially enabled
amplification DDoS attacks; reported by Xiang Li and Wei Xu from NISL
Lab, Tsinghua University. The fix stops query loops by refusing to
send RD=0 queries to a forwarder; they still get answered from cache.
13 January 2023: Wouter
- Merge #826: Add a metric about the maximum number of collisions in
lruhash.
- Improve documentation for #826, describe the large collisions amount.
9 January 2023: Wouter
- Fix python module install path detection.
- Fix python version detection in configure.
6 January 2023: Wouter
- Fix #823: Response change to NODATA for some ANY queries since
1.12, tested on 1.16.1.
- Fix wildcard in hyperlocal zone service degradation, reported
by Sergey Kacheev. This fix is included in 1.17.1rc2.
That became 1.17.1 on 12 Jan 2023, the code repo continues
with 1.17.2. 1.17.1 excludes fix #823; it is included from then on.
5 January 2023: Wouter
- Tag for 1.17.1 release.
2 January 2023: Wouter
- Fix windows compile for libunbound subprocess reap comm point closes.
- Update github workflows to use checkout v3.
14 December 2022: George
- Merge #569 from JINMEI Tatuya: add keep-cache option to
'unbound-control reload' to keep caches.
13 December 2022: George
- Expose 'statistics-inhibit-zero' as a configuration option; the
default value retains Unbound's behavior.
- Expose 'max-sent-count' as a configuration option; the
default value retains Unbound's behavior.
- Merge #461 from Christian Allred: Add max-query-restarts option.
Exposes an internal configuration but the default value retains
Unbound's behavior.
13 December 2022: Wouter
- Merge #808: Wrap Makefile script's directory variables in quotes.
- Fix to wrap Makefile scripts directory in quotes for uninstall.
1 December 2022: Wouter
- Fix #773: When used with systemd-networkd, unbound does not start
until systemd-networkd-wait-online.service times out.
30 November 2022: George
- Add SVCB and HTTPS to the types removed by 'unbound-control flush'.
- Clear documentation for interactivity between the subnet module and
the serve-expired and prefetch configuration options.
30 November 2022: Wouter
- Fix #782: Segmentation fault in stats.c:404.
28 November 2022: Wouter
- Fix for the ignore of tcp events for closed comm points, preserve
the use after free protection features.
23 November 2022: Philip
- Merge #720 from jonathangray: fix use after free when
WSACreateEvent() fails.
22 November 2022: George
- Ignore expired error responses.
11 November 2022: Wouter
- Fix #779: [doc] Missing documentation in ub_resolve_event() for
callback parameter was_ratelimited.
9 November 2022: George
- Complementary fix for distutils.sysconfig deprecation in Python 3.10
to commit 62c5039ab9da42713e006e840b7578e01d66e7f2.
8 November 2022: Wouter
- Fix to ignore tcp events for closed comm points.
- Fix to make sure to not read again after a tcp comm point is closed.
- Fix #775: libunbound: subprocess reap causes parent process reap
to hang.
- iana portlist update.
21 October 2022: George
- Merge #767 from jonathangray: consistently use IPv4/IPv6 in
unbound.conf.5.
21 October 2022: Wouter
- Fix that cachedb does not store failures in the external cache.
18 October 2022: George
- Clarify the use of MAX_SENT_COUNT in the iterator code.
17 October 2022: Wouter
- testcode/dohclient sets log identity to its name.
14 October 2022: Wouter
- Merge #768 from fobser: Arithmetic on a pointer to void is a GNU
extension.
- In unit test, print python script name list correctly.
13 October 2022: Wouter
- Tag for 1.17.0 release. The code repository continues with 1.17.1.
11 October 2022: George
- Fix PROXYv2 header read for TCP connections when no proxied addresses
are provided.
7 October 2022: Wouter
- Tag for 1.17.0rc1 release.
7 October 2022: George
- Fix to stop possible loops in the tcp reuse code (write_wait list
and tcp_wait list). Based on analysis and patch from Prad Seniappan
and Karthik Umashankar.
- Fix unit test to properly test the reuse_write_wait_pop function.
6 October 2022: Wouter
- Fix to stop responses with TC flag from resulting in partial
responses. It retries to fetch the data elsewhere, or fails the
query and in depth fix removes the TC flag from the cached item.
- Fix proxy length debug output printout typecasts.
5 October 2022: Wouter
- Fix dnscrypt compile for proxy protocol code changes.
5 October 2022: George
- Use DEBUG_TDIR from environment in mini_tdir.sh for debugging.
- Fix string comparison in mini_tdir.sh.
- Make ede.tdir test more predictable by using static data.
- Fix checkconf test for dnscrypt and proxy port.
4 October 2022: George
- Merge #764: Leniency for target discovery when under load (for
NRDelegation changes).
4 October 2022: Wouter
- Fix static analysis report to remove dead code from the
rpz_callback_from_iterator_module function.
- Fix to clean up after the acl_interface unit test.
3 October 2022: George
- Merge #760: PROXYv2 downstream support. (New proxy-protocol-port
configuration option).
3 October 2022: Wouter
- Fix to remove erroneous TC flag from TCP upstream.
- Fix test tdir skip report printout.
- Fix windows compile, the identifier interface is defined in headers.
- Fix to close errno block in comm_point_tcp_handle_read outside of
ifdef.
26 September 2022: George
- Better output for skipped tdir tests.
29 November 2023: Wouter
- Tag for 4.8.0rc1.
28 November 2023: Wouter
- Set up doc/RELNOTES for upcoming release.
- Fix unit test kill_from_pidfile function for nonexistent files
because the argument is evaluated before the test expression.
- Fix rr-test to also convert the contents of the just written output
file.
- Fix test set to remove -f nsd.db and rm nsd.db commands.
- Fix test set to remove difffile option.
27 November 2023: Jeroen
- Fix #14: Set timeout to 3s when servicing remaining TCP connections.
- Fix: Always instate write handler after reading queries from TCP.
- Answer first query on connections accepted just before reload.
27 November 2023: Wouter
- Merge #305: faster stats. Statistics can be gathered while a reload
is in progress.
27 November 2023: Willem
- Merge #302: Test package fixes. Correct Auxfiles, kill_from_pidfile
function and fix drop_updates, rr-test and xfr_update tests.
1 November 2023: Jeroen
- Remove on-disk database.
31 October 2023: Wouter
- Merge #301: improve the logging of ixfr fallbacks to axfr.
30 October 2023: Jeroen
- Fix processing of consolidated IXFRs.
30 October 2023: Wouter
- Fix for interprocess communication to set quit sync command from
main process explicitly.
3 October 2023: Wouter
- Merge #281: Proxy protocol. An implementation of PROXYv2 for NSD.
It can be configured with proxy-protocol-port: portnum with the
port number of the interface on which proxy traffic is handled.
The interface can support proxy traffic for UDP, TCP and TLS.
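PROXY protocol version 2 is the binary header a load balancer prepends to the DNS payload so the server behind it learns the real client address; both the Unbound 3 October 2022 entry (#760, the proxy-protocol-port option there) and this NSD entry add support for receiving it. The following is an added example written for this changelog, not the NSD or Unbound implementation: a parser for the v2 header that reports how many bytes to skip before the DNS message begins, extracts the proxied IPv4 or IPv6 source and destination, skips any trailing TLVs, and handles the LOCAL or AF_UNSPEC header that carries no proxied addresses at all (the situation the Unbound 11 October 2022 fix concerns). The small sender-side builder exists only to construct sample input; the addresses and ports are made up.

```python
"""PROXY protocol v2 header parsing for a DNS listener. Added example, not NSD/Unbound code."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"     # 12 fixed bytes
PP2_HEADER_LEN = 16                            # signature + ver/cmd + fam/proto + length
PP2_ADDR_LEN = {0x1: 12, 0x2: 36, 0x3: 216}    # AF_INET, AF_INET6, AF_UNIX address blocks
TRANSPORTS = ("UNSPEC", "STREAM", "DGRAM")


@dataclass
class ProxyInfo:
    command: str                               # "LOCAL" (health check) or "PROXY"
    transport: str
    header_len: int                            # bytes to skip; the DNS message starts here
    src: Optional[Tuple[str, int]] = None      # real client (ip, port), None if not proxied
    dst: Optional[Tuple[str, int]] = None


def parse_proxy_v2(buf: bytes) -> Optional[ProxyInfo]:
    """Parse a PROXYv2 header at the start of buf.

    Returns None when more bytes are needed (on TCP: keep reading, do not touch the
    DNS data yet) and raises ValueError when the bytes are not a valid v2 header.
    """
    head = buf[:12]
    if head != PP2_SIGNATURE[:len(head)]:
        raise ValueError("not a PROXY protocol v2 header")
    if len(buf) < PP2_HEADER_LEN:
        return None
    ver_cmd, fam_proto, length = struct.unpack_from("!BBH", buf, 12)
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version %d" % (ver_cmd >> 4))
    cmd, fam, proto = ver_cmd & 0xF, fam_proto >> 4, fam_proto & 0xF
    if cmd > 1 or fam > 3 or proto > 2:
        raise ValueError("reserved command/family/protocol value")
    total = PP2_HEADER_LEN + length
    if len(buf) < total:
        return None
    info = ProxyInfo("LOCAL" if cmd == 0 else "PROXY", TRANSPORTS[proto], total)
    if cmd == 0 or fam == 0:
        # LOCAL or AF_UNSPEC: no proxied addresses are present, so the socket's own
        # peer address applies. A parser that assumed an address block here would
        # read the start of the DNS payload as addresses.
        return info
    if length < PP2_ADDR_LEN[fam]:
        raise ValueError("address block shorter than the family requires")
    body = buf[PP2_HEADER_LEN:PP2_HEADER_LEN + PP2_ADDR_LEN[fam]]
    if fam == 0x1:
        s, d, sp, dp = struct.unpack("!4s4sHH", body)
    elif fam == 0x2:
        s, d, sp, dp = struct.unpack("!16s16sHH", body)
    else:
        raise ValueError("AF_UNIX addresses are not meaningful for a DNS listener")
    info.src = (str(ipaddress.ip_address(s)), sp)
    info.dst = (str(ipaddress.ip_address(d)), dp)
    return info                                # TLVs in buf[16 + addrlen:total] are skipped


def build_proxy_v2(cmd: int, fam: int, proto: int, src=None, dst=None, tlvs: bytes = b"") -> bytes:
    """Sender side, used here only to construct sample headers."""
    body = b""
    if src is not None:
        body = (ipaddress.ip_address(src[0]).packed + ipaddress.ip_address(dst[0]).packed
                + struct.pack("!HH", src[1], dst[1]))
    body += tlvs
    return (PP2_SIGNATURE + bytes([0x20 | cmd, (fam << 4) | proto])
            + struct.pack("!H", len(body)) + body)


if __name__ == "__main__":
    dns = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # constructed query header
    hdr = build_proxy_v2(1, 1, 2, ("203.0.113.7", 53001), ("198.51.100.1", 53))
    info = parse_proxy_v2(hdr + dns)
    print(info, (hdr + dns)[info.header_len:] == dns)
```

The length field is what makes the header self-delimiting, so the listener always skips exactly `header_len` bytes whether or not the proxy appended TLVs; a port carrying PROXYv2 must only ever be reachable from the proxy itself, since anyone who can reach it directly can assert an arbitrary client address.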
21 September 2023: Wouter
- Merge #295: Update e-mail addresses, add ref to support contracts
31 August 2023: Wouter
- Fix autoconf 2.69 warnings in configure.
14 July 2023: Wouter
- Merge #287: Update nsd.conf.5.in.
11 July 2023: Wouter
- Fix unused variable warning in unit test of udb.
22 June 2023: Wouter
- Fix #284: dnstap_collector.c: SOCK_NONBLOCK is not available on
Mac/Darwin.
7 June 2023: Wouter
- Merge #282: Improve nsd.conf man page.
- Fix unused but set variable warning.
- Fix #283: Compile failure in remote.c when --disable-bind8-stats
and --without-ssl are specified.
31 May 2023: Wouter
- Add missing items to doc/RELNOTES.
- Tag for 4.7.0rc1. It became release 4.7.0 on 7 june 2023. The code
repository continues with 4.7.1.
30 May 2023: Jeroen
- Fix #240: Prefix messages originating from verifier.
- Fix #275: Drop unnecessary root server checks.
30 May 2023: Wouter
- Next version is 4.7.0, instead of 4.6.2, because of the added
features, like TLS for DNSTAP.
- Fix unused variable warning in unit test, from clang compile.
24 May 2023: Wouter
- For #279: Note that autoreconf -fi creates the configure script
and also the needed auxiliary files, for autoconf 2.69 and 2.71.
4 May 2023: Wouter
- Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h.
1 May 2023: Wouter
- make depend.
- Fix for build to run flex and bison before compiling code that needs
the headers.
13 April 2023: Wouter
- Fix cirrus script for submit to coverity scan to libtoolize
the configure script components config.guess and config.sub.
- Fix readme status badge links.
28 March 2023: Wouter
- Fix#273: Large TXT record breaks AXFR.
- Fix ixfr create from adding too many record types.
16 March 2023: Wouter
- Fix include brackets for ssl.h include statements, instead of quotes.
- Fix static analyzer warning about nsd_event_method initialization.
15 March 2023: Wouter
- Dnstap tls code fixes.
14 March 2023: Wouter
- Fix dnstap to not check socket path when using IP address.
- dnstap over TLS, default enabled. Configured with the
options dnstap-tls, dnstap-tls-server-name, dnstap-tls-cert-bundle,
dnstap-tls-client-key-file and dnstap-tls-client-cert-file.
- Fix to compile without ssl with dnstap-tls code.
9 March 2023: Wouter
- Fix#271: DNSTAP over TCP, with dnstap-ip: "127.0.0.1@3333".
- Fix to clean more memory on exit of dnstap collector.
23 February 2023: Wouter
- Fix#270: reserved identifier violation.
20 February 2023: Wouter
- Merge #269 from Fale: Add systemd service unit.
16 February 2023: Wouter
- Fix#266: Fix build with --without-ssl.
- Fix#267: Allow unencrypted local operation of nsd-control.
- Fix for #267: neater variable definitions.
2 February 2023: Wouter
- Merge #265: Fix C99 compatibility issue.
30 January 2023: Wouter
- Merge #263: Add bash autocompletion script for nsd-control.
- Fix for #262: More error logging for SSL read failures for zone
transfers.
27 January 2023: Wouter
- Fix#262: Zone(s) not synchronizing properly via TLS.
- Fix ixfr_and_restart test to wait for processes to come to a stop.
26 January 2023: Wouter
- Fix configure for -Wstrict-prototypes.
10 November 2022: Wouter
- Tag for NSD 4.6.1, the repository continues with version 4.6.2.
- Fix#239: -Wincompatible-pointer-types warning in remote.c.
- Fix unit tests to succeed with --disable-bind8-stats.
1 November 2022: Wouter
- Fixup for non-trailing newline lexer change warnings.
- Update doc/RELNOTES for changes.
- Fix ixfr_gone unit test to not use system default zone list file.
- Fix credns tests for vm usage, and not use system default zone
list file.
- Fix verify tests to use more portable bash location in script.
- Fix verify_again test to use ipv4 address for test.
1 November 2022: Tom
- Add SVCB dohpath support
28 September 2022: Jeroen
- Set ALPN "dot" token during connection establishment as per RFC9103
section 7.1 (Thanks Cesar Kuroiwa).
21 September 2022: Tom
- Change zone parsing to accept non-trailing newline.
1 September 2022: Wouter
- Merge #231 from moritzbuhl: Fix checking if nonblocking sockets work
on OpenBSD.
19 August 2022: Wouter
- Update cirrus build script for newer Ubuntu image, and FreeBSD
build with libtoolize to install auxiliary files.
- Update to clang 14 in cirrus build test on Ubuntu Jammy 22.04.
7 July 2022: Tom
- Fix#212: Change commandline control actions to always log.
1 July 2022: Wouter
- Fix static analyzer reports, fix wrong log print when skipping xfr,
fix to print error on pipe read fail, and assert an xfr is in
progress during packet checks.
https://www.top10vpn.com/research/wifi-vulnerabilities/
PEAP client: Update Phase 2 authentication requirements
The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.
Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.
Allow Phase 2 authentication behavior to be configured with a new phase1
configuration parameter option:
'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
tunnel) behavior for PEAP:
* 0 = do not require Phase 2 authentication
* 1 = require Phase 2 authentication when client certificate
(private_key/client_cert) is not used and TLS session resumption was
not used (default)
* 2 = require Phase 2 authentication in all cases
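The two ends of the misconfiguration described above, as an added wpa_supplicant.conf example (this is not part of the hostap change itself): the first network block leaves out ca_cert, so Phase 1 does not authenticate the server and, before this change, a server that skipped Phase 2 would still have been accepted; the second pins the trust root and server name and sets the new phase1 option to its strictest value. The SSID, identity, password, certificate path and domain_match value are placeholders, not values from the page.

```conf
# Weak: no trust root, so the TLS server certificate in Phase 1 is never
# validated. Before this change a server could also skip Phase 2 and the
# client would still consider itself authenticated.
network={
    ssid="corp-wifi"                 # placeholder
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"                 # placeholder
    password="s3cret"                # placeholder
    phase2="auth=MSCHAPV2"
    # ca_cert is missing: the common deployed misconfiguration
}

# Hardened: validate the server in Phase 1 and require Phase 2 in all
# cases (phase2_auth=2), so the server can never skip inner authentication.
network={
    ssid="corp-wifi"                 # placeholder
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"                 # placeholder
    password="s3cret"                # placeholder
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"   # placeholder path
    domain_match="radius.corp.example"            # placeholder name
    phase1="phase2_auth=2"
    phase2="auth=MSCHAPV2"
}
```

phase2_auth=2 only stops the server from skipping inner authentication; it is not a substitute for ca_cert. Without a trust root the inner MSCHAPv2 exchange still runs against whatever server terminated the TLS tunnel, and the new default (phase2_auth=1) also disables TLS session resumption, so expect one full handshake per connection where it applies.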
To keep its cache database efficient, `named` running as a recursive
resolver occasionally attempts to clean up the database. It uses
several methods, including some that are asynchronous: a small
chunk of memory pointing to the cache element that can be cleaned
up is first allocated and then queued for later processing. It was
discovered that if the resolver is continuously processing query
patterns triggering this type of cache-database maintenance, `named`
may not be able to handle the cleanup events in a timely manner.
This in turn enables the list of queued cleanup events to grow
infinitely large over time, allowing the configured `max-cache-size`
limit to be significantly exceeded. This issue affects BIND 9
versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1.
A bad interaction between DNS64 and serve-stale may cause `named`
to crash with an assertion failure during recursive resolution,
when both of these features are enabled. This issue affects BIND
9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0
through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1
through 9.18.21-S1.
A flaw in query-handling code can cause `named` to exit prematurely
with an assertion failure when:
- `nxdomain-redirect <domain>;` is configured, and
- the resolver receives a PTR query for an RFC 1918 address that
  would normally result in an authoritative NXDOMAIN response.
This issue affects BIND 9 versions 9.12.0 through 9.16.45,
9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through
9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
The DNS message parsing code in `named` includes a section whose
computational complexity is overly high. It does not cause problems
for typical DNS traffic, but crafted queries and responses may
cause excessive CPU load on the affected `named` instance by
exploiting this flaw. This issue affects both authoritative servers
and recursive resolvers. This issue affects BIND 9 versions 9.0.0
through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19,
9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and
9.18.11-S1 through 9.18.21-S1.
reported by Ken Wellsch on port-sparc.
config.guess knows that this CPU is a turbosparc, and that's what
passes "turbosparc" not "sparc" further down.
XXX: pullup-10.
Summary of changes in tzdata2024a (2024-02-01 09:28:56 -0800):
* Kazakhstan unifies on UTC+5.
* Palestine summer time begins a week later than previously predicted
in 2024 and 2025.
* Historic corrections for Asia/Ho_Chi_Minh (1955) America/Toronto (1947-9)
and America/Miquelon (1911).
It breaks builds in xorg-server.old/hw/xfree86/Xorg on alpha,
netwinder, and sgimips (but not vax).
>> dependall ===> external/mit/xorg/server/xorg-server.old/hw/xfree86/Xorg
>> nbmake[13]: don't know how to make [...]/xorg-server.old/hw/xfree86/dixmods/fb/libfb.a. Stop
this enables additional optimisations in GCC. from the README:
isl is a thread-safe C library for manipulating sets and relations
of integer points bounded by affine constraints. The descriptions of
the sets and relations may involve both parameters and existentially
quantified variables. All computations are performed in exact integer
arithmetic using GMP.
isl is released under the MIT license, but depends on the LGPL GMP
library.
Update the RaspberryPI firmware to the version from
https://github.com/raspberrypi/rpi-firmware
commit fdb9eafae4b83e553593937eae8e77b0193903c3
Author: Dom Cobley <popcornmix@gmail.com>
Date: Tue Oct 17 15:59:45 2023 +0100
kernel: Bump to 6.1.58
...
firmware: config: Add [pi5] to config.txt on 2711 and earlier platforms
of the database and update the read-write copy with the new firewall ids.
Before we did not update the state file so it contained the old firewall ids.
December 22, 2023: 3.8.4/3.7.9
==============================
Security: this release adds support to defend against an email
spoofing attack (SMTP smuggling) on recipients at a Postfix server.
For background, see https://www.postfix.org/smtp-smuggling.html.
Sites concerned about SMTP smuggling attacks should enable this
feature on Internet-facing Postfix servers. For compatibility with
non-standard clients, Postfix by default excludes clients in
mynetworks from this countermeasure.
The recommended settings are:
# Optionally disconnect remote SMTP clients that send bare newlines,
# but allow local clients with non-standard SMTP implementations
# such as netcat, fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
The smtpd_forbid_bare_newline feature is disabled by default.
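The attack the smtpd_forbid_bare_newline setting defends against, as an added Python example (this is not Postfix code): a constructed DATA payload with a bare <LF> ahead of a "." line is parsed once by a strict RFC 5321 receiver and once by a receiver that treats a bare LF as a line ending, and a bare-newline check then models the recommended settings above, including the $mynetworks exclusion. The message content and addresses are made up.

```python
from __future__ import annotations
import re

# Constructed DATA payload (not a real capture). A relay that ends DATA only at
# <CR><LF>.<CR><LF> forwards all of it as ONE message body; the "\n.\r\n" in
# the middle is the pivot a lenient receiver misreads as end-of-data.
SMUGGLED = (
    b"From: alice@example.org\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"legit body\r\n"
    b"\n.\r\n"                          # bare LF, then dot, then CRLF
    b"MAIL FROM:<ceo@example.net>\r\n"  # spoofed envelope sender
    b"RCPT TO:<bob@example.net>\r\n"
    b"DATA\r\n"
    b"From: ceo@example.net\r\n"
    b"\r\n"
    b"wire money now\r\n"
    b".\r\n"
)


def split_strict(data: bytes) -> tuple[bytes, bytes]:
    """RFC 5321 receiver: only <CRLF>.<CRLF> ends DATA. Returns (body, bytes after DATA)."""
    probe = b"\r\n" + data                      # so a terminator on the first line is found too
    idx = probe.find(b"\r\n.\r\n")
    if idx < 0:
        return data, b""                        # still inside DATA
    return probe[2:idx + 2], probe[idx + 5:]


LENIENT_END = re.compile(rb"(?:^|\r?\n)\.\r?\n")


def split_lenient(data: bytes) -> tuple[bytes, bytes]:
    """Receiver that treats a bare LF as a line ending: <LF>.<LF> or <LF>.<CRLF> ends DATA."""
    m = LENIENT_END.search(data)
    if not m:
        return data, b""
    newline_before_dot = m.group(0)[: m.group(0).index(b".")]
    return data[: m.start()] + newline_before_dot, data[m.end():]


def smuggled_commands(leftover: bytes) -> list[str]:
    """Command verbs a lenient receiver would execute from the leftover bytes, up to DATA."""
    verbs = []
    for line in leftover.split(b"\r\n"):
        verb = line.split(b":", 1)[0].split(b" ", 1)[0].upper()   # "MAIL FROM:<..>" -> MAIL
        if not verb:
            continue
        verbs.append(verb.decode("ascii", "replace"))
        if verb == b"DATA":
            break
    return verbs


def bare_newline_offsets(data: bytes) -> list[int]:
    """Offsets of every LF not preceded by CR: the input smtpd_forbid_bare_newline acts on."""
    return [i for i, b in enumerate(data) if b == 0x0A and (i == 0 or data[i - 1] != 0x0D)]


def smtpd_decision(data: bytes, client_in_mynetworks: bool) -> str:
    """Model of the recommended settings: forbid bare newlines, except for $mynetworks."""
    if bare_newline_offsets(data) and not client_in_mynetworks:
        return "disconnect"
    return "accept"


if __name__ == "__main__":
    body, rest = split_lenient(SMUGGLED)
    print("lenient receiver executes:", smuggled_commands(rest))   # second, spoofed message
    print("strict receiver leftover:", split_strict(SMUGGLED)[1])   # b'' -> one message only
    print("untrusted client:", smtpd_decision(SMUGGLED, client_in_mynetworks=False))
```

The strict parser sees one message whose body happens to contain "MAIL FROM:" lines; the lenient one ends the first message at the bare LF and then executes the smuggled envelope, which is why the sender spoof survives SPF (the TCP connection still comes from the legitimate relay). Rejecting the bare LF up front removes the ambiguity instead of trying to agree on a terminator.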
November 1, 2023: 3.8.3/3.7.8
=============================
Bugfix (defect introduced Postfix 2.5, date 20080104): the Postfix
SMTP server was waiting for a client command instead of replying
immediately, after a client certificate verification error in TLS
wrappermode. Reported by Andreas Kinzler.
Usability: the Postfix SMTP server (finally) attempts to log the
SASL username after authentication failure. In Postfix logging,
this appends ", sasl_username=xxx" after the reason for SASL
authentication failure. The logging replaces an unavailable reason
with "(reason unavailable)", and replaces an unavailable sasl_username
with "(unavailable)". Based on code by Jozsef Kadlecsik.
Compatibility bugfix (defect introduced: Postfix 2.11, date 20130405):
in forward_path, the expression ${recipient_delimiter} would expand
to an empty string when a recipient address had no recipient
delimiter. The compatibility fix is to use a configured recipient
delimiter value instead. Reported by Tod A. Sandman.
September 1, 2023: 3.8.2/3.7.7
==============================
Bugfix (defect introduced: Postfix alpha, 19980207): the valid_hostname()
check in the Postfix DNS client library was blocking unusual but
legitimate wildcard names (*.name) in some DNS lookup results and
lookup requests. Examples:
    name              class/type   result
    *.one.example     IN CNAME     *.other.example
    *.other.example   IN A         10.0.0.1
    *.other.example   IN TLSA      ..certificate info...
Such syntax is blessed in RFC 1034 section 4.3.3.
Bugfix (defect introduced: Postfix 3.0, 20140218): when an address
verification probe fails during or after an opportunistic TLS
handshake, don't enforce a minimum time-in-queue before falling
back to plaintext. Problem reported by Serg.
June 5, 2023: 3.8.1/3.7.6
=========================
Optional: harden a Postfix SMTP server against remote SMTP clients
that violate RFC 2920 (or 5321) command pipelining constraints.
With "smtpd_forbid_unauth_pipelining = yes", the server disconnects
a client immediately, after responding with "554 5.5.0 Error: SMTP
protocol synchronization" and after logging "improper command
pipelining" with the unexpected remote SMTP client input. This
feature is disabled by default in Postfix 3.5-3.8 to avoid breaking
home-grown utilities, but it is enabled by default in Postfix 3.9.
A similar feature is enabled by default in the Exim SMTP server.
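A simplified model of the check described above, as an added Python example (this is not Postfix code): given the bytes a server has read before it has replied to the first command, it reports the unexpected extra client input when the server did not announce PIPELINING, or when the first command is one that RFC 2920 says must end a pipelined group. Postfix's real check differs in where in the session it runs; the state handling here is an assumption for illustration.

```python
from __future__ import annotations

# RFC 2920 section 3.1: the only commands a client may follow with further
# commands without waiting for the reply (and only if PIPELINING was announced).
PIPELINABLE = {b"RSET", b"MAIL", b"SEND", b"SOML", b"SAML", b"RCPT"}

SYNC_ERROR = "554 5.5.0 Error: SMTP protocol synchronization"


def improper_pipelining(read_buffer: bytes, pipelining_announced: bool) -> bytes | None:
    """read_buffer is what the server has read before replying to the first
    command line in it. Returns the unexpected extra client input (what the
    server would log as "improper command pipelining"), or None if legitimate."""
    line, sep, rest = read_buffer.partition(b"\r\n")
    if not sep or not rest:
        return None                      # exactly one command: nothing pipelined
    verb = line.split(b" ", 1)[0].upper()
    if not pipelining_announced or verb not in PIPELINABLE:
        return rest
    return None


def respond(read_buffer: bytes, pipelining_announced: bool, forbid: bool) -> tuple[str, bool]:
    """(reply line, disconnect?) for the first command, honouring
    smtpd_forbid_unauth_pipelining = forbid. "250 OK" is a placeholder for the
    normal reply path, which depends on the command."""
    extra = improper_pipelining(read_buffer, pipelining_announced)
    if forbid and extra is not None:
        return SYNC_ERROR, True
    return "250 OK", False


if __name__ == "__main__":
    # Constructed client input: a command that must end a pipelined group, followed by another.
    burst = b"EHLO client.example\r\nMAIL FROM:<a@example.org>\r\n"
    print(respond(burst, pipelining_announced=True, forbid=True))   # 554 ..., disconnect
    print(respond(burst, pipelining_announced=True, forbid=False))  # 250 OK, keep going
```

Why this matters: a client that sends MAIL/RCPT before reading the banner or the EHLO reply is usually either a spam bot or a tool probing for the kind of desynchronisation the smuggling defence above addresses; legitimate clients that pipeline only do so after EHLO and only with the commands in PIPELINABLE.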
Optional: some OS distributions crank up TLS security to 11, and
in doing so increase the number of plaintext email deliveries. This
introduces basic OpenSSL configuration file support that may be
used to override OS-level settings. Details are in the postconf(5)
manpage under tls_config_file and tls_config_name.
Bugfix (defect introduced: Postfix 1.0): the command "postconf ..
name=v1 .. name=v2 .." (multiple instances of the same parameter
name) created multiple main.cf name=value entries with the same
parameter name. It now logs a warning and skips the earlier name(s)
and value(s). Found during code maintenance.
Bugfix (defect introduced: Postfix 3.3): the command "postconf -M
name1/type1='name2 type2 ...'" died with a segmentation violation
when the request matched multiple master.cf entries. The master.cf
file was not damaged. Problem reported by SATOH Fumiyasu.
Bugfix (defect introduced: Postfix 2.11): the command "postconf -M
name1/type1='name2 type2 ...'" could add a service definition to
master.cf that conflicted with an already existing service definition.
It now replaces all existing service definitions that match the
service pattern 'name1/type1' or the service name and type in 'name2
type2 ...' with a single service definition 'name2 type2 ...'.
Problem reported by SATOH Fumiyasu.
Bugfix (defect introduced: Postfix 3.8) the posttls-finger command
could access uninitialized memory when reconnecting. This also
fixes a malformed warning message when a destination contains
":service" information. Reported by Thomas Korbar.
Bugfix (defect introduced: Postfix 3.2): the MySQL client could
return "not found" instead of "error" (for example, resulting in
a 5XX SMTP status instead of 4XX) during the time that all MySQL
server connections were turned down after error. Found during code
maintenance. File: global/dict_mysql.c. This was already fixed in
Postfix 3.4-3.7.
April 18, 2023: 3.7.5
=====================
Bugfix (problem introduced in Postfix 3.5): check_ccert_access did
not handle inline map specifications. Report and fix by Sean
Gallagher.
Bugfix (problem introduced in Postfix 3.4): the posttls-finger
command failed to detect that a connection was resumed in the case
that a server did not return a certificate. Fix by Viktor Dukhovni.
Workaround: OpenSSL 3.x EVP_get_cipherbyname() can return lazily-bound
handles. Postfix now checks that the expected functionality will
be available instead of failing later. Fix by Viktor Dukhovni.
Safety: the long form "{ name = value }" in import_environment or
export_environment is not documented (with spaces around the '='),
but it was silently accepted, and it was stored in the process
environment as the invalid form "name = value", thus not setting
or overriding an entry for "name". This form is now stored as the
expected "name=value". Found during code maintenance.
Bugfix (problem introduced in Postfix 3.2): the MySQL client could
return "not found" instead of "error" (for example, resulting in
a 5XX SMTP status instead of 4XX) during the time that all MySQL
server connections were turned down after error. Found during code
maintenance.
April 17, 2023: 3.8.0
=====================
Support to look up DNS SRV records in the Postfix SMTP/LMTP client,
Based on code by Tomas Korbar (Red Hat). For example, with
"use_srv_lookup = submission" and "relayhost = example.com:submission",
the Postfix SMTP client will look up DNS SRV records for
_submission._tcp.example.com, and will relay email through the
hosts and ports that are specified with those records.
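What "relay email through the hosts and ports that are specified with those records" involves, as an added Python example that is not Postfix code: it maps the use_srv_lookup/relayhost settings to the SRV owner name, then orders a constructed answer for _submission._tcp.example.com by RFC 2782 priority and weight. The record values and host names are made up; the weighted selection is the RFC algorithm, not an attempt to mirror Postfix's implementation.

```python
from __future__ import annotations
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str          # RFC 2782: a target of "." means the service is not offered


# Constructed answer for _submission._tcp.example.com (not a real zone).
SAMPLE_SRV = [
    Srv(priority=20, weight=0, port=587, target="backup.example.com"),
    Srv(priority=10, weight=60, port=587, target="mx1.example.com"),
    Srv(priority=10, weight=40, port=2525, target="mx2.example.com"),
]
NOT_OFFERED = [Srv(priority=0, weight=0, port=0, target=".")]


def srv_owner_name(relayhost: str, use_srv_lookup: set[str]) -> str | None:
    """Owner name to query for a relayhost like "example.com:submission", or None
    when the service is not listed in use_srv_lookup (host:port is then used as-is)."""
    host, sep, service = relayhost.rpartition(":")
    if not sep or service not in use_srv_lookup:
        return None
    return f"_{service}._tcp.{host}"


def order_srv(records: list[Srv], rng: random.Random | None = None) -> list[tuple[str, int]]:
    """RFC 2782 ordering: lowest priority first; within one priority, repeated
    weighted random draws (zero-weight targets go first in the running sum, so
    they are rarely chosen). Returns (host, port) pairs in connection order."""
    rng = rng or random.Random()
    if len(records) == 1 and records[0].target == ".":
        return []
    ordered: list[tuple[str, int]] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            pool.sort(key=lambda r: r.weight != 0)          # zero-weight entries first
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            chosen = pool[-1]
            for r in pool:
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append((chosen.target, chosen.port))
            pool.remove(chosen)
    return ordered


if __name__ == "__main__":
    name = srv_owner_name("example.com:submission", {"submission"})
    print(name)                                  # _submission._tcp.example.com
    print(order_srv(SAMPLE_SRV))                 # mx1/mx2 in random order, backup last
```

Note that with SRV in use the port, not just the host, comes out of DNS: the record-supplied 2525 above is what the client connects to. That is one reason to make sure the SRV lookup is DNSSEC-validated or the target is covered by TLS policy before turning use_srv_lookup on for a relayhost.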
TLS obsolescence: Postfix now treats the "export" and "low" cipher
grade settings as "medium". The "export" and "low" grades are no
longer supported in OpenSSL 1.1.1, the minimum version required in
Postfix 3.6.0 and later. Also, Postfix default settings now exclude
deprecated or unused ciphers (SEED, IDEA, 3DES, RC2, RC4, RC5),
digest (MD5), key exchange algorithms (DH, ECDH), and public key
algorithm (DSS).
Attack resistance: the Postfix SMTP server can now aggregate
smtpd_client_*_rate and smtpd_client_*_count statistics by network
block instead of by IP address, to raise the bar against a memory
exhaustion attack in the anvil(8) server; Postfix TLS support
unconditionally disables TLS renegotiation in the middle of an SMTP
connection, to avoid a CPU exhaustion attack.
The PostgreSQL client encoding is now configurable with the "encoding"
Postfix configuration file attribute. The default is "UTF8".
Previously the encoding was hard-coded as "LATIN1", which is not
useful in the context of SMTP.
The postconf command now warns for #comment in or after a Postfix
parameter value. Postfix programs do not support #comment after
other text, and treat that as input.
January 12, 2023: 3.7.4
=======================
Workaround: with OpenSSL 3 and later always turn on
SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages and missed
opportunities for TLS session reuse. This is safe because the SMTP
protocol implements application-level framing, and is therefore
not affected by TLS truncation attacks. Fix by Viktor Dukhovni.
Workaround: OpenSSL 3.x EVP_get_digestbyname() can return lazily-bound
handles for digest implementations. In sufficiently hostile
configurations, Postfix could mistakenly believe that a digest
algorithm is available, and fail when it is not. A similar workaround
may be needed for EVP_get_cipherbyname(). Fix by Viktor Dukhovni.
Bugfix (bug introduced in Postfix 2.11): the checkok() macro in
tls/tls_fprint.c evaluated its argument unconditionally; it should
evaluate the argument only if there was no prior error. Found during
code review.
Bugfix (bug introduced in Postfix 2.8): postscreen died with a
segmentation violation when postscreen_dnsbl_threshold < 1. It
should reject such input with a fatal error instead. Discovered by
Benny Pedersen.
Bitrot: fixes for linker warnings from newer Darwin (MacOS) versions.
Viktor Dukhovni.
Portability: Linux 6 support.
Added missing documentation that cidr:, pcre: and regexp: tables
support inline specification only in Postfix 3.7 and later.
Summary of changes in tzdata2023d (2023-12-21 20:02:24 -0800):
* Ittoqqortoormiit, Greenland (America/Scoresbysund) joins most of
the rest of Greenland's timekeeping practice on 2024-03-31, by
changing its time zone from -01/+00 to -02/-01.
* Fix predictions for DST transitions in Palestine in 2072-2075,
correcting a typo introduced in 2023a.
* Various fixes to zones for several Antarctic bases.
According to https://www.rfc-editor.org/rfc/rfc7143#section-11.15,
these are both 2-byte quantities. Loading 4-byte quantities and
passing them through ISCSI_NTOHS might have worked by accident on
x86, but it's not gonna fly on big-endian. (Fortunately sparc64 is
not just big-endian but also strict-alignment so it caught this
problem!)
XXX Is there an upstream for this code? doc/3RDPARTY doesn't cite
any easily-followed references.
PR port-sparc64/57784
XXX pullup-10
XXX pullup-9
XXX pullup-8
Where an output register might be reloaded, and it is a memory
reference, and the address is auto-incremented, any previously
reloaded copy of the address must be invalidated.
XXXKD: Hidden within ``#ifdef NB_FIX_VAX_BACKEND'' and enabled
only for vax at the moment.
* privsep: Stop proxying stderr to console and fix some detachment issues
* non-privsep: Fix launcher hangup
* DHCP6: Allow the invalid interface name - to mean don't assign an address from a delegated prefix
* DHCP6: Load the configuration for the interface being activated from prefix delegation
commit 2e92a49f90f73c8edc44b25c6e669d5e70893c90
Author: Gourav Samaiya <gsamaiya@nvidia.com>
Date: Mon Apr 3 16:13:19 2023 +0530
nvidia: update Tu10x and Tu11x signed firmware to support newer Turing HW
Signed-off-by: Gourav Samaiya <gsamaiya@nvidia.com>
Tested-by: Karol Herbst <kherbst@redhat.com>
Signed-off-by: Josh Boyer <jwboyer@kernel.org>
Difference from previous import:
Import nvidia firmware from linux-firmware repository at commit:
commit 2e92a49f90f73c8edc44b25c6e669d5e70893c90
Author: Gourav Samaiya <gsamaiya@nvidia.com>
Date: Mon Apr 3 16:13:19 2023 +0530
nvidia: update Tu10x and Tu11x signed firmware to support newer Turing HW
commit 2c2be4215fe29870dcd9a059ff8778e73269ddc1
Author: Gourav Samaiya <gsamaiya@nvidia.com>
Date: Wed Apr 6 14:44:32 2022 +0530
nvidia: add GA102/GA103/GA104/GA106/GA107 signed firmware
These NVIDIA-signed firmwares are required to enable the graphics engine
on Ampere GA10{2/3/4/6/7} Gpus.
Note that our drm2 driver won't use the GA10{2/3/4/6/7} firmware yet.
The updated Tu10x and Tu11x signed firmware are needed for at least the
nvidia T400 graphic card.
Add support in dtrace for SMAP, so that actions like copyinstr() work.
It would be better if dtrace could use the SMAP_* hotpatch macros directly,
but the hotpatching code does not currently operate on kernel modules,
so we'll use some tiny functions in the base kernel for now.
inspired by the macos top(1).
the first value displayed is the total in/out bytes since boot,
but each update is the amount since the prior update. the new
fetching code heavily based upon netstat/if.c.
old version:
Swap: 128G Total, 128G Free / Pools: 13G Used
new version:
Swap: 128G Total, 128G Free / Pools: 13G Used, / Network: 26M In, 804K Out
update the list of people who have contributed to m_netbsd.c.
privsep: Notify processes that dhcpcd has daemonised so they dup
stdout and stderr to /dev/null.
This avoids scripts failing with SIGPIPE if they try and write
to these streams.
This means the certificate is trusted for the listed purpose, not as
a CA to issue certificates for the listed purpose.
Clarify warning message in this case.
No change to imported certificates so no need to regen or pull up --
this designator does not actually appear in certdata.txt, only in
Mozilla nss source code.
Summary of changes:
(1) HAVE_AS_CFI_SECTIONS becomes defined.
(2) mempcpy.o is dropped as mempcpy(3) was added to -current
(but not to netbsd-10).
(3) working directories in usr.bin/gcc/arch/vax/configargs.h.
(1) will be pulled up into netbsd-10. I've confirmed that
pkgsrc/lang/perl5 builds and works as before with this change.
For now, (3) is reverted by hand. It would be better to improve mknative
not to leak working directories. But it should be NFC anyway.
For vax, mknative for binutils and gdb does not bring about significant
changes.
For other platforms, mknative for gcc.old makes no significant changes
(actually confirmed only for evbarm64, but it should be enough).
Thanks mrg@ for suggestion.
Add a part of the original diff provided by Kalvis Duckmanton,
which I carelessly dropped during NB_FIX_VAX_BACKEND addition.
Fix ICE in DSE phase for native GCC. Now, pkgsrc/lang/perl5
successfully builds again.
Define separate instruction patterns for extzv for the cases where the field
width and offset happen to be a multiple of a byte or word.
If in PIC mode, and the source operand to extzv is a memory
reference, and the address of the memory location is an external
symbol, load the address into a temporary register before expanding
the instruction.
Adjust the constraints to the zero_extract instruction pattern to
disallow indexed source operands, as the VAX extzv instruction
computes offsets based on the size of a byte (not a word or a
longword)
If in PIC mode, and the source operand to extv is a memory reference, and the
address of the memory location is an external symbol, load the address into a
temporary register before expanding the instruction.
If in PIC mode, and the source operand to insv is a memory reference,
and the address of the memory location is an external symbol, load the
address into a temporary register before expanding the instruction.
PR port-vax/50384: NetBSD/vax 7.0 gcc-4.8.4 gets ICE by SIGILL
Fix for https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=50384
as encountered in gcc 7 in NetBSD 7.
VAX's FFS instruction as used in GCC's count_zero and ffssi2 instructions
uses the Z flag to indicate whether a set bit was found or not; GCC expects
the Z flag to consistently indicate whether the result is zero.
Bitfield instructions will generate a reserved operand fault if the
operands are not reasonable (size > 32, position > 31 and size not
zero and field in a register). GCC generates code to test for these
conditions but in certain circumstances, the optimiser may decide
that a bitfield extraction instruction is invariant and move it
ahead of the instructions testing its arguments.
Introduce a new target hook to indicate to GCC that a bitfield
instruction may trap and update may_trap_p_1()
XXXRO: Although this patch includes diffs outside gcc/config/vax,
NFC for !TARGET_BITFIELD_MAY_TRAP_P, i.e., other than vax.
A reload for the address of an operand's address should not use the same
register as a reload of an operand's address if the two reloads are for
different operands
XXXRO: Hidden within ``#ifdef NB_FIX_VAX_BACKEND'' and enabled only for
vax at the moment.
load the address operand of a SUBREG into a register to allow virtual
registers to be instantiated
XXXRO: Hidden within ``#ifdef NB_FIX_VAX_BACKEND'' and enabled only for
vax at the moment.
Shift right by positive values that are less than HOST_BITS_PER_WIDE_INT
to avoid illegal instruction exceptions on VAX.
XXXRO: Hidden within ``#ifdef NB_FIX_VAX_BACKEND'' and enabled only for
vax at the moment.
Constrain offsets within subregister expressions to be a multiple of
the size of the data type requested. That is, offsets for a word sized
(2 byte) subregister may only be multiples of 2.
XXXRO: Hidden within ``#ifdef NB_FIX_VAX_BACKEND'' and enabled only for
vax at the moment.
Reduce expressions specifying an address of a 64 bit quantity to
a sequence of assignments to temporary variables; this allows virtual
registers to be instantiated properly.
Add a special case to the zero_extract instruction to handle the case
where 32 bits are requested (i.e. the entire word). When printing a mask
operand, avoid generating values that might overflow a 32 bit word.
DHCP: Don't crash on a test run
dhcpcd: Fix off-by-one overflow when read() writes full BUFSIZ
privsep: fix strlcpy overflow in psp_ifname
privsep: Fix a FD leak when processes exit
dhcpcd: Use a local variable instead of the optind
dhcpcd: Guard against handling many SIGTERM/SIGINT
DHCP6: Send correct amount of used buffer for prefix exclude option
options: andsf6 is DHCPv6, not DHCP
options: introduce the uri option as opposed to a string
DHCP6: Set all requested addrs as not stale when starting discovery
This has to be able to printf("%c", ...) to emit arbitrary bytes of
output in order to decode the octal-formatted DER data and print it
as raw binary DER data.
Relevant only at import time, doesn't affect builds.
Since <assert.h> 1.26, the 'assert' macro expands to the same text,
whether in lint mode or not.
Defining the NDEBUG macro was redundant, as it is conditionally defined
depending on SQLITE_DEBUG.
This has very little value in itself; it's intended to make a material
change to this file to facilitate rebuilds. Otherwise, people running
update builds on branches will run into mismatches and build failures
after our switch to use arc4random(3). (That is, this change is
intended to be pulled up.)
This is used only by dump and swap, which won't work safely on zvols
anyway. We should make swap work eventually, but right now it's
leading unwary users into deadlock scenarios, so let's make it fail
early instead.
pool_cache_invalidate invalidates cached objects, but doesn't return
any backing pages to the underlying page allocator.
pool_cache_reclaim does pool_cache_invalidate _and_ returns backing
pages to the underlying page allocator, so it is actually useful for
the page daemon to do when trying to free memory.
PR kern/57558
XXX pullup-10
XXX pullup-9
XXX pullup-8 (by patch to kmem.h instead of kmem.c)
This way, update builds track shlib major bumps correctly.
For example, suppose you had built Heimdal's libkrb5.so.27 and
libgssapi.so.11 linked against it, and then you updated past the recent
shlib major bump raising them to libkrb5.so.28 and libgssapi.so.12.
Without this change, the build will make the following sequence of
targets (interleaved with some others):
1. make dependall in libkrb5
2. make dependall in libgssapi
3. make install in libkrb5
4. make install in libgssapi
The existing .WAIT tags in SUBDIR ensure that (1) happens before (2)
and (3) happens before (4). Unfortunately, this sequence is wrong,
because it will produce the following effect:
1. make dependall in libkrb5 builds libkrb5.so.28
2. make dependall in libgssapi builds libgssapi.so.12, linked against
libkrb5.so.27
3. make install in libkrb5 installs libkrb5.so.28
4. make install in libgssapi installs libgssapi.so.12
Why the out-of-date libkrb5.so.27 in step (2)? Because we just pass
-L${DESTDIR}/usr/lib -lkrb5 to the linker (or the equivalent with
--sysroot and implied -L/usr/lib), and ${DESTDIR}/usr/lib still has
only libkrb5.so.27 by the time of step (2), not libkrb5.so.28.
Now any applications that link against libkrb5.so _and_ libgssapi.so
will get libkrb5.so.28 and libgssapi.so.12 -- but transitively, via
libgssapi.so.12, they will also get libkrb5.so.27, which is a recipe
for disaster.
Splicing the Heimdal library subdirectories into lib/Makefile, as
this does, ensures that we run make dependall _and_ make install in
libkrb5 _before_ make dependall in libgssapi, giving the following
correct sequence:
1. make dependall in libkrb5 builds libkrb5.so.28
2. make install in libkrb5 installs libkrb5.so.28
3. make dependall in libgssapi builds libgssapi.so.12, linked against
libkrb5.so.28
4. make install in libgssapi installs libgssapi.so.12
Note that LIBDPLIBS isn't enough here, as implemented. LIBDPLIBS
ensures that the incremental build will remake libgssapi.so. But it
doesn't ensure that the new libkrb5.so.28 is available before then,
so it doesn't prevent this problem.
We use the same mechanism for crypto/external/bsd/openssl/lib
already; this just extends it to other external library collections.
As an alternative, in principle perhaps we could teach LIBDPLIBS to
ensure that libkrb5.so comes out of the libkrb5 objdir, and not out
of ${DESTDIR}/usr/lib. But that requires some work to make happen,
and make it reliable, whereas this approach we've already confirmed
works without other adverse consequences (besides leaving
grody-looking mechanism lying around) for the libcrypto major bump
already. We need to get this pulled up to the branch so all the
other major bumps it required are handled correctly by update builds.
XXX pullup-10