diff --git a/backport-CVE-2025-5994.patch b/backport-CVE-2025-5994.patch
deleted file mode 100644
index 604809f39521c279d2c4868375f0b25df9b2cf67..0000000000000000000000000000000000000000
--- a/backport-CVE-2025-5994.patch
+++ /dev/null
@@ -1,273 +0,0 @@
-From 5bf82f246481098a6473f296b21fc1229d276c0f Mon Sep 17 00:00:00 2001
-From: "W.C.A. Wijngaards"
-Date: Wed, 16 Jul 2025 10:02:01 +0200
-Subject: [PATCH] - Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li
- from AOSP Lab Nankai University.
-
----
- edns-subnet/subnetmod.c | 152 ++++++++++++++++++++++++++++++++++++----
- edns-subnet/subnetmod.h | 4 ++
- 2 files changed, 142 insertions(+), 14 deletions(-)
-
-diff --git a/edns-subnet/subnetmod.c b/edns-subnet/subnetmod.c
-index ead720f34..c5e215b8b 100644
---- a/edns-subnet/subnetmod.c
-+++ b/edns-subnet/subnetmod.c
-@@ -51,6 +51,7 @@
- #include "services/cache/dns.h"
- #include "util/module.h"
- #include "util/regional.h"
-+#include "util/fptr_wlist.h"
- #include "util/storage/slabhash.h"
- #include "util/config_file.h"
- #include "util/data/msgreply.h"
-@@ -155,7 +156,8 @@ int ecs_whitelist_check(struct query_info* qinfo,
-
- /* Cache by default, might be disabled after parsing EDNS option
- * received from nameserver. */
-- if(!iter_stub_fwd_no_cache(qstate, &qstate->qinfo, NULL, NULL, NULL, 0)) {
-+ if(!iter_stub_fwd_no_cache(qstate, &qstate->qinfo, NULL, NULL, NULL, 0)
-+ && sq->ecs_client_in.subnet_validdata) {
- qstate->no_cache_store = 0;
- }
-
-@@ -522,6 +524,69 @@ common_prefix(uint8_t *a, uint8_t *b, uint8_t net)
- return !memcmp(a, b, n) && ((net % 8) == 0 || a[n] == b[n]);
- }
-
-+/**
-+ * Create sub request that looks up the query.
-+ * @param qstate: query state
-+ * @param sq: subnet qstate
-+ * @return false on failure.
-+ */
-+static int
-+generate_sub_request(struct module_qstate *qstate, struct subnet_qstate* sq)
-+{
-+ struct module_qstate* subq = NULL;
-+ uint16_t qflags = 0; /* OPCODE QUERY, no flags */
-+ int prime = 0;
-+ int valrec = 0;
-+ struct query_info qinf;
-+ qinf.qname = qstate->qinfo.qname;
-+ qinf.qname_len = qstate->qinfo.qname_len;
-+ qinf.qtype = qstate->qinfo.qtype;
-+ qinf.qclass = qstate->qinfo.qclass;
-+ qinf.local_alias = NULL;
-+
-+ qflags |= BIT_RD;
-+ if((qstate->query_flags & BIT_CD)!=0) {
-+ qflags |= BIT_CD;
-+ valrec = 1;
-+ }
-+
-+ fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
-+ if(!(*qstate->env->attach_sub)(qstate, &qinf, qflags, prime, valrec,
-+ &subq)) {
-+ return 0;
-+ }
-+ if(subq) {
-+ /* It is possible to access the subquery module state. */
-+ if(sq->ecs_client_in.subnet_source_mask == 0 &&
-+ edns_opt_list_find(qstate->edns_opts_front_in,
-+ qstate->env->cfg->client_subnet_opcode)) {
-+ subq->no_cache_store = 1;
-+ }
-+ }
-+ return 1;
-+}
-+
-+/**
-+ * Perform the query without subnet
-+ * @param qstate: query state
-+ * @param sq: subnet qstate
-+ * @return module state
-+ */
-+static enum module_ext_state
-+generate_lookup_without_subnet(struct module_qstate *qstate,
-+ struct subnet_qstate* sq)
-+{
-+ verbose(VERB_ALGO, "subnetcache: make subquery to look up without subnet");
-+ if(!generate_sub_request(qstate, sq)) {
-+ verbose(VERB_ALGO, "Could not generate sub query");
-+ qstate->return_rcode = LDNS_RCODE_FORMERR;
-+ qstate->return_msg = NULL;
-+ return module_finished;
-+ }
-+ sq->wait_subquery = 1;
-+ return module_wait_subquery;
-+}
-+
- static enum module_ext_state
- eval_response(struct module_qstate *qstate, int id, struct subnet_qstate *sq)
- {
-@@ -557,14 +622,7 @@ eval_response(struct module_qstate *qstate, int id, struct subnet_qstate *sq)
- * is still useful to put it in the edns subnet cache for
- * when a client explicitly asks for subnet specific answer. */
- verbose(VERB_QUERY, "subnetcache: Authority indicates no support");
-- if(!sq->started_no_cache_store) {
-- lock_rw_wrlock(&sne->biglock);
-- update_cache(qstate, id);
-- lock_rw_unlock(&sne->biglock);
-- }
-- if (sq->subnet_downstream)
-- cp_edns_bad_response(c_out, c_in);
-- return module_finished;
-+ return generate_lookup_without_subnet(qstate, sq);
- }
-
- /* Purposefully there was no sent subnet, and there is consequently
-@@ -589,14 +647,14 @@ eval_response(struct module_qstate *qstate, int id, struct subnet_qstate *sq)
- !common_prefix(s_out->subnet_addr, s_in->subnet_addr,
- s_out->subnet_source_mask))
- {
-- /* we can not accept, restart query without option */
-+ /* we can not accept, perform query without option */
- verbose(VERB_QUERY, "subnetcache: forged data");
- s_out->subnet_validdata = 0;
- (void)edns_opt_list_remove(&qstate->edns_opts_back_out,
- qstate->env->cfg->client_subnet_opcode);
- sq->subnet_sent = 0;
- sq->subnet_sent_no_subnet = 0;
-- return module_restart_next;
-+ return generate_lookup_without_subnet(qstate, sq);
- }
-
- lock_rw_wrlock(&sne->biglock);
-@@ -795,6 +853,9 @@ ecs_edns_back_parsed(struct module_qstate* qstate, int id,
- } else if(sq->subnet_sent_no_subnet) {
- /* The answer can be stored as scope 0, not in global cache. */
- qstate->no_cache_store = 1;
-+ } else if(sq->subnet_sent) {
-+ /* Need another query to be able to store in global cache. */
-+ qstate->no_cache_store = 1;
- }
-
- return 1;
-@@ -812,6 +873,32 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event,
- strmodulevent(event));
- log_query_info(VERB_QUERY, "subnetcache operate: query", &qstate->qinfo);
-
-+ if(sq && sq->wait_subquery_done) {
-+ /* The subquery lookup returned. */
-+ if(sq->ecs_client_in.subnet_source_mask == 0 &&
-+ edns_opt_list_find(qstate->edns_opts_front_in,
-+ qstate->env->cfg->client_subnet_opcode)) {
-+ if(!sq->started_no_cache_store &&
-+ qstate->return_msg) {
-+ lock_rw_wrlock(&sne->biglock);
-+ update_cache(qstate, id);
-+ lock_rw_unlock(&sne->biglock);
-+ }
-+ if (sq->subnet_downstream)
-+ cp_edns_bad_response(&sq->ecs_client_out,
-+ &sq->ecs_client_in);
-+ /* It is a scope zero lookup, append edns subnet
-+ * option to the querier. */
-+ subnet_ecs_opt_list_append(&sq->ecs_client_out,
-+ &qstate->edns_opts_front_out, qstate,
-+ qstate->region);
-+ }
-+ sq->wait_subquery_done = 0;
-+ qstate->ext_state[id] = module_finished;
-+ qstate->no_cache_store = sq->started_no_cache_store;
-+ qstate->no_cache_lookup = sq->started_no_cache_lookup;
-+ return;
-+ }
- if((event == module_event_new || event == module_event_pass) &&
- sq == NULL) {
- struct edns_option* ecs_opt;
-@@ -822,6 +909,8 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event,
- }
-
- sq = (struct subnet_qstate*)qstate->minfo[id];
-+ if(sq->wait_subquery)
-+ return; /* Wait for that subquery to return */
-
- if((ecs_opt = edns_opt_list_find(
- qstate->edns_opts_front_in,
-@@ -851,6 +940,14 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event,
- /* No clients are interested in result or we could not
- * parse it, we don't do client subnet */
- sq->ecs_server_out.subnet_validdata = 0;
-+ if(edns_opt_list_find(qstate->edns_opts_front_in,
-+ qstate->env->cfg->client_subnet_opcode)) {
-+ /* aggregated this deaggregated state */
-+ qstate->ext_state[id] =
-+ generate_lookup_without_subnet(
-+ qstate, sq);
-+ return;
-+ }
- verbose(VERB_ALGO, "subnetcache: pass to next module");
- qstate->ext_state[id] = module_wait_module;
- return;
-@@ -891,6 +988,14 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event,
- }
- lock_rw_unlock(&sne->biglock);
- }
-+ if(sq->ecs_client_in.subnet_source_mask == 0 &&
-+ edns_opt_list_find(qstate->edns_opts_front_in,
-+ qstate->env->cfg->client_subnet_opcode)) {
-+ /* client asked for resolution without edns subnet */
-+ qstate->ext_state[id] = generate_lookup_without_subnet(
-+ qstate, sq);
-+ return;
-+ }
-
- sq->ecs_server_out.subnet_addr_fam =
- sq->ecs_client_in.subnet_addr_fam;
-@@ -927,6 +1032,8 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event,
- qstate->ext_state[id] = module_wait_module;
- return;
- }
-+ if(sq && sq->wait_subquery)
-+ return; /* Wait for that subquery to return */
- /* Query handed back by next module, we have a 'final' answer */
- if(sq && event == module_event_moddone) {
- qstate->ext_state[id] = eval_response(qstate, id, sq);
-@@ -975,10 +1082,27 @@ subnetmod_clear(struct module_qstate *ATTR_UNUSED(qstate),
- }
-
- void
--subnetmod_inform_super(struct module_qstate *ATTR_UNUSED(qstate),
-- int ATTR_UNUSED(id), struct module_qstate *ATTR_UNUSED(super))
-+subnetmod_inform_super(struct module_qstate *qstate, int id,
-+ struct module_qstate *super)
- {
-- /* Not used */
-+ struct subnet_qstate* super_sq =
-+ (struct subnet_qstate*)super->minfo[id];
-+ log_query_info(VERB_ALGO, "subnetcache inform_super: query",
-+ &super->qinfo);
-+ super_sq->wait_subquery = 0;
-+ super_sq->wait_subquery_done = 1;
-+ if(qstate->return_rcode != LDNS_RCODE_NOERROR ||
-+ !qstate->return_msg) {
-+ super->return_msg = NULL;
-+ super->return_rcode = LDNS_RCODE_SERVFAIL;
-+ return;
-+ }
-+ super->return_rcode = LDNS_RCODE_NOERROR;
-+ super->return_msg = dns_copy_msg(qstate->return_msg, super->region);
-+ if(!super->return_msg) {
-+ log_err("subnetcache: copy response, out of memory");
-+ super->return_rcode = LDNS_RCODE_SERVFAIL;
-+ }
- }
-
- size_t
-diff --git a/edns-subnet/subnetmod.h b/edns-subnet/subnetmod.h
-index 1ff8a23ec..3893820fa 100644
---- a/edns-subnet/subnetmod.h
-+++ b/edns-subnet/subnetmod.h
-@@ -102,6 +102,10 @@ struct subnet_qstate {
- int started_no_cache_store;
- /** has the subnet module been started with no_cache_lookup? */
- int started_no_cache_lookup;
-+ /** Wait for subquery that has been started for nonsubnet lookup. */
-+ int wait_subquery;
-+ /** The subquery waited for is done. */
-+ int wait_subquery_done;
- };
-
- void subnet_data_delete(void* d, void* ATTR_UNUSED(arg));
diff --git a/backport-check-before-use-daemon-shm_info.patch b/backport-check-before-use-daemon-shm_info.patch
deleted file mode 100644
index 0e61e6cee8e3703961e3197b266b181b52777e50..0000000000000000000000000000000000000000
--- a/backport-check-before-use-daemon-shm_info.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 073c7301ebdf7511320ec817ad7ecacf6b45c4be Mon Sep 17 00:00:00 2001
-From: eaglegai <31752768+eaglegai@users.noreply.github.com>
-Date: Tue, 21 Jan 2025 22:47:51 +0800
-Subject: [PATCH] check before use daemon->shm_info (#1229)
-
-fix core after the command `unbound-control stop unbound`
-
-fix:https://github.com/NLnetLabs/unbound/issues/1228
-
-Signed-off-by: eaglegai
----
- util/shm_side/shm_main.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/util/shm_side/shm_main.c b/util/shm_side/shm_main.c
-index 6fd1f5ea6..751d6d649 100644
---- a/util/shm_side/shm_main.c
-+++ b/util/shm_side/shm_main.c
-@@ -195,7 +195,7 @@ void shm_main_shutdown(struct daemon* daemon)
- {
- #ifdef HAVE_SHMGET
- /* web are OK, just disabled */
-- if(!daemon->cfg->shm_enable)
-+ if(!daemon->cfg->shm_enable || !daemon->shm_info)
- return;
-
- verbose(VERB_DETAIL, "SHM shutdown - KEY [%d] - ID CTL [%d] ARR [%d] - PTR CTL [%p] ARR [%p]",
diff --git a/backport-unbound-config.patch b/backport-unbound-config.patch
index 9fe78c04178acb723b204536599c0e9fdac09446..61292d494178e5490a69d047c96f0724077d771f 100644
--- a/backport-unbound-config.patch
+++ b/backport-unbound-config.patch
@@ -198,7 +198,7 @@ index 59090c6..33c6209 100644 + harden-referral-path: yes # Harden against algorithm downgrade when multiple algorithms are - # advertised in the DS record. If no, allows the weakest algorithm + # advertised in the DS record. If no, allows any algorithm @@ -567,7 +592,7 @@ server: # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE @@ -304,20 +304,15 @@ index 59090c6..33c6209 100644 # Ignore the CD flag in incoming queries and refuse them bogus data. # Enable it if the only clients of Unbound are legacy servers (w2008) -@@ -731,11 +762,11 @@ server: - +@@ -731,7 +762,7 @@ server: # Serve expired responses from cache, with serve-expired-reply-ttl in - # the response, and then attempt to fetch the data afresh. + # the response. By default it first tries to refresh an expired answer. + # Can be configured with serve-expired-client-timeout. - # serve-expired: no + serve-expired: yes # # Limit serving of expired responses to configured seconds after # expiration. 0 disables the limit. -- # serve-expired-ttl: 0 -+ serve-expired-ttl: 14400 - # - # Set the TTL of expired records to the serve-expired-ttl value after a - # failed attempt to retrieve the record from upstream. This makes sure @@ -762,7 +793,7 @@ server: # Have the validator log failed validations for your diagnosis. @@ -368,8 +363,8 @@ index 59090c6..33c6209 100644 - # ede-serve-expired: no + ede-serve-expired: yes - # Specific options for ipsecmod. Unbound needs to be configured with - # --enable-ipsecmod for these to take effect. + # Enable DNS Error Reporting (RFC9567). + # qname-minimisation is advised to be turned on as well to increase @@ -1083,12 +1120,14 @@ server: # Enable or disable ipsecmod (it still needs to be defined in # module-config above). Can be used when ipsecmod needs to be 
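Review bot: The rebased inner hunk `@@ -731,7 +762,7 @@ server:` drops the `-# serve-expired-ttl: 0` / `+serve-expired-ttl: 14400` pair while `serve-expired: yes` is kept, so unless the override is re-added elsewhere the packaged config falls back to upstream's serve-expired-ttl default, which the surrounding comment itself describes as `0 disables the limit`; stale records could then be served without the previous four-hour bound. The inner header shrinking from 11 to 7 lines on both sides is consistent with those four lines being removed rather than moved. If removing the cap is intended it belongs in the spec changelog; otherwise keep `+	serve-expired-ttl: 14400` (and its `-	# serve-expired-ttl: 0` partner) in the rebased hunk.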
diff --git a/unbound-1.22.0.tar.gz b/unbound-1.23.1.tar.gz similarity index 49% rename from unbound-1.22.0.tar.gz rename to unbound-1.23.1.tar.gz index d9a7e9346dca4bf5bea9715d68617a6e76631529..31c323b9dc63a3ca813a0f540825718b068ad7cf 100644 Binary files a/unbound-1.22.0.tar.gz and b/unbound-1.23.1.tar.gz differ diff --git a/unbound.spec b/unbound.spec index 292598f2f0d101b6b11ef2a60c08e9b3eccba694..f0cfcf46de2fc95fe96cff4176341e0ea3ed9cce 100644 --- a/unbound.spec +++ b/unbound.spec @@ -1,8 +1,8 @@ %{!?delete_la: %global delete_la find $RPM_BUILD_ROOT -type f -name "*.la" -delete} Name: unbound -Version: 1.22.0 -Release: 3 +Version: 1.23.1 +Release: 1 Summary: Unbound is a validating, recursive, caching DNS resolver License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/about/ @@ -21,9 +21,7 @@ Source12: unbound-anchor.timer Source13: unbound-anchor.service Patch1: unbound-remove-buildin-key.patch -Patch14: backport-check-before-use-daemon-shm_info.patch Patch15: backport-unbound-config.patch -Patch16: backport-CVE-2025-5994.patch Patch17: backport-CVE-2025-5994-after-fix-edns-subnet-when-subquery-is-nonsubnet-and-scopezero.patch Patch18: backport-CVE-2025-5994-after-fix-that-edns-subnet-failure-to-create-a-subquery-errors-as-servfail.patch @@ -263,6 +261,12 @@ popd %{_mandir}/man* %changelog +* Wed Sep 17 2025 gaihuiying - 1.23.1-1 +- Type:requirement +- CVE:NA +- SUG:NA +- DESC:update to 1.23.1 + * Tue Aug 19 2025 gaihuiying - 1.22.0-3 - Type:bugfix - CVE:NA
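Review bot: The changelog entry `- DESC:update to 1.23.1` does not record that Patch14 (backport-check-before-use-daemon-shm_info.patch) and Patch16 (backport-CVE-2025-5994.patch) were removed because the fixes are carried upstream, so a reader auditing this package cannot tell from the changelog whether the CVE-2025-5994 fix is still present in the build. Suggest `- DESC:update to 1.23.1, drop backports included upstream (CVE-2025-5994, shm_info check)`. Patch17 and Patch18 stay listed as follow-ups on top of the CVE change; presumably they still apply cleanly against the 1.23.1 tree, which is worth confirming in the build log.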