From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 280853] dns/unbound: Update to 1.21.0
Date: Fri, 16 Aug 2024 09:54:03 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280853

            Bug ID: 280853
           Summary: dns/unbound: Update to 1.21.0
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://nlnetlabs.nl/news/2024/Aug/15/unbound-1.21.0-released/
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: jaap@NLnetLabs.nl
 Attachment #252809 maintainer-approval+
             Flags:

Created attachment 252809
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=252809&action=edit
Patch to upgrade

This release has a fix for the CAMP and CacheFlush issues. They have a low
severity for Unbound, since it does not affect Unbound so much.

The Compositional Amplification (CAMP) type of attacks can lead to DoS
attacks against DNS servers. In Unbound legitimate client requests to the
resolvers under typical workload are not directly affected by CAMP attacks.
However we introduce a global quota for 128 outgoing packets per query (and
its subqueries) that is never reset to prevent the combination of CAMP with
other amplification attacks in the future. We would like to thank Huayi
Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec group, ETH
Zurich for discovering and notifying us about the issue.

The CacheFlush type of attacks (NSCacheFlush, CNAMECacheFlush) try to evict
cached data by utilizing rogue zones and a steady rogue stream to a
resolver. Based on the zone, the stream, the configured cache size and the
legitimate traffic, Unbound could experience a degradation of service if a
useful entry is evicted and Unbound needs to resolve again. As a mitigation
to the NSCacheFlush attack Unbound is setting a limit of 20 RRs in an NS
RRset. We would like to thank Yehuda Afek, Anat Bremler-Barr, Shoham Danino
and Yuval Shavitt (Tel-Aviv University and Reichman University) for
discovering and notifying us about the issue.

Other fixes in this release are bug fixes. Also the unbound control
commands that flush the cache can clear both the memory and cachedb module
cache. The ipset module can use BSD pf tables. The new option
dnstap-sample-rate: 100 can be used to log 1/N messages, for use in high
volume server environments where the log server does not keep up.

The new DNSSEC key for the root, 38696 from 2024 has been added. It is
added to the default root keys in unbound-anchor. The content can be
inspected with unbound-anchor -l. Older versions of Unbound can keep up
with the root key with auto-trust-anchor-file that has RFC5011 key
rollover. Also unbound-anchor can fetch the keys from the website with a
certificate if needed.

For cookie secrets, it is possible to perform rollover. The file with the
cookie secret in use and the staging secret is configured with
cookie-secret-file. With the remote control the rollover can be performed;
add_cookie_secret, activate_cookie_secret, drop_cookie_secret and
print_cookie_secrets can be used for that.

This release also has a fix for module loading on Windows.

For a full list of changes, binary and source packages, see the download
page.

-- 
You are receiving this mail because:
You are the assignee for the bug.
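The cookie secret rollover described in the report, walked through the four unbound-control commands it names, as an added example that is not part of the bug report or of the Unbound project. It assumes a 128-bit secret given as 32 hex digits, that add_cookie_secret stages a secret, activate_cookie_secret swaps the staging and active secrets and drop_cookie_secret removes the staging one (the unbound-control manual's semantics, not stated in the report), that openssl is available for generating the secret, and that UNBOUND_CONTROL can be pointed at a stub such as echo for a dry run.

```shell
#!/bin/sh
# Added example (not from the bug report or the Unbound project): roll a
# DNS cookie secret with the unbound-control commands named in the release
# notes.  Assumptions: the secret is 32 hex digits (128 bits); add stages,
# activate swaps staging/active, drop removes the staging secret; openssl
# generates the random secret; UNBOUND_CONTROL may be a stub for dry runs.
set -eu

UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"
# Pause between steps so that every resolver sharing the secret (anycast)
# has the staging secret before it becomes active, and cookies issued under
# the old secret have expired before that secret is dropped.
ROLLOVER_WAIT="${ROLLOVER_WAIT:-3600}"

# Return 0 only for a string of exactly 32 hexadecimal digits.
valid_cookie_secret() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# 16 random bytes rendered as 32 hex digits.
new_cookie_secret() {
    openssl rand -hex 16
}

# Stage the new secret, activate it (old secret becomes staging), then drop
# the old one and print what is now configured.  Refuses malformed input.
rollover_cookie_secret() {
    _secret="$1"
    valid_cookie_secret "$_secret" || {
        echo "rollover: not a 128-bit hex secret: $_secret" >&2
        return 1
    }
    "$UNBOUND_CONTROL" add_cookie_secret "$_secret"
    sleep "$ROLLOVER_WAIT"
    "$UNBOUND_CONTROL" activate_cookie_secret
    sleep "$ROLLOVER_WAIT"
    "$UNBOUND_CONTROL" drop_cookie_secret
    "$UNBOUND_CONTROL" print_cookie_secrets
}

# Only perform the rollover when explicitly asked; sourcing the file or
# running it without --run just defines the functions.
if [ "${1:-}" = "--run" ]; then
    rollover_cookie_secret "$(new_cookie_secret)"
fi
```

Run with `--run` against a live resolver, or with `UNBOUND_CONTROL=echo ROLLOVER_WAIT=0` first to see the exact command sequence without touching anything.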