39 important SUSE ALP Source Standard Core 1.0 Build This update for salt fixes the following issues: - Fix rich rule comparison in firewalld module (bsc#1222684) - test_vultrpy: adjust test expectation to prevent failure after Debian 10 EOL - Make auth.pam more robust with Salt Bundle and fix tests - Fix performance of user.list_groups with many remote groups - Fix "status.diskusage" function and exclude some tests for Salt Bundle - Skip certain tests if necessary for some OSes and set flaky ones - Add a timer to delete old env post update for venv-minion - Several fixes for tests to avoid errors and failures in some OSes - Speed up salt.matcher.confirm_top by using __context__ - Do not call the async wrapper calls with the separate thread - Prevent OOM with high amount of batch async calls (bsc#1216063) - Add missing contextvars dependency in salt.version - Skip tests for unsupported algorithm on old OpenSSL version - Remove redundant `_file_find` call to the master - Prevent possible exception in tornado.concurrent.Future._set_done - Make reactor engine less blocking the EventPublisher - Make salt-master self recoverable on killing EventPublisher - Improve broken events catching and reporting - Make logging calls lighter - Remove unused import causing delays on starting salt-master - Mark python3-CherryPy as recommended package for the testsuite - Make "man" a recommended package instead of required - Convert oscap output to UTF-8 - Make Salt compatible with Python 3.11 - Ignore non-ascii chars in oscap output (bsc#1219001) - Fix detected issues in Salt tests when running on VMs - Make importing seco.range thread safe (bsc#1211649) - Fix problematic tests and allow smooth tests executions on containers - Discover Ansible playbook files as "*.yml" or "*.yaml" files (bsc#1211888) - Provide user(salt)/group(salt) capabilities for RPM 4.19 - Extend dependencies for python3-salt-testsuite and python3-salt packages - Improve Salt and testsuite packages multibuild - Enable multibuilld and create test flavor python3-salt-3006.0-6.8.x86_64.rpm True salt-3006.0-6.8.src.rpm True salt-3006.0-6.8.x86_64.rpm True salt-master-3006.0-6.8.x86_64.rpm True salt-minion-3006.0-6.8.x86_64.rpm True 11 moderate SUSE ALP Source Standard Core 1.0 Build This update for wget fixes the following issues: - CVE-2024-38428: Fix mishandled semicolons in the userinfo subcomponent of a URI. (bsc#1226419) - Update to GNU wget 1.24.5: * Fix how subdomain matches are checked for HSTS. * Wget will now also parse the srcset attribute in <source> HTML tags * Support reading fetchmail style "user" and "passwd" fields from netrc * In some cases, prevent the confusing "Cannot write to... (success)" error messages * Support extremely fast download speeds (TB/s) * Ensure that CSS URLs are corectly quoted * libproxy support is now upstream- drop wget-libproxy.patch wget-1.24.5-1.1.src.rpm wget-1.24.5-1.1.x86_64.rpm wget-debuginfo-1.24.5-1.1.x86_64.rpm wget-debugsource-1.24.5-1.1.x86_64.rpm 10 critical SUSE ALP Source Standard Core 1.0 Build This update for qemu fixes the following issues: - Update to version 8.2.5: * target/loongarch: fix a wrong print in cpu dump * ui/sdl2: Allow host to power down screen * target/i386: fix SSE and SSE2 feature check * target/i386: fix xsave.flat from kvm-unit-tests * disas/riscv: Decode all of the pmpcfg and pmpaddr CSRs * target/riscv/kvm.c: Fix the hart bit setting of AIA * target/riscv: rvzicbo: Fixup CBO extension register calculation * target/riscv: do not set mtval2 for non guest-page faults * target/riscv: prioritize pmp errors in raise_mmu_exception() * target/riscv: rvv: Remove redudant SEW checking for vector fp narrow/widen instructions * target/riscv: rvv: Check single width operator for vfncvt.rod.f.f.w * target/riscv: rvv: Check single width operator for vector fp widen instructions * target/riscv: rvv: Fix Zvfhmin checking for vfwcvt.f.f.v and vfncvt.f.f.w instructions * target/riscv/cpu.c: fix Zvkb extension config * target/riscv: Fix the element agnostic function problem * target/riscv/kvm: tolerate KVM disable ext errors * hw/intc/riscv_aplic: APLICs should add child earlier than realize * iotests: test NBD+TLS+iothread * qio: Inherit follow_coroutine_ctx across TLS * target/arm: Disable SVE extensions when SVE is disabled * hw/intc/arm_gic: Fix handling of NS view of GICC_APR<n> * hvf: arm: Fix encodings for ID_AA64PFR1_EL1 and debug System registers * gitlab: use 'setarch -R' to workaround tsan bug * gitlab: use $MAKE instead of 'make' * dockerfiles: add 'MAKE' env variable to remaining containers * gitlab: Update msys2-64bit runner tags * target/i386: no single-step exception after MOV or POP SS - Update to version 8.2.4. * target/sh4: Fix SUBV opcode * target/sh4: Fix ADDV opcode * hw/arm/npcm7xx: Store derivative OTP fuse key in little endian * hw/dmax/xlnx_dpdma: fix handling of address_extension descriptor fields * hw/ufs: Fix buffer overflow bug * tests/avocado: update sunxi kernel from armbian to 6.6.16 * target/loongarch/cpu.c: typo fix: expection * backends/cryptodev-builtin: Fix local_error leaks * nbd/server: Mark negotiation functions as coroutine_fn * nbd/server: do not poll within a coroutine context * linux-user: do_setsockopt: fix SOL_ALG.ALG_SET_KEY * target/riscv/kvm: change timer regs size to u64 * target/riscv/kvm: change KVM_REG_RISCV_FP_D to u64 * target/riscv/kvm: change KVM_REG_RISCV_FP_F to u32 - Update to version 8.2.3. * Update version for 8.2.3 release * ppc/spapr: Initialize max_cpus limit to SPAPR_IRQ_NR_IPIS. * ppc/spapr: Introduce SPAPR_IRQ_NR_IPIS to refer IRQ range for CPU IPIs. * hw/pci-host/ppc440_pcix: Do not expose a bridge device on PCI bus * hw/isa/vt82c686: Keep track of PIRQ/PINT pins separately * virtio-pci: fix use of a released vector * linux-user/x86_64: Handle the vsyscall page in open_self_maps_{2,4} * hw/audio/virtio-snd: Remove unused assignment * hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum() * hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set * hw/net/lan9118: Fix overflow in MIL TX FIFO * hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE definition * backends/cryptodev: Do not abort for invalid session ID * hw/misc/applesmc: Fix memory leak in reset() handler * hw/block/nand: Fix out-of-bound access in NAND block buffer * hw/block/nand: Have blk_load() take unsigned offset and return boolean * hw/block/nand: Factor nand_load_iolen() method out * qemu-options: Fix CXL Fixed Memory Window interleave-granularity typo * hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs * hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs * hw/display/virtio-gpu: Protect from DMA re-entrancy bugs * mirror: Don't call job_pause_point() under graph lock (bsc#1224179) - Backports and bugfixes: * hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum() (bsc#1222841, CVE-2024-3567) * hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs (bsc#1222843, CVE-2024-3446) * hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs (bsc#1222843, CVE-2024-3446) * hw/display/virtio-gpu: Protect from DMA re-entrancy bugs (bsc#1222843, CVE-2024-3446) * hw/virtio: Introduce virtio_bh_new_guarded() helper (bsc#1222843, CVE-2024-3446) * hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set (bsc#1222845, CVE-2024-3447) * hw/nvme: Use pcie_sriov_num_vfs() (bsc#1220065, CVE-2024-26328) - Update to version 8.2.2 * chardev/char-socket: Fix TLS io channels sending too much data to the backend * tests/unit/test-util-sockets: Remove temporary file after test * hw/usb/bus.c: PCAP adding 0xA in Windows version * hw/intc/Kconfig: Fix GIC settings when using "--without-default-devices" * gitlab: force allow use of pip in Cirrus jobs * tests/vm: avoid re-building the VM images all the time * tests/vm: update openbsd image to 7.4 * target/i386: leave the A20 bit set in the final NPT walk * target/i386: remove unnecessary/wrong application of the A20 mask * target/i386: Fix physical address truncation * target/i386: check validity of VMCB addresses * target/i386: mask high bits of CR3 in 32-bit mode * pl031: Update last RTCLR value on write in case it's read back * hw/nvme: fix invalid endian conversion * update edk2 binaries to edk2-stable202402 * update edk2 submodule to edk2-stable202402 * target/ppc: Fix crash on machine check caused by ifetch * target/ppc: Fix lxv/stxv MSR facility check * .gitlab-ci.d/windows.yml: Drop msys2-32bit job * system/vl: Update description for input grab key * docs/system: Update description for input grab key * hw/hppa/Kconfig: Fix building with "configure --without-default-devices" * tests/qtest: Depend on dbus_display1_dep * meson: Explicitly specify dbus-display1.h dependency * audio: Depend on dbus_display1_dep * ui/console: Fix console resize with placeholder surface * ui/clipboard: add asserts for update and request * ui/clipboard: mark type as not available when there is no data * ui: reject extended clipboard message if not activated * target/i386: Generate an illegal opcode exception on cmp instructions with lock prefix * i386/cpuid: Move leaf 7 to correct group * i386/cpuid: Decrease cpuid_i when skipping CPUID leaf 1F * i386/cpu: Mask with XCR0/XSS mask for FEAT_XSAVE_XCR0_HI and FEAT_XSAVE_XSS_HI leafs * i386/cpu: Clear FEAT_XSAVE_XSS_LO/HI leafs when CPUID_EXT_XSAVE is not available * .gitlab-ci/windows.yml: Don't install libusb or spice packages on 32-bit * iotests: Make 144 deterministic again * target/arm: Don't get MDCR_EL2 in pmu_counter_enabled() before checking ARM_FEATURE_PMU * target/arm: Fix SVE/SME gross MTE suppression checks * target/arm: Handle mte in do_ldrq, do_ldro - Address bsc#1220310. Backported upstream commits: * ppc/spapr: Initialize max_cpus limit to SPAPR_IRQ_NR_IPIS * ppc/spapr: Introduce SPAPR_IRQ_NR_IPIS to refer IRQ range for CPU IPIs. qemu-8.2.5-1.1.src.rpm qemu-debugsource-8.2.5-1.1.x86_64.rpm qemu-guest-agent-8.2.5-1.1.x86_64.rpm qemu-guest-agent-debuginfo-8.2.5-1.1.x86_64.rpm qemu-hw-display-virtio-gpu-8.2.5-1.1.x86_64.rpm qemu-hw-display-virtio-gpu-debuginfo-8.2.5-1.1.x86_64.rpm qemu-hw-display-virtio-vga-8.2.5-1.1.x86_64.rpm qemu-hw-display-virtio-vga-debuginfo-8.2.5-1.1.x86_64.rpm qemu-hw-usb-redirect-8.2.5-1.1.x86_64.rpm qemu-hw-usb-redirect-debuginfo-8.2.5-1.1.x86_64.rpm 46 moderate SUSE ALP Source Standard Core 1.0 Build This update for podman fixes the following issues: - CVE-2024-6104: Fixed dependency issue with go-retryablehttp: url might write sensitive information to log file (bsc#1227052). - Update to version 4.9.5: * Bump to v4.9.5 * Update release notes for v4.9.5 * fix "concurrent map writes" in network ls compat endpoint * [v4.9] Fix for CVE-2024-3727 * Disable failing bud test * CI Maintenance: Disable machine tests * [CI:DOCS] Allow downgrade of WiX * [CI:DOCS] Force WiX 3.11 * [CI:DOCS] Fix windows installer action * Bump to v4.9.5-dev * Bump to v4.9.4 * Update release notes for v4.9.4 * [v4.9] Bump Buildah to v1.33.7, CVE-2024-1753, CVE-2024-24786 * Add farm command to commands list * Bump to FreeBSD 13.3 (13.2 vanished) * Update health-start-periods docs * Don't update health check status during initialDelaySeconds * image scp: don't require port for ssh URL * Ignore docker's end point config when the final network mode isn't bridge. * Fix running container from docker client with rootful in rootless podman. * [skip-ci] Packit: remove koji and bodhi tasks for v4.9 * Bump to v4.9.4-dev * Remove gitleaks scanning podman-4.9.5-1.1.src.rpm podman-4.9.5-1.1.x86_64.rpm podman-debuginfo-4.9.5-1.1.x86_64.rpm podman-docker-4.9.5-1.1.noarch.rpm podman-remote-4.9.5-1.1.x86_64.rpm podman-remote-debuginfo-4.9.5-1.1.x86_64.rpm 38 moderate SUSE ALP Source Standard Core 1.0 Build This update for transactional-update fixes the following issues: - Version 4.6.8 - tukit: Properly handle overlay syncing failures - soft-reboot: Log requested reboot type - soft-reboot: Don't force hard reboot on version change only - Version 4.6.7 - Add support for snapper 0.11.0; also significantly decreases cleanup time (bsc#1223504) libtukit4-4.8.1-1.1.x86_64.rpm libtukit4-debuginfo-4.8.1-1.1.x86_64.rpm transactional-update-4.8.1-1.1.src.rpm transactional-update-debugsource-4.8.1-1.1.x86_64.rpm tukitd-4.8.1-1.1.x86_64.rpm tukitd-debuginfo-4.8.1-1.1.x86_64.rpm 21 important SUSE ALP Source Standard Core 1.0 Build This update for skopeo fixes the following issues: - Update to version 1.14.4: * CVE-2024-3727: digest type does not guarantee valid type (bsc#1224123) * Packit: update packit targets * Bump gopkg.in/go-jose to v2.6.3 * Bump ocicrypt and go-jose CVE-2024-28180 * Freeze the fedora-minimal image reference at Fedora 38 * Bump c/common to v0.57.4 * Bump google.golang.org/protobuf to v1.33.0 * Bump Skopeo to v1.14.3-dev - Update to version 1.14.2: * Bump c/image to v5.29.2, c/common to v0.57.3 (fixes bsc#1219563) - Update to version 1.14.1: * fix(deps): update module github.com/containers/common to v0.57.2 * fix(deps): update module github.com/containers/image/v5 to v5.29.1 * chore(deps): update dependency containers/automation_images to v20240102 * Fix libsubid detection * fix(deps): update module golang.org/x/term to v0.16.0 * fix(deps): update golang.org/x/exp digest to 02704c9 * chore(deps): update dependency containers/automation_images to v20231208 * [skip-ci] Update actions/stale action to v9 * fix(deps): update module github.com/containers/common to v0.57.1 * fix(deps): update golang.org/x/exp digest to 6522937 * fix(deps): update module golang.org/x/term to v0.15.0 skopeo-1.14.4-1.1.src.rpm skopeo-1.14.4-1.1.x86_64.rpm skopeo-debuginfo-1.14.4-1.1.x86_64.rpm 22 moderate SUSE ALP Source Standard Core 1.0 Build This update for ucode-intel fixes the following issues: - Intel CPU Microcode was updated to the 20240514 release (bsc#1224277) - CVE-2023-45733: Security updates for INTEL-SA-01051 - CVE-2023-46103: Security updates for INTEL-SA-01052 - CVE-2023-45745,CVE-2023-47855: Security updates for INTEL-SA-01036 - Updated to Intel CPU Microcode 20240312 release. (bsc#1221323) - Security updates for INTEL-SA-INTEL-SA-00972 - CVE-2023-39368: Protection mechanism failure of bus lock regulator for some Intel Processors may allow an unauthenticated user to potentially enable denial of service via network access - Security updates for INTEL-SA-INTEL-SA-00982 - CVE-2023-38575: Non-transparent sharing of return predictor targets between contexts in some Intel Processors may allow an authorized user to potentially enable information disclosure via local access. - Security updates for INTEL-SA-INTEL-SA-00898 - CVE-2023-28746: Information exposure through microarchitectural state after transient execution from some register files for some Intel Atom Processors may allow an authenticated user to potentially enable information disclosure via local access. - Security updates for INTEL-SA-INTEL-SA-00960 - CVE-2023-22655 Protection mechanism failure in some 3rd and 4th Generation Intel Xeon Processors when using Intel SGX or Intel TDX may allow a privileged user to potentially enable escalation of privilege via local access. - Security updates for INTEL-SA-INTEL-SA-01045 - CVE-2023-43490: Incorrect calculation in microcode keying mechanism for some Intel Xeon D Processors with Intel SGX may allow a privileged user to potentially enable information disclosure via local access. ucode-intel-20240813-1.1.src.rpm True ucode-intel-20240813-1.1.x86_64.rpm True 9 low SUSE ALP Source Standard Core 1.0 Build This update fixes the following issues: - No change rebuild due to dependency changes. bash-5.2.15-3.1.src.rpm bash-5.2.15-3.1.x86_64.rpm bash-debuginfo-5.2.15-3.1.x86_64.rpm bash-debugsource-5.2.15-3.1.x86_64.rpm bash-sh-5.2.15-3.1.noarch.rpm libcap-ng-0.8.3-4.1.src.rpm libcap-ng-debugsource-0.8.3-4.1.x86_64.rpm libcap-ng0-0.8.3-4.1.x86_64.rpm libcap-ng0-debuginfo-0.8.3-4.1.x86_64.rpm libselinux-3.5-3.1.src.rpm libselinux-debugsource-3.5-3.1.x86_64.rpm libselinux1-3.5-3.1.x86_64.rpm libselinux1-debuginfo-3.5-3.1.x86_64.rpm selinux-tools-3.5-3.1.x86_64.rpm selinux-tools-debuginfo-3.5-3.1.x86_64.rpm libselinux-bindings-3.5-3.1.src.rpm libselinux-bindings-debugsource-3.5-3.1.x86_64.rpm python3-selinux-3.5-3.1.x86_64.rpm python3-selinux-debuginfo-3.5-3.1.x86_64.rpm libsemanage-3.5-3.1.src.rpm libsemanage-conf-3.5-3.1.x86_64.rpm libsemanage-debugsource-3.5-3.1.x86_64.rpm libsemanage2-3.5-3.1.x86_64.rpm libsemanage2-debuginfo-3.5-3.1.x86_64.rpm zypper-1.14.68-2.1.src.rpm zypper-1.14.68-2.1.x86_64.rpm zypper-debuginfo-1.14.68-2.1.x86_64.rpm zypper-debugsource-1.14.68-2.1.x86_64.rpm 31 important SUSE ALP Source Standard Core 1.0 Build This update for unbound fixes the following issues: - Update to 1.20.0: Features: * The config for discard-timeout, wait-limit, wait-limit-cookie, wait-limit-netblock and wait-limit-cookie-netblock was added, for the fix to the DNSBomb issue. * Merge GH#1027: Introduce 'cache-min-negative-ttl' option. * Merge GH#1043 from xiaoxiaoafeifei: Add loongarch support; updates config.guess(2024-01-01) and config.sub(2024-01-01), verified with upstream. * Implement cachedb-check-when-serve-expired: yes option, default is enabled. When serve expired is enabled with cachedb, it first checks cachedb before serving the expired response. * Fix GH#876: [FR] can unbound-checkconf be silenced when configuration is valid? Bug Fixes: * Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li from the Network and Information Security Lab of Tsinghua University for reporting it. * Update doc/unbound.doxygen with 'doxygen -u'. Fixes option deprecation warnings and updates with newer defaults. * Remove unused portion from iter_dname_ttl unit test. * Fix validator classification of qtype DNAME for positive and redirection answers, and fix validator signature routine for dealing with the synthesized CNAME for a DNAME without previously encountering it and also for when the qtype is DNAME. * Fix qname minimisation for reply with a DNAME for qtype CNAME that answers it. * Fix doc test so it ignores but outputs unsupported doxygen options. * Fix GH#1021 Inconsistent Behavior with Changing rpz-cname-override and doing a unbound-control reload. * Merge GH#1028: Clearer documentation for tcp-idle-timeout and edns-tcp-keepalive-timeout. * Fix GH#1029: rpz trigger clientip and action rpz-passthru not working as expected. * Fix rpz that the rpz override is taken in case of clientip triggers. Fix that the clientip passthru action is logged. Fix that the clientip localdata action is logged. Fix rpz override action cname for the clientip trigger. * Fix to unify codepath for local alias for rpz cname action override. * Fix rpz for cname override action after nsdname and nsip triggers. * Fix that addrinfo is not kept around but copied and freed, so that log-destaddr uses a copy of the information, much like NSD does. * Merge GH#1030: Persist the openssl and expat directories for repeated Windows builds. * Fix that rpz CNAME content is limited to the max number of cnames. * Fix rpz, it follows iterator CNAMEs for nsip and nsdname and sets the reply query_info values, that is better for debug logging. * Fix rpz that copies the cname override completely to the temp region, so there are no references to the rpz region. * Add rpz unit test for nsip action override. * Fix rpz for qtype CNAME after nameserver trigger. * Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix that clientip and nsip can give a CNAME. * Fix localdata and rpz localdata to match CNAME only if no direct type match is available. * Merge GH#831 from Pierre4012: Improve Windows NSIS installer script (setup.nsi). * For GH#831: Format text, use exclamation icon and explicit label names. * Fix name of unit test for subnet cache response. * Fix GH#1032: The size of subnet_msg_cache calculation mistake cause memory usage increased beyond expectations. * Fix for GH#1032, add safeguard to make table space positive. * Fix comment in lruhash space function. * Fix to add unit test for lruhash space that exercises the routines. * Fix that when the server truncates the pidfile, it does not follow symbolic links. * Fix that the server does not chown the pidfile. * Fix GH#1034: DoT forward-zone via unbound-control. * Fix for crypto related failures to have a better error string. * Fix GH#1035: Potential Bug while parsing port from the "stub-host" string; also affected forward-zones and remote-control host directives. * Fix GH#369: dnstap showing extra responses; for client responses right from the cache when replying with expired data or prefetching. * Fix GH#1040: fix heap-buffer-overflow issue in function cfg_mark_ports of file util/config_file.c. * For GH#1040: adjust error text and disallow negative ports in other parts of cfg_mark_ports. * Fix comment syntax for view function views_find_view. * Fix GH#595: unbound-anchor cannot deal with full disk; it will now first write out to a temp file before replacing the original one, like Unbound already does for auto-trust-anchor-file. * Fixup compile without cachedb. * Add test for cachedb serve expired. * Extended test for cachedb serve expired. * Fix makefile dependencies for fake_event.c. * Fix cachedb for serve-expired with serve-expired-reply-ttl. * Fix to not reply serve expired unless enabled for cachedb. * Fix cachedb for serve-expired with serve-expired-client-timeout. * Fixup unit test for cachedb server expired client timeout with a check if response if from upstream or from cachedb. * Fixup cachedb to not refetch when serve-expired-client-timeout is used. * Merge GH#1049 from Petr Menšík: Py_NoSiteFlag is not needed since Python 3.8 * Fix GH#1048: Update ax_pkg_swig.m4 and ax_pthread.m4. * Fix configure, autoconf for GH#1048. * Add checklock feature verbose_locking to trace locks and unlocks. * Fix edns subnet to sort rrset references when storing messages in the cache. This fixes a race condition in the rrset locks. * Merge GH#1053: Remove child delegations from cache when grandchild delegations are returned from parent. * Fix ci workflow for macos for moved install locations. * Fix configure flto check error, by finding grep for it. * Merge GH#1041: Stub and Forward unshare. This has one structure for them and fixes GH#1038: fatal error: Could not initialize thread / error: reading root hints. * Fix to disable fragmentation on systems with IP_DONTFRAG, with a nonzero value for the socket option argument. * Fix doc unit test for out of directory build. * Fix cachedb with serve-expired-client-timeout disabled. The edns subnet module deletes global cache and cachedb cache when it stores a result, and serve-expired is enabled, so that the global reply, that is older than the ecs reply, does not return after the ecs reply expires. * Add unit tests for cachedb and subnet cache expired data. * Man page entry for unbound-checkconf -q. * Cleanup unnecessary strdup calls for EDE strings. * Fix doxygen comment for errinf_to_str_bogus. - Update to 1.19.3: * Features: - Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as per RFC 6672. * Bug Fixes - Fix unit test parse of origin syntax. - Use 127.0.0.1 explicitly in tests to avoid delays and errors on newer systems. - Fix #964: config.h.in~ backup file in release tar balls. - Merge #968: Replace the obsolescent fgrep with grep -F in tests. - Merge #971: fix 'WARNING: Message has 41 extra bytes at end'. - Fix #969: [FR] distinguish Do53, DoT and DoH in the logs. - Fix dnstap that assertion failed on logging other than UDP and TCP traffic. It lists it as TCP traffic. - Fix to sync the tests script file common.sh. - iana portlist update. - Updated IPv4 and IPv6 address for b.root-servers.net in root hints. - Update test script file common.sh. - Fix tests to use new common.sh functions, wait_logfile and kill_from_pidfile. - Fix #974: doc: default number of outgoing ports without libevent. - Merge #975: Fixed some syntax errors in rpl files. - Fix root_zonemd unit test, it checks that the root ZONEMD verifies, now that the root has a valid ZONEMD. - Update example.conf with cookie options. - Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors for non-HTTP/2 DoH clients. - Merge #985: Add DoH and DoT to dnstap message. - Fix #983: Sha1 runtime insecure change was incomplete. - Remove unneeded newlines and improve indentation in remote control code. - Merge #987: skip edns frag retry if advertised udp payload size is not smaller. - Fix unit test for #987 change in udp1xxx retry packet send. - Merge #988: Fix NLnetLabs#981: dump_cache truncates large records. - Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows. - Fix to link with libssp for libcrypto and getaddrinfo check for only header. Also update crosscompile to remove ssp for 32bit. - Merge #993: Update b.root-servers.net also in example config file. - Update workflow for ports to use newer openssl on windows compile. - Fix warning for windres on resource files due to redefinition. - Fix for #997: Print details for SSL certificate failure. - Update error printout for duplicate trust anchors to include the trust anchor name (relates to #920). - Update message TTL when using cached RRSETs. It could result in non-expired messages with expired RRSETs (non-usable messages by Unbound). - Merge #999: Search for protobuf-c with pkg-config. - Fix #1006: Can't find protobuf-c package since #999. - Fix documentation for access-control in the unbound.conf man page. - Merge #1010: Mention REFUSED has the TC bit set with unmatched allow_cookie acl in the manpage. It also fixes the code to match the documentation about clients with a valid cookie that bypass the ratelimit regardless of the allow_cookie acl. - Document the suspend argument for process_ds_response(). - Move github workflows to use checkoutv4. - Fix edns subnet replies for scope zero answers to not get stored in the global cache, and in cachedb, when the upstream replies without an EDNS record. - Fix for #1022: Fix ede prohibited in access control refused answers. - Fix unbound-control-setup.cmd to use 3072 bits so that certificates are long enough for newer OpenSSL versions. - Fix TTL of synthesized CNAME when a DNAME is used from cache. - Fix unbound-control-setup.cmd to have CA v3 basicConstraints, like unbound-control-setup.sh has. - Update to 1.19.2: * Bug Fixes: - Fix CVE-2024-1931, Denial of service when trimming EDE text on positive replies. [bsc#1221164] - Update to 1.19.1: * Bug Fixes: [bsc#1219823, CVE-2023-50387][bsc#1219826, CVE-2023-50868] - Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers. - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU. - as we use --disable-explicit-port-randomisation, also disable outgoing-port-permit and outgoing-port-avoid in config file to suppress the related unbound-checkconf warnings on every start - Update to 1.19.0: * Features: - Fix #850: [FR] Ability to use specific database in Redis, with new redis-logical-db configuration option. - Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream requests. This can be helpful for devices that cannot handle DNSSEC information. But it should not be enabled otherwise, because that would stop DNSSEC validation. The DNSSEC validation would not work for Unbound itself, and also not for downstream users. Default is no. The option is disable-edns-do: no - Expose the script filename in the Python module environment 'mod_env' instead of the config_file structure which includes the linked list of scripts in a multi Python module setup; fixes #79. - Expose the configured listening and outgoing interfaces, if any, as a list of strings in the Python 'config_file' class instead of the current Swig object proxy; fixes #79. - Mailing list patches from Daniel Gröber for DNS64 fallback to plain AAAA when no A record exists for synthesis, and minor DNS64 code refactoring for better readability. - Merge #951: Cachedb no store. The cachedb-no-store: yes option is used to stop cachedb from writing messages to the backend storage. It reads messages when data is available from the backend. The default is no. * Bug Fixes: - Fix for version generation race condition that ignored changes. - Fix #942: 1.18.0 libunbound DNS regression when built without OpenSSL. - Fix for WKS call to getservbyname that creates allocation on exit in unit test by testing numbers first and testing from the services list later. - Fix autoconf 2.69 warnings in configure. - Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1. - Merge #931: Prevent warnings from -Wmissing-prototypes. - Fix to scrub resource records of type A and AAAA that have an inappropriate size. They are removed from responses. - Fix to move msgparse_rrset_remove_rr code to util/msgparse.c. - Fix to add EDE text when RRs have been removed due to length. - Fix to set ede match in unit test for rr length removal. - Fix to print EDE text in readable form in output logs. - Fix send of udp retries when ENOBUFS is returned. It stops looping and also waits for the condition to go away. Reported by Florian Obser. - Fix authority zone answers for obscured DNAMEs and delegations. - Merge #936: Check for c99 with autoconf versions prior to 2.70. - Fix to remove two c99 notations. - Fix rpz tcp-only action with rpz triggers nsdname and nsip. - Fix misplaced comment. - Merge #881: Generalise the proxy protocol code. - Fix #946: Forwarder returns servfail on upstream response noerror no data. - Fix edns subnet so that queries with a source prefix of zero cause the recursor send no edns subnet option to the upstream. - Fix that printout of EDNS options shows the EDNS cookie option by name. - Fix infinite loop when reading multiple lines of input on a broken remote control socket. Addesses #947 and #948. - Fix #949: "could not create control compt". - Fix that cachedb does not warn when serve-expired is disabled about use of serve-expired-reply-ttl and serve-expired-client-timeout. - Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x. - Better fix for infinite loop when reading multiple lines of input on a broken remote control socket, by treating a zero byte line the same as transmission end. Addesses #947 and #948. - For multi Python module setups, clean previously parsed module functions in __main__'s dictionary, if any, so that only current module functions are registered. - Fix #954: Inconsistent RPZ handling for A record returned along with CNAME. - Fixes for the DNS64 patches. - Update the dns64_lookup.rpl test for the DNS64 fallback patch. - Merge #955 from buevsan: fix ipset wrong behavior. - Update testdata/ipset.tdir test for ipset fix. - Fix to print detailed errors when an SSL IO routine fails via SSL_get_error. - Clearer configure text for missing protobuf-c development libraries. - autoconf. - Merge #930 from Stuart Henderson: add void to log_ident_revert_to_default declaration. - Fix #941: dnscrypt doesn't work after upgrade to 1.18 with suggestion by dukeartem to also fix the udp_ancil with dnscrypt. - Fix SSL compile failure for definition in log_crypto_err_io_code_arg. - Fix SSL compile failure for other missing definitions in log_crypto_err_io_code_arg. - Fix compilation without openssl, remove unused function warning. - Mention flex and bison in README.md when building from repository source. - Update to 1.18.0: * Features: - Аdd a metric about the maximum number of collisions in lrushah. - Set max-udp-size default to 1232. This is the same default value as the default value for edns-buffer-size. It restricts client edns buffer size choices, and makes unbound behave similar to other DNS resolvers. - Add harden-unknown-additional option. It removes unknown records from the authority section and additional section. - Added new static zone type block_a to suppress all A queries for specific zones. - [FR] Ability to use Redis unix sockets. - [FR] Ability to set the Redis password. - Features/dropqueuedpackets, with sock-queue-timeout option that drops packets that have been in the socket queue for too long. Added statistics num.queries_timed_out and query.queue_time_us.max that track the socket queue timeouts. - 'eqvinox' Lamparter: NAT64 support. - [FR] Use kernel timestamps for dnstap. - Add cachedb hit stat. Introduces 'num.query.cachedb' as a new statistical counter. - Add SVCB dohpath support. - Add validation EDEs to queries where the CD bit is set. - Add prefetch support for subnet cache entries. - Add EDE (RFC8914) caching. - Add support for EDE caching in cachedb and subnetcache. - Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server cookies for clients that send client cookies. This needs to be explicitly turned on in the config file with: `answer-cookie: yes`. * Bug Fixes - Response change to NODATA for some ANY queries since 1.12. - Fix not following cleared RD flags potentially enables amplification DDoS attacks. - Set default for harden-unknown-additional to no. So that it does not hamper future protocol developments. - Fix to ignore entirely empty responses, and try at another authority. This turns completely empty responses, a type of noerror/nodata into a servfail, but they do not conform to RFC2308, and the retry can fetch improved content. - Allow TTL refresh of expired error responses. - Fix: Unexpected behavior with client-subnet-always-forward and serve-expired - Fix unbound-dnstap-socket test program to reply the finish frame over a TLS connection correctly. - Fix: reserved identifier violation - Fix: Unencrypted query is sent when forward-tls-upstream: yes is used without tls-cert-bundle - Extra consistency check to make sure that when TLS is requested, either we set up a TLS connection or we return an error. - Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record. - Fix: Bad interaction with 0 TTL records and serve-expired - Fix RPZ IP responses with trigger rpz-drop on cache entries. - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR. - Fix dereference of NULL variable warning in mesh_do_callback. - Fix ip_ratelimit test to work with dig that enables DNS cookies. - Fix for iter_dec_attempts that could cause a hang, part of capsforid and qname minimisation, depending on the settings. - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg. - Fix stat_values test to work with dig that enables DNS cookies. - unbound.service: Main process exited, code=killed, status=11/SEGV. Fixes cachedb configuration handling. - Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply. - Update to 1.20.0: Features: * The config for discard-timeout, wait-limit, wait-limit-cookie, wait-limit-netblock and wait-limit-cookie-netblock was added, for the fix to the DNSBomb issue. * Merge GH#1027: Introduce 'cache-min-negative-ttl' option. * Merge GH#1043 from xiaoxiaoafeifei: Add loongarch support; updates config.guess(2024-01-01) and config.sub(2024-01-01), verified with upstream. * Implement cachedb-check-when-serve-expired: yes option, default is enabled. When serve expired is enabled with cachedb, it first checks cachedb before serving the expired response. * Fix GH#876: [FR] can unbound-checkconf be silenced when configuration is valid? Bug Fixes: * Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li from the Network and Information Security Lab of Tsinghua University for reporting it. * Update doc/unbound.doxygen with 'doxygen -u'. Fixes option deprecation warnings and updates with newer defaults. * Remove unused portion from iter_dname_ttl unit test. * Fix validator classification of qtype DNAME for positive and redirection answers, and fix validator signature routine for dealing with the synthesized CNAME for a DNAME without previously encountering it and also for when the qtype is DNAME. * Fix qname minimisation for reply with a DNAME for qtype CNAME that answers it. * Fix doc test so it ignores but outputs unsupported doxygen options. * Fix GH#1021 Inconsistent Behavior with Changing rpz-cname-override and doing a unbound-control reload. * Merge GH#1028: Clearer documentation for tcp-idle-timeout and edns-tcp-keepalive-timeout. * Fix GH#1029: rpz trigger clientip and action rpz-passthru not working as expected. * Fix rpz that the rpz override is taken in case of clientip triggers. Fix that the clientip passthru action is logged. Fix that the clientip localdata action is logged. Fix rpz override action cname for the clientip trigger. * Fix to unify codepath for local alias for rpz cname action override. * Fix rpz for cname override action after nsdname and nsip triggers. * Fix that addrinfo is not kept around but copied and freed, so that log-destaddr uses a copy of the information, much like NSD does. * Merge GH#1030: Persist the openssl and expat directories for repeated Windows builds. * Fix that rpz CNAME content is limited to the max number of cnames. * Fix rpz, it follows iterator CNAMEs for nsip and nsdname and sets the reply query_info values, that is better for debug logging. * Fix rpz that copies the cname override completely to the temp region, so there are no references to the rpz region. * Add rpz unit test for nsip action override. * Fix rpz for qtype CNAME after nameserver trigger. * Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix that clientip and nsip can give a CNAME. * Fix localdata and rpz localdata to match CNAME only if no direct type match is available. * Merge GH#831 from Pierre4012: Improve Windows NSIS installer script (setup.nsi). * For GH#831: Format text, use exclamation icon and explicit label names. * Fix name of unit test for subnet cache response. * Fix GH#1032: The size of subnet_msg_cache calculation mistake cause memory usage increased beyond expectations. * Fix for GH#1032, add safeguard to make table space positive. * Fix comment in lruhash space function. * Fix to add unit test for lruhash space that exercises the routines. * Fix that when the server truncates the pidfile, it does not follow symbolic links. * Fix that the server does not chown the pidfile. * Fix GH#1034: DoT forward-zone via unbound-control. * Fix for crypto related failures to have a better error string. * Fix GH#1035: Potential Bug while parsing port from the "stub-host" string; also affected forward-zones and remote-control host directives. * Fix GH#369: dnstap showing extra responses; for client responses right from the cache when replying with expired data or prefetching. * Fix GH#1040: fix heap-buffer-overflow issue in function cfg_mark_ports of file util/config_file.c. * For GH#1040: adjust error text and disallow negative ports in other parts of cfg_mark_ports. * Fix comment syntax for view function views_find_view. * Fix GH#595: unbound-anchor cannot deal with full disk; it will now first write out to a temp file before replacing the original one, like Unbound already does for auto-trust-anchor-file. * Fixup compile without cachedb. * Add test for cachedb serve expired. * Extended test for cachedb serve expired. * Fix makefile dependencies for fake_event.c. * Fix cachedb for serve-expired with serve-expired-reply-ttl. * Fix to not reply serve expired unless enabled for cachedb. * Fix cachedb for serve-expired with serve-expired-client-timeout. * Fixup unit test for cachedb server expired client timeout with a check if response if from upstream or from cachedb. * Fixup cachedb to not refetch when serve-expired-client-timeout is used. * Merge GH#1049 from Petr Menšík: Py_NoSiteFlag is not needed since Python 3.8 * Fix GH#1048: Update ax_pkg_swig.m4 and ax_pthread.m4. * Fix configure, autoconf for GH#1048. * Add checklock feature verbose_locking to trace locks and unlocks. * Fix edns subnet to sort rrset references when storing messages in the cache. This fixes a race condition in the rrset locks. * Merge GH#1053: Remove child delegations from cache when grandchild delegations are returned from parent. * Fix ci workflow for macos for moved install locations. * Fix configure flto check error, by finding grep for it. * Merge GH#1041: Stub and Forward unshare. This has one structure for them and fixes GH#1038: fatal error: Could not initialize thread / error: reading root hints. * Fix to disable fragmentation on systems with IP_DONTFRAG, with a nonzero value for the socket option argument. * Fix doc unit test for out of directory build. * Fix cachedb with serve-expired-client-timeout disabled. The edns subnet module deletes global cache and cachedb cache when it stores a result, and serve-expired is enabled, so that the global reply, that is older than the ecs reply, does not return after the ecs reply expires. * Add unit tests for cachedb and subnet cache expired data. * Man page entry for unbound-checkconf -q. * Cleanup unnecessary strdup calls for EDE strings. * Fix doxygen comment for errinf_to_str_bogus. - Update to 1.19.3: * Features: - Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as per RFC 6672. * Bug Fixes - Fix unit test parse of origin syntax. - Use 127.0.0.1 explicitly in tests to avoid delays and errors on newer systems. - Fix #964: config.h.in~ backup file in release tar balls. - Merge #968: Replace the obsolescent fgrep with grep -F in tests. - Merge #971: fix 'WARNING: Message has 41 extra bytes at end'. - Fix #969: [FR] distinguish Do53, DoT and DoH in the logs. - Fix dnstap that assertion failed on logging other than UDP and TCP traffic. It lists it as TCP traffic. - Fix to sync the tests script file common.sh. - iana portlist update. - Updated IPv4 and IPv6 address for b.root-servers.net in root hints. - Update test script file common.sh. - Fix tests to use new common.sh functions, wait_logfile and kill_from_pidfile. - Fix #974: doc: default number of outgoing ports without libevent. - Merge #975: Fixed some syntax errors in rpl files. - Fix root_zonemd unit test, it checks that the root ZONEMD verifies, now that the root has a valid ZONEMD. - Update example.conf with cookie options. - Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors for non-HTTP/2 DoH clients. - Merge #985: Add DoH and DoT to dnstap message. - Fix #983: Sha1 runtime insecure change was incomplete. - Remove unneeded newlines and improve indentation in remote control code. - Merge #987: skip edns frag retry if advertised udp payload size is not smaller. - Fix unit test for #987 change in udp1xxx retry packet send. - Merge #988: Fix NLnetLabs#981: dump_cache truncates large records. - Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows. - Fix to link with libssp for libcrypto and getaddrinfo check for only header. Also update crosscompile to remove ssp for 32bit. - Merge #993: Update b.root-servers.net also in example config file. - Update workflow for ports to use newer openssl on windows compile. - Fix warning for windres on resource files due to redefinition. - Fix for #997: Print details for SSL certificate failure. - Update error printout for duplicate trust anchors to include the trust anchor name (relates to #920). - Update message TTL when using cached RRSETs. It could result in non-expired messages with expired RRSETs (non-usable messages by Unbound). - Merge #999: Search for protobuf-c with pkg-config. - Fix #1006: Can't find protobuf-c package since #999. - Fix documentation for access-control in the unbound.conf man page. - Merge #1010: Mention REFUSED has the TC bit set with unmatched allow_cookie acl in the manpage. It also fixes the code to match the documentation about clients with a valid cookie that bypass the ratelimit regardless of the allow_cookie acl. - Document the suspend argument for process_ds_response(). - Move github workflows to use checkoutv4. - Fix edns subnet replies for scope zero answers to not get stored in the global cache, and in cachedb, when the upstream replies without an EDNS record. - Fix for #1022: Fix ede prohibited in access control refused answers. - Fix unbound-control-setup.cmd to use 3072 bits so that certificates are long enough for newer OpenSSL versions. - Fix TTL of synthesized CNAME when a DNAME is used from cache. - Fix unbound-control-setup.cmd to have CA v3 basicConstraints, like unbound-control-setup.sh has. - Update to 1.19.2: * Bug Fixes: - Fix CVE-2024-1931, Denial of service when trimming EDE text on positive replies. [bsc#1221164] - Update to 1.19.1: * Bug Fixes: [bsc#1219823, CVE-2023-50387][bsc#1219826, CVE-2023-50868] - Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers. - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU. - as we use --disable-explicit-port-randomisation, also disable outgoing-port-permit and outgoing-port-avoid in config file to suppress the related unbound-checkconf warnings on every start - Use prefixes instead of sudo in unbound.service (bsc#1215628) - Update to 1.19.0: * Features: - Fix #850: [FR] Ability to use specific database in Redis, with new redis-logical-db configuration option. - Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream requests. This can be helpful for devices that cannot handle DNSSEC information. But it should not be enabled otherwise, because that would stop DNSSEC validation. The DNSSEC validation would not work for Unbound itself, and also not for downstream users. Default is no. The option is disable-edns-do: no - Expose the script filename in the Python module environment 'mod_env' instead of the config_file structure which includes the linked list of scripts in a multi Python module setup; fixes #79. - Expose the configured listening and outgoing interfaces, if any, as a list of strings in the Python 'config_file' class instead of the current Swig object proxy; fixes #79. - Mailing list patches from Daniel Gröber for DNS64 fallback to plain AAAA when no A record exists for synthesis, and minor DNS64 code refactoring for better readability. - Merge #951: Cachedb no store. The cachedb-no-store: yes option is used to stop cachedb from writing messages to the backend storage. It reads messages when data is available from the backend. The default is no. * Bug Fixes: - Fix for version generation race condition that ignored changes. - Fix #942: 1.18.0 libunbound DNS regression when built without OpenSSL. - Fix for WKS call to getservbyname that creates allocation on exit in unit test by testing numbers first and testing from the services list later. - Fix autoconf 2.69 warnings in configure. - Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1. - Merge #931: Prevent warnings from -Wmissing-prototypes. - Fix to scrub resource records of type A and AAAA that have an inappropriate size. They are removed from responses. - Fix to move msgparse_rrset_remove_rr code to util/msgparse.c. - Fix to add EDE text when RRs have been removed due to length. - Fix to set ede match in unit test for rr length removal. - Fix to print EDE text in readable form in output logs. - Fix send of udp retries when ENOBUFS is returned. It stops looping and also waits for the condition to go away. Reported by Florian Obser. - Fix authority zone answers for obscured DNAMEs and delegations. - Merge #936: Check for c99 with autoconf versions prior to 2.70. - Fix to remove two c99 notations. - Fix rpz tcp-only action with rpz triggers nsdname and nsip. - Fix misplaced comment. - Merge #881: Generalise the proxy protocol code. - Fix #946: Forwarder returns servfail on upstream response noerror no data. - Fix edns subnet so that queries with a source prefix of zero cause the recursor send no edns subnet option to the upstream. - Fix that printout of EDNS options shows the EDNS cookie option by name. - Fix infinite loop when reading multiple lines of input on a broken remote control socket. Addesses #947 and #948. - Fix #949: "could not create control compt". - Fix that cachedb does not warn when serve-expired is disabled about use of serve-expired-reply-ttl and serve-expired-client-timeout. - Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x. - Better fix for infinite loop when reading multiple lines of input on a broken remote control socket, by treating a zero byte line the same as transmission end. Addesses #947 and #948. - For multi Python module setups, clean previously parsed module functions in __main__'s dictionary, if any, so that only current module functions are registered. - Fix #954: Inconsistent RPZ handling for A record returned along with CNAME. - Fixes for the DNS64 patches. - Update the dns64_lookup.rpl test for the DNS64 fallback patch. - Merge #955 from buevsan: fix ipset wrong behavior. - Update testdata/ipset.tdir test for ipset fix. - Fix to print detailed errors when an SSL IO routine fails via SSL_get_error. - Clearer configure text for missing protobuf-c development libraries. - autoconf. - Merge #930 from Stuart Henderson: add void to log_ident_revert_to_default declaration. - Fix #941: dnscrypt doesn't work after upgrade to 1.18 with suggestion by dukeartem to also fix the udp_ancil with dnscrypt. - Fix SSL compile failure for definition in log_crypto_err_io_code_arg. - Fix SSL compile failure for other missing definitions in log_crypto_err_io_code_arg. - Fix compilation without openssl, remove unused function warning. - Mention flex and bison in README.md when building from repository source. - Update to 1.18.0: * Features: - Аdd a metric about the maximum number of collisions in lrushah. - Set max-udp-size default to 1232. This is the same default value as the default value for edns-buffer-size. It restricts client edns buffer size choices, and makes unbound behave similar to other DNS resolvers. - Add harden-unknown-additional option. It removes unknown records from the authority section and additional section. - Added new static zone type block_a to suppress all A queries for specific zones. - [FR] Ability to use Redis unix sockets. - [FR] Ability to set the Redis password. - Features/dropqueuedpackets, with sock-queue-timeout option that drops packets that have been in the socket queue for too long. Added statistics num.queries_timed_out and query.queue_time_us.max that track the socket queue timeouts. - 'eqvinox' Lamparter: NAT64 support. - [FR] Use kernel timestamps for dnstap. - Add cachedb hit stat. Introduces 'num.query.cachedb' as a new statistical counter. - Add SVCB dohpath support. - Add validation EDEs to queries where the CD bit is set. - Add prefetch support for subnet cache entries. - Add EDE (RFC8914) caching. - Add support for EDE caching in cachedb and subnetcache. - Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server cookies for clients that send client cookies. This needs to be explicitly turned on in the config file with: `answer-cookie: yes`. * Bug Fixes - Response change to NODATA for some ANY queries since 1.12. - Fix not following cleared RD flags potentially enables amplification DDoS attacks. - Set default for harden-unknown-additional to no. So that it does not hamper future protocol developments. - Fix to ignore entirely empty responses, and try at another authority. This turns completely empty responses, a type of noerror/nodata into a servfail, but they do not conform to RFC2308, and the retry can fetch improved content. - Allow TTL refresh of expired error responses. - Fix: Unexpected behavior with client-subnet-always-forward and serve-expired - Fix unbound-dnstap-socket test program to reply the finish frame over a TLS connection correctly. - Fix: reserved identifier violation - Fix: Unencrypted query is sent when forward-tls-upstream: yes is used without tls-cert-bundle - Extra consistency check to make sure that when TLS is requested, either we set up a TLS connection or we return an error. - Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record. - Fix: Bad interaction with 0 TTL records and serve-expired - Fix RPZ IP responses with trigger rpz-drop on cache entries. - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR. - Fix dereference of NULL variable warning in mesh_do_callback. - Fix ip_ratelimit test to work with dig that enables DNS cookies. - Fix for iter_dec_attempts that could cause a hang, part of capsforid and qname minimisation, depending on the settings. - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg. - Fix stat_values test to work with dig that enables DNS cookies. - unbound.service: Main process exited, code=killed, status=11/SEGV. Fixes cachedb configuration handling. - Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply. libunbound8-1.21.0-1.1.x86_64.rpm libunbound8-debuginfo-1.21.0-1.1.x86_64.rpm unbound-1.21.0-1.1.src.rpm unbound-anchor-1.21.0-1.1.x86_64.rpm unbound-anchor-debuginfo-1.21.0-1.1.x86_64.rpm unbound-debugsource-1.21.0-1.1.x86_64.rpm 23 important SUSE ALP Source Standard Core 1.0 Build This update for python311, python-rpm-macros fixes the following issues: python311: - CVE-2024-0450: Fixed zipfile module vulnerability with "quoted-overlap" zipbomb (bsc#1221854) - CVE-2024-4032: Fixed incorrect IPv4 and IPv6 private ranges (bsc#1226448) - CVE-2024-0397: Fixed memory race condition in ssl.SSLContext certificate store methods (bsc#1226447) - CVE-2024-6923: Prevent email header injection due to unquoted newlines (bsc#1228780) - Fixed executable bits for /usr/bin/idle* (bsc#1227378). python-rpm-macros: - Update to version 20240618.c146b29: * Add %FLAVOR_pytest and %FLAVOR_pyunittest variants - Update to version 20240618.1e386da: * Fix python_clone sed regex - Update to version 20240614.02920b8: * Make sure that RPM_BUILD_ROOT env is set * don't eliminate any cmdline arguments in the shebang line * Create python313 macros - Update to version 20240415.c664b45: * Fix typo 310 -> 312 in default-prjconf - Update to version 20240202.501440e: * SPEC0: Drop python39, add python312 to buildset (#169) - Update to version 20231220.98427f3: * fix python2_compile macro - Update to version 20231207.46c2ec3: * make FLAVOR_compile compatible with python2 - Update to version 20231204.dd64e74: * Combine fix_shebang in one line * New macro FLAVOR_fix_shebang_path * Use realpath in %python_clone macro shebang replacement * Compile and fix_shebang in %python_install macros - Update to version 20231010.0a1f0d9: * Revert "Compile and fix_shebang in %python_install macros" * gh#openSUSE/python-rpm-macros#163 - Update to version 20231010.a32e110: * Compile and fix_shebang in %python_install macros - Update to version 20231005.bf2d3ab: * Fix shebang also in sbin with macro _fix_shebang python311-3.11.8-3.1.src.rpm python311-3.11.8-3.1.x86_64.rpm python311-debuginfo-3.11.8-3.1.x86_64.rpm python311-debugsource-3.11.8-3.1.x86_64.rpm libpython3_11-1_0-3.11.8-3.1.x86_64.rpm libpython3_11-1_0-debuginfo-3.11.8-3.1.x86_64.rpm python311-base-3.11.8-3.1.x86_64.rpm python311-base-debuginfo-3.11.8-3.1.x86_64.rpm python311-core-3.11.8-3.1.src.rpm python311-core-debugsource-3.11.8-3.1.x86_64.rpm 30 moderate SUSE ALP Source Standard Core 1.0 Build This update for curl fixes the following issues: Security issues fixed: - CVE-2024-7264: ASN.1 date parser overread (bsc#1228535) - CVE-2024-6197: Freeing stack buffer in utf8asn1str (bsc#1227888) - CVE-2024-2379: QUIC certificate check bypass with wolfSSL (bsc#1221666) - CVE-2024-2466: TLS certificate check bypass with mbedTLS (bsc#1221668) - CVE-2024-2004: Usage of disabled protocol (bsc#1221665) - CVE-2024-2398: HTTP/2 push headers memory-leak (bsc#1221667) Non-security issue fixed: - Fixed various TLS related issues including FTP over SSL transmission timeouts. curl-8.6.0-1.2.src.rpm curl-8.6.0-1.2.x86_64.rpm curl-debuginfo-8.6.0-1.2.x86_64.rpm curl-debugsource-8.6.0-1.2.x86_64.rpm libcurl4-8.6.0-1.2.x86_64.rpm libcurl4-debuginfo-8.6.0-1.2.x86_64.rpm 28 moderate SUSE ALP Source Standard Core 1.0 Build This update for python-requests fixes the following issues: - Update to 2.32.2 * To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0. - Update to 2.32.1 * Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (bsc#1224788, CVE-2024-35195) * verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. * Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. * Requests has officially added support for CPython 3.12 and dropped support for CPython 3.7. * Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system using hatchling. python-requests-2.32.2-1.1.src.rpm python311-requests-2.32.2-1.1.noarch.rpm 37 moderate SUSE ALP Source Standard Core 1.0 Build This update for python-Jinja2 fixes the following issues: - CVE-2024-34064, CVE-2024-22195: HTML attribute injection when passing user input as keys to xmlattr filter (bsc#1223980, bsc#1218722) python-Jinja2-3.1.2-6.1.src.rpm python311-Jinja2-3.1.2-6.1.x86_64.rpm SUSE_ALP_Source_Standard_Core_1.0_Build important SUSE ALP Source Standard Core 1.0 Build This update for qemu fixes the following issues: - Fix bsc#1221812: * block: Reschedule query-block during qcow2 invalidation (bsc#1221812) - Fix bsc#1229007, CVE-2024-7409: * nbd/server: CVE-2024-7409: Close stray clients at server-stop (bsc#1229007) * nbd/server: CVE-2024-7409: Drop non-negotiating clients (bsc#1229007) * nbd/server: CVE-2024-7409: Cap default max-connections to 100 (bsc#1229007) * nbd/server: Plumb in new args to nbd_client_add() (bsc#1229007, CVE-2024-7409) * nbd: Minor style and typo fixes (bsc#1229007, CVE-2024-7409) - Update to version 8.2.6: Full backport lists (from the various releases) here: https://lore.kernel.org/qemu-devel/1721203806.547734.831464.nullmailer@tls.msk.ru/ Some of the upstream backports are: hw/nvme: fix number of PIDs for FDP RUH update sphinx/qapidoc: Fix to generate doc for explicit, unboxed arguments char-stdio: Restore blocking mode of stdout on exit virtio: remove virtio_tswap16s() call in vring_packed_event_read() virtio-pci: Fix the failure process in kvm_virtio_pci_vector_use_one() block: Parse filenames only when explicitly requested iotests/270: Don't store data-file with json: prefix in image iotests/244: Don't store data-file with protocol in image qcow2: Don't open data_file with BDRV_O_NO_IO (bsc#1227322, CVE-2024-4467) target/arm: Fix FJCVTZS vs flush-to-zero target/arm: Fix VCMLA Dd, Dn, Dm[idx] i386/cpu: fixup number of addressable IDs for processor cores in the physical package tests: Update our CI to use CentOS Stream 9 instead of 8 migration: Fix file migration with fdset tcg/loongarch64: Fix tcg_out_movi vs some pcrel pointers target/sparc: use signed denominator in sdiv helper linux-user: Make TARGET_NR_setgroups affect only the current thread accel/tcg: Fix typo causing tb->page_addr[1] to not be recorded stdvga: fix screen blanking hw/audio/virtio-snd: Always use little endian audio format ui/gtk: Draw guest frame at refresh cycle virtio-net: drop too short packets early target/i386: fix size of EBP writeback in gen_enter() qemu-8.2.6-1.1.src.rpm qemu-debugsource-8.2.6-1.1.x86_64.rpm qemu-guest-agent-8.2.6-1.1.x86_64.rpm qemu-guest-agent-debuginfo-8.2.6-1.1.x86_64.rpm qemu-hw-display-virtio-gpu-8.2.6-1.1.x86_64.rpm qemu-hw-display-virtio-gpu-debuginfo-8.2.6-1.1.x86_64.rpm qemu-hw-display-virtio-vga-8.2.6-1.1.x86_64.rpm qemu-hw-display-virtio-vga-debuginfo-8.2.6-1.1.x86_64.rpm qemu-hw-usb-redirect-8.2.6-1.1.x86_64.rpm qemu-hw-usb-redirect-debuginfo-8.2.6-1.1.x86_64.rpm 36 moderate SUSE ALP Source Standard Core 1.0 Build This update for python-urllib3 fixes the following issues: - CVE-2024-37891: Fixed issue where proxy-authorization request header was not stripped during cross-origin redirects (bsc#1226469) python-urllib3-2.1.0-2.1.src.rpm python311-urllib3-2.1.0-2.1.noarch.rpm 43 important SUSE ALP Source Standard Core 1.0 Build This update for selinux-policy fixes the following issues: Update to version 20230523+git25.ad22dd7f: * Backport wtmpdb label change to have the same wtmpdb label as in SL Micro 6.1 (bsc#1229132) * Add auth_rw_wtmpdb_login_records to domains using auth_manage_login_records * Add auth_rw_wtmpdb_login_records to modules * Allow xdm_t to read-write to wtmpdb (bsc#1225984) * Introduce types for wtmpdb and rw interface * Introduce wtmp_file_type attribute * Revert "Add policy for wtmpdb (bsc#1210717)" Update to version 20230523+git18.f44daf8a: * Provide type for sysstat lock files (bsc#1228247) Update to version 20230523+git16.0849f54c: * allow firewalld access to /dev/random and write HW acceleration logs (bsc#1215405, bsc#1227930) selinux-policy-20230523+git25.ad22dd7f-1.1.noarch.rpm selinux-policy-20230523+git25.ad22dd7f-1.1.src.rpm selinux-policy-devel-20230523+git25.ad22dd7f-1.1.noarch.rpm selinux-policy-targeted-20230523+git25.ad22dd7f-1.1.noarch.rpm 44 important SUSE ALP Source Standard Core 1.0 Build This update for expat fixes the following issues: - CVE-2024-45492: detect integer overflow in function nextScaffoldPart (bsc#1229932) - CVE-2024-45491: detect integer overflow in dtdCopy (bsc#1229931) - CVE-2024-45490: reject negative len for XML_ParseBuffer (bsc#1229930) - CVE-2024-28757: XML Entity Expansion attack when there is isolated use of external parsers (bsc#1221289) expat-2.5.0-2.188.src.rpm expat-debugsource-2.5.0-2.188.x86_64.rpm libexpat1-2.5.0-2.188.x86_64.rpm libexpat1-debuginfo-2.5.0-2.188.x86_64.rpm 42 critical SUSE ALP Source Standard Core 1.0 Build This update for perl-Bootloader fixes the following issues: - bootloader_entry script can have an optional 'force-default' argument (bsc#1215064) This fixes the %post section for kernel-rt. perl-Bootloader-1.6-3.1.src.rpm perl-Bootloader-1.6-3.1.x86_64.rpm SUSE_ALP_Source_Standard_Core_1.0_Build moderate SUSE ALP Source Standard Core 1.0 Build This update for ucode-intel fixes the following issues: - Intel CPU Microcode was updated to the 20240910 release (bsc#1230400) - CVE-2024-23984: Observable discrepancy in RAPL interface for some Intel Processors may allow a privileged user to potentially enable information disclosure via local access. - CVE-2024-24968: Improper finite state machines (FSMs) in hardware logic in some Intel Processors may allow an privileged user to potentially enable a denial of service via local access ### New Platforms: | Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products |:---------------|:---------|:------------|:---------|:---------|:--------- | TWL | N0 | 06-be-00/19 | | 0000001a | Core i3-N305/N300, N50/N97/N100/N200, Atom x7211E/x7213E/x7425E ### Updated Platforms: | Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products |:---------------|:---------|:------------|:---------|:---------|:--------- | ADL | C0 | 06-97-02/07 | 00000035 | 00000036 | Core Gen12 | ADL | H0 | 06-97-05/07 | 00000035 | 00000036 | Core Gen12 | ADL | L0 | 06-9a-03/80 | 00000433 | 00000434 | Core Gen12 | ADL | R0 | 06-9a-04/80 | 00000433 | 00000434 | Core Gen12 | ADL-N | N0 | 06-be-00/11 | 00000017 | 0000001a | Core i3-N305/N300, N50/N97/N100/N200, Atom x7211E/x7213E/x7425E | MTL | C0 | 06-aa-04/e6 | 0000001e | 0000001f | Core Ultra Processor | RPL-E/HX/S | B0 | 06-b7-01/32 | 00000123 | 00000129 | Core Gen13/Gen14 | RPL-H/P/PX 6+8 | J0 | 06-ba-02/e0 | 00004121 | 00004122 | Core Gen13 | RPL-HX/S | C0 | 06-bf-02/07 | 00000035 | 00000036 | Core Gen13/Gen14 | RPL-S | H0 | 06-bf-05/07 | 00000035 | 00000036 | Core Gen13/Gen14 | RPL-U 2+8 | Q0 | 06-ba-03/e0 | 00004121 | 00004122 | Core Gen13 ucode-intel-20240910-1.1.src.rpm True ucode-intel-20240910-1.1.x86_64.rpm True