mirror of
https://git.openwrt.org/feed/packages.git
synced 2024-06-18 21:33:53 +02:00
d421db0527
Updated 010-configure-uname.patch as source changed. Removed 100-example-conf-in.patch as not needed any more.

Release message:

This release has a fix for the DNSBomb issue CVE-2024-33655. This has a low severity for Unbound, since it makes Unbound complicit in targeting others, but does not affect Unbound so much. To mitigate the issue new configuration options are introduced. The options discard-timeout: 1900, wait-limit: 1000 and wait-limit-cookie: 10000 are enabled by default. They limit the number of outstanding queries that a querier can have. This limits the reply pulse, and makes Unbound less favorable for the issue. With the config wait-limit-netblock and wait-limit-cookie-netblock the parameters can be fine-tuned for specific destinations. More information on the attack and Unbound's mitigations is presented further down.

Other fixes in this release are that Unbound no longer follows symlinks when truncating the pidfile. Unbound also does not chown the pidfile; this is for safety reasons. There are also a number of fixes for RPZ, in handling CNAMEs. There is a memory leak fix for the edns client subnet cache. For DNSSEC validation a case is fixed when the query is of type DNAME. The unbound-anchor program is fixed to first write to a temporary file, before replacing the original. This handles disk full situations, and because of it unbound-anchor needs permission to create that file, in the same directory as the original file. There is also a fix for IP_DONTFRAG, to disable fragmentation instead of the opposite.

The option cache-min-negative-ttl can be used to set the minimum TTL for negative responses in the cache. It complements existing options to set the maximum ttl for negative responses and to set the minimum and maximum ttl but not specifically for negative responses. The option cachedb-check-when-serve-expired makes Unbound use cachedb to check for expired responses, when serve-expired is enabled, and cachedb is used. It is enabled by default. The -q option for unbound-checkconf can be added to silence it when there are no errors.

Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
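The DNSBomb mitigation knobs the release message lists, written out as a server: clause in unbound.conf syntax. This fragment is an added illustration, not part of the commit or of Unbound's own configuration files; the three defaults are the values the message states, the option syntax follows unbound.conf(5), and the 192.0.2.0/24 netblock with its raised limits and the 60-second negative TTL are constructed values chosen for the example.

```conf
server:
    # DNSBomb (CVE-2024-33655) mitigation. These three values are the
    # defaults introduced by this release; writing them out explicitly
    # makes the setting visible when the config is audited.
    discard-timeout: 1900
    wait-limit: 1000
    wait-limit-cookie: 10000

    # Per-netblock fine tuning (constructed example): clients in the
    # documentation range 192.0.2.0/24 get a larger outstanding-query
    # allowance, and a larger one again when the query carries a valid
    # DNS cookie.
    wait-limit-netblock: 192.0.2.0/24 2000
    wait-limit-cookie-netblock: 192.0.2.0/24 20000

    # Minimum TTL, in seconds, for negative responses kept in the cache
    # (constructed value).
    cache-min-negative-ttl: 60
```

After editing, `unbound-checkconf -q` reports only errors, which is the quiet option the release message mentions; the netblock lines apply only to queriers from that range, everyone else stays on the global wait-limit values.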
15 lines
438 B
Diff
OpenWrt (modification):
Fix cross compile errors by inserting an environment variable for the
target. Use "uname" on host only if "UNAME" variable is empty.
--- a/configure.ac
+++ b/configure.ac
@@ -849,7 +849,7 @@ if test x_$ub_test_python != x_no; then
fi
fi
-if test "`uname`" = "NetBSD"; then
+if test "${UNAME:-`uname`}" = "NetBSD"; then
NETBSD_LINTFLAGS='"-D__RENAME(x)=" -D_NETINET_IN_H_'
AC_SUBST(NETBSD_LINTFLAGS)
fi
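Review bot: the `UNAME` override in `+if test "${UNAME:-`uname`}" = "NetBSD"; then` is read straight from the environment with no `AC_ARG_VAR([UNAME], [...])` declaration, so the knob the patch header describes does not appear in `./configure --help` and is not preserved across `config.status --recheck`; adding the declaration above this test documents it and keeps it sticky. The `:-` form does match the header's stated intent (fall back to the host `uname` when `UNAME` is unset or empty), but note the consequence: a cross build that does not export `UNAME` still takes the host's answer, so a NetBSD host building for another target will set `NETBSD_LINTFLAGS` unless the caller sets the variable.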