March 12, 2010

[installer 2282] unbound-1.4.3

unbound-1.4.3 has been released.

The fixes in 1.4.3 include a fix for a remote DoS vulnerability
in 64bit environments.

☆ unbound-1.4.3
http://unbound.net/
http://unbound.net/downloads/unbound-1.4.3.tar.gz


From http://www.unbound.net/download.html:

Unbound 1.4.3
Download: unbound-1.4.3.tar.gz
SHA1 checksum: 4b4b979683993452359eccf4f60cf9404600da9d
SHA256 checksum: 7c212228234547af776d51067a04a8c32f572e5db493e16a269370da4413070f
Date: 11 March, 2010

Bug Fixes

o Fix for memory alignment in struct sock_list allocation. This is a
remote denial of service vulnerability, as it could make unbound crash
on 64bit systems if triggered.
o Fix for MacPorts ldns without ssl default, unbound checks if ldns
has dnssec functionality and uses the builtin if not.
o Fix daemonize on Solaris 10, it did not detach from terminal.

Unbound 1.4.2
Download: unbound-1.4.2.tar.gz
SHA1 checksum: bad6b453924c853b177234890522a05904b2e5f9
SHA256 checksum: 9b2821eeb9fee3145ac04c7dc648ea1ae7d9a600de6b0a1ffacebe7643b913e1
Date: 9 March, 2010

Features

o unbound-control list_stubs, list_forwards, list_local_zones,
list_local_data, log_reopen, set_option and get_option.
o libunbound ub_ctx_get_option() added.
o --enable-checking: enables assertions but does not look
nonproduction.
o nicer VERB_DETAIL (verbosity 2, unbound-host -d) output, with nxdomain
and nodata distinguished.
o prefetch-key option that performs DNSKEY queries earlier in the
validation process, and that could halve the latency on DNSSEC
queries. It takes some extra processing (CPU, a cache is needed).
o prefetch option that prefetches popular queries before they expire.
o change unbound-control-setup from 1024(sha1) to 1536(sha256).

Bug Fixes

o Re-query pattern changed on validation failure. To protect troubled
authority servers, unbound caches a failure for the DNSKEY or DS
records for the entire zone, and only retries that 900 seconds
later. This implies that only a handful of packets are sent extra to
the authority if the zone fails. We made the choice to send out more
conservatively, protecting against an aggregate effect more than
protecting a single user (from their own folly, perhaps in case of
misconfig).
o Fix crash in control channel code.
o iana portlist updated.
o make install depends on make all.
o Fix 5011 auto-trust-anchor-file initial read to skip RRSIGs.
o ldns tarball updated: long label length syntax error fix, libdl
compile fix.
o --disable-rpath fixed for libtool not found errors.
o Fixup prototype for lexer cleanup in daemon code.
o Fix scrubber bug that potentially let NS records through. Reported by
Amanda Constant.
o Also delete potential poison references from additional.
o Fix: no classification of a forwarder as lame, throwaway instead.
o More strict DS scrubbing.
o No more blacklisting of unresponsive servers, a 2 minute timeout is
backed off to.
o RD flag not enabled for dnssec-blacklisted tries, unless necessary.
o log 'tcp connect: connection timed out' only in high verbosity.
o Disregard DNSKEY from authority section for chain of trust. DS records
that are irrelevant to a referral scrubbed. Anti-poison.
o Check for 'no space left on device' (or other errors) when writing
updated autotrust anchors and print errno to log.
o Fixup in compat snprintf routine, %f 1.02 and %g support.
o include math.h for testbound test compile portability.
o Updated url of IANA itar, interim trust anchor repository, in script.
o configure test for memcmp portability.
o removed warning on format string in validator error log statement.
o libtool finish the install of unbound python dynamic library.
o Fixup lookup trouble for parent-child domains on the first query.
o Fixup ldns detection to also check for header files.
o Fix unbound-checkconf for auto-trust-anchor-file present checks.
o Fix for parent-child disagreement code which could have trouble when
(a) ipv6 was disabled and (b) the TTL for parent and child were
different. There were two bugs, the parent-side information is fixed
to no longer block lookup of child side information and the iterator
is fixed to no longer attempt to get ipv6 when it is not enabled and
then give up in failure.
o Fixup python documentation (thanks Leo Vandewoestijne).
o [bugzilla: 291] DNS wireformat max is 255. dname_valid allowed 256
length.
o verbose output includes parent-side-address notion for lameness.
o documented val-log-level: 2 setting in example.conf and man page.

----
こがよういちろう


Posted by xml-rpc: March 12, 2010 14:24
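
The 1.4.2 changelog item "[bugzilla: 291]" above concerns an off-by-one in a name length check (256 accepted where the wire format allows 255). The following is an added example, not unbound's code and not part of the original post, showing a wire-format name check with the RFC 1035 limits; wire_dname_len() and check_constructed() are hypothetical names, and the test names are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LABEL_LEN 63   /* RFC 1035: one label holds at most 63 octets */
#define MAX_DNAME_LEN 255  /* RFC 1035: whole name, length octets and root included */

/* Hypothetical validator, not unbound's dname_valid(). Returns the wire length
 * of the uncompressed name at buf, or 0 if it is truncated, malformed or too long. */
size_t wire_dname_len(const uint8_t *buf, size_t buflen)
{
    size_t pos = 0;
    while (pos < buflen) {
        size_t lablen = buf[pos];
        if (lablen > MAX_LABEL_LEN)
            return 0;              /* compression pointer or reserved label type */
        if (pos + 1 + lablen > buflen)
            return 0;              /* label runs past the end of the buffer */
        if (pos + 1 + lablen > MAX_DNAME_LEN)
            return 0;              /* ">" is the point: 255 passes, 256 does not */
        if (lablen == 0)
            return pos + 1;        /* root label terminates the name */
        pos += 1 + lablen;
    }
    return 0;                      /* no root label before the buffer ended */
}

/* Constructed sample: three 63-octet labels, one label of last_label octets,
 * then the root. Total wire length is 3*64 + (1 + last_label) + 1. */
size_t check_constructed(size_t last_label)
{
    uint8_t name[300];
    size_t sizes[4] = { 63, 63, 63, last_label }, pos = 0;
    for (int i = 0; i < 4; i++) {
        name[pos++] = (uint8_t)sizes[i];
        memset(name + pos, 'a', sizes[i]);
        pos += sizes[i];
    }
    name[pos++] = 0;
    return wire_dname_len(name, pos);
}

int main(void)
{
    printf("255-octet name -> %zu\n", check_constructed(61));
    printf("256-octet name -> %zu\n", check_constructed(62));
    return 0;
}
```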