unbound: Vendor import 1.16.2

Security update to unbound. PR: 265645 Security: CVE-2022-30698, CVE-2022-30699 Security: bc43a578-14ec-11ed-856e-d4c9ef517024

unbound: Vendor import 1.16.2
Security update to unbound. PR: 265645 Security: CVE-2022-30698, CVE-2022-30699 Security: bc43a578-14ec-11ed-856e-d4c9ef517024
9b76d32f · Cy Schubert · d5735146 · 9b76d32f · 9b76d32f · 9b76d32f
Commit 9b76d32f authored Aug 05, 2022 by Cy Schubert
--- a/SECURITY.md
+++ b/SECURITY.md
+# Security Policy
+
+## Supported Versions
+
+NLnet Labs adheres to the straightforward, semantic versioning scheme that is
+commonly used in the software industry.
+
+Support is provided in respect of the latest release, i.e. releases with the
+highest minor and patch version level. We do not backport security fixes to
+older (minor) versions. In the event a new major version is released (e.g.  from
+3.2.18 to 4.0.0), support will also be provided on the latest minor  version of
+the previous major version (3.2.18) for a period of one year from the release of
+the new major version (4.0.0).
+
+In the event that, during this period, a new patch or minor version of the
+previous major version is released, then support on these versions will only be
+provided for the remainder of the one-year-period.
+
+You can find detailed information on our software support policy here:
+
+https://www.nlnetlabs.nl/support/software-support-policy/
+
+## Reporting a Vulnerability
+
+We take security very seriously. If you have discovered a security vulnerability
+in one of our projects and you would like to report it to us, you can send an
+encrypted message to our Security Entry Point.
+
+Details are described here:
+
+https://www.nlnetlabs.nl/security-report/
--- a/cachedb/cachedb.c
+++ b/cachedb/cachedb.c
@@ -662,7 +662,7 @@ cachedb_intcache_store(struct module_qstate* qstate)
 		return;
 	(void)dns_cache_store(qstate->env, &qstate->qinfo,
 		qstate->return_msg->rep, 0, qstate->prefetch_leeway, 0,
-		qstate->region, store_flags);
+		qstate->region, store_flags, qstate->qstarttime);
 }

 /**

--- a/configure
+++ b/configure
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.16.1.
+# Generated by GNU Autoconf 2.69 for unbound 1.16.2.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
 #
@@ -591,8 +591,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.16.1'
-PACKAGE_STRING='unbound 1.16.1'
+PACKAGE_VERSION='1.16.2'
+PACKAGE_STRING='unbound 1.16.2'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
 PACKAGE_URL=''
  
@@ -1477,7 +1477,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures unbound 1.16.1 to adapt to many kinds of systems.
+\`configure' configures unbound 1.16.2 to adapt to many kinds of systems.
  
 Usage: $0 [OPTION]... [VAR=VALUE]...
  
@@ -1543,7 +1543,7 @@ fi
  
 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.16.1:";;
+     short | recursive ) echo "Configuration of unbound 1.16.2:";;
   esac
  cat <<\_ACEOF
  
@@ -1785,7 +1785,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-unbound configure 1.16.1
+unbound configure 1.16.2
 generated by GNU Autoconf 2.69
  
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2494,7 +2494,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
  
-It was created by unbound $as_me 1.16.1, which was
+It was created by unbound $as_me 1.16.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  
  $ $0 $@
@@ -2846,11 +2846,11 @@ UNBOUND_VERSION_MAJOR=1
  
 UNBOUND_VERSION_MINOR=16
  
-UNBOUND_VERSION_MICRO=1
+UNBOUND_VERSION_MICRO=2
  
  
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=17
+LIBUNBOUND_REVISION=18
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2935,6 +2935,7 @@ LIBUNBOUND_AGE=1
 # 1.15.0 had 9:15:1
 # 1.16.0 had 9:16:1
 # 1.16.1 had 9:17:1
+# 1.16.2 had 9:18:1
  
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -22013,7 +22014,7 @@ _ACEOF
  
  
  
-version=1.16.1
+version=1.16.2
  
 date=`date +'%b %e, %Y'`
  
@@ -22532,7 +22533,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.16.1, which was
+This file was extended by unbound $as_me 1.16.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  
  CONFIG_FILES    = $CONFIG_FILES
@@ -22598,7 +22599,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.16.1
+unbound config.status 1.16.2
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"
  

--- a/configure.ac
+++ b/configure.ac
@@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
 m4_define([VERSION_MINOR],[16])
-m4_define([VERSION_MICRO],[1])
+m4_define([VERSION_MICRO],[2])
 AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])

 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=17
+LIBUNBOUND_REVISION=18
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -103,6 +103,7 @@ LIBUNBOUND_AGE=1
 # 1.15.0 had 9:15:1
 # 1.16.0 had 9:16:1
 # 1.16.1 had 9:17:1
+# 1.16.2 had 9:18:1

 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary

--- a/daemon/cachedump.c
+++ b/daemon/cachedump.c
@@ -679,7 +679,8 @@ load_msg(RES* ssl, sldns_buffer* buf, struct worker* worker)
 	if(!go_on) 
 		return 1; /* skip this one, not all references satisfied */

-	if(!dns_cache_store(&worker->env, &qinf, &rep, 0, 0, 0, NULL, flags)) {
+	if(!dns_cache_store(&worker->env, &qinf, &rep, 0, 0, 0, NULL, flags,
+		*worker->env.now)) {
 		log_warn("error out of memory");
 		return 0;
 	}
@@ -850,7 +851,7 @@ int print_deleg_lookup(RES* ssl, struct worker* worker, uint8_t* nm,
 	while(1) {
 		dp = dns_cache_find_delegation(&worker->env, nm, nmlen, 
 			qinfo.qtype, qinfo.qclass, region, &msg, 
-			*worker->env.now);
+			*worker->env.now, 0, NULL, 0);
 		if(!dp) {
 			return ssl_printf(ssl, "no delegation from "
 				"cache; goes to configured roots\n");

--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -459,7 +459,7 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,

 	dp = dns_cache_find_delegation(&worker->env, qinfo->qname, 
 		qinfo->qname_len, qinfo->qtype, qinfo->qclass,
-		worker->scratchpad, &msg, timenow);
+		worker->scratchpad, &msg, timenow, 0, NULL, 0);
 	if(!dp) { /* no delegation, need to reprime */
 		return 0;
 	}

--- a/dns64/dns64.c
+++ b/dns64/dns64.c
@@ -652,7 +652,7 @@ handle_event_moddone(struct module_qstate* qstate, int id)
 	if ( (!iq || !iq->started_no_cache_store) &&
 		qstate->return_msg && qstate->return_msg->rep &&
 		!dns_cache_store(qstate->env, &qstate->qinfo, qstate->return_msg->rep,
-		0, 0, 0, NULL, qstate->query_flags))
+		0, 0, 0, NULL, qstate->query_flags, qstate->qstarttime))
 		log_err("out of memory");

 	/* do nothing */
@@ -991,7 +991,7 @@ dns64_inform_super(struct module_qstate* qstate, int id,
 	/* Store the generated response in cache. */
 	if ( (!super_dq || !super_dq->started_no_cache_store) &&
 		!dns_cache_store(super->env, &super->qinfo, super->return_msg->rep,
-		0, 0, 0, NULL, super->query_flags))
+		0, 0, 0, NULL, super->query_flags, qstate->qstarttime))
 		log_err("out of memory");
 }


--- a/doc/Changelog
+++ b/doc/Changelog
+1 August 2022: Wouter
+	- Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
+	- Tests for ghost domain fixes.
+
+19 July 2022: George
+	- Update documentation for 'outbound-msg-retry:'.
+
+19 July 2022: Wouter
+	- Merge #718: Introduce infra-cache-max-rtt option to config max
+	  retransmit timeout.
+
+15 July 2022: Wouter
+	- Merge PR 714: Avoid treat normal hosts as unresponsive servers.
+	  And fixup the lock code.
+	- iana portlist update.
+
+12 July 2022: George
+	- For windows crosscompile, fix setting the IPV6_MTU socket option
+	  equivalent (IPV6_USER_MTU); allows cross compiling with latest
+	  cross-compiler versions.
+
+12 July 2022: Wouter
+	- Fix dname count in sldns parse type descriptor for SVCB and HTTPS.
+
+11 July 2022: Wouter
+	- Fix verbose EDE error printout.
+
 4 July 2022: George
 	- Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
 	  one loop pass'.
@@ -5,7 +32,8 @@
 	  outbound tcp sockets.

 4 July 2022: Wouter
-	- Tag for 1.16.1rc1 release.
+	- Tag for 1.16.1rc1 release. This became 1.16.1 on 11 July 2022.
+	  The code repo continues with version 1.16.2 under development.

 3 July 2022: George
 	- Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS

--- a/doc/README
+++ b/doc/README
-README for Unbound 1.16.1
+README for Unbound 1.16.2
 Copyright 2007 NLnet Labs
 http://unbound.net


--- a/doc/example.conf.in
+++ b/doc/example.conf.in
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.16.1.
+# See unbound.conf(5) man page, version 1.16.2.
 #
 # this is a comment.

@@ -168,7 +168,8 @@ server:
 	# perform connect for UDP sockets to mitigate ICMP side channel.
 	# udp-connect: yes

-	# The number of retries when a non-positive response is received.
+	# The number of retries, per upstream nameserver in a delegation, when
+	# a throwaway response (also timeouts) is received.
 	# outbound-msg-retry: 5

 	# msec for waiting for an unknown server to reply.  Increase if you
@@ -202,6 +203,9 @@ server:
 	# minimum wait time for responses, increase if uplink is long. In msec.
 	# infra-cache-min-rtt: 50

+	# maximum wait time for responses. In msec.
+	# infra-cache-max-rtt: 120000
+
 	# enable to make server probe down hosts more frequently.
 	# infra-keep-probing: no


--- a/doc/libunbound.3.in
+++ b/doc/libunbound.3.in
-.TH "libunbound" "3" "Jul 11, 2022" "NLnet Labs" "unbound 1.16.1"
+.TH "libunbound" "3" "Aug  1, 2022" "NLnet Labs" "unbound 1.16.2"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -44,7 +44,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.16.1 functions.
+\- Unbound DNS validating resolver 1.16.2 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP

--- a/doc/unbound-anchor.8.in
+++ b/doc/unbound-anchor.8.in
-.TH "unbound-anchor" "8" "Jul 11, 2022" "NLnet Labs" "unbound 1.16.1"
+.TH "unbound-anchor" "8" "Aug  1, 2022" "NLnet Labs" "unbound 1.16.2"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"

--- a/doc/unbound-checkconf.8.in
+++ b/doc/unbound-checkconf.8.in
-.TH "unbound-checkconf" "8" "Jul 11, 2022" "NLnet Labs" "unbound 1.16.1"
+.TH "unbound-checkconf" "8" "Aug  1, 2022" "NLnet Labs" "unbound 1.16.2"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"

--- a/doc/unbound-control.8.in
+++ b/doc/unbound-control.8.in
-.TH "unbound-control" "8" "Jul 11, 2022" "NLnet Labs" "unbound 1.16.1"
+.TH "unbound-control" "8" "Aug  1, 2022" "NLnet Labs" "unbound 1.16.2"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"

--- a/doc/unbound-host.1.in
+++ b/doc/unbound-host.1.in
-.TH "unbound\-host" "1" "Jul 11, 2022" "NLnet Labs" "unbound 1.16.1"
+.TH "unbound\-host" "1" "Aug  1, 2022" "NLnet Labs" "unbound 1.16.2"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"

--- a/doc/unbound.8.in
+++ b/doc/unbound.8.in
-.TH "unbound" "8" "Jul 11, 2022" "NLnet Labs" "unbound 1.16.1"
+.TH "unbound" "8" "Aug  1, 2022" "NLnet Labs" "unbound 1.16.2"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.16.1.
+\- Unbound DNS validating resolver 1.16.2.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]

--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
-.TH "unbound.conf" "5" "Jul 11, 2022" "NLnet Labs" "unbound 1.16.1"
+.TH "unbound.conf" "5" "Aug  1, 2022" "NLnet Labs" "unbound 1.16.2"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -395,6 +395,10 @@ Lower limit for dynamic retransmit timeout calculation in infrastructure
 cache. Default is 50 milliseconds. Increase this value if using forwarders
 needing more time to do recursive name resolution.
 .TP
+.B infra\-cache\-max\-rtt: \fI<msec>
+Upper limit for dynamic retransmit timeout calculation in infrastructure
+cache. Default is 2 minutes.
+.TP
 .B infra\-keep\-probing: \fI<yes or no>
 If enabled the server keeps probing hosts that are down, in the one probe
 at a time regime.  Default is no.  Hosts that are down, eg. they did
@@ -1758,9 +1762,12 @@ set ip\-ratelimit to a suspicious rate to aggressively limit unusually high
 traffic.  Default is off.
 .TP 5
 .B outbound\-msg\-retry: \fI<number>
-The number of retries Unbound will do in case of a non positive response is
-received. If a forward nameserver is used, this is the number of retries per
-forward nameserver in case of throwaway response.
+The number of retries, per upstream nameserver in a delegation, that Unbound
+will attempt in case a throwaway response is received.
+No response (timeout) contributes to the retry counter.
+If a forward/stub zone is used, this is the number of retries per nameserver in
+the zone.
+Default is 5.
 .TP 5
 .B fast\-server\-permil: \fI<number>
 Specify how many times out of 1000 to pick from the set of fastest servers.

--- a/ipsecmod/ipsecmod.c
+++ b/ipsecmod/ipsecmod.c
@@ -456,7 +456,7 @@ ipsecmod_handle_query(struct module_qstate* qstate,
 	/* Store A/AAAA in cache. */
 	if(!dns_cache_store(qstate->env, &qstate->qinfo,
 		qstate->return_msg->rep, 0, qstate->prefetch_leeway,
-		0, qstate->region, qstate->query_flags)) {
+		0, qstate->region, qstate->query_flags, qstate->qstarttime)) {
 		log_err("ipsecmod: out of memory caching record");
 	}
 	qstate->ext_state[id] = module_finished;

--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -70,8 +70,6 @@

 /** time when nameserver glue is said to be 'recent' */
 #define SUSPICION_RECENT_EXPIRY 86400
-/** penalty to validation failed blacklisted IPs */
-#define BLACKLIST_PENALTY (USEFUL_SERVER_TOP_TIMEOUT*4)

 /** fillup fetch policy array */
 static void
@@ -661,10 +659,10 @@ dns_copy_msg(struct dns_msg* from, struct regional* region)
 void
 iter_dns_store(struct module_env* env, struct query_info* msgqinf,
 	struct reply_info* msgrep, int is_referral, time_t leeway, int pside,
-	struct regional* region, uint16_t flags)
+	struct regional* region, uint16_t flags, time_t qstarttime)
 {
 	if(!dns_cache_store(env, msgqinf, msgrep, is_referral, leeway,
-		pside, region, flags))
+		pside, region, flags, qstarttime))
 		log_err("out of memory: cannot store data in cache");
 }


--- a/iterator/iter_utils.h
+++ b/iterator/iter_utils.h
@@ -132,6 +132,7 @@ struct dns_msg* dns_copy_msg(struct dns_msg* from, struct regional* regional);
 * 	can be prefetch-updates.
 * @param region: to copy modified (cache is better) rrs back to.
 * @param flags: with BIT_CD for dns64 AAAA translated queries.
+ * @param qstarttime: time of query start.
 * return void, because we are not interested in alloc errors,
 * 	the iterator and validator can operate on the results in their
 * 	scratch space (the qstate.region) and are not dependent on the cache.
@@ -140,7 +141,7 @@ struct dns_msg* dns_copy_msg(struct dns_msg* from, struct regional* regional);
 */
 void iter_dns_store(struct module_env* env, struct query_info* qinf,
 	struct reply_info* rep, int is_referral, time_t leeway, int pside,
-	struct regional* region, uint16_t flags);
+	struct regional* region, uint16_t flags, time_t qstarttime);

 /**
 * Select randomly with n/m probability.