From 1996a427c80099fb75c487fd0f8e3fdeef7d1171 Mon Sep 17 00:00:00 2001
From: sthen
Date: Mon, 29 Aug 2022 16:03:46 +0000
Subject: [PATCH] import unbound 1.16.2, ok florian@ tb@ also tested by Alex Holst
---
 usr.sbin/unbound/SECURITY.md | 31 ++++++++++++++++++++++++++
 usr.sbin/unbound/testcode/dohclient.c | 2 +-
 usr.sbin/unbound/testcode/mini_tdir.sh | 23 ++++++++++++++-----
 usr.sbin/unbound/testcode/unitmain.c | 2 +-
 usr.sbin/unbound/util/rtt.c | 3 +++
 5 files changed, 53 insertions(+), 8 deletions(-)
 create mode 100644 usr.sbin/unbound/SECURITY.md
diff --git a/usr.sbin/unbound/SECURITY.md b/usr.sbin/unbound/SECURITY.md
new file mode 100644
index 00000000000..5770ccd7991
--- /dev/null
+++ b/usr.sbin/unbound/SECURITY.md
@@ -0,0 +1,31 @@
+# Security Policy
+
+## Supported Versions
+
+NLnet Labs adheres to the straightforward, semantic versioning scheme that is
+commonly used in the software industry.
+
+Support is provided in respect of the latest release, i.e. releases with the
+highest minor and patch version level. We do not backport security fixes to
+older (minor) versions. In the event a new major version is released (e.g. from
+3.2.18 to 4.0.0), support will also be provided on the latest minor version of
+the previous major version (3.2.18) for a period of one year from the release of
+the new major version (4.0.0).
+
+In the event that, during this period, a new patch or minor version of the
+previous major version is released, then support on these versions will only be
+provided for the remainder of the one-year-period.
+
+You can find detailed information on our software support policy here:
+
+https://www.nlnetlabs.nl/support/software-support-policy/
+
+## Reporting a Vulnerability
+
+We take security very seriously. If you have discovered a security vulnerability
+in one of our projects and you would like to report it to us, you can send an
+encrypted message to our Security Entry Point.
+
+Details are described here:
+
+https://www.nlnetlabs.nl/security-report/
diff --git a/usr.sbin/unbound/testcode/dohclient.c b/usr.sbin/unbound/testcode/dohclient.c
index d35f5a82c66..82e522f90d5 100644
--- a/usr.sbin/unbound/testcode/dohclient.c
+++ b/usr.sbin/unbound/testcode/dohclient.c
@@ -551,7 +551,7 @@ run(struct http2_session* h2_session, int port, int no_tls, int count, char** q)
 if(ctx) {
 SSL_CTX_free(ctx);
 }
- close(fd);
+ sock_close(fd);
 }

 /** getopt global, in case header files fail to declare it. */
diff --git a/usr.sbin/unbound/testcode/mini_tdir.sh b/usr.sbin/unbound/testcode/mini_tdir.sh
index 0457a95e709..6bbece8d936 100755
--- a/usr.sbin/unbound/testcode/mini_tdir.sh
+++ b/usr.sbin/unbound/testcode/mini_tdir.sh
@@ -5,6 +5,10 @@ if test "$1" = "-a"; then
 shift
 shift
 fi
+
+# This will keep the temporary directory around and return 1 when the test failed.
+DEBUG=0
+
 quiet=0
 if test "$1" = "-q"; then
 quiet=1
@@ -184,11 +188,18 @@
 echo "DateRunEnd: "`date "+%s" 2>/dev/null` >> $result
 mv $result ..
 cd ..
-rm -rf $dir
-# compat for windows where deletion may not succeed initially (files locked
-# by processes that still have to exit).
-if test $? -eq 1; then
- echo "minitdir waiting for processes to terminate"
- sleep 2 # some time to exit, and try again
+if test $DEBUG -eq 0; then
 rm -rf $dir
+ # compat for windows where deletion may not succeed initially (files locked
+ # by processes that still have to exit).
+ if test $? -eq 1; then
+ echo "minitdir waiting for processes to terminate"
+ sleep 2 # some time to exit, and try again
+ rm -rf $dir
+ fi
+else
+ if test $success == "no"; then
+ exit 1
+ fi
+ exit 0
 fi
diff --git a/usr.sbin/unbound/testcode/unitmain.c b/usr.sbin/unbound/testcode/unitmain.c
index 16aa8845021..b6dac5507fa 100644
--- a/usr.sbin/unbound/testcode/unitmain.c
+++ b/usr.sbin/unbound/testcode/unitmain.c
@@ -918,7 +918,7 @@ main(int argc, char* argv[])
 checklock_stop();
 printf("%d checks ok.\n", testcount);
 #ifdef HAVE_SSL
-# if defined(USE_GOST) && defined(HAVE_LDNS_KEY_EVP_UNLOAD_GOST)
+# if defined(USE_GOST)
 sldns_key_EVP_unload_gost();
 # endif
 # ifdef HAVE_OPENSSL_CONFIG
diff --git a/usr.sbin/unbound/util/rtt.c b/usr.sbin/unbound/util/rtt.c
index f51576fb57f..b64206ecad1 100644
--- a/usr.sbin/unbound/util/rtt.c
+++ b/usr.sbin/unbound/util/rtt.c
@@ -45,6 +45,9 @@
 /* overwritten by config: infra_cache_min_rtt: */
 int RTT_MIN_TIMEOUT = 50;

+/* overwritten by config: infra_cache_max_rtt: */
+int RTT_MAX_TIMEOUT = 120000;
+
 /** calculate RTO from rtt information */
 static int
 calc_rto(const struct rtt_info* rtt)
--
2.20.1
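Review bot: `DEBUG=0` is a hard-coded knob, so keeping the temporary directory around requires editing the script before each debugging run; reading it from the environment with the same default, `DEBUG=${DEBUG:-0}`, preserves current behaviour and lets a single run enable it without a local modification. The comment above it could then say how to turn it on, e.g. `# Set DEBUG=1 to keep the temporary directory; the script then exits 1 when the test failed.`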
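Review bot: `if test $success == "no"; then` in the new `else` branch uses `==`, which POSIX `test` does not define, and leaves `$success` unquoted, so under a strict /bin/sh the comparison errors out and an unset `$success` produces a unary-operator error under any shell. The rest of this file compares with a quoted operand and a single `=` (`test "$1" = "-q"` in the first hunk), so `if test "$success" = "no"; then` is the consistent form. Where `$success` is assigned cannot be seen from this hunk, so whether it is always set by this point should be confirmed against the earlier part of the script.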
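Review bot: The new `RTT_MAX_TIMEOUT` carries no unit and no stated relation to `RTT_MIN_TIMEOUT` two lines above, although both are overwritten from configuration. If, like the neighbouring minimum, the value is in milliseconds, the comment should say so, e.g. `/* overwritten by config: infra_cache_max_rtt: (msec), expected to stay >= RTT_MIN_TIMEOUT */`. Nothing in this hunk enforces max >= min; unless the configuration code that overwrites both rejects an inverted pair, calc_rto (whose body starts outside the hunk) would be working against a contradictory range, so that check belongs wherever infra_cache_max_rtt is parsed.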