!6 update unbound version to 1.10.1

Merge pull request !6 from eaglegai/master

CVE-2019-18934.patch

@@ -1,227 +0,0 @@
-From 34e52a4313d59b9d57e928c44300fd81e1a48910 Mon Sep 17 00:00:00 2001
-From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
-Date: Tue, 19 Nov 2019 07:49:59 +0100
-Subject: [PATCH] Fix CVE-2019-18934, shell execution in ipsecmod.
-
----
- ipsecmod/ipsecmod.c | 147 ++++++++++++++++++++++++++++++++++++--------
- 1 file changed, 120 insertions(+), 27 deletions(-)
-
-diff --git a/ipsecmod/ipsecmod.c b/ipsecmod/ipsecmod.c
-index c8400c633..9e916d604 100644
---- a/ipsecmod/ipsecmod.c
-+++ b/ipsecmod/ipsecmod.c
-@@ -161,6 +161,71 @@ generate_request(struct module_qstate* qstate, int id, uint8_t* name,
- 	return 1;
- }
- 
-+/**
-+ * Check if the string passed is a valid domain name with safe characters to
-+ * pass to a shell.
-+ * This will only allow:
-+ *  - digits
-+ *  - alphas
-+ *  - hyphen (not at the start)
-+ *  - dot (not at the start, or the only character)
-+ *  - underscore
-+ * @param s: pointer to the string.
-+ * @param slen: string's length.
-+ * @return true if s only contains safe characters; false otherwise.
-+ */
-+static int
-+domainname_has_safe_characters(char* s, size_t slen) {
-+	size_t i;
-+	for(i = 0; i < slen; i++) {
-+		if(s[i] == '\0') return 1;
-+		if((s[i] == '-' && i != 0)
-+			|| (s[i] == '.' && (i != 0 || s[1] == '\0'))
-+			|| (s[i] == '_') || (s[i] >= '0' && s[i] <= '9')
-+			|| (s[i] >= 'A' && s[i] <= 'Z')
-+			|| (s[i] >= 'a' && s[i] <= 'z')) {
-+			continue;
-+		}
-+		return 0;
-+	}
-+	return 1;
-+}
-+
-+/**
-+ * Check if the stringified IPSECKEY RDATA contains safe characters to pass to
-+ * a shell.
-+ * This is only relevant for checking the gateway when the gateway type is 3
-+ * (domainname).
-+ * @param s: pointer to the string.
-+ * @param slen: string's length.
-+ * @return true if s contains only safe characters; false otherwise.
-+ */
-+static int
-+ipseckey_has_safe_characters(char* s, size_t slen) {
-+	int precedence, gateway_type, algorithm;
-+	char* gateway;
-+	gateway = (char*)calloc(slen, sizeof(char));
-+	if(!gateway) {
-+		log_err("ipsecmod: out of memory when calling the hook");
-+		return 0;
-+	}
-+	if(sscanf(s, "%d %d %d %s ",
-+			&precedence, &gateway_type, &algorithm, gateway) != 4) {
-+		free(gateway);
-+		return 0;
-+	}
-+	if(gateway_type != 3) {
-+		free(gateway);
-+		return 1;
-+	}
-+	if(domainname_has_safe_characters(gateway, slen)) {
-+		free(gateway);
-+		return 1;
-+	}
-+	free(gateway);
-+	return 0;
-+}
-+
- /**
-  *  Prepare the data and call the hook.
-  *
-@@ -175,7 +240,7 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
- {
- 	size_t slen, tempdata_len, tempstring_len, i;
- 	char str[65535], *s, *tempstring;
--	int w;
-+	int w = 0, w_temp, qtype;
- 	struct ub_packed_rrset_key* rrset_key;
- 	struct packed_rrset_data* rrset_data;
- 	uint8_t *tempdata;
-@@ -192,9 +257,9 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
- 	memset(s, 0, slen);
-
- 	/* Copy the hook into the buffer. */
--	sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
-+	w += sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
- 	/* Put space into the buffer. */
--	sldns_str_print(&s, &slen, " ");
-+	w += sldns_str_print(&s, &slen, " ");
- 	/* Copy the qname into the buffer. */
- 	tempstring = sldns_wire2str_dname(qstate->qinfo.qname,
- 		qstate->qinfo.qname_len);
-@@ -202,68 +267,96 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
- 		log_err("ipsecmod: out of memory when calling the hook");
- 		return 0;
- 	}
--	sldns_str_print(&s, &slen, "\"%s\"", tempstring);
-+	if(!domainname_has_safe_characters(tempstring, strlen(tempstring))) {
-+		log_err("ipsecmod: qname has unsafe characters");
-+		free(tempstring);
-+		return 0;
-+	}
-+	w += sldns_str_print(&s, &slen, "\"%s\"", tempstring);
- 	free(tempstring);
- 	/* Put space into the buffer. */
--	sldns_str_print(&s, &slen, " ");
-+	w += sldns_str_print(&s, &slen, " ");
- 	/* Copy the IPSECKEY TTL into the buffer. */
- 	rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
--	sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
-+	w += sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
- 	/* Put space into the buffer. */
--	sldns_str_print(&s, &slen, " ");
--	/* Copy the A/AAAA record(s) into the buffer. Start and end this section
--	 * with a double quote. */
-+	w += sldns_str_print(&s, &slen, " ");
- 	rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
- 		qstate->return_msg->rep);
-+	/* Double check that the records are indeed A/AAAA.
-+	 * This should never happen as this function is only executed for A/AAAA
-+	 * queries but make sure we don't pass anything other than A/AAAA to the
-+	 * shell. */
-+	qtype = ntohs(rrset_key->rk.type);
-+	if(qtype != LDNS_RR_TYPE_AAAA && qtype != LDNS_RR_TYPE_A) {
-+		log_err("ipsecmod: Answer is not of A or AAAA type");
-+		return 0;
-+	}
- 	rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
--	sldns_str_print(&s, &slen, "\"");
-+	/* Copy the A/AAAA record(s) into the buffer. Start and end this section
-+	 * with a double quote. */
-+	w += sldns_str_print(&s, &slen, "\"");
- 	for(i=0; i<rrset_data->count; i++) {
- 		if(i > 0) {
- 			/* Put space into the buffer. */
--			sldns_str_print(&s, &slen, " ");
-+			w += sldns_str_print(&s, &slen, " ");
- 		}
- 		/* Ignore the first two bytes, they are the rr_data len. */
--		w = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
-+		w_temp = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
- 			rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype);
--		if(w < 0) {
-+		if(w_temp < 0) {
- 			/* Error in printout. */
--			return -1;
--		} else if((size_t)w >= slen) {
-+			log_err("ipsecmod: Error in printing IP address");
-+			return 0;
-+		} else if((size_t)w_temp >= slen) {
- 			s = NULL; /* We do not want str to point outside of buffer. */
- 			slen = 0;
--			return -1;
-+			log_err("ipsecmod: shell command too long");
-+			return 0;
- 		} else {
--			s += w;
--			slen -= w;
-+			s += w_temp;
-+			slen -= w_temp;
-+			w += w_temp;
- 		}
- 	}
--	sldns_str_print(&s, &slen, "\"");
-+	w += sldns_str_print(&s, &slen, "\"");
- 	/* Put space into the buffer. */
--	sldns_str_print(&s, &slen, " ");
-+	w += sldns_str_print(&s, &slen, " ");
- 	/* Copy the IPSECKEY record(s) into the buffer. Start and end this section
- 	 * with a double quote. */
--	sldns_str_print(&s, &slen, "\"");
-+	w += sldns_str_print(&s, &slen, "\"");
- 	rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
- 	for(i=0; i<rrset_data->count; i++) {
- 		if(i > 0) {
- 			/* Put space into the buffer. */
--			sldns_str_print(&s, &slen, " ");
-+			w += sldns_str_print(&s, &slen, " ");
- 		}
- 		/* Ignore the first two bytes, they are the rr_data len. */
- 		tempdata = rrset_data->rr_data[i] + 2;
- 		tempdata_len = rrset_data->rr_len[i] - 2;
- 		/* Save the buffer pointers. */
- 		tempstring = s; tempstring_len = slen;
--		w = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, &slen,
--			NULL, 0);
-+		w_temp = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s,
-+			&slen, NULL, 0);
- 		/* There was an error when parsing the IPSECKEY; reset the buffer
- 		 * pointers to their previous values. */
--		if(w == -1){
-+		if(w_temp == -1) {
- 			s = tempstring; slen = tempstring_len;
-+		} else if(w_temp > 0) {
-+			if(!ipseckey_has_safe_characters(
-+					tempstring, tempstring_len - slen)) {
-+				log_err("ipsecmod: ipseckey has unsafe characters");
-+				return 0;
-+			}
-+			w += w_temp;
- 		}
- 	}
--	sldns_str_print(&s, &slen, "\"");
--	verbose(VERB_ALGO, "ipsecmod: hook command: '%s'", str);
-+	w += sldns_str_print(&s, &slen, "\"");
-+	if(w >= (int)sizeof(str)) {
-+		log_err("ipsecmod: shell command too long");
-+		return 0;
-+	}
-+	verbose(VERB_ALGO, "ipsecmod: shell command: '%s'", str);
- 	/* ipsecmod-hook should return 0 on success. */
- 	if(system(str) != 0)
- 		return 0;

unbound-1.10.0-auth-callback.patch

@@ -0,0 +1,74 @@
+--- a/services/authzone.c	2020-04-16 13:01:10.550618034 +0200
++++ b/services/authzone.c	2020-04-16 13:07:04.624476160 +0200
+@@ -5331,7 +5331,7 @@
+ 	log_assert(xfr->task_transfer);
+ 	lock_basic_lock(&xfr->lock);
+ 	env = xfr->task_transfer->env;
+-	if(env->outnet->want_to_quit) {
++	if(!env || env->outnet->want_to_quit) {
+ 		lock_basic_unlock(&xfr->lock);
+ 		return; /* stop on quit */
+ 	}
+@@ -5770,7 +5770,7 @@
+ 	log_assert(xfr->task_transfer);
+ 	lock_basic_lock(&xfr->lock);
+ 	env = xfr->task_transfer->env;
+-	if(env->outnet->want_to_quit) {
++	if(!env || env->outnet->want_to_quit) {
+ 		lock_basic_unlock(&xfr->lock);
+ 		return; /* stop on quit */
+ 	}
+@@ -5812,7 +5812,7 @@
+ 	log_assert(xfr->task_transfer);
+ 	lock_basic_lock(&xfr->lock);
+ 	env = xfr->task_transfer->env;
+-	if(env->outnet->want_to_quit) {
++	if(!env || env->outnet->want_to_quit) {
+ 		lock_basic_unlock(&xfr->lock);
+ 		return 0; /* stop on quit */
+ 	}
+@@ -5893,7 +5893,7 @@
+ 	log_assert(xfr->task_transfer);
+ 	lock_basic_lock(&xfr->lock);
+ 	env = xfr->task_transfer->env;
+-	if(env->outnet->want_to_quit) {
++	if(!env || env->outnet->want_to_quit) {
+ 		lock_basic_unlock(&xfr->lock);
+ 		return 0; /* stop on quit */
+ 	}
+@@ -6107,7 +6107,7 @@
+ 	log_assert(xfr->task_probe);
+ 	lock_basic_lock(&xfr->lock);
+ 	env = xfr->task_probe->env;
+-	if(env->outnet->want_to_quit) {
++	if(!env || env->outnet->want_to_quit) {
+ 		lock_basic_unlock(&xfr->lock);
+ 		return; /* stop on quit */
+ 	}
+@@ -6143,7 +6143,7 @@
+ 	log_assert(xfr->task_probe);
+ 	lock_basic_lock(&xfr->lock);
+ 	env = xfr->task_probe->env;
+-	if(env->outnet->want_to_quit) {
++	if(!env || env->outnet->want_to_quit) {
+ 		lock_basic_unlock(&xfr->lock);
+ 		return 0; /* stop on quit */
+ 	}
+@@ -6388,7 +6388,7 @@
+ 	log_assert(xfr->task_probe);
+ 	lock_basic_lock(&xfr->lock);
+ 	env = xfr->task_probe->env;
+-	if(env->outnet->want_to_quit) {
++	if(!env || env->outnet->want_to_quit) {
+ 		lock_basic_unlock(&xfr->lock);
+ 		return; /* stop on quit */
+ 	}
+@@ -6465,7 +6465,7 @@
+ 	log_assert(xfr->task_nextprobe);
+ 	lock_basic_lock(&xfr->lock);
+ 	env = xfr->task_nextprobe->env;
+-	if(env->outnet->want_to_quit) {
++	if(!env || env->outnet->want_to_quit) {
+ 		lock_basic_unlock(&xfr->lock);
+ 		return; /* stop on quit */
+ 	}

unbound-1.7.2-python3-devel.patch

@@ -1,320 +0,0 @@
-From b5aab36d41f374eddb0f66f28f251588f53a1e1e Mon Sep 17 00:00:00 2001
-From: Wouter Wijngaards <wouter@nlnetlabs.nl>
-Date: Wed, 27 Jun 2018 05:46:36 +0000
-Subject: [PATCH 1/2] - #4109: Fix that package config depends on python
- unconditionally.
-
-git-svn-id: file:///svn/unbound/trunk@4757 be551aaa-1e26-0410-a405-d3ace91eadb9
----
- configure    | 257 +++++++++++++++++++++++++++++++----------------------------
- configure.ac |   5 +-
- 2 files changed, 137 insertions(+), 125 deletions(-)
-
-diff --git a/configure b/configure
-index 3f1c372a..2a1687ae 100755
---- a/configure
-+++ b/configure
-@@ -670,9 +670,6 @@ SYSTEMD_DAEMON_LIBS
- SYSTEMD_DAEMON_CFLAGS
- SYSTEMD_LIBS
- SYSTEMD_CFLAGS
--PKG_CONFIG_LIBDIR
--PKG_CONFIG_PATH
--PKG_CONFIG
- staticexe
- PC_LIBEVENT_DEPENDENCY
- UNBOUND_EVENT_UNINSTALL
-@@ -697,6 +694,9 @@ swig
- SWIG_LIB
- SWIG
- PC_PY_DEPENDENCY
-+PKG_CONFIG_LIBDIR
-+PKG_CONFIG_PATH
-+PKG_CONFIG
- PY_MAJOR_VERSION
- PYTHON_SITE_PKG
- PYTHON_LDFLAGS
-@@ -16930,7 +16930,136 @@ $as_echo "#define HAVE_PYTHON 1" >>confdefs.h
-         CPPFLAGS="$PYTHON_CPPFLAGS"
-       fi
-       ub_have_python=yes
--      PC_PY_DEPENDENCY="python"
-+
-+
-+
-+
-+
-+
-+
-+if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
-+	if test -n "$ac_tool_prefix"; then
-+  # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
-+set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if ${ac_cv_path_PKG_CONFIG+:} false; then :
-+  $as_echo_n "(cached) " >&6
-+else
-+  case $PKG_CONFIG in
-+  [\\/]* | ?:[\\/]*)
-+  ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
-+  ;;
-+  *)
-+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-+for as_dir in $PATH
-+do
-+  IFS=$as_save_IFS
-+  test -z "$as_dir" && as_dir=.
-+    for ac_exec_ext in '' $ac_executable_extensions; do
-+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-+    ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
-+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
-+    break 2
-+  fi
-+done
-+  done
-+IFS=$as_save_IFS
-+
-+  ;;
-+esac
-+fi
-+PKG_CONFIG=$ac_cv_path_PKG_CONFIG
-+if test -n "$PKG_CONFIG"; then
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5
-+$as_echo "$PKG_CONFIG" >&6; }
-+else
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
-+fi
-+
-+
-+fi
-+if test -z "$ac_cv_path_PKG_CONFIG"; then
-+  ac_pt_PKG_CONFIG=$PKG_CONFIG
-+  # Extract the first word of "pkg-config", so it can be a program name with args.
-+set dummy pkg-config; ac_word=$2
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then :
-+  $as_echo_n "(cached) " >&6
-+else
-+  case $ac_pt_PKG_CONFIG in
-+  [\\/]* | ?:[\\/]*)
-+  ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path.
-+  ;;
-+  *)
-+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-+for as_dir in $PATH
-+do
-+  IFS=$as_save_IFS
-+  test -z "$as_dir" && as_dir=.
-+    for ac_exec_ext in '' $ac_executable_extensions; do
-+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-+    ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
-+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
-+    break 2
-+  fi
-+done
-+  done
-+IFS=$as_save_IFS
-+
-+  ;;
-+esac
-+fi
-+ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
-+if test -n "$ac_pt_PKG_CONFIG"; then
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5
-+$as_echo "$ac_pt_PKG_CONFIG" >&6; }
-+else
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
-+fi
-+
-+  if test "x$ac_pt_PKG_CONFIG" = x; then
-+    PKG_CONFIG=""
-+  else
-+    case $cross_compiling:$ac_tool_warned in
-+yes:)
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
-+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
-+ac_tool_warned=yes ;;
-+esac
-+    PKG_CONFIG=$ac_pt_PKG_CONFIG
-+  fi
-+else
-+  PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
-+fi
-+
-+fi
-+if test -n "$PKG_CONFIG"; then
-+	_pkg_min_version=0.9.0
-+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5
-+$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; }
-+	if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
-+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-+$as_echo "yes" >&6; }
-+	else
-+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
-+		PKG_CONFIG=""
-+	fi
-+fi
-+      if test -n "$PKG_CONFIG" && \
-+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"\"python\${PY_MAJOR_VERSION}\"\""; } >&5
-+  ($PKG_CONFIG --exists --print-errors ""python${PY_MAJOR_VERSION}"") 2>&5
-+  ac_status=$?
-+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+  test $ac_status = 0; }; then
-+  PC_PY_DEPENDENCY="python${PY_MAJOR_VERSION}"
-+else
-+  PC_PY_DEPENDENCY="python"
-+fi
- 
- 
-       # Check for SWIG
-@@ -18960,126 +19089,6 @@ else
- fi
- 
- have_systemd=no
--
--
--
--
--
--
--
--if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
--	if test -n "$ac_tool_prefix"; then
--  # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
--set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
--{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
--$as_echo_n "checking for $ac_word... " >&6; }
--if ${ac_cv_path_PKG_CONFIG+:} false; then :
--  $as_echo_n "(cached) " >&6
--else
--  case $PKG_CONFIG in
--  [\\/]* | ?:[\\/]*)
--  ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
--  ;;
--  *)
--  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
--for as_dir in $PATH
--do
--  IFS=$as_save_IFS
--  test -z "$as_dir" && as_dir=.
--    for ac_exec_ext in '' $ac_executable_extensions; do
--  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
--    ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
--    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
--    break 2
--  fi
--done
--  done
--IFS=$as_save_IFS
--
--  ;;
--esac
--fi
--PKG_CONFIG=$ac_cv_path_PKG_CONFIG
--if test -n "$PKG_CONFIG"; then
--  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5
--$as_echo "$PKG_CONFIG" >&6; }
--else
--  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
--$as_echo "no" >&6; }
--fi
--
--
--fi
--if test -z "$ac_cv_path_PKG_CONFIG"; then
--  ac_pt_PKG_CONFIG=$PKG_CONFIG
--  # Extract the first word of "pkg-config", so it can be a program name with args.
--set dummy pkg-config; ac_word=$2
--{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
--$as_echo_n "checking for $ac_word... " >&6; }
--if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then :
--  $as_echo_n "(cached) " >&6
--else
--  case $ac_pt_PKG_CONFIG in
--  [\\/]* | ?:[\\/]*)
--  ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path.
--  ;;
--  *)
--  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
--for as_dir in $PATH
--do
--  IFS=$as_save_IFS
--  test -z "$as_dir" && as_dir=.
--    for ac_exec_ext in '' $ac_executable_extensions; do
--  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
--    ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
--    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
--    break 2
--  fi
--done
--  done
--IFS=$as_save_IFS
--
--  ;;
--esac
--fi
--ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
--if test -n "$ac_pt_PKG_CONFIG"; then
--  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5
--$as_echo "$ac_pt_PKG_CONFIG" >&6; }
--else
--  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
--$as_echo "no" >&6; }
--fi
--
--  if test "x$ac_pt_PKG_CONFIG" = x; then
--    PKG_CONFIG=""
--  else
--    case $cross_compiling:$ac_tool_warned in
--yes:)
--{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
--$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
--ac_tool_warned=yes ;;
--esac
--    PKG_CONFIG=$ac_pt_PKG_CONFIG
--  fi
--else
--  PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
--fi
--
--fi
--if test -n "$PKG_CONFIG"; then
--	_pkg_min_version=0.9.0
--	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5
--$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; }
--	if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
--		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
--$as_echo "yes" >&6; }
--	else
--		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
--$as_echo "no" >&6; }
--		PKG_CONFIG=""
--	fi
--fi
- if test "x$enable_systemd" != xno; then :
- 
- 
-diff --git a/configure.ac b/configure.ac
-index 1828253c..b2c95d1a 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -586,7 +586,10 @@ if test x_$ub_test_python != x_no; then
-         CPPFLAGS="$PYTHON_CPPFLAGS"
-       fi
-       ub_have_python=yes
--      PC_PY_DEPENDENCY="python"
-+      PKG_PROG_PKG_CONFIG
-+      PKG_CHECK_EXISTS(["python${PY_MAJOR_VERSION}"],
-+                       [PC_PY_DEPENDENCY="python${PY_MAJOR_VERSION}"],
-+                       [PC_PY_DEPENDENCY="python"])
-       AC_SUBST(PC_PY_DEPENDENCY)
- 
-       # Check for SWIG
--- 
-2.14.4
-

unbound-1.7.2-python3-pkgconfig.patch

@@ -1,31 +0,0 @@
-From bca54a8b252d4a75e940424dc761c6a4e487eb84 Mon Sep 17 00:00:00 2001
-From: Wouter Wijngaards <wouter@nlnetlabs.nl>
-Date: Wed, 27 Jun 2018 06:07:31 +0000
-Subject: [PATCH 2/2] =?UTF-8?q?-=20Patch,=20do=20not=20export=20python=20f?=
- =?UTF-8?q?rom=20pkg-config,=20from=20Petr=20Men=C5=A1=C3=ADk.?=
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-git-svn-id: file:///svn/unbound/trunk@4758 be551aaa-1e26-0410-a405-d3ace91eadb9
----
- contrib/libunbound.pc.in | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/contrib/libunbound.pc.in b/contrib/libunbound.pc.in
-index 0cb9f875..810c5713 100644
---- a/contrib/libunbound.pc.in
-+++ b/contrib/libunbound.pc.in
-@@ -7,7 +7,8 @@ Name: unbound
- Description: Library with validating, recursive, and caching DNS resolver
- URL: http://www.unbound.net
- Version: @PACKAGE_VERSION@
--Requires: @PC_LIBEVENT_DEPENDENCY@ @PC_PY_DEPENDENCY@
-+Requires: libcrypto libssl @PC_LIBEVENT_DEPENDENCY@
-+Requires.private: @PC_PY_DEPENDENCY@
- Libs: -L${libdir} -lunbound -lssl -lcrypto
- Libs.private: @SSLLIB@ @LIBS@
- Cflags: -I${includedir} 
--- 
-2.14.4
-

unbound-1.7.3-anchor-fallback.patch

@@ -1,182 +0,0 @@
-From 81e9f82a8ddd811d7ebafe2fd0ee5af836d0b405 Mon Sep 17 00:00:00 2001
-From: Wouter Wijngaards <wouter@nlnetlabs.nl>
-Date: Wed, 4 Jul 2018 10:02:16 +0000
-Subject: [PATCH] - Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will
- not pass   if DNSSEC is not enabled.  New option -R allows fallback from  
- resolv.conf to direct queries.
-
-git-svn-id: file:///svn/unbound/trunk@4770 be551aaa-1e26-0410-a405-d3ace91eadb9
----
- doc/unbound-anchor.8.in   |  5 ++++
- smallapp/unbound-anchor.c | 66 ++++++++++++++++++++++++++++++++++-------------
- 2 files changed, 53 insertions(+), 18 deletions(-)
-
-diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in
-index 02a3e781..e114eb25 100644
---- a/doc/unbound-anchor.8.in
-+++ b/doc/unbound-anchor.8.in
-@@ -109,6 +109,11 @@ It does so, because the tool when used for bootstrapping the recursive
- resolver, cannot use that recursive resolver itself because it is bootstrapping
- that server.
- .TP
-+.B \-R
-+Allow fallback from \-f resolv.conf file to direct root servers query.
-+It allows you to prefer local resolvers, but fallback automatically
-+to direct root query if they do not respond or do not support DNSSEC.
-+.TP
- .B \-v
- More verbose. Once prints informational messages, multiple times may enable
- large debug amounts (such as full certificates or byte\-dumps of downloaded
-diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
-index b3009108..f3985090 100644
---- a/smallapp/unbound-anchor.c
-+++ b/smallapp/unbound-anchor.c
-@@ -192,9 +192,10 @@ usage(void)
- 	printf("-n name		signer's subject emailAddress, default %s\n", P7SIGNER);
- 	printf("-4		work using IPv4 only\n");
- 	printf("-6		work using IPv6 only\n");
--	printf("-f resolv.conf	use given resolv.conf to resolve -u name\n");
--	printf("-r root.hints	use given root.hints to resolve -u name\n"
-+	printf("-f resolv.conf	use given resolv.conf\n");
-+	printf("-r root.hints	use given root.hints\n"
- 		"		builtin root hints are used by default\n");
-+	printf("-R		fallback from -f to root query on error\n");
- 	printf("-v		more verbose\n");
- 	printf("-C conf		debug, read config\n");
- 	printf("-P port		use port for https connect, default 443\n");
-@@ -1920,8 +1921,7 @@ static int
- do_certupdate(const char* root_anchor_file, const char* root_cert_file,
- 	const char* urlname, const char* xmlname, const char* p7sname,
- 	const char* p7signer, const char* res_conf, const char* root_hints,
--	const char* debugconf, int ip4only, int ip6only, int port,
--	struct ub_result* dnskey)
-+	const char* debugconf, int ip4only, int ip6only, int port)
- {
- 	STACK_OF(X509)* cert;
- 	BIO *xml, *p7s;
-@@ -1961,7 +1961,6 @@ do_certupdate(const char* root_anchor_file, const char* root_cert_file,
- #ifndef S_SPLINT_S
- 	sk_X509_pop_free(cert, X509_free);
- #endif
--	ub_resolve_free(dnskey);
- 	ip_list_free(ip_list);
- 	return 1;
- }
-@@ -2199,16 +2198,33 @@ probe_date_allows_certupdate(const char* root_anchor_file)
- 	return 0;
- }
- 
-+static struct ub_result *
-+fetch_root_key(const char* root_anchor_file, const char* res_conf,
-+	const char* root_hints, const char* debugconf,
-+	int ip4only, int ip6only)
-+{
-+	struct ub_ctx* ctx;
-+	struct ub_result* dnskey;
-+
-+	ctx = create_unbound_context(res_conf, root_hints, debugconf,
-+		ip4only, ip6only);
-+	add_5011_probe_root(ctx, root_anchor_file);
-+	dnskey = prime_root_key(ctx);
-+	ub_ctx_delete(ctx);
-+	return dnskey;
-+}
-+
- /** perform the unbound-anchor work */
- static int
- do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
- 	const char* urlname, const char* xmlname, const char* p7sname,
- 	const char* p7signer, const char* res_conf, const char* root_hints,
--	const char* debugconf, int ip4only, int ip6only, int force, int port)
-+	const char* debugconf, int ip4only, int ip6only, int force,
-+	int res_conf_fallback, int port)
- {
--	struct ub_ctx* ctx;
- 	struct ub_result* dnskey;
- 	int used_builtin = 0;
-+	int rcode;
- 
- 	/* see if builtin rootanchor needs to be provided, or if
- 	 * rootanchor is 'revoked-trust-point' */
-@@ -2217,12 +2233,22 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
- 
- 	/* make unbound context with 5011-probe for root anchor,
- 	 * and probe . DNSKEY */
--	ctx = create_unbound_context(res_conf, root_hints, debugconf,
--		ip4only, ip6only);
--	add_5011_probe_root(ctx, root_anchor_file);
--	dnskey = prime_root_key(ctx);
--	ub_ctx_delete(ctx);
--	
-+	dnskey = fetch_root_key(root_anchor_file, res_conf,
-+		root_hints, debugconf, ip4only, ip6only);
-+	rcode = dnskey->rcode;
-+
-+	if (res_conf_fallback && res_conf && !dnskey->secure) {
-+		if (verb) printf("%s failed, retrying direct\n", res_conf);
-+		ub_resolve_free(dnskey);
-+		/* try direct query without res_conf */
-+		dnskey = fetch_root_key(root_anchor_file, NULL,
-+			root_hints, debugconf, ip4only, ip6only);
-+		if (rcode != 0 && dnskey->rcode == 0) {
-+			res_conf = NULL;
-+			rcode = 0;
-+		}
-+	}
-+
- 	/* if secure: exit */
- 	if(dnskey->secure && !force) {
- 		if(verb) printf("success: the anchor is ok\n");
-@@ -2230,18 +2256,18 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
- 		return used_builtin;
- 	}
- 	if(force && verb) printf("debug cert update forced\n");
-+	ub_resolve_free(dnskey);
- 
- 	/* if not (and NOERROR): check date and do certupdate */
--	if((dnskey->rcode == 0 &&
-+	if((rcode == 0 &&
- 		probe_date_allows_certupdate(root_anchor_file)) || force) {
- 		if(do_certupdate(root_anchor_file, root_cert_file, urlname,
- 			xmlname, p7sname, p7signer, res_conf, root_hints,
--			debugconf, ip4only, ip6only, port, dnskey))
-+			debugconf, ip4only, ip6only, port))
- 			return 1;
- 		return used_builtin;
- 	}
- 	if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n");
--	ub_resolve_free(dnskey);
- 	return used_builtin;
- }
- 
-@@ -2264,8 +2290,9 @@ int main(int argc, char* argv[])
- 	const char* root_hints = NULL;
- 	const char* debugconf = NULL;
- 	int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
-+	int res_conf_fallback = 0;
- 	/* parse the options */
--	while( (c=getopt(argc, argv, "46C:FP:a:c:f:hln:r:s:u:vx:")) != -1) {
-+	while( (c=getopt(argc, argv, "46C:FRP:a:c:f:hln:r:s:u:vx:")) != -1) {
- 		switch(c) {
- 		case 'l':
- 			dolist = 1;
-@@ -2300,6 +2327,9 @@ int main(int argc, char* argv[])
- 		case 'r':
- 			root_hints = optarg;
- 			break;
-+		case 'R':
-+			res_conf_fallback = 1;
-+			break;
- 		case 'C':
- 			debugconf = optarg;
- 			break;
-@@ -2346,5 +2376,5 @@ int main(int argc, char* argv[])
- 
- 	return do_root_update_work(root_anchor_file, root_cert_file, urlname,
- 		xmlname, p7sname, p7signer, res_conf, root_hints, debugconf,
--		ip4only, ip6only, force, port);
-+		ip4only, ip6only, force, res_conf_fallback, port);
- }
--- 
-2.14.4
-

unbound-1.7.3-host-any.patch

@@ -1,12 +0,0 @@
-diff --git a/smallapp/unbound-host.c b/smallapp/unbound-host.c
-index 53bf3277..f02511fe 100644
---- a/smallapp/unbound-host.c
-+++ b/smallapp/unbound-host.c
-@@ -340,6 +340,7 @@ pretty_output(char* q, int t, int c, struct ub_result* result, int docname)
- 					exit(1);
- 				}
- 				printf("%s\n", s);
-+				free(s);
- 			} else	printf(" has no %s record", tstr);
- 			printf(" %s\n", secstatus);
- 		}

unbound.conf

@@ -105,6 +105,7 @@ server:
 	# are present, they are processed in order.
 	# Our SElinux policy does not allow non-ephemeral ports to be used
 	outgoing-port-avoid: 0-32767
+	outgoing-port-avoid: 61000-65535
 
 	# number of outgoing simultaneous tcp buffers to hold per thread.
 	# outgoing-num-tcp: 10

unbound.spec

@@ -1,8 +1,8 @@
 %{!?delete_la: %global delete_la  find $RPM_BUILD_ROOT -type f -name "*.la" -delete}
 
 Name:          unbound
-Version:       1.7.3
-Release:       14
+Version:       1.10.1
+Release:       1
 Summary:       Unbound is a validating, recursive, caching DNS resolver
 License:       BSD
 Url:           https://nlnetlabs.nl/projects/unbound/about/
@@ -21,14 +21,11 @@ Source11:      unbound.sysconfig
 Source12:      unbound-anchor.timer
 Source13:      unbound-anchor.service
 
-Patch0001:     unbound-1.7.2-python3-devel.patch
-Patch0002:     unbound-1.7.2-python3-pkgconfig.patch
-Patch0003:     unbound-1.7.3-anchor-fallback.patch
-Patch0004:     unbound-1.7.3-host-any.patch
-Patch0005:     CVE-2019-18934.patch
+Patch0001:     unbound-1.10.0-auth-callback.patch
 
 BuildRequires: make flex swig pkgconfig systemd python-unversioned-command
 BuildRequires: libevent-devel expat-devel openssl-devel python3-devel
+BuildRequires: unbound-libs
 
 %{?systemd_requires}
 Requires:      %{name}-libs = %{version}-%{release}
@@ -75,10 +72,9 @@ Package help includes includes man pages for unbound.
 %setup -qcn %{name}-%{version}
 
 pushd %{name}-%{version}
-%patch0001 -p1 -b .python3
-%patch0002 -p1 -b .python3
-%patch0003 -p1 -b .anchor-fallback
-%patch0004 -p1 -b .host-any
+
+%patch0001 -p1
+
 cp -pr doc pythonmod libunbound ../
 popd
 
@@ -121,7 +117,7 @@ install -p -m 0644 %{SOURCE11} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/unbound
 install -p -m 0644 %{SOURCE12} $RPM_BUILD_ROOT%{_unitdir}/unbound-anchor.timer
 install -p -m 0644 %{SOURCE13} $RPM_BUILD_ROOT%{_unitdir}/unbound-anchor.service
 
-
+cp -a %{_libdir}/libunbound.so.2* %{buildroot}%{_libdir}
 
 
 %delete_la
@@ -233,6 +229,12 @@ popd
 %{_mandir}/man*
 
 %changelog
+* Tue Jul 28 2020 gaihuiying <gaihuiying1@huawei.com> - 1.10.1-1
+- Type:requirement
+- ID:NA
+- SUG:NA
+- DESC:update unbound version to 1.10.1
+
 * Wed Feb 19 2020 hexiujun <hexiujun1@huawei.com> - 1.7.3-14
 - Type:enhancement
 - ID:NA