!6 update unbound version to 1.10.1

Merge pull request !6 from eaglegai/master
2020-07-29 09:44:46 +08:00 · 2020-07-29 09:44:46 +08:00 · 9f9eef1c04
commit 9f9eef1c04
parent c6d2edc56f 7e83f0b568
10 changed files with 89 additions and 784 deletions
--- a/CVE-2019-18934.patch
+++ b/CVE-2019-18934.patch
@ -1,227 +0,0 @@
 From 34e52a4313d59b9d57e928c44300fd81e1a48910 Mon Sep 17 00:00:00 2001
 From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
 Date: Tue, 19 Nov 2019 07:49:59 +0100
 Subject: [PATCH] Fix CVE-2019-18934, shell execution in ipsecmod.
 ---
 ipsecmod/ipsecmod.c | 147 ++++++++++++++++++++++++++++++++++++--------
 1 file changed, 120 insertions(+), 27 deletions(-)
 diff --git a/ipsecmod/ipsecmod.c b/ipsecmod/ipsecmod.c
 index c8400c633..9e916d604 100644
 --- a/ipsecmod/ipsecmod.c
 +++ b/ipsecmod/ipsecmod.c
@@ -161,6 +161,71 @@ generate_request(struct module_qstate* qstate, int id, uint8_t* name,
 	return 1;
 }
 +/**
 + * Check if the string passed is a valid domain name with safe characters to
 + * pass to a shell.
 + * This will only allow:
 + *  - digits
 + *  - alphas
 + *  - hyphen (not at the start)
 + *  - dot (not at the start, or the only character)
 + *  - underscore
 + * @param s: pointer to the string.
 + * @param slen: string's length.
 + * @return true if s only contains safe characters; false otherwise.
 + */
 +static int
 +domainname_has_safe_characters(char* s, size_t slen) {
 +	size_t i;
 +	for(i = 0; i < slen; i++) {
 +		if(s[i] == '\0') return 1;
 +		if((s[i] == '-' && i != 0)
 +			|| (s[i] == '.' && (i != 0 || s[1] == '\0'))
 +			|| (s[i] == '_') || (s[i] >= '0' && s[i] <= '9')
 +			|| (s[i] >= 'A' && s[i] <= 'Z')
 +			|| (s[i] >= 'a' && s[i] <= 'z')) {
 +			continue;
 +		}
 +		return 0;
 +	}
 +	return 1;
 +}
 +
 +/**
 + * Check if the stringified IPSECKEY RDATA contains safe characters to pass to
 + * a shell.
 + * This is only relevant for checking the gateway when the gateway type is 3
 + * (domainname).
 + * @param s: pointer to the string.
 + * @param slen: string's length.
 + * @return true if s contains only safe characters; false otherwise.
 + */
 +static int
 +ipseckey_has_safe_characters(char* s, size_t slen) {
 +	int precedence, gateway_type, algorithm;
 +	char* gateway;
 +	gateway = (char*)calloc(slen, sizeof(char));
 +	if(!gateway) {
 +		log_err("ipsecmod: out of memory when calling the hook");
 +		return 0;
 +	}
 +	if(sscanf(s, "%d %d %d %s ",
 +			&precedence, &gateway_type, &algorithm, gateway) != 4) {
 +		free(gateway);
 +		return 0;
 +	}
 +	if(gateway_type != 3) {
 +		free(gateway);
 +		return 1;
 +	}
 +	if(domainname_has_safe_characters(gateway, slen)) {
 +		free(gateway);
 +		return 1;
 +	}
 +	free(gateway);
 +	return 0;
 +}
 +
 /**
  *  Prepare the data and call the hook.
  *
@@ -175,7 +240,7 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
 {
 	size_t slen, tempdata_len, tempstring_len, i;
 	char str[65535], *s, *tempstring;
 -	int w;
 +	int w = 0, w_temp, qtype;
 	struct ub_packed_rrset_key* rrset_key;
 	struct packed_rrset_data* rrset_data;
 	uint8_t *tempdata;
@@ -192,9 +257,9 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
 	memset(s, 0, slen);
 	/* Copy the hook into the buffer. */
 -	sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
 +	w += sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
 	/* Put space into the buffer. */
 -	sldns_str_print(&s, &slen, " ");
 +	w += sldns_str_print(&s, &slen, " ");
 	/* Copy the qname into the buffer. */
 	tempstring = sldns_wire2str_dname(qstate->qinfo.qname,
 		qstate->qinfo.qname_len);
@@ -202,68 +267,96 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
 		log_err("ipsecmod: out of memory when calling the hook");
 		return 0;
 	}
 -	sldns_str_print(&s, &slen, "\"%s\"", tempstring);
 +	if(!domainname_has_safe_characters(tempstring, strlen(tempstring))) {
 +		log_err("ipsecmod: qname has unsafe characters");
 +		free(tempstring);
 +		return 0;
 +	}
 +	w += sldns_str_print(&s, &slen, "\"%s\"", tempstring);
 	free(tempstring);
 	/* Put space into the buffer. */
 -	sldns_str_print(&s, &slen, " ");
 +	w += sldns_str_print(&s, &slen, " ");
 	/* Copy the IPSECKEY TTL into the buffer. */
 	rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
 -	sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
 +	w += sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
 	/* Put space into the buffer. */
 -	sldns_str_print(&s, &slen, " ");
 -	/* Copy the A/AAAA record(s) into the buffer. Start and end this section
 -	 * with a double quote. */
 +	w += sldns_str_print(&s, &slen, " ");
 	rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
 		qstate->return_msg->rep);
 +	/* Double check that the records are indeed A/AAAA.
 +	 * This should never happen as this function is only executed for A/AAAA
 +	 * queries but make sure we don't pass anything other than A/AAAA to the
 +	 * shell. */
 +	qtype = ntohs(rrset_key->rk.type);
 +	if(qtype != LDNS_RR_TYPE_AAAA && qtype != LDNS_RR_TYPE_A) {
 +		log_err("ipsecmod: Answer is not of A or AAAA type");
 +		return 0;
 +	}
 	rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
 -	sldns_str_print(&s, &slen, "\"");
 +	/* Copy the A/AAAA record(s) into the buffer. Start and end this section
 +	 * with a double quote. */
 +	w += sldns_str_print(&s, &slen, "\"");
 	for(i=0; i<rrset_data->count; i++) {
 		if(i > 0) {
 			/* Put space into the buffer. */
 -			sldns_str_print(&s, &slen, " ");
 +			w += sldns_str_print(&s, &slen, " ");
 		}
 		/* Ignore the first two bytes, they are the rr_data len. */
 -		w = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
 +		w_temp = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
 			rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype);
 -		if(w < 0) {
 +		if(w_temp < 0) {
 			/* Error in printout. */
 -			return -1;
 -		} else if((size_t)w >= slen) {
 +			log_err("ipsecmod: Error in printing IP address");
 +			return 0;
 +		} else if((size_t)w_temp >= slen) {
 			s = NULL; /* We do not want str to point outside of buffer. */
 			slen = 0;
 -			return -1;
 +			log_err("ipsecmod: shell command too long");
 +			return 0;
 		} else {
 -			s += w;
 -			slen -= w;
 +			s += w_temp;
 +			slen -= w_temp;
 +			w += w_temp;
 		}
 	}
 -	sldns_str_print(&s, &slen, "\"");
 +	w += sldns_str_print(&s, &slen, "\"");
 	/* Put space into the buffer. */
 -	sldns_str_print(&s, &slen, " ");
 +	w += sldns_str_print(&s, &slen, " ");
 	/* Copy the IPSECKEY record(s) into the buffer. Start and end this section
 	 * with a double quote. */
 -	sldns_str_print(&s, &slen, "\"");
 +	w += sldns_str_print(&s, &slen, "\"");
 	rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
 	for(i=0; i<rrset_data->count; i++) {
 		if(i > 0) {
 			/* Put space into the buffer. */
 -			sldns_str_print(&s, &slen, " ");
 +			w += sldns_str_print(&s, &slen, " ");
 		}
 		/* Ignore the first two bytes, they are the rr_data len. */
 		tempdata = rrset_data->rr_data[i] + 2;
 		tempdata_len = rrset_data->rr_len[i] - 2;
 		/* Save the buffer pointers. */
 		tempstring = s; tempstring_len = slen;
 -		w = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, &slen,
 -			NULL, 0);
 +		w_temp = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s,
 +			&slen, NULL, 0);
 		/* There was an error when parsing the IPSECKEY; reset the buffer
 		 * pointers to their previous values. */
 -		if(w == -1){
 +		if(w_temp == -1) {
 			s = tempstring; slen = tempstring_len;
 +		} else if(w_temp > 0) {
 +			if(!ipseckey_has_safe_characters(
 +					tempstring, tempstring_len - slen)) {
 +				log_err("ipsecmod: ipseckey has unsafe characters");
 +				return 0;
 +			}
 +			w += w_temp;
 		}
 	}
 -	sldns_str_print(&s, &slen, "\"");
 -	verbose(VERB_ALGO, "ipsecmod: hook command: '%s'", str);
 +	w += sldns_str_print(&s, &slen, "\"");
 +	if(w >= (int)sizeof(str)) {
 +		log_err("ipsecmod: shell command too long");
 +		return 0;
 +	}
 +	verbose(VERB_ALGO, "ipsecmod: shell command: '%s'", str);
 	/* ipsecmod-hook should return 0 on success. */
 	if(system(str) != 0)
 		return 0;
--- a/unbound-1.10.0-auth-callback.patch
+++ b/unbound-1.10.0-auth-callback.patch
@ -0,0 +1,74 @@
 --- a/services/authzone.c	2020-04-16 13:01:10.550618034 +0200
 +++ b/services/authzone.c	2020-04-16 13:07:04.624476160 +0200
@@ -5331,7 +5331,7 @@
 	log_assert(xfr->task_transfer);
 	lock_basic_lock(&xfr->lock);
 	env = xfr->task_transfer->env;
 -	if(env->outnet->want_to_quit) {
 +	if(!env || env->outnet->want_to_quit) {
 		lock_basic_unlock(&xfr->lock);
 		return; /* stop on quit */
 	}
@@ -5770,7 +5770,7 @@
 	log_assert(xfr->task_transfer);
 	lock_basic_lock(&xfr->lock);
 	env = xfr->task_transfer->env;
 -	if(env->outnet->want_to_quit) {
 +	if(!env || env->outnet->want_to_quit) {
 		lock_basic_unlock(&xfr->lock);
 		return; /* stop on quit */
 	}
@@ -5812,7 +5812,7 @@
 	log_assert(xfr->task_transfer);
 	lock_basic_lock(&xfr->lock);
 	env = xfr->task_transfer->env;
 -	if(env->outnet->want_to_quit) {
 +	if(!env || env->outnet->want_to_quit) {
 		lock_basic_unlock(&xfr->lock);
 		return 0; /* stop on quit */
 	}
@@ -5893,7 +5893,7 @@
 	log_assert(xfr->task_transfer);
 	lock_basic_lock(&xfr->lock);
 	env = xfr->task_transfer->env;
 -	if(env->outnet->want_to_quit) {
 +	if(!env || env->outnet->want_to_quit) {
 		lock_basic_unlock(&xfr->lock);
 		return 0; /* stop on quit */
 	}
@@ -6107,7 +6107,7 @@
 	log_assert(xfr->task_probe);
 	lock_basic_lock(&xfr->lock);
 	env = xfr->task_probe->env;
 -	if(env->outnet->want_to_quit) {
 +	if(!env || env->outnet->want_to_quit) {
 		lock_basic_unlock(&xfr->lock);
 		return; /* stop on quit */
 	}
@@ -6143,7 +6143,7 @@
 	log_assert(xfr->task_probe);
 	lock_basic_lock(&xfr->lock);
 	env = xfr->task_probe->env;
 -	if(env->outnet->want_to_quit) {
 +	if(!env || env->outnet->want_to_quit) {
 		lock_basic_unlock(&xfr->lock);
 		return 0; /* stop on quit */
 	}
@@ -6388,7 +6388,7 @@
 	log_assert(xfr->task_probe);
 	lock_basic_lock(&xfr->lock);
 	env = xfr->task_probe->env;
 -	if(env->outnet->want_to_quit) {
 +	if(!env || env->outnet->want_to_quit) {
 		lock_basic_unlock(&xfr->lock);
 		return; /* stop on quit */
 	}
@@ -6465,7 +6465,7 @@
 	log_assert(xfr->task_nextprobe);
 	lock_basic_lock(&xfr->lock);
 	env = xfr->task_nextprobe->env;
 -	if(env->outnet->want_to_quit) {
 +	if(!env || env->outnet->want_to_quit) {
 		lock_basic_unlock(&xfr->lock);
 		return; /* stop on quit */
 	}
--- a/unbound-1.10.1.tar.gz
+++ b/unbound-1.10.1.tar.gz
--- a/unbound-1.7.2-python3-devel.patch
+++ b/unbound-1.7.2-python3-devel.patch
@ -1,320 +0,0 @@
 From b5aab36d41f374eddb0f66f28f251588f53a1e1e Mon Sep 17 00:00:00 2001
 From: Wouter Wijngaards <wouter@nlnetlabs.nl>
 Date: Wed, 27 Jun 2018 05:46:36 +0000
 Subject: [PATCH 1/2] - #4109: Fix that package config depends on python
 unconditionally.
 git-svn-id: file:///svn/unbound/trunk@4757 be551aaa-1e26-0410-a405-d3ace91eadb9
 ---
 configure    | 257 +++++++++++++++++++++++++++++++----------------------------
 configure.ac |   5 +-
 2 files changed, 137 insertions(+), 125 deletions(-)
 diff --git a/configure b/configure
 index 3f1c372a..2a1687ae 100755
 --- a/configure
 +++ b/configure
@@ -670,9 +670,6 @@ SYSTEMD_DAEMON_LIBS
 SYSTEMD_DAEMON_CFLAGS
 SYSTEMD_LIBS
 SYSTEMD_CFLAGS
 -PKG_CONFIG_LIBDIR
 -PKG_CONFIG_PATH
 -PKG_CONFIG
 staticexe
 PC_LIBEVENT_DEPENDENCY
 UNBOUND_EVENT_UNINSTALL
@@ -697,6 +694,9 @@ swig
 SWIG_LIB
 SWIG
 PC_PY_DEPENDENCY
 +PKG_CONFIG_LIBDIR
 +PKG_CONFIG_PATH
 +PKG_CONFIG
 PY_MAJOR_VERSION
 PYTHON_SITE_PKG
 PYTHON_LDFLAGS
@@ -16930,7 +16930,136 @@ $as_echo "#define HAVE_PYTHON 1" >>confdefs.h
         CPPFLAGS="$PYTHON_CPPFLAGS"
       fi
       ub_have_python=yes
 -      PC_PY_DEPENDENCY="python"
 +
 +
 +
 +
 +
 +
 +
 +if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
 +	if test -n "$ac_tool_prefix"; then
 +  # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
 +set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 +$as_echo_n "checking for $ac_word... " >&6; }
 +if ${ac_cv_path_PKG_CONFIG+:} false; then :
 +  $as_echo_n "(cached) " >&6
 +else
 +  case $PKG_CONFIG in
 +  [\\/]* | ?:[\\/]*)
 +  ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
 +  ;;
 +  *)
 +  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 +for as_dir in $PATH
 +do
 +  IFS=$as_save_IFS
 +  test -z "$as_dir" && as_dir=.
 +    for ac_exec_ext in '' $ac_executable_extensions; do
 +  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
 +    ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
 +    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
 +    break 2
 +  fi
 +done
 +  done
 +IFS=$as_save_IFS
 +
 +  ;;
 +esac
 +fi
 +PKG_CONFIG=$ac_cv_path_PKG_CONFIG
 +if test -n "$PKG_CONFIG"; then
 +  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5
 +$as_echo "$PKG_CONFIG" >&6; }
 +else
 +  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 +$as_echo "no" >&6; }
 +fi
 +
 +
 +fi
 +if test -z "$ac_cv_path_PKG_CONFIG"; then
 +  ac_pt_PKG_CONFIG=$PKG_CONFIG
 +  # Extract the first word of "pkg-config", so it can be a program name with args.
 +set dummy pkg-config; ac_word=$2
 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 +$as_echo_n "checking for $ac_word... " >&6; }
 +if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then :
 +  $as_echo_n "(cached) " >&6
 +else
 +  case $ac_pt_PKG_CONFIG in
 +  [\\/]* | ?:[\\/]*)
 +  ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path.
 +  ;;
 +  *)
 +  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 +for as_dir in $PATH
 +do
 +  IFS=$as_save_IFS
 +  test -z "$as_dir" && as_dir=.
 +    for ac_exec_ext in '' $ac_executable_extensions; do
 +  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
 +    ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
 +    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
 +    break 2
 +  fi
 +done
 +  done
 +IFS=$as_save_IFS
 +
 +  ;;
 +esac
 +fi
 +ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
 +if test -n "$ac_pt_PKG_CONFIG"; then
 +  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5
 +$as_echo "$ac_pt_PKG_CONFIG" >&6; }
 +else
 +  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 +$as_echo "no" >&6; }
 +fi
 +
 +  if test "x$ac_pt_PKG_CONFIG" = x; then
 +    PKG_CONFIG=""
 +  else
 +    case $cross_compiling:$ac_tool_warned in
 +yes:)
 +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 +ac_tool_warned=yes ;;
 +esac
 +    PKG_CONFIG=$ac_pt_PKG_CONFIG
 +  fi
 +else
 +  PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
 +fi
 +
 +fi
 +if test -n "$PKG_CONFIG"; then
 +	_pkg_min_version=0.9.0
 +	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5
 +$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; }
 +	if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
 +		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 +$as_echo "yes" >&6; }
 +	else
 +		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 +$as_echo "no" >&6; }
 +		PKG_CONFIG=""
 +	fi
 +fi
 +      if test -n "$PKG_CONFIG" && \
 +    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"\"python\${PY_MAJOR_VERSION}\"\""; } >&5
 +  ($PKG_CONFIG --exists --print-errors ""python${PY_MAJOR_VERSION}"") 2>&5
 +  ac_status=$?
 +  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
 +  test $ac_status = 0; }; then
 +  PC_PY_DEPENDENCY="python${PY_MAJOR_VERSION}"
 +else
 +  PC_PY_DEPENDENCY="python"
 +fi
       # Check for SWIG
@@ -18960,126 +19089,6 @@ else
 fi
 have_systemd=no
 -
 -
 -
 -
 -
 -
 -
 -if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
 -	if test -n "$ac_tool_prefix"; then
 -  # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
 -set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 -$as_echo_n "checking for $ac_word... " >&6; }
 -if ${ac_cv_path_PKG_CONFIG+:} false; then :
 -  $as_echo_n "(cached) " >&6
 -else
 -  case $PKG_CONFIG in
 -  [\\/]* | ?:[\\/]*)
 -  ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
 -  ;;
 -  *)
 -  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 -for as_dir in $PATH
 -do
 -  IFS=$as_save_IFS
 -  test -z "$as_dir" && as_dir=.
 -    for ac_exec_ext in '' $ac_executable_extensions; do
 -  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
 -    ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
 -    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
 -    break 2
 -  fi
 -done
 -  done
 -IFS=$as_save_IFS
 -
 -  ;;
 -esac
 -fi
 -PKG_CONFIG=$ac_cv_path_PKG_CONFIG
 -if test -n "$PKG_CONFIG"; then
 -  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5
 -$as_echo "$PKG_CONFIG" >&6; }
 -else
 -  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 -$as_echo "no" >&6; }
 -fi
 -
 -
 -fi
 -if test -z "$ac_cv_path_PKG_CONFIG"; then
 -  ac_pt_PKG_CONFIG=$PKG_CONFIG
 -  # Extract the first word of "pkg-config", so it can be a program name with args.
 -set dummy pkg-config; ac_word=$2
 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
 -$as_echo_n "checking for $ac_word... " >&6; }
 -if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then :
 -  $as_echo_n "(cached) " >&6
 -else
 -  case $ac_pt_PKG_CONFIG in
 -  [\\/]* | ?:[\\/]*)
 -  ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path.
 -  ;;
 -  *)
 -  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 -for as_dir in $PATH
 -do
 -  IFS=$as_save_IFS
 -  test -z "$as_dir" && as_dir=.
 -    for ac_exec_ext in '' $ac_executable_extensions; do
 -  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
 -    ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
 -    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
 -    break 2
 -  fi
 -done
 -  done
 -IFS=$as_save_IFS
 -
 -  ;;
 -esac
 -fi
 -ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
 -if test -n "$ac_pt_PKG_CONFIG"; then
 -  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5
 -$as_echo "$ac_pt_PKG_CONFIG" >&6; }
 -else
 -  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 -$as_echo "no" >&6; }
 -fi
 -
 -  if test "x$ac_pt_PKG_CONFIG" = x; then
 -    PKG_CONFIG=""
 -  else
 -    case $cross_compiling:$ac_tool_warned in
 -yes:)
 -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
 -$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
 -ac_tool_warned=yes ;;
 -esac
 -    PKG_CONFIG=$ac_pt_PKG_CONFIG
 -  fi
 -else
 -  PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
 -fi
 -
 -fi
 -if test -n "$PKG_CONFIG"; then
 -	_pkg_min_version=0.9.0
 -	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5
 -$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; }
 -	if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
 -		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 -$as_echo "yes" >&6; }
 -	else
 -		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 -$as_echo "no" >&6; }
 -		PKG_CONFIG=""
 -	fi
 -fi
 if test "x$enable_systemd" != xno; then :
 diff --git a/configure.ac b/configure.ac
 index 1828253c..b2c95d1a 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -586,7 +586,10 @@ if test x_$ub_test_python != x_no; then
         CPPFLAGS="$PYTHON_CPPFLAGS"
       fi
       ub_have_python=yes
 -      PC_PY_DEPENDENCY="python"
 +      PKG_PROG_PKG_CONFIG
 +      PKG_CHECK_EXISTS(["python${PY_MAJOR_VERSION}"],
 +                       [PC_PY_DEPENDENCY="python${PY_MAJOR_VERSION}"],
 +                       [PC_PY_DEPENDENCY="python"])
       AC_SUBST(PC_PY_DEPENDENCY)
       # Check for SWIG
 -- 
 2.14.4
--- a/unbound-1.7.2-python3-pkgconfig.patch
+++ b/unbound-1.7.2-python3-pkgconfig.patch
@ -1,31 +0,0 @@
 From bca54a8b252d4a75e940424dc761c6a4e487eb84 Mon Sep 17 00:00:00 2001
 From: Wouter Wijngaards <wouter@nlnetlabs.nl>
 Date: Wed, 27 Jun 2018 06:07:31 +0000
 Subject: [PATCH 2/2] =?UTF-8?q?-=20Patch,=20do=20not=20export=20python=20f?=
 =?UTF-8?q?rom=20pkg-config,=20from=20Petr=20Men=C5=A1=C3=ADk.?=
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 git-svn-id: file:///svn/unbound/trunk@4758 be551aaa-1e26-0410-a405-d3ace91eadb9
 ---
 contrib/libunbound.pc.in | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/contrib/libunbound.pc.in b/contrib/libunbound.pc.in
 index 0cb9f875..810c5713 100644
 --- a/contrib/libunbound.pc.in
 +++ b/contrib/libunbound.pc.in
@@ -7,7 +7,8 @@ Name: unbound
 Description: Library with validating, recursive, and caching DNS resolver
 URL: http://www.unbound.net
 Version: @PACKAGE_VERSION@
 -Requires: @PC_LIBEVENT_DEPENDENCY@ @PC_PY_DEPENDENCY@
 +Requires: libcrypto libssl @PC_LIBEVENT_DEPENDENCY@
 +Requires.private: @PC_PY_DEPENDENCY@
 Libs: -L${libdir} -lunbound -lssl -lcrypto
 Libs.private: @SSLLIB@ @LIBS@
 Cflags: -I${includedir} 
 -- 
 2.14.4
--- a/unbound-1.7.3-anchor-fallback.patch
+++ b/unbound-1.7.3-anchor-fallback.patch
@ -1,182 +0,0 @@
 From 81e9f82a8ddd811d7ebafe2fd0ee5af836d0b405 Mon Sep 17 00:00:00 2001
 From: Wouter Wijngaards <wouter@nlnetlabs.nl>
 Date: Wed, 4 Jul 2018 10:02:16 +0000
 Subject: [PATCH] - Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will
 not pass   if DNSSEC is not enabled.  New option -R allows fallback from  
 resolv.conf to direct queries.
 git-svn-id: file:///svn/unbound/trunk@4770 be551aaa-1e26-0410-a405-d3ace91eadb9
 ---
 doc/unbound-anchor.8.in   |  5 ++++
 smallapp/unbound-anchor.c | 66 ++++++++++++++++++++++++++++++++++-------------
 2 files changed, 53 insertions(+), 18 deletions(-)
 diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in
 index 02a3e781..e114eb25 100644
 --- a/doc/unbound-anchor.8.in
 +++ b/doc/unbound-anchor.8.in
@@ -109,6 +109,11 @@ It does so, because the tool when used for bootstrapping the recursive
 resolver, cannot use that recursive resolver itself because it is bootstrapping
 that server.
 .TP
 +.B \-R
 +Allow fallback from \-f resolv.conf file to direct root servers query.
 +It allows you to prefer local resolvers, but fallback automatically
 +to direct root query if they do not respond or do not support DNSSEC.
 +.TP
 .B \-v
 More verbose. Once prints informational messages, multiple times may enable
 large debug amounts (such as full certificates or byte\-dumps of downloaded
 diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
 index b3009108..f3985090 100644
 --- a/smallapp/unbound-anchor.c
 +++ b/smallapp/unbound-anchor.c
@@ -192,9 +192,10 @@ usage(void)
 	printf("-n name		signer's subject emailAddress, default %s\n", P7SIGNER);
 	printf("-4		work using IPv4 only\n");
 	printf("-6		work using IPv6 only\n");
 -	printf("-f resolv.conf	use given resolv.conf to resolve -u name\n");
 -	printf("-r root.hints	use given root.hints to resolve -u name\n"
 +	printf("-f resolv.conf	use given resolv.conf\n");
 +	printf("-r root.hints	use given root.hints\n"
 		"		builtin root hints are used by default\n");
 +	printf("-R		fallback from -f to root query on error\n");
 	printf("-v		more verbose\n");
 	printf("-C conf		debug, read config\n");
 	printf("-P port		use port for https connect, default 443\n");
@@ -1920,8 +1921,7 @@ static int
 do_certupdate(const char* root_anchor_file, const char* root_cert_file,
 	const char* urlname, const char* xmlname, const char* p7sname,
 	const char* p7signer, const char* res_conf, const char* root_hints,
 -	const char* debugconf, int ip4only, int ip6only, int port,
 -	struct ub_result* dnskey)
 +	const char* debugconf, int ip4only, int ip6only, int port)
 {
 	STACK_OF(X509)* cert;
 	BIO *xml, *p7s;
@@ -1961,7 +1961,6 @@ do_certupdate(const char* root_anchor_file, const char* root_cert_file,
 #ifndef S_SPLINT_S
 	sk_X509_pop_free(cert, X509_free);
 #endif
 -	ub_resolve_free(dnskey);
 	ip_list_free(ip_list);
 	return 1;
 }
@@ -2199,16 +2198,33 @@ probe_date_allows_certupdate(const char* root_anchor_file)
 	return 0;
 }
 +static struct ub_result *
 +fetch_root_key(const char* root_anchor_file, const char* res_conf,
 +	const char* root_hints, const char* debugconf,
 +	int ip4only, int ip6only)
 +{
 +	struct ub_ctx* ctx;
 +	struct ub_result* dnskey;
 +
 +	ctx = create_unbound_context(res_conf, root_hints, debugconf,
 +		ip4only, ip6only);
 +	add_5011_probe_root(ctx, root_anchor_file);
 +	dnskey = prime_root_key(ctx);
 +	ub_ctx_delete(ctx);
 +	return dnskey;
 +}
 +
 /** perform the unbound-anchor work */
 static int
 do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
 	const char* urlname, const char* xmlname, const char* p7sname,
 	const char* p7signer, const char* res_conf, const char* root_hints,
 -	const char* debugconf, int ip4only, int ip6only, int force, int port)
 +	const char* debugconf, int ip4only, int ip6only, int force,
 +	int res_conf_fallback, int port)
 {
 -	struct ub_ctx* ctx;
 	struct ub_result* dnskey;
 	int used_builtin = 0;
 +	int rcode;
 	/* see if builtin rootanchor needs to be provided, or if
 	 * rootanchor is 'revoked-trust-point' */
@@ -2217,12 +2233,22 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
 	/* make unbound context with 5011-probe for root anchor,
 	 * and probe . DNSKEY */
 -	ctx = create_unbound_context(res_conf, root_hints, debugconf,
 -		ip4only, ip6only);
 -	add_5011_probe_root(ctx, root_anchor_file);
 -	dnskey = prime_root_key(ctx);
 -	ub_ctx_delete(ctx);
 -	
 +	dnskey = fetch_root_key(root_anchor_file, res_conf,
 +		root_hints, debugconf, ip4only, ip6only);
 +	rcode = dnskey->rcode;
 +
 +	if (res_conf_fallback && res_conf && !dnskey->secure) {
 +		if (verb) printf("%s failed, retrying direct\n", res_conf);
 +		ub_resolve_free(dnskey);
 +		/* try direct query without res_conf */
 +		dnskey = fetch_root_key(root_anchor_file, NULL,
 +			root_hints, debugconf, ip4only, ip6only);
 +		if (rcode != 0 && dnskey->rcode == 0) {
 +			res_conf = NULL;
 +			rcode = 0;
 +		}
 +	}
 +
 	/* if secure: exit */
 	if(dnskey->secure && !force) {
 		if(verb) printf("success: the anchor is ok\n");
@@ -2230,18 +2256,18 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
 		return used_builtin;
 	}
 	if(force && verb) printf("debug cert update forced\n");
 +	ub_resolve_free(dnskey);
 	/* if not (and NOERROR): check date and do certupdate */
 -	if((dnskey->rcode == 0 &&
 +	if((rcode == 0 &&
 		probe_date_allows_certupdate(root_anchor_file)) || force) {
 		if(do_certupdate(root_anchor_file, root_cert_file, urlname,
 			xmlname, p7sname, p7signer, res_conf, root_hints,
 -			debugconf, ip4only, ip6only, port, dnskey))
 +			debugconf, ip4only, ip6only, port))
 			return 1;
 		return used_builtin;
 	}
 	if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n");
 -	ub_resolve_free(dnskey);
 	return used_builtin;
 }
@@ -2264,8 +2290,9 @@ int main(int argc, char* argv[])
 	const char* root_hints = NULL;
 	const char* debugconf = NULL;
 	int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
 +	int res_conf_fallback = 0;
 	/* parse the options */
 -	while( (c=getopt(argc, argv, "46C:FP:a:c:f:hln:r:s:u:vx:")) != -1) {
 +	while( (c=getopt(argc, argv, "46C:FRP:a:c:f:hln:r:s:u:vx:")) != -1) {
 		switch(c) {
 		case 'l':
 			dolist = 1;
@@ -2300,6 +2327,9 @@ int main(int argc, char* argv[])
 		case 'r':
 			root_hints = optarg;
 			break;
 +		case 'R':
 +			res_conf_fallback = 1;
 +			break;
 		case 'C':
 			debugconf = optarg;
 			break;
@@ -2346,5 +2376,5 @@ int main(int argc, char* argv[])
 	return do_root_update_work(root_anchor_file, root_cert_file, urlname,
 		xmlname, p7sname, p7signer, res_conf, root_hints, debugconf,
 -		ip4only, ip6only, force, port);
 +		ip4only, ip6only, force, res_conf_fallback, port);
 }
 -- 
 2.14.4
--- a/unbound-1.7.3-host-any.patch
+++ b/unbound-1.7.3-host-any.patch
@ -1,12 +0,0 @@
 diff --git a/smallapp/unbound-host.c b/smallapp/unbound-host.c
 index 53bf3277..f02511fe 100644
 --- a/smallapp/unbound-host.c
 +++ b/smallapp/unbound-host.c
@@ -340,6 +340,7 @@ pretty_output(char* q, int t, int c, struct ub_result* result, int docname)
 					exit(1);
 				}
 				printf("%s\n", s);
 +				free(s);
 			} else	printf(" has no %s record", tstr);
 			printf(" %s\n", secstatus);
 		}
--- a/unbound-1.7.3.tar.gz
+++ b/unbound-1.7.3.tar.gz
--- a/unbound.conf
+++ b/unbound.conf
@ -105,6 +105,7 @@ server:
 	# are present, they are processed in order.
 	# Our SElinux policy does not allow non-ephemeral ports to be used
 	outgoing-port-avoid: 0-32767
 	outgoing-port-avoid: 61000-65535
 	# number of outgoing simultaneous tcp buffers to hold per thread.
 	# outgoing-num-tcp: 10
--- a/unbound.spec
+++ b/unbound.spec
@ -1,8 +1,8 @@
 %{!?delete_la: %global delete_la  find $RPM_BUILD_ROOT -type f -name "*.la" -delete}
 Name:          unbound
-Version:       1.7.3
+Version:       1.10.1
-Release:       14
+Release:       1
 Summary:       Unbound is a validating, recursive, caching DNS resolver
 License:       BSD
 Url:           https://nlnetlabs.nl/projects/unbound/about/
@ -21,14 +21,11 @@ Source11:      unbound.sysconfig
 Source12:      unbound-anchor.timer
 Source13:      unbound-anchor.service
-Patch0001:     unbound-1.7.2-python3-devel.patch
+Patch0001:     unbound-1.10.0-auth-callback.patch
 Patch0002:     unbound-1.7.2-python3-pkgconfig.patch
 Patch0003:     unbound-1.7.3-anchor-fallback.patch
 Patch0004:     unbound-1.7.3-host-any.patch
 Patch0005:     CVE-2019-18934.patch
 BuildRequires: make flex swig pkgconfig systemd python-unversioned-command
 BuildRequires: libevent-devel expat-devel openssl-devel python3-devel
 BuildRequires: unbound-libs
 %{?systemd_requires}
 Requires:      %{name}-libs = %{version}-%{release}
@ -75,10 +72,9 @@ Package help includes includes man pages for unbound.
 %setup -qcn %{name}-%{version}
 pushd %{name}-%{version}
-%patch0001 -p1 -b .python3
+
-%patch0002 -p1 -b .python3
+%patch0001 -p1
-%patch0003 -p1 -b .anchor-fallback
+
 %patch0004 -p1 -b .host-any
 cp -pr doc pythonmod libunbound ../
 popd
@ -121,7 +117,7 @@ install -p -m 0644 %{SOURCE11} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/unbound
 install -p -m 0644 %{SOURCE12} $RPM_BUILD_ROOT%{_unitdir}/unbound-anchor.timer
 install -p -m 0644 %{SOURCE13} $RPM_BUILD_ROOT%{_unitdir}/unbound-anchor.service
-
+cp -a %{_libdir}/libunbound.so.2* %{buildroot}%{_libdir}
 %delete_la
@ -233,6 +229,12 @@ popd
 %{_mandir}/man*
 %changelog
 * Tue Jul 28 2020 gaihuiying <gaihuiying1@huawei.com> - 1.10.1-1
 - Type:requirement
 - ID:NA
 - SUG:NA
 - DESC:update unbound version to 1.10.1
 * Wed Feb 19 2020 hexiujun <hexiujun1@huawei.com> - 1.7.3-14
 - Type:enhancement
 - ID:NA