[getdns-api] First release candidate for getdns-1.4.0
Willem Toorop
willem at nlnetlabs.nl
Wed Feb 14 14:52:52 UTC 2018
Dear all,
We have a candidate for the upcoming 1.4.0 security and stability
release of getdns.
Security Fixes
==============
The release contains two security fixes.
1. When TLS upstreams were authenticated with SHA256 SPKI pins, certain
verification errors - like self-signed certificates - were tolerated
when the SPKI pin matched. This is wrong because checking for the
error status indicating self-signed certificates does not mean that
no other errors occurred. Only one error status is returned by the
underlying OpenSSL verification function and that error status masks
potential other errors.
This release will check SPKI pins with the native OpenSSL DANE
functions, for OpenSSL version 1.1.0 and higher, or with the DANE
functions from the included Viktor Dukhovni's danessl library for
OpenSSL version 1.0.0 and higher.
For OpenSSL versions before 1.0.0 and for LibreSSL, self-signed
certificates are no longer tolerated.
2. The recent CVE-2017-15105, exposed a flaw with a few resolvers, that
made it possible to downgrade secure connections. One of the causes
of the issue, was that wildcard expansions of resource records used
in DNSSEC proof were allowed. Although getdns was not vulnerable to
the specific issue addressed in CVE-2017-15105, it did not
explicitly disallow wildcard expansions of resource records used in
DNSSEC proof. This release has that fixed.
Stability Fixes
===============
Detailed reports from our Stubby users have revealed a few more bugs
causing crashes in the getdns library in certain conditions.
'Additional API' - new functions
================================
Besides the available ciphers, now the supported curves can be
configured too with the getdns_context_set_tls_curves_list() function or
per upstream with getdns_context_set_upstream_recursive_servers() .
Tools
=====
This release includes a new tool getdns_server_mon based on Stéphane
Borzmeyer's monitor DNS-over-TLS tool. This tool is used to generate the
table showing public DNS-over-TLS servers capabilities, see:
https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/
NOTE
====
Although this release is binary compatible up to getdns version 1.1.0,
the .so version is still bumped at request for the fedora package.
Stubby
======
This release candidate includes a candidate for a 0.2.2 release of Stubby.
- It includes an updated and fixed stubby.yml configuration file.
- Has additional logging of basic configuration on startup.
- Has a manpage included
Please review this release candidate carefully, if all is well, the
actual release will follow Wednesday the 21st of February.
link : https://getdnsapi.net/dist/getdns-1.4.0-rc1.tar.gz
pgp : https://getdnsapi.net/dist/getdns-1.4.0-rc1.tar.gz.asc
sha256: b60963f966111e24efdc96e048d1e3b7492d5cfd590abc73cff227ecc3549f52
ChangeLog
=========
* 2018-02-??: Version 1.4.0
* .so revision bump to please fedora packaging system.
Thanks Paul Wouters
* Specify the supported curves with
getdns_context_set_tls_curves_list()
An upstream specific list of supported curves may also be given
with the tls_curves_list setting in the upstream dict with
getdns_context_set_upstream_recursive_servers()
* New tool getdns_server_mon for checking upstream recursive
resolver's capabilities.
* Improved handling of opportunistic back-off. If other transports
are working, don’t forcibly promote failed upstreams just wait for
the re-try timer.
* Hostname authentication with libressl
Thanks Norbert Copones
* Security bugfix in response to CVE-2017-15105. Although getdns was
not vulnerable for this specific issue, as a precaution code has
been adapted so that signatures of DNSKEYs, DSs, NSECs and NSEC3s
can not be wildcard expansions when used with DNSSEC proofs. Only
direct queries for those types are allowed to be wildcard
expansions.
* Bugfix PR#379: Miscelleneous double free or corruption, and
corrupted memory double linked list detected issue, with serving
functionality.
Thanks maddie and Bruno Pagani
* Security Bugfix PR#293: Check sha256 pinset's
with OpenSSL native DANE functions for OpenSSL >= 1.1.0
with Viktor Dukhovni's danessl library for OpenSSL >= 1.0.0
don't allow for authentication exceptions (like self-signed
certificates) otherwise. Thanks Viktor Dukhovni
* libidn2 support. Thanks Paul Wouters
Stubby ChangeLog
================
* 2018-02-??: Version 0.2.2
* Fixes and updates to the stubby.yml.config file. Add separate entries
for servers that listen on port 443.
* Additional logging of basic config on startup
* -V option to show version
* Added a man page
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.getdnsapi.net/pipermail/spec/attachments/20180214/6c9e2939/attachment.bin>
More information about the spec
mailing list