[getdns-api] First release candidate for getdns-1.4.0

Willem Toorop willem at nlnetlabs.nl
Wed Feb 14 14:52:52 UTC 2018

Dear all,

We have a candidate for the upcoming 1.4.0 security and stability
release of getdns.

Security Fixes
The release contains two security fixes.

 1. When TLS upstreams were authenticated with SHA256 SPKI pins, certain
    verification errors - like self-signed certificates - were tolerated
    when the SPKI pin matched. This is wrong because checking for the
    error status indicating self-signed certificates does not mean that
    no other errors occurred. Only one error status is returned by the
    underlying OpenSSL verification function and that error status masks
    potential other errors.

    This release checks SPKI pins with the native OpenSSL DANE
    functions for OpenSSL version 1.1.0 and higher, or with the DANE
    functions from Viktor Dukhovni's danessl library (included with
    getdns) for OpenSSL version 1.0.0 and higher.

    For OpenSSL versions before 1.0.0 and for LibreSSL, self-signed
    certificates are no longer tolerated.

 2. The recent CVE-2017-15105 exposed a flaw in a few resolvers that
    made it possible to downgrade secure connections. One of the causes
    of the issue was that wildcard expansions of resource records used
    in DNSSEC proofs were allowed. Although getdns was not vulnerable to
    the specific issue addressed in CVE-2017-15105, it did not
    explicitly disallow wildcard expansions of resource records used in
    DNSSEC proofs. This release fixes that.
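The check behind this fix, as an added example that is not getdns code: an RRset synthesized from a wildcard can be recognised because the RRSIG Labels field is smaller than the owner name's label count (RFC 4034 section 3.1.3, RFC 4035 section 5.3.1), and such RRsets are refused for DNSKEY, DS, NSEC and NSEC3 whenever they serve as proof material rather than as the answer to a direct query. The RRSIG lines are constructed sample input with shortened signature fields.

```python
# Added example (not getdns code): detect wildcard-expanded RRsets from the
# RRSIG Labels field (RFC 4034 s3.1.3, RFC 4035 s5.3.1) and refuse them for the
# record types that may only be wildcard expansions as direct answers.

PROOF_TYPES = {"DNSKEY", "DS", "NSEC", "NSEC3"}

def owner_label_count(owner: str) -> int:
    """Label count as the RRSIG Labels field defines it: the root label is not
    counted and neither is a leading '*' (wildcard) label."""
    labels = [l for l in owner.rstrip(".").split(".") if l]
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels)

def parse_rrsig(line: str):
    """Parse a presentation-format RRSIG line into (owner, type_covered,
    labels). Fields: owner ttl class RRSIG type alg labels origttl ..."""
    f = line.split()
    if len(f) < 7 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    return f[0], f[4], int(f[6])

def check_rrsig(line: str, used_in_proof: bool):
    """Return (accepted, reason) for the signed RRset that `line` covers.
    used_in_proof is True when the RRset is chain-of-trust or denial
    material rather than the answer to a direct query for that type."""
    owner, rtype, rrsig_labels = parse_rrsig(line)
    owner_labels = owner_label_count(owner)
    if rrsig_labels > owner_labels:
        return False, "Labels field exceeds owner name: bogus RRSIG"
    if rrsig_labels == owner_labels:
        return True, "exact match"
    # Fewer labels in the RRSIG than in the owner: synthesized from a wildcard.
    if rtype in PROOF_TYPES and used_in_proof:
        return False, f"wildcard-expanded {rtype} not allowed in DNSSEC proof"
    return True, "wildcard expansion"

# Constructed sample records (signature data shortened; not real signatures).
SAMPLE_RRSIGS = [
    "www.example.com. 3600 IN RRSIG A 13 3 3600 20180301000000 20180201000000 12345 example.com. c2ln",
    "sub.example.com. 3600 IN RRSIG DS 13 2 3600 20180301000000 20180201000000 12345 example.com. c2ln",
    "*.example.com. 3600 IN RRSIG NSEC 13 2 3600 20180301000000 20180201000000 12345 example.com. c2ln",
]

if __name__ == "__main__":
    for line in SAMPLE_RRSIGS:
        print(line.split()[0], line.split()[4], check_rrsig(line, used_in_proof=True))
```

The second sample is a DS RRset for sub.example.com signed with Labels=2, i.e. synthesized from *.example.com, which is refused as proof material but still accepted as a direct DS answer; the third is the wildcard RRset itself, whose leading '*' is not counted, so it is an exact match.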

Stability Fixes
Detailed reports from our Stubby users have revealed a few more bugs
causing crashes in the getdns library in certain conditions.

'Additional API' - new functions
Besides the available ciphers, the supported curves can now be
configured too, globally with the getdns_context_set_tls_curves_list()
function or per upstream with getdns_context_set_upstream_recursive_servers().

This release includes a new tool, getdns_server_mon, based on Stéphane
Bortzmeyer's DNS-over-TLS monitoring tool. This tool is used to generate the
table showing the capabilities of public DNS-over-TLS servers, see:


Although this release is binary compatible up to getdns version 1.1.0,
the .so version is still bumped at the request of the Fedora packaging.

This release candidate includes a candidate for a 0.2.2 release of Stubby.

  - It includes an updated and fixed stubby.yml configuration file.
  - Has additional logging of basic configuration on startup.
  - Has a manpage included

Please review this release candidate carefully; if all is well, the
actual release will follow on Wednesday the 21st of February.

link  : https://getdnsapi.net/dist/getdns-1.4.0-rc1.tar.gz
pgp   : https://getdnsapi.net/dist/getdns-1.4.0-rc1.tar.gz.asc
sha256: b60963f966111e24efdc96e048d1e3b7492d5cfd590abc73cff227ecc3549f52

* 2018-02-??: Version 1.4.0
  * .so revision bump to please fedora packaging system.
    Thanks Paul Wouters
  * Specify the supported curves with
    An upstream specific list of supported curves may also be given
    with the tls_curves_list setting in the upstream dict with
  * New tool getdns_server_mon for checking upstream recursive
    resolver's capabilities.
  * Improved handling of opportunistic back-off.  If other transports
    are working, don't forcibly promote failed upstreams; just wait for
    the retry timer.
  * Hostname authentication with libressl
    Thanks Norbert Copones
  * Security bugfix in response to CVE-2017-15105.  Although getdns was
    not vulnerable for this specific issue, as a precaution code has
    been adapted so that signatures of DNSKEYs, DSs, NSECs and NSEC3s
    can not be wildcard expansions when used with DNSSEC proofs.  Only
    direct queries for those types are allowed to be wildcard
  * Bugfix PR#379: Miscellaneous double free or corruption, and
    corrupted memory double linked list detected issue, with serving
    Thanks maddie and Bruno Pagani
  * Security Bugfix PR#293: Check sha256 pinset's
    with OpenSSL native DANE functions for OpenSSL >= 1.1.0
    with Viktor Dukhovni's danessl library for OpenSSL >= 1.0.0
    don't allow for authentication exceptions (like self-signed
    certificates) otherwise.  Thanks Viktor Dukhovni
  * libidn2 support.  Thanks Paul Wouters

Stubby ChangeLog
* 2018-02-??: Version 0.2.2
 * Fixes and updates to the stubby.yml.config file. Add separate entries
   for servers that listen on port 443.
 * Additional logging of basic config on startup
 * -V option to show version
 * Added a man page

