We have a first release candidate for the upcoming 1.4.0 security and stability release of getdns.
Security Fixes: The release contains two security fixes.
When TLS upstreams were authenticated with SHA256 SPKI pins, certain verification errors - like self-signed certificates - were tolerated when the SPKI pin matched. This is wrong because checking for the error status indicating self-signed certificates does not mean that no other errors occurred. Only one error status is returned by the underlying OpenSSL verification function and that error status masks potential other errors.
This release will check SPKI pins with the native OpenSSL DANE functions, for OpenSSL version 1.1.0 and higher, or with the DANE functions from the included Viktor Dukhovni's danessl library for OpenSSL version 1.0.0 and higher.
For OpenSSL versions before 1.0.0 and for LibreSSL, self-signed certificates are no longer tolerated.
The recent CVE-2017-15105, exposed a flaw with a few resolvers, that made it possible to downgrade secure connections. One of the causes of the issue, was that wildcard expansions of resource records used in DNSSEC proof were allowed. Although getdns was not vulnerable to the specific issue addressed in CVE-2017-15105, it did not explicitly disallow wildcard expansions of resource records used in DNSSEC proof. This release has that fixed.
Stability Fixes: Detailed reports from our Stubby users have revealed a few more bugs causing crashes in the getdns library in certain conditions.
'Additional API' - new functions: Besides the available ciphers, now the supported curves can be configured too with the
getdns_context_set_tls_curves_list() function or the per upstream in with the
Tools: This release includes a new tool
getdns_server_mon based on Stéphane Borzmeyer's monitor DNS-over-TLS tool.
This tool is used to generate the table showing public DNS-over-TLS servers capabilities
NOTE: Although this release is binary compatible up to getdns version 1.1.0, the .so version is still bumped at request for the fedora package.
Stubby: This release candidate includes a candidate for a 0.2.2 release of Stubby.
Please review this release candidate carefully, if all is well, the actual release will follow Wednesday the 21st of February.
Picture of Boo Valentine courtesy of DaPuglet (CC BY-SA 2.0)
* 2018-02-??: Version 1.4.0 * .so revision bump to please fedora packaging system. Thanks Paul Wouters * Specify the supported curves with getdns_context_set_tls_curves_list() An upstream specific list of supported curves may also be given with the tls_curves_list setting in the upstream dict with getdns_context_set_upstream_recursive_servers() * New tool getdns_server_mon for checking upstream recursive resolver's capabilities. * Improved handling of opportunistic back-off. If other transports are working, don’t forcibly promote failed upstreams just wait for the re-try timer. * Hostname authentication with libressl Thanks Norbert Copones * Security bugfix in response to CVE-2017-15105. Although getdns was not vulnerable for this specific issue, as a precaution code has been adapted so that signatures of DNSKEYs, DSs, NSECs and NSEC3s can not be wildcard expansions when used with DNSSEC proofs. Only direct queries for those types are allowed to be wildcard expansions. * Bugfix PR#379: Miscelleneous double free or corruption, and corrupted memory double linked list detected issue, whith serving functionality. Thanks maddie and Bruno Pagani * Security Bugfix PR#293: Check sha256 pinset's with OpenSSL native DANE functions for OpenSSL >= 1.1.0 with Viktor Dukhovni's danessl library for OpenSSL >= 1.0.0 don't allow for authentication exceptions (like self-signed certificates) otherwise. Thanks Viktor Dukhovni * libidn2 support. Thanks Paul Wouters
* 2018-02-??: Version 0.2.2 * Fixes and updates to the stubby.yml.config file. Add separate entries for servers that listen on port 443. * Additional logging of basic config on startup * -V option to show version * Added a man page