From 40030e1c6f090969f46fe5ed9afbfa4857450a17 Mon Sep 17 00:00:00 2001 From: Julien Olivain Date: Thu, 15 Aug 2024 16:31:48 +0200 Subject: [PATCH] package/unbound: security bump to version 1.21.0 Fixes the following security issue: - CVE-2024-43167: A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in Unbound. This issue could allow an attacker who can invoke specific sequences of API calls to cause a segmentation fault See announcement: https://nlnetlabs.nl/news/2024/Aug/15/unbound-1.21.0-released/ See also change log: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-21-0 This commit also updates the _SITE url from [1] to [2], to follow the HTTP redirect, and the url published on the download page [3]. Finally, this commit adds a comment in the hash file that the PGP signature was checked. [1] https://www.unbound.net/downloads [2] https://nlnetlabs.nl/downloads/unbound [3] https://nlnetlabs.nl/projects/unbound/download Signed-off-by: Julien Olivain [Peter: Mark as security bump, add CVE info] Signed-off-by: Peter Korsgaard (cherry picked from commit ed34c4c77b8b2a830c7a9ffb1d75c7bf1e35a7c4) Signed-off-by: Peter Korsgaard
---
 package/unbound/unbound.hash | 7 +++++-- package/unbound/unbound.mk | 4 ++-- 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/package/unbound/unbound.hash b/package/unbound/unbound.hash
index 96ee80b0ec..ba876299c2 100644
--- a/package/unbound/unbound.hash
+++ b/package/unbound/unbound.hash
@@ -1,5 +1,8 @@
-# From https://nlnetlabs.nl/downloads/unbound/unbound-1.20.0.tar.gz.sha256
-sha256 56b4ceed33639522000fd96775576ddf8782bb3617610715d7f1e777c5ec1dbf unbound-1.20.0.tar.gz
+# From https://nlnetlabs.nl/downloads/unbound/unbound-1.21.0.tar.gz.sha256
+# After checking pgp signature from:
+# https://nlnetlabs.nl/downloads/unbound/unbound-1.21.0.tar.gz.asc
+# with key: EDFAA3F2CA4E6EB05681AF8E9F6F1C2D7E045F8D
+sha256 e7dca7d6b0f81bdfa6fa64ebf1053b5a999a5ae9278a87ef182425067ea14521 unbound-1.21.0.tar.gz
 # Locally calculated
 sha256 8eb9a16cbfb8703090bbfa3a2028fd46bb351509a2f90dc1001e51fbe6fd45db LICENSE
diff --git a/package/unbound/unbound.mk b/package/unbound/unbound.mk
index 6ce6f9a1ba..8677cb4d4e 100644
--- a/package/unbound/unbound.mk
+++ b/package/unbound/unbound.mk
@@ -4,8 +4,8 @@
 #
 ################################################################################
-UNBOUND_VERSION = 1.20.0
-UNBOUND_SITE = https://www.unbound.net/downloads
+UNBOUND_VERSION = 1.21.0
+UNBOUND_SITE = https://nlnetlabs.nl/downloads/unbound
 UNBOUND_INSTALL_STAGING = YES
 UNBOUND_DEPENDENCIES = host-pkgconf expat libevent openssl
 UNBOUND_LICENSE = BSD-3-Clause