Univention Bugzilla – Bug 55932
unbound: Multiple issues (5.0)
Last modified: 2023-04-05 15:23:55 CEST
New Debian unbound 1.9.0-2+deb10u3 fixes:

This update addresses the following issues:
* symbolic link traversal when writing PID file (CVE-2020-28935)
* NRDelegation attack leads to uncontrolled resource consumption (Non-Responsive Delegation Attack) (CVE-2022-3204)
* novel ghost domain attack that allows attackers to trigger continued resolvability of malicious domain names (CVE-2022-30698)
* novel ghost domain attack that allows attackers to trigger continued resolvability of malicious domain names (CVE-2022-30699)
--- mirror/ftp/pool/main/u/unbound/unbound_1.9.0-2+deb10u2.dsc +++ apt/ucs_5.0-0-errata5.0-3/source/unbound_1.9.0-2+deb10u3.dsc 
@@ -1,3 +1,45 @@ +1.9.0-2+deb10u3 [Wed, 29 Mar 2023 10:11:30 +0200] Markus Koschany <apo@debian.org>: + + * Non-maintainer upload by the LTS team. + * Fix CVE-2022-3204: + A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation + Attack) has been discovered in various DNS resolving software. The + NRDelegation Attack works by having a malicious delegation with a + considerable number of non responsive nameservers. The attack starts by + querying a resolver for a record that relies on those unresponsive + nameservers. The attack can cause a resolver to spend a lot of + time/resources resolving records under a malicious delegation point where a + considerable number of unresponsive NS records reside. It can trigger high + CPU usage in some resolver implementations that continually look in the + cache for resolved NS records in that delegation. This can lead to degraded + performance and eventually denial of service in orchestrated attacks. + Unbound does not suffer from high CPU usage, but resources are still needed + for resolving the malicious delegation. Unbound will keep trying to resolve + the record until hard limits are reached. Based on the nature of the attack + and the replies, different limits could be reached. From now on Unbound + introduces fixes for better performance when under load, by cutting + opportunistic queries for nameserver discovery and DNSKEY prefetching and + limiting the number of times a delegation point can issue a cache lookup + for missing records. + * Fix CVE-2022-30698 and CVE-2022-30699: + NLnet Labs Unbound is vulnerable to a novel type of the "ghost domain + names" attack. The vulnerability works by targeting an Unbound instance. + Unbound is queried for a rogue domain name when the cached delegation + information is about to expire. The rogue nameserver delays the response so + that the cached delegation information is expired. 
Upon receiving the + delayed answer containing the delegation information, Unbound overwrites + the now expired entries. This action can be repeated when the delegation + information is about to expire making the rogue delegation information + ever-updating. From now on Unbound stores the start time for a query and + uses that to decide if the cached delegation information can be + overwritten. + * Fix CVE-2020-28935: + Unbound contains a local vulnerability that would allow for a local symlink + attack. When writing the PID file Unbound creates the file if it is not + there, or opens an existing file for writing. In case the file was already + present, it would follow symlinks if the file happened to be a symlink + instead of a regular file. + 1.9.0-2+deb10u2 [Mon, 25 May 2020 16:23:43 -0400] Robert Edmonds <edmonds@debian.org>: * Apply NLnet Labs patch for CVE-2020-12662, CVE-2020-12663 <http://piuparts.knut.univention.de/5.0-3/#6844758470389006092>
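Review bot: the "Fix CVE-2020-28935" entry in this changelog hunk describes only the symlink-following bug and not what the upload changes, whereas the CVE-2022-3204 and CVE-2022-30698/30699 entries both end with a "From now on Unbound ..." sentence stating the new behaviour; add the same kind of sentence for the PID file handling so a reader of the changelog can tell what was fixed rather than only what was wrong. Likewise, the combined "Fix CVE-2022-30698 and CVE-2022-30699" entry gives a single description for two identifiers without saying how they differ, which is why the errata YAML summary above carries the same "novel ghost domain attack" line twice; one clause distinguishing the two would avoid the duplicated summary.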
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-3] 28fbb1b1bc Bug #55932: unbound 1.9.0-2+deb10u3
 doc/errata/staging/unbound.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

[5.0-3] fd6d1c7ca0 Bug #55932: unbound 1.9.0-2+deb10u3
 doc/errata/staging/unbound.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x634>