New Debian unbound 1.9.0-2+deb10u5 fixes: This update addresses the following issues: 1.9.0-2+deb10u5 (Thu, 14 Nov 2024 20:07:09 +0100) * Non-maintainer upload by the Debian LTS Team. * Fix CVE-2024-43168: A heap-buffer-overflow flaw was found in the cfg_mark_ports function within Unbound's config_file.c, which can lead to memory corruption. This issue could allow an attacker with local access to provide specially crafted input, potentially causing the application to crash or allowing arbitrary code execution. This could result in a denial of service or unauthorized actions on the system. * Fix CVE-2024-43167: A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in Unbound. This issue could allow an attacker who can invoke specific sequences of API calls to cause a segmentation fault. When certain API functions such as ub_ctx_set_fwd and ub_ctx_resolvconf are called in a particular order, the program attempts to read from a NULL pointer, leading to a crash. This issue can result in a denial of service by causing the application to terminate unexpectedly. * Fix CVE-2024-8508: When handling replies with very large RRsets that unbound needs to perform name compression for, it can spend a considerable time applying name compression to downstream replies, potentially leading to degraded performance and eventually denial of service in well orchestrated attacks. * d/patches/update-root-hints.patch: Update addresses for b.root-servers.net.
--- mirror/ftp/pool/main/u/unbound/unbound_1.9.0-2+deb10u4.dsc +++ apt/ucs_5.0-0-errata5.0-9/source/unbound_1.9.0-2+deb10u5.dsc @@ -1,3 +1,28 @@ +1.9.0-2+deb10u5 [Thu, 14 Nov 2024 20:07:09 +0100] Daniel Leidert <dleidert@debian.org>: + + * Non-maintainer upload by the Debian LTS Team. + * Fix CVE-2024-43168: + A heap-buffer-overflow flaw was found in the cfg_mark_ports function within + Unbound's config_file.c, which can lead to memory corruption. This issue + could allow an attacker with local access to provide specially crafted + input, potentially causing the application to crash or allowing arbitrary + code execution. This could result in a denial of service or unauthorized + actions on the system. + * Fix CVE-2024-43167: + A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in + Unbound. This issue could allow an attacker who can invoke specific + sequences of API calls to cause a segmentation fault. When certain API + functions such as ub_ctx_set_fwd and ub_ctx_resolvconf are called in a + particular order, the program attempts to read from a NULL pointer, + leading to a crash. This issue can result in a denial of service by causing + the application to terminate unexpectedly. + * Fix CVE-2024-8508: + When handling replies with very large RRsets that unbound needs to perform + name compression for, it can spend a considerable time applying name + compression to downstream replies, potentially leading to degraded + performance and eventually denial of service in well orchestrated attacks. + * d/patches/update-root-hints.patch: Update addresses for b.root-servers.net. + 1.9.0-2+deb10u4 [Wed, 21 Feb 2024 12:00:23 +0100] Markus Koschany <apo@debian.org>: * Non-maintainer upload by the LTS team. <http://piuparts.knut.univention.de/5.0-9/#5252536688227614721>
OK: bug OK: yaml OK: announce_errata OK: patch ~OK: piuparts -> Freexian dbgsym packages [5.0-9] a23c2b3084 Bug #57751: unbound 1.9.0-2+deb10u5 doc/errata/staging/unbound.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x1177>