-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0548
                         unbound1.9 security update
                              15 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           unbound1.9
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Denial of Service          -- Remote/Unauthenticated
                   Overwrite Arbitrary Files  -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-28935 CVE-2020-12663 CVE-2020-12662
Reference:         ESB-2020.3460
                   ESB-2020.3209
                   ESB-2020.2593
                   ESB-2020.2336

Original Bulletin:
   https://www.debian.org/lts/security/2021/dla-2556

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2556-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
February 12, 2021                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : unbound1.9
Version        : 1.9.0-2+deb10u2~deb9u1
CVE ID         : CVE-2020-12662 CVE-2020-12663 CVE-2020-28935
Debian Bug     : 977165

Several security vulnerabilities have been corrected in unbound, a
validating, recursive, caching DNS resolver. Support for the unbound DNS
server has been resumed; the sources can be found in the unbound1.9 source
package.

CVE-2020-12662

    Unbound has Insufficient Control of Network Message Volume, aka an
    "NXNSAttack" issue. It is triggered by a delegation whose NS records
    carry random subdomains in the NSDNAME field: chasing each of those
    nameserver names makes the resolver emit a large number of additional
    queries, so a remote, unauthenticated attacker can use it for denial
    of service.

CVE-2020-12663

    Unbound can enter an infinite loop when it receives malformed DNS
    answers from upstream servers.

CVE-2020-28935

    Unbound is vulnerable to a local symlink attack. When writing the PID
    file, Unbound creates the file if it is not there, or opens an
    existing file for writing. If the path was already present and was a
    symlink rather than a regular file, the symlink was followed, so a
    local user able to plant a symlink at the PID-file path could have
    Unbound overwrite the link's target.

For Debian 9 stretch, these problems have been fixed in version
1.9.0-2+deb10u2~deb9u1.

We recommend that you upgrade your unbound1.9 packages.

For the detailed security status of unbound1.9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/unbound1.9

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQKTBAABCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmAmrtBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeTM3g//QqaBxBKn8EbU+S5GC5pNYmQYMbchMxEo53k2iWQX/DfI1M6LWIcSZ83w
EKRxfBqFMCUQyqE5qlH2aGTAkP9bDiulHmPBkZMXIy1AsCsuf2AYlh2rWmMcCNrh
nJwAmlbkDwcc4ztV5beVt406hDXQgtfQHy5TxsdB29AF7iu0FMGXBNpP6q+Xgg1i
vtL8Uhp9dYOI6GxOwwqHwShxQ+7XY7SI2kcOadSlXzD8RijiRoXLtKalmCU3j52H
eFVKhfDrDq8AVhbaUvKrqIU+FlbjUqNSIXHao2Vs33i0ICIhg3awJF9pgxQAAO25
Scs/pcPvs4bKRg6BWWEP/KGLAKEq1imtJI7jka5RdNRfB8wltIQ/RDrW2vEsts81
cp24DFbJykIqxX5R2EIOgiL08u3+zdlq+PeM104U4phefuP1sqit7/ZJzZ+FGnq6
Y3mTew582hwW8kkIiIHJmNkysQDV7jYfdt+DAdte5E+o3E/wG+F/72XhBletXtvX
rxR4XkN3jF04TMYJpioeXObLf8fYcs61QbbFtEg8YzxwdEC9/90cMpoVMWO+PFCY
Bfx7kdE171arrIZ/tUEwXU3UDDuIxgCJ+EJQrtNdShqryJmskjzsRGf4+ikA3H3I
zoFWxHqssS0s19OGKjJ50p71gg2Nj4FqwLCJFEXd+DEy37i9zwY=
=ExCq
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYCnGeeNLKJtyKPYoAQht4hAAjQPItn3KtOSmjSI6phNaJkfbBEH4Z++o
kqBKA8GGvlwV9wAsEeNC1r0DsNkBD0YIg8ufnfktOl11cYKv12fAJc8ujereFSTW
jmU5NajnYm6PSx3URX/NY5iof3gJ+xdogKPxw4QnDW9fB1hB+7BSGVnmwAIickxX
aoR8OMCmf2zWuYw27Yp5GUvR73o5HP8bdN0RGzl0vKox5yCFCA1pphFMYpXb+iDK
ZU3/QG1EPL2n4b1AQ/OKLbqr436lvSh9CIkU6WZEglAPCebtud6swiM8hmV8xO26
3b8DSyIAV10H5TUpPecSRMHjDAKBZeg/5NwZ3davHMv+VCGAGK8LrAuVzYMqQ7vp
koBMW0YEOSgY07z5pKCcYvaDSH7hqjF1w57rlzrw0Ltu4Ava6b1Ofl5jKV6PUpiS
U9R+I7BKKuyFuQGMGXn7X+CCxG7YEQWwDuf9OuaF4Ez3CF7Ex5mYrGMuDIRwr9OY
FrUCeqxW73hz9OP6gLJ57rloVbILLvb9nBvkSEx/kc3AgW64FHhN6xaIKH0QcndI
H+WTP/w+a7z73b8AzXefvpWN/PjnF7Y+wvBlIvy4bmSIWWDrtzj5UI3B2DxO2rJi
OY07IQgdntdikZynwOMvFb9ll5QnGhlYR9cePqs2gqkA65kRONXjrMmxcPvSZzlO
dgdTDCE8/Ec=
=TK/U
-----END PGP SIGNATURE-----
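The PID-file symlink issue described under CVE-2020-28935 above, shown as an added example in C. This is illustration code written for this bulletin, not unbound's source and not Debian's patch. write_pid_following reproduces the pattern the advisory describes (create the file if it is absent, otherwise open it for writing, following a symlink at that path); write_pid_nofollow is a hardened form that uses O_NOFOLLOW and an fstat() check on the descriptor it actually holds. The victim file, the symlink named unbound.pid, the temporary directory and the PID value 4242 are a constructed scenario, and every function and file name here is this example's own.

```c
#define _GNU_SOURCE                 /* mkdtemp() and O_NOFOLLOW under strict -std= */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: create the PID file if absent, otherwise
 * open it for writing. fopen("w") is open(O_WRONLY|O_CREAT|O_TRUNC), which
 * follows a symlink at the path, so the link's target is truncated and overwritten. */
static int write_pid_following(const char *path, pid_t pid)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fprintf(f, "%d\n", (int)pid);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened form (an illustration added here, not unbound's own fix): O_NOFOLLOW
 * makes open() fail when the last path component is a symlink (ELOOP on Linux),
 * and fstat() on the descriptor we hold rejects anything but a singly-linked
 * regular file before a byte is written. */
static int write_pid_nofollow(const char *path, pid_t pid)
{
    struct stat st;
    char buf[32];
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    int len = snprintf(buf, sizeof buf, "%d\n", (int)pid);
    if (ftruncate(fd, 0) != 0 || write(fd, buf, (size_t)len) != len) {
        close(fd);
        return -1;
    }
    return close(fd) == 0 ? 0 : -1;
}

/* Small helper: does the file hold exactly this (short) content? */
static int file_contains(const char *path, const char *expected)
{
    char buf[64];
    FILE *f = fopen(path, "r");
    if (f == NULL) return 0;
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    return strcmp(buf, expected) == 0;
}

/* Constructed scenario: a victim file the attacker wants overwritten and a
 * symlink planted at the PID-file path. Returns a bitmask:
 *   1  the O_NOFOLLOW writer refused the symlink and left the victim intact
 *   2  the following writer went through the symlink and clobbered the victim
 *   4  the O_NOFOLLOW writer still works on an ordinary regular-file path
 * so 7 means the scenario behaved exactly as the advisory describes. */
int symlink_demo(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX";
    char victim[256], linkpath[256], plain[256], pidline[32];
    const pid_t pid = 4242;                 /* constructed value, not a live process */
    int result = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(linkpath, sizeof linkpath, "%s/unbound.pid", dir);
    snprintf(plain, sizeof plain, "%s/regular.pid", dir);
    snprintf(pidline, sizeof pidline, "%d\n", (int)pid);
    FILE *v = fopen(victim, "w");
    if (v == NULL || fputs("keep me\n", v) == EOF || fclose(v) != 0) return -1;
    if (symlink(victim, linkpath) != 0) return -1;
    if (write_pid_nofollow(linkpath, pid) == -1 && file_contains(victim, "keep me\n"))
        result |= 1;
    if (write_pid_following(linkpath, pid) == 0 && file_contains(victim, pidline))
        result |= 2;
    if (write_pid_nofollow(plain, pid) == 0 && file_contains(plain, pidline))
        result |= 4;
    unlink(plain);
    unlink(linkpath);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = symlink_demo();
    printf("nofollow refused symlink: %d, plain open clobbered target: %d, "
           "nofollow wrote regular file: %d\n", r & 1, (r >> 1) & 1, (r >> 2) & 1);
    return r == 7 ? 0 : 1;
}
```

Build with cc -o pidfile-demo pidfile-demo.c and run it; it exits 0 only when the plain open went through the planted symlink and the hardened open refused it while still writing an ordinary regular file. The fstat() step is not redundant with O_NOFOLLOW: the flag only guards the final path component, whereas checking S_ISREG and st_nlink on the descriptor you actually hold also rejects a device node or a hard link planted at the PID-file path.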