
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0548
                        unbound1.9 security update
                             15 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           unbound1.9
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-28935 CVE-2020-12663 CVE-2020-12662

Reference:         ESB-2020.3460
                   ESB-2020.3209
                   ESB-2020.2593
                   ESB-2020.2336

Original Bulletin: 
   https://www.debian.org/lts/security/2021/dla-2556

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2556-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
February 12, 2021                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : unbound1.9
Version        : 1.9.0-2+deb10u2~deb9u1
CVE ID         : CVE-2020-12662 CVE-2020-12663 CVE-2020-28935
Debian Bug     : 977165

Several security vulnerabilities have been corrected in unbound, a
validating, recursive, caching DNS resolver. Support for the unbound DNS server
has been resumed; the sources can be found in the unbound1.9 source package.

CVE-2020-12662

    Unbound has Insufficient Control of Network Message
    Volume, aka an "NXNSAttack" issue. This is triggered by random
    subdomains in the NSDNAME in NS records.

CVE-2020-12663

    Unbound has an infinite loop via malformed DNS answers received from
    upstream servers.

CVE-2020-28935

    Unbound contains a vulnerability that allows a local symlink attack.
    When writing the PID file, Unbound creates the file if it does not
    exist, or opens an existing file for writing. If the file was already
    present and happened to be a symlink instead of a regular file, Unbound
    would follow the symlink.
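As an added example (not code from the Debian advisory or from the Unbound project), this is the defensive pattern a daemon should use for the class of problem behind CVE-2020-28935: open the PID file with O_NOFOLLOW and then verify via fstat() that the descriptor refers to a regular file. The function names and the /tmp fixture used by the demo are assumptions made for this illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (or create) a PID file without following a symlink at `path`.
 * O_NOFOLLOW makes open() fail with ELOOP when the final path component is
 * a symlink; the fstat() check then rejects anything that is not a regular
 * file (e.g. a FIFO or device planted under that name). Returns fd or -1. */
int open_pidfile_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0)
        return -1;              /* errno == ELOOP means: symlink refused */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Demonstration fixture (constructed for this example, hypothetical name):
 * creates a regular file and a symlink to it in a private temp directory,
 * returns 1 if the regular file opens and the symlink is refused, else 0. */
int pidfile_demo(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char target[256], link[256];
    snprintf(target, sizeof target, "%s/target.pid", dir);
    snprintf(link, sizeof link, "%s/unbound.pid", dir);
    int ok = 0;
    int fd = open_pidfile_nofollow(target);    /* plain file: must succeed */
    if (fd >= 0 && symlink(target, link) == 0) {
        int sfd = open_pidfile_nofollow(link); /* symlink: must be refused */
        ok = (sfd < 0 && errno == ELOOP);
        if (sfd >= 0) close(sfd);
    }
    if (fd >= 0) close(fd);
    unlink(link); unlink(target); rmdir(dir);
    return ok;
}
```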

For Debian 9 stretch, these problems have been fixed in version
1.9.0-2+deb10u2~deb9u1.

We recommend that you upgrade your unbound1.9 packages.

For the detailed security status of unbound1.9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/unbound1.9

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================