Opened 8 months ago

Closed 8 months ago

Last modified 8 months ago

#14338 closed enhancement (fixed)

unbound-1.13.0 (with a security fix)

Reported by: Bruce Dubbs Owned by: Pierre Labastie
Priority: high Milestone: 10.1
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New minor version.

Change History (7)

comment:1 by Bruce Dubbs, 8 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: newassigned

Taking these before Doug can.

comment:2 by Pierre Labastie, 8 months ago

Owner: changed from Bruce Dubbs to Pierre Labastie
Status: assignednew

comment:3 by Pierre Labastie, 8 months ago

Status: newassigned

comment:4 by Pierre Labastie, 8 months ago

Features

    Pass the comm_reply information to the inplace_cb_reply* functions during the mesh state and update the documentation on that.
    Fix #330: [Feature request] Add unencrypted DNS over HTTPS support. This adds the option http-notls-downstream: yesno to change that, and the dohclient test code has the -n option.
    Merge PR #228 : infra-keep-probing option to probe hosts that are down. Add infra-keep-probing: yes option. Hosts that are down are probed more frequently. With the option turned on, it probes about every 120 seconds, eventually after exponential backoff, and that keeps that way. If traffic keeps up for the domain. It probes with one at a time, eg. one query is allowed to probe, other queries within that 120 second interval are turned away.
    Merge PR #313 from Ralph Dolmans: Replace edns-client-tag with edns-client-string option.
    Merge PR #283 : Stream reuse. This implements upstream stream reuse for performing several queries over the same TCP or TLS channel.
    Fix to connect() to UDP destinations, default turned on, this lowers vulnerability to ICMP side channels. Option to toggle udp-connect, default is enabled.

Bug Fixes

    Fix #319: potential memory leak on config failure, in rpz config.
    Fix dnstap socket and the chroot not applied properly to the dnstap socket path.
    Fix warning in libnss compile, nss_buf2dsa is not used without DSA.
    Fix #323: unbound testsuite fails on mock build in systemd-nspawn if systemd support is build.
    Fix for python reply callback to see mesh state reply_list member, it only removes it briefly for the commpoint call so that it does not drop it and attempt to modify the reply list during reply.
    Fix that if there are on reply callbacks, those are called per reply and a new message created if that was modified by the call.
    Free up auth zone parse region after use for lookup of host
    Merge PR #326 from netblue30: DoH: implement content-length header field.
    DoH content length, simplify code, remove declaration after statement and fix cast warning.
    Fix that if there are reply callbacks for the given rcode, those are called per reply and a new message created if that was modified by the call.
    Fix that the out of order TCP processing does not limit the number of outstanding queries over a connection.
    Fix python documentation warning on functions.rst inplace_cb_reply.
    Log ip address when http session recv fails, eg. due to tls fail.
    Fix to set the tcp handler event toggle flag back to default when the handler structure is reused.
    Clean the fix for out of order TCP processing limits on number of queries. It was tested to work.
    Fix that http settings have colon in set_option, for http-endpoint, http-max-streams, http-query-buffer-size, http-response-buffer-size, and http-nodelay.
    Fix memory leak of https port string when reading config.
    local-zone regional allocations outside of chunk
    Merge PR #324 from James Renken: Add modern X.509v3 extensions to unbound-control TLS certificates.
    Fix for PR #324 to attach the x509v3 extensions to the client certificate.
    Fix #327: net/if.h check fails on some darwin versions; contribution by Joshua Root.
    Fix #320: potential memory corruption due to size miscomputation upton custom region alloc init.
    Fix #333: Unbound Segmentation Fault w/ log_info Functions From Python Mod.
    Fix that minimal-responses does not remove addresses from a priming query response.
    In man page note that tls-cert-bundle is read before permission drop and chroot.
    Fix #341: fixing a possible memory leak.
    Fix memory leak after fix for possible memory leak failure.
    Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX' undeclared.
    Fix for #303 CVE-2020-28935 : Fix that symlink does not interfere with chown of pidfile.
    Fix #347: IP_DONTFRAG broken on Apple xcode 12.2.
    Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error: failed to list interfaces: getifaddrs: Address family not supported by protocol.
    Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket address families.
    iana portlist updated.
    Fix crash when TLS connection is closed prematurely, when reuse tree comparison is not properly identical to insertion.
    Fix padding of struct regional for 32bit systems.
    with udp-connect ignore connection refused with UDP timeouts.
    Fix udp-connect on FreeBSD, do send calls on connected UDP socket.
    Better fix for reuse tree comparison for is-tls sockets. Where the tree key identity is preserved after cleanup of the TLS state.
    Fix memory leak for edns client tag opcode config element.
    Attempt fix for libevent state in tcp reuse cases after a packet is written.
    Fix readagain and writeagain callback functions for comm point cleanup.
    Fix to omit UDP receive errors from log, if verbosity low. These happen because of udp-connect.
    For #352: contrib/metrics.awk for Prometheus style metrics output.
    Fix that after failed read, the readagain cannot activate.
    Clear readagain upon decommission of pending tcp structure.
    Fix compile warning for type cast in http2_submit_dns_response.
    Fix when use free buffer to initialize rbtree for stream reuse.
    Fix compile warnings for windows.
    Fix compile warnings in rpz initialization.
    Fix contrib/metrics.awk for FreeBSD awk compatibility.
    Fix assertion failure on double callback when iterator loses interest in query at head of line that then has the tcp stream not kept for reuse.
    Fix stream reuse and tcp fast open.

Note that CVE-2020-28935 is reserved, so I do not know about it.

comment:5 by Pierre Labastie, 8 months ago

Resolution: fixed
Status: assignedclosed

Fixed at r23954

comment:6 by Douglas R. Reno, 8 months ago

See https://nlnetlabs.nl/projects/unbound/security-advisories/ :-)

Local symlink attack
Date:	2020-12-01
CVE:	CVE-2020-28935
Credit:	Mason Loring Bliss
Affects:	Unbound up to and including version 1.12.0
Not affected:	Other versions
Severity:	Low
Impact:	Denial of Service
Solution:	Download patched version of Unbound, or apply the patch manually

Unbound when writing and later chown'ing the PID file would not check if an existing file was a symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound is running on. It requires an attacker having access to the limited permission user Unbound runs as and point through the symlink to a critical file on the system.

Unbound 1.13.0 contains a patch. If you cannot upgrade you can also apply the patch manually on versions 1.6.6 up until 1.12.0. To do this, apply the patch on the Unbound source directory with patch -p1 < patch_cve-2020-28935_unbound.diff and then run make install to install Unbound.

comment:7 by Pierre Labastie, 8 months ago

Priority: normalhigh
Summary: unbound-1.13.0unbound-1.13.0 (with a security fix)

Here is the security advisory (thanks to Douglas for giving me the link)

Local symlink attack
Date:	2020-12-01
CVE:	CVE-2020-28935
Credit:	Mason Loring Bliss
Affects:	Unbound up to and including version 1.12.0
Not affected:	Other versions
Severity:	Low
Impact:	Denial of Service
Solution:	Download patched version of Unbound, or apply the patch manually

Unbound when writing and later chown'ing the PID file would not check if an existing file was a symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound is running on. It requires an attacker having access to the limited permission user Unbound runs as and point through the symlink to a critical file on the system.

Unbound 1.13.0 contains a patch. If you cannot upgrade you can also apply the patch manually on versions 1.6.6 up until 1.12.0. To do this, apply the patch on the Unbound source directory with patch -p1 < patch_cve-2020-28935_unbound.diff and then run make install to install Unbound.
Note: See TracTickets for help on using tickets.