Opened 7 weeks ago
Closed 6 weeks ago
#19429 closed enhancement (fixed)
unbound-1.19.3
| Reported by: | Bruce Dubbs | Owned by: | Rahul Chandra |
|---|---|---|---|
| Priority: | normal | Milestone: | 12.2 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description (last modified by )
New point version.
Now 1.19.3
Change History (7)
comment:1 by , 7 weeks ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 6 weeks ago
| Description: | modified (diff) |
|---|---|
| Summary: | unbound-1.19.2 → unbound-1.19.3 |
comment:3 by , 6 weeks ago
comment:4 by , 6 weeks ago
Unbound 1.19.3
This release has a number of bug fixes. The CNAME synthesized for a DNAME record uses the original TTL, of the DNAME record, and that means it can be cached for the TTL, instead of 0.
There is a fix that when a message was stored in cache, but one of the RRsets was not updated due to cache policy, it now restricts the message TTL if the cache version of the RRset has a shorter TTL. It avoids a bug where the message is not expired, but its contents is expired.
For dnstap, it logs type DoH and DoT correctly, if that is used for the message.
The b.root-servers.net address is updated in the default root hints.
When performing retries for failed sends, a retry at a smaller UDP size is now not performed when that attempt is not actually smaller, and at defaults, since the flag day changes, it is the same size. This makes it skip the step, it is useless because there is no reduction in size.
Clients with a valid DNS Cookie will bypass the ratelimit, if one is set. The value from ip-ratelimit-cookie is used for these queries.
Furthermore there is a fix to make correct EDE Prohibited answers for access control denials, and a fix for EDNS client subnet scope zero answers.
Features:
Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as per RFC 6672.
Bug Fixes:
Fix unit test parse of origin syntax. Use 127.0.0.1 explicitly in tests to avoid delays and errors on newer systems. Fix #964: config.h.in~ backup file in release tar balls. Merge #968: Replace the obsolescent fgrep with grep -F in tests. Merge #971: fix 'WARNING: Message has 41 extra bytes at end'. Fix #969: [FR] distinguish Do53, DoT and DoH in the logs. Fix dnstap that assertion failed on logging other than UDP and TCP traffic. It lists it as TCP traffic. Fix to sync the tests script file common.sh. iana portlist update. Updated IPv4 and IPv6 address for b.root-servers.net in root hints. Update test script file common.sh. Fix tests to use new common.sh functions, wait_logfile and kill_from_pidfile. Fix #974: doc: default number of outgoing ports without libevent. Merge #975: Fixed some syntax errors in rpl files. Fix root_zonemd unit test, it checks that the root ZONEMD verifies, now that the root has a valid ZONEMD. Update example.conf with cookie options. Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors for non-HTTP/2 DoH clients. Merge #985: Add DoH and DoT to dnstap message. Fix #983: Sha1 runtime insecure change was incomplete. Remove unneeded newlines and improve indentation in remote control code. Merge #987: skip edns frag retry if advertised udp payload size is not smaller. Fix unit test for #987 change in udp1xxx retry packet send. Merge #988: Fix #981: dump_cache truncates large records. Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows. Fix to link with libssp for libcrypto and getaddrinfo check for only header. Also update crosscompile to remove ssp for 32bit. Merge #993: Update b.root-servers.net also in example config file. Update workflow for ports to use newer openssl on windows compile. Fix warning for windres on resource files due to redefinition. Fix for #997: Print details for SSL certificate failure. Update error printout for duplicate trust anchors to include the trust anchor name (relates to #920). Update message TTL when using cached RRSETs. It could result in non-expired messages with expired RRSETs (non-usable messages by Unbound). Merge #999: Search for protobuf-c with pkg-config. Fix #1006: Can't find protobuf-c package since #999. Fix documentation for access-control in the unbound.conf man page. Merge #1010: Mention REFUSED has the TC bit set with unmatched allow_cookie acl in the manpage. It also fixes the code to match the documentation about clients with a valid cookie that bypass the ratelimit regardless of the allow_cookie acl. Document the suspend argument for process_ds_response(). Move github workflows to use checkoutv4. Fix edns subnet replies for scope zero answers to not get stored in the global cache, and in cachedb, when the upstream replies without an EDNS record. Fix for #1022: Fix ede prohibited in access control refused answers. Fix unbound-control-setup.cmd to use 3072 bits so that certificates are long enough for newer OpenSSL versions. Fix TTL of synthesized CNAME when a DNAME is used from cache. Fix unbound-control-setup.cmd to have CA v3 basicConstraints, like unbound-control-setup.sh has.
comment:7 by , 6 weeks ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed @ 8383896259217ec9aec177790ee0f8593f9ae3f0 - icewm-3.4.6 5c9d134ecb8749654b3b7f1bd920370bcf290903 - unbound-1.19.3 (Security Update) 3131ae79880f47d215271dd96eb947a6c960960e - bluez-5.73 a10119c7efa5c8285671ce05f521f4d482ed2570 - gnupg-2.4.5
Unbound 1.19.2
This security release fixes CVE-2024-1931.
NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 contain a vulnerability that can cause denial of service by a certain code path that can lead to an infinite loop.
Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client's buffer size is smaller than the needed space to include EDE records.
The vulnerability can only be triggered when the 'ede: yes' option is used; non default configuration.
From version 1.19.2 on, the code is fixed to avoid looping indefinitely.
We would like to thank Fredrik Pettai and Patrik Lundin from SUNET for notifying us about the issue and working with us to identify the vulnerability.
Bug Fixes: