Debian Bug report logs -
#1016493
unbound: CVE-2022-30698 CVE-2022-30699
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, unbound packagers <unbound@packages.debian.org>
:
Bug#1016493
; Package src:unbound
.
(Mon, 01 Aug 2022 19:48:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, unbound packagers <unbound@packages.debian.org>
.
(Mon, 01 Aug 2022 19:48:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: unbound
Version: 1.16.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerabilities were published for unbound.
CVE-2022-30698[0]:
| NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable
| to a novel type of the "ghost domain names" attack. The vulnerability
| works by targeting an Unbound instance. Unbound is queried for a
| subdomain of a rogue domain name. The rogue nameserver returns
| delegation information for the subdomain that updates Unbound's
| delegation cache. This action can be repeated before expiry of the
| delegation information by querying Unbound for a second level
| subdomain which the rogue nameserver provides new delegation
| information. Since Unbound is a child-centric resolver, the ever-
| updating child delegation information can keep a rogue domain name
| resolvable long after revocation. From version 1.16.2 on, Unbound
| checks the validity of parent delegation records before using cached
| delegation information.
CVE-2022-30699[1]:
| NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable
| to a novel type of the "ghost domain names" attack. The vulnerability
| works by targeting an Unbound instance. Unbound is queried for a rogue
| domain name when the cached delegation information is about to expire.
| The rogue nameserver delays the response so that the cached delegation
| information is expired. Upon receiving the delayed answer containing
| the delegation information, Unbound overwrites the now expired
| entries. This action can be repeated when the delegation information
| is about to expire making the rogue delegation information ever-
| updating. From version 1.16.2 on, Unbound stores the start time for a
| query and uses that to decide if the cached delegation information can
| be overwritten.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-30698
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30698
[1] https://security-tracker.debian.org/tracker/CVE-2022-30699
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30699
[2] https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt
[3] https://github.com/NLnetLabs/unbound/commit/f6753a0f1018133df552347a199e0362fc1dac68
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Tue Aug 2 13:17:51 2022;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.