unbound: Package 1.19.1 to fix CVE-2023-50387 and CVE-2023-50868

Related Vulnerabilities: CVE-2023-50387, CVE-2023-50868

Debian Bug report logs - #1063845


Reported by: Diederik de Haas <didi.debian@cknow.org>

Date: Tue, 13 Feb 2024 14:48:02 UTC

Severity: grave

Tags: security, upstream

Found in versions unbound/1.18.0-2, unbound/1.17.1-2+deb12u1, unbound/1.17.1-2, unbound/1.13.1-1+deb11u1, unbound/1.13.1-1

Fixed in versions 1.19.1-1, unbound/1.17.1-2+deb12u2

Done: Salvatore Bonaccorso <carnil@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, unbound packagers <unbound@packages.debian.org>:
Bug#1063845; Package src:unbound. (Tue, 13 Feb 2024 14:48:04 GMT)


Acknowledgement sent to Diederik de Haas <didi.debian@cknow.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, unbound packagers <unbound@packages.debian.org>. (Tue, 13 Feb 2024 14:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Diederik de Haas <didi.debian@cknow.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unbound: Package 1.19.1 to fix CVE-2023-50387 and CVE-2023-50868
Date: Tue, 13 Feb 2024 15:44:35 +0100
Source: unbound
Version: 1.18.0-2
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Today 2 remotely exploitable High Severity CVEs were published and
unbound has released version 1.19.1 to fix those.

Relevant links:
https://fosstodon.org/@nlnetlabs/111924266007688683
https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
https://kb.isc.org/docs/cve-2023-50387
https://kb.isc.org/docs/cve-2023-50868

I think a Release Critical Severity is more appropriate, but none of
the options presented (by reportbug) were applicable. It seems reportbug
then changed it to 'normal', which I manually changed to 'important'.

Fixing this bug would also fix bugs #1051817, #1051818 and #1056631.

Link: https://bugs.debian.org/1051817
Link: https://bugs.debian.org/1051818
Link: https://bugs.debian.org/1056631

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.13-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQT1sUPBYsyGmi4usy/XblvOeH7bbgUCZcuATAAKCRDXblvOeH7b
buedAP0QEqqGjjN4ZP8nu+WdKqrUWupLtsaN6FqEyNOd5OSp3QD/Wfh/sE5azFqf
99HKnBGhNVhrnxlNYIPlEjIns5pVDQs=
=thcd
-----END PGP SIGNATURE-----



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 13 Feb 2024 15:51:02 GMT)


Severity set to 'grave' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 13 Feb 2024 16:00:02 GMT)


Marked as found in versions unbound/1.17.1-2+deb12u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 13 Feb 2024 18:06:07 GMT)


Marked as found in versions unbound/1.17.1-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 13 Feb 2024 18:06:08 GMT)


Marked as found in versions unbound/1.13.1-1+deb11u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 13 Feb 2024 18:06:08 GMT)


Marked as found in versions unbound/1.13.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 13 Feb 2024 18:06:09 GMT)


Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Tue, 13 Feb 2024 21:18:03 GMT)


Notification sent to Diederik de Haas <didi.debian@cknow.org>:
Bug acknowledged by developer. (Tue, 13 Feb 2024 21:18:03 GMT)


Message #22 received at 1063845-done@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: 1063845-done@bugs.debian.org
Subject: Re: Bug#1063845: unbound: Package 1.19.1 to fix CVE-2023-50387 and CVE-2023-50868
Date: Wed, 14 Feb 2024 00:15:13 +0300
Version: 1.19.1-1

On Tue, 13 Feb 2024 15:44:35 +0100 Diederik de Haas <didi.debian@cknow.org> wrote:
> Source: unbound
> Version: 1.18.0-2
> Severity: important
> Tags: security
> X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
> 
> Today 2 remotely exploitable High Severity CVEs were published and
> unbound has released version 1.19.1 to fix those.

I uploaded 1.19.1 earlier today but I haven't seen this bug report.

Closing it now.

/mjt



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 14 Feb 2024 10:36:05 GMT)


Notification sent to Diederik de Haas <didi.debian@cknow.org>:
Bug acknowledged by developer. (Wed, 14 Feb 2024 10:36:05 GMT)


Message #27 received at 1063845-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1063845-close@bugs.debian.org
Subject: Bug#1063845: fixed in unbound 1.17.1-2+deb12u2
Date: Wed, 14 Feb 2024 10:32:18 +0000
Source: unbound
Source-Version: 1.17.1-2+deb12u2
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
unbound, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1063845@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated unbound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 13 Feb 2024 21:00:13 +0100
Source: unbound
Architecture: source
Version: 1.17.1-2+deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: unbound packagers <unbound@packages.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1063845
Changes:
 unbound (1.17.1-2+deb12u2) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Address DNSSEC protocol vulnerabilities (Closes: #1063845)
     - Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to
       exhaust CPU resources and stall DNS resolvers.
     - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
Checksums-Sha1: 
 40d697c2b923e9735801f2a49971fee120419579 3355 unbound_1.17.1-2+deb12u2.dsc
 90da3bb8883931e30384057722dd9d1df4286f46 6244773 unbound_1.17.1.orig.tar.gz
 6b754d1c792a1f6d01d6706a75777b87d434b134 833 unbound_1.17.1.orig.tar.gz.asc
 8cb0fcbabeb7ed8af8a13a75f795a80074bf634a 46420 unbound_1.17.1-2+deb12u2.debian.tar.xz
Checksums-Sha256: 
 a7120468620010e676d854e957076badd459f3efb1e814abc2db770a20a8ae74 3355 unbound_1.17.1-2+deb12u2.dsc
 ee4085cecce12584e600f3d814a28fa822dfaacec1f94c84bfd67f8a5571a5f4 6244773 unbound_1.17.1.orig.tar.gz
 b66a35d11545a1334b8aec1848c8c7ee0e01ef4a2950f2260a7c26b6fd61bfbf 833 unbound_1.17.1.orig.tar.gz.asc
 b875917bdff790318101725a2de00192452f28c0bc0471d6cf7d063f7b9c3288 46420 unbound_1.17.1-2+deb12u2.debian.tar.xz
Files: 
 b85dd2bb575c6ac35a982617c6825081 3355 net optional unbound_1.17.1-2+deb12u2.dsc
 bb96df2dc579c11ada537dbc52781abc 6244773 net optional unbound_1.17.1.orig.tar.gz
 8a6399230741197bdd17cc7e7686fe31 833 net optional unbound_1.17.1.orig.tar.gz.asc
 431830533557532a7547047a8a1faa68 46420 net optional unbound_1.17.1-2+deb12u2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

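The "Found in" and "Fixed in" version lists at the top of this log are only useful if a deployed package version is mapped onto them the way dpkg orders versions, and a plain "newer is fixed" check gets it wrong: 1.18.0-2 sorts above the bookworm fix 1.17.1-2+deb12u2 yet is listed as affected. The following is an added example, not part of this bug log and not Debian's own tooling. It reimplements dpkg's version ordering (the algorithm behind `dpkg --compare-versions`) in Python so the check runs on hosts without dpkg, then applies two rules taken from this log: an upstream version of 1.19.1 or later is fixed (the reporter's point that upstream released 1.19.1 for these CVEs), and an older upstream version counts as fixed only if a security update of that same upstream version is listed here and the installed version sorts at or above it. This generalizes past the exact versions on the page (any later 1.19.x/1.20.x or a later bookworm revision passes), while the bullseye versions report as vulnerable because the log lists no fix for them. The `dpkg-query` output and the `is_fixed`/`triage` helper names are constructed for the example.

```python
"""Triage an installed unbound version against the fixes in Debian bug #1063845
(CVE-2023-50387, CVE-2023-50868). Added example, not the bug log's or Debian's
own code. Version strings are taken from the log; the dpkg-query sample is
constructed."""

# "Fixed in versions" from the bug log.
FIXED_VERSIONS = ["1.19.1-1", "1.17.1-2+deb12u2"]
# Upstream release carrying the fix (NLnet Labs released 1.19.1 for these CVEs).
UPSTREAM_FIX = "1.19.1"


def _order(c: str) -> int:
    """dpkg's weight for one character of a non-digit run: '~' sorts before
    everything, including end of string; letters sort before other symbols."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or debian-revision strings as dpkg does:
    alternating non-digit runs (via _order) and digit runs (numerically)."""
    def at(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: the first character that orders differently decides.
        while (at(a, i) and not at(a, i).isdigit()) or (at(b, j) and not at(b, j).isdigit()):
            ac, bc = _order(at(a, i)), _order(at(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros; the longer run wins, otherwise the
        # first differing digit decides.
        while at(a, i) == "0":
            i += 1
        while at(b, j) == "0":
            j += 1
        while at(a, i).isdigit() and at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if at(a, i).isdigit():
            return 1
        if at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split [epoch:]upstream[-revision]; the revision follows the LAST hyphen."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)


def is_fixed(installed: str) -> bool:
    """Apply the log's fix information to one installed version (hypothetical helper)."""
    _, upstream, _ = _split(installed)
    # Rule 1: upstream 1.19.1 or later contains the fix whatever the revision.
    if compare_versions(upstream, UPSTREAM_FIX) >= 0:
        return True
    # Rule 2: an older upstream is fixed only by a Debian update of that same
    # upstream version. "Newer" alone is not enough: 1.18.0-2 sorts above
    # 1.17.1-2+deb12u2 but is listed as affected.
    for fixed in FIXED_VERSIONS:
        _, fixed_upstream, _ = _split(fixed)
        if fixed_upstream == upstream and compare_versions(installed, fixed) >= 0:
            return True
    return False


# Constructed sample of: dpkg-query -W -f='${Package}\t${Version}\t${Status}\n' unbound
DPKG_QUERY_OUTPUT = "unbound\t1.17.1-2+deb12u1\tinstall ok installed\n"


def triage(dpkg_query_output: str) -> dict:
    """Map each installed unbound version in dpkg-query output to a verdict."""
    verdicts = {}
    for line in dpkg_query_output.splitlines():
        if not line.strip():
            continue
        package, version, status = line.split("\t")
        if package == "unbound" and status.endswith("installed"):
            verdicts[version] = "fixed" if is_fixed(version) else "vulnerable"
    return verdicts


if __name__ == "__main__":
    for version, verdict in triage(DPKG_QUERY_OUTPUT).items():
        print(f"unbound {version}: {verdict}")
```

Run it against real output by piping `dpkg-query -W -f='${Package}\t${Version}\t${Status}\n' unbound` into `triage`. The per-upstream rule is what keeps the bookworm line and the unstable line from being confused with each other; if a later security update for bullseye appears, it belongs in FIXED_VERSIONS rather than in a looser comparison.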



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Feb 14 14:45:59 2024; Machine Name: bembo
