unbound-1.16.2-2.el8
Errata ID: AXSA:2022-4339:01
The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.
The following packages have been upgraded to a later upstream version: unbound (1.16.2). (BZ#2027735)
Security Fix(es):
* unbound: novel ghost domain attack that allows malicious users to trigger continued resolvability of malicious domain names (CVE-2022-30698)
* unbound: novel ghost domain attack that allows malicious users to trigger continued resolvability of malicious domain names (CVE-2022-30699)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Asianux Server 8.7 Release Notes linked from the References section.
CVE-2022-30698
NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation information for the subdomain that updates Unbound's delegation cache. This action can be repeated before expiry of the delegation information by querying Unbound for a second-level subdomain for which the rogue nameserver provides new delegation information. Since Unbound is a child-centric resolver, the ever-updating child delegation information can keep a rogue domain name resolvable long after revocation. From version 1.16.2 on, Unbound checks the validity of parent delegation records before using cached delegation information.
CVE-2022-30699
NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a rogue domain name when the cached delegation information is about to expire. The rogue nameserver delays the response so that the cached delegation information has expired. Upon receiving the delayed answer containing the delegation information, Unbound overwrites the now expired entries. This action can be repeated when the delegation information is about to expire, making the rogue delegation information ever-updating. From version 1.16.2 on, Unbound stores the start time for a query and uses that to decide if the cached delegation information can be overwritten.
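A simplified model of the CVE-2022-30699 fix described above, added here as an illustration and not taken from Unbound's source: it compares judging cache expiry at answer arrival with judging it at query start. The struct, function names, TTL and timings are constructed, and the overwrite rule is an assumption derived from the advisory text.

```c
#include <stdio.h>

/* Simplified cached delegation (NS set). Hypothetical model, not Unbound's structures. */
struct deleg { const char *ns; long expires; };

/* Apply a delegation answer that arrives at `arrival` for a query sent at
 * `q_start`. The cached entry may be replaced only if it had already expired
 * at the reference time: arrival time (old rule) or query start (new rule).
 * Returns 1 if the cache was overwritten, 0 if the answer was ignored. */
int apply_answer(struct deleg *c, const char *ns, long ttl,
                 long q_start, long arrival, int use_start_time)
{
    long ref = use_start_time ? q_start : arrival;
    if (c->expires >= ref)
        return 0;               /* entry still valid at reference time */
    c->ns = ns;
    c->expires = arrival + ttl;
    return 1;
}

/* Replay `rounds` queries, each sent 1 s before expiry and answered 1 s
 * after it (constructed timings). Returns the final cache expiry time. */
long simulate(int use_start_time, int rounds)
{
    struct deleg c = { "ns.rogue.example", 3600 };
    for (int i = 0; i < rounds; i++)
        apply_answer(&c, "ns.rogue.example", 3600,
                     c.expires - 1, c.expires + 1, use_start_time);
    return c.expires;
}

int main(void)
{
    printf("expiry judged at arrival:     %ld\n", simulate(0, 3));
    printf("expiry judged at query start: %ld\n", simulate(1, 3));
    return 0;
}
```

With expiry judged at arrival, every delayed answer pushes the expiry further out; with expiry judged at query start, the entry keeps its original expiry and only a query sent after that point can replace it.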
Update packages.
SRPMS
- unbound-1.16.2-2.el8.src.rpm
MD5: a461bec341920c843ce40a9b95fbf479
SHA-256: d16632414e6d5b4ac373f9f2053c88642ce45f842a03fe2372580b2defece091
Size: 5.99 MB
Asianux Server 8 for x86_64
- python3-unbound-1.16.2-2.el8.x86_64.rpm
MD5: 14bb5686802d66de2f1521e034da18c9
SHA-256: bcebdb6c22073d7b01be25d3fa142737bef12e446cd594e70cc711948062c905
Size: 127.95 kB
- unbound-1.16.2-2.el8.x86_64.rpm
MD5: e152e568f764d64bdb569b1ef9f0952a
SHA-256: 2bc7fa057e5f931d546dfac2e7d397d476534ae5b432eae255a3b0c8acb00382
Size: 0.99 MB
- unbound-devel-1.16.2-2.el8.x86_64.rpm
MD5: a86e27541b48a43903ff996872c59f93
SHA-256: 35b8ed2563fbf2fa8ba47f1c45ec761d1a193a0f22973b6528592a41d11984dc
Size: 59.85 kB
- unbound-libs-1.16.2-2.el8.x86_64.rpm
MD5: f11512b1cc4b2c687f001e10cfc74208
SHA-256: 9cb169fd70f32c88c73a01ea87a5fb6246a543d7257c9b15a254a64acd6e7568
Size: 572.55 kB
- unbound-devel-1.16.2-2.el8.i686.rpm
MD5: d588d93908b68dc80b42b8e7a05f0097
SHA-256: 90412f156f6656e3f1653d1d4799528dd45e0adf55e6fb699d614b356b7b48a6
Size: 59.87 kB
- unbound-libs-1.16.2-2.el8.i686.rpm
MD5: 94e3e26f21106d9d994841820044563a
SHA-256: 51206240a3dc5ba54219e02a39a437dd29de3007c521b99ea1797d855c99b510
Size: 612.29 kB