unbound-1.16.2-5.el8_9.2

エラータID: AXSA:2024-7555:01

Release date: 
Thursday, February 29, 2024 - 10:39
Subject: 
unbound-1.16.2-5.el8_9.2
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.

Security Fix(es):

* bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)
* bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-50387
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
CVE-2023-50868
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

Solution: 

Update packages.

CVEs: 
CVE-2023-50387
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
CVE-2023-50868
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
Additional Info: 

N/A

Download: 

SRPMS
  1. unbound-1.16.2-5.el8_9.2.src.rpm
    MD5: 2fde186a7050d9f39f767dfd68b79973
    SHA-256: 1e018f109de3842be4c0c4aed819297cd47ef571dbb25d2c545b10c5ecd0dbd1
    Size: 6.01 MB

Asianux Server 8 for x86_64
  1. python3-unbound-1.16.2-5.el8_9.2.x86_64.rpm
    MD5: 9f6944836f660e21e240eaba6851100e
    SHA-256: 49981b6219329bfd0b9e9786be00724d641c989e778238f6c180b87514a4d1f8
    Size: 128.79 kB
  2. unbound-1.16.2-5.el8_9.2.x86_64.rpm
    MD5: 52f4c8525f36fa16764d62cdb4bdfb5d
    SHA-256: 2e745cc71e1fad980a0239fc321a6a4b4d9f11c73e0d5a52c0a2b1c5a3e3fea3
    Size: 1.00 MB
  3. unbound-devel-1.16.2-5.el8_9.2.i686.rpm
    MD5: bb80679cae28749011c29acca50381c6
    SHA-256: 1b3212826e70139f02fa21a26f7a24d953dc0ad4e53e922a0d67153013939626
    Size: 56.20 kB
  4. unbound-devel-1.16.2-5.el8_9.2.x86_64.rpm
    MD5: e0462313635330725d40da0533470d69
    SHA-256: 0d95b5a0b38bc814a0d85e486be76af922eb8e45a64fa9240506fa0d03b8671e
    Size: 56.17 kB
  5. unbound-libs-1.16.2-5.el8_9.2.i686.rpm
    MD5: 809d2026fbf623ba8ffc1ca29c4fbaf0
    SHA-256: 26990c9d18f8c870629a79a33a944a6b5797efe5cb79e387aa4b0665e63c31f2
    Size: 615.82 kB
  6. unbound-libs-1.16.2-5.el8_9.2.x86_64.rpm
    MD5: d89ed48b1eb3bf1cba1265d837d92019
    SHA-256: c5f8606e6df5865cce3a690dd81839be7b7bc51a7b5be08472f1ec6fc229f4a4
    Size: 575.62 kB