unbound-1.16.2-3.el9_3.1

エラータID: AXSA:2024-7557:02

Release date: 
Thursday, February 29, 2024 - 10:45
Subject: 
unbound-1.16.2-3.el9_3.1
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.

Security Fix(es):

* bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387)
* bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-50387
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
CVE-2023-50868
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

Solution: 

Update packages.

CVEs: 
CVE-2023-50387
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
CVE-2023-50868
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
Additional Info: 

N/A

Download: 

SRPMS
  1. unbound-1.16.2-3.el9_3.1.src.rpm
    MD5: b1207c9c4ffc68eab2a81328c55e811f
    SHA-256: 73832c03e1de2e0841f62d10ba518ba2f1634a121be90288dd6428a9ba85e205
    Size: 6.00 MB

Asianux Server 9 for x86_64
  1. python3-unbound-1.16.2-3.el9_3.1.x86_64.rpm
    MD5: c31d392bf25ab21999643f8e576ba675
    SHA-256: 0cb91ded8c9a997b4ba56e4f7ab995a50ac449652a0a0e02ddb9c2e23f8522fa
    Size: 104.97 kB
  2. unbound-1.16.2-3.el9_3.1.x86_64.rpm
    MD5: 39a900f79fd3ff547904e83653a92770
    SHA-256: d30e1512794dec530345d337cf035e2ebaa44975ee419df7ec2efb0a761caa88
    Size: 966.47 kB
  3. unbound-devel-1.16.2-3.el9_3.1.i686.rpm
    MD5: 9494cfc644d1043f4adcab131f334b54
    SHA-256: 11483db6cadbf81e8a24c3588a376a39de8cb5692b110d4df0a0a3eeeca47faa
    Size: 38.09 kB
  4. unbound-devel-1.16.2-3.el9_3.1.x86_64.rpm
    MD5: 4315efc7fd44a2ac8f87ba90f8975103
    SHA-256: c6b8225fb9e58a4b219d940aa67956eb127257445092868d08dbca41851563ad
    Size: 38.10 kB
  5. unbound-libs-1.16.2-3.el9_3.1.i686.rpm
    MD5: 79c0f778719352102ca0ef042e597870
    SHA-256: 71023b4abd289f6c79fac6c4f3054d2b9884c6a806bb68b89391abfc05ab53ab
    Size: 573.32 kB
  6. unbound-libs-1.16.2-3.el9_3.1.x86_64.rpm
    MD5: 3463fcf0bee7594c4b188c7021129fa0
    SHA-256: 915d44ab795ddf30369bbad49923d64ac73add1d13baaefe3db51b99f5539713
    Size: 547.51 kB