unbound-1.6.6-5.0.1.el7.AXS7

Unbound is a validating, recursive, and caching DNS(SEC) resolver.

The C implementation of Unbound is developed and maintained by NLnet Labs. It is
based on ideas and algorithms taken from a java prototype developed by Verisign
labs, Nominet, Kirei and ep.net.

Unbound is designed as a set of modular components, so that also DNSSEC (secure
DNS) validation and stub-resolvers (that do not run as a server, but are linked
into an application) are easily possible.

Security Fix(es):

* CVE-2023-50387: enhanced DNS resolver performance and stability by optimizing
the handling of DNSSEC responses, reducing the potential for resource exhaustion

CVE(s):
CVE-2023-50387
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.