unbound-1.16.2-8.el9_5.1

エラータID: AXSA:2024-9491:08

Release date: 
Wednesday, December 25, 2024 - 11:13
Subject: 
unbound-1.16.2-8.el9_5.1
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

The unbound packages provide a validating, recursive, and caching DNS or DNSSEC
resolver.

Security Fix(es):

unbound: Unbounded name compression could lead to Denial of Service
(CVE-2024-8508)

CVE(s):
CVE-2024-8508
NLnet Labs Unbound up to and including version 1.21.0 contains a vulnerability when handling replies with very large RRsets that it needs to perform name compression for. Malicious upstreams responses with very large RRsets can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks. The vulnerability can be exploited by a malicious actor querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression which was an unbounded operation that could lock the CPU until the whole packet was complete. Unbound version 1.21.1 introduces a hard limit on the number of name compression calculations it is willing to do per packet. Packets that need more compression will result in semi-compressed packets or truncated packets, even on TCP for huge messages, to avoid locking the CPU for long. This change should not affect normal DNS traffic.

Solution: 

Update packages.

CVEs: 
CVE-2024-8508
NLnet Labs Unbound up to and including version 1.21.0 contains a vulnerability when handling replies with very large RRsets that it needs to perform name compression for. Malicious upstreams responses with very large RRsets can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks. The vulnerability can be exploited by a malicious actor querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression which was an unbounded operation that could lock the CPU until the whole packet was complete. Unbound version 1.21.1 introduces a hard limit on the number of name compression calculations it is willing to do per packet. Packets that need more compression will result in semi-compressed packets or truncated packets, even on TCP for huge messages, to avoid locking the CPU for long. This change should not affect normal DNS traffic.
Additional Info: 

N/A

Download: 

SRPMS
  1. unbound-1.16.2-8.el9_5.1.src.rpm
    MD5: 33143ff9cddaf30ac729a62095049da4
    SHA-256: 077a6b52bc9e887d3678afa83c707c870aed19b4c213b767ed76e9d36d9d2634
    Size: 6.00 MB

Asianux Server 9 for x86_64
  1. python3-unbound-1.16.2-8.el9_5.1.x86_64.rpm
    MD5: 6909db0525559f92a72c19822476f739
    SHA-256: 3475d8237c74d902dcd972692c0e42c77e94e9bdc28504d6070ef73e38178639
    Size: 104.32 kB
  2. unbound-1.16.2-8.el9_5.1.x86_64.rpm
    MD5: 545cfb166592da43ca0884bc5cd67c84
    SHA-256: 62e14a617c4e54c2411d78f08ecfd39a8fe10c6868a801a9097bdfee52855247
    Size: 966.77 kB
  3. unbound-devel-1.16.2-8.el9_5.1.i686.rpm
    MD5: 7440502863b9243322cd4f0a292086b6
    SHA-256: 2ba41933feec13a896c62d93ddcc9b9e7c732dcea3fe7fb7e50115088c886746
    Size: 37.29 kB
  4. unbound-devel-1.16.2-8.el9_5.1.x86_64.rpm
    MD5: be0ea0284b032c6cdfcabf5b359cc112
    SHA-256: 3c1de33c81506a62d565682888b2d1c2c06c60fd2fa73db5ff7722d11128c2ac
    Size: 37.31 kB
  5. unbound-libs-1.16.2-8.el9_5.1.i686.rpm
    MD5: ff373b34f2f34ee92f7aabbe1141ac82
    SHA-256: 5da83c55bde2e33bfc2ba0f3bc0b9f04815db84726cd193db521505d93e3925c
    Size: 572.91 kB
  6. unbound-libs-1.16.2-8.el9_5.1.x86_64.rpm
    MD5: 0158ca300dd14a1e4aed5b88ce34a2c7
    SHA-256: 011e6fe0505b9d0be5ac903799fb9fa4a7d9875b7052971dd4acf33551ee96a6
    Size: 546.89 kB