unbound-1.16.2-5.8.el8_10

Errata ID: AXSA:2025-9618:01

Release date: Monday, February 3, 2025 - 10:59
Subject: unbound-1.16.2-5.8.el8_10
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.

Security Fix(es):

* unbound: unrestricted reconfiguration enabled to anyone that may lead to local privilege escalation (CVE-2024-1488)
* unbound: Unbounded name compression could lead to Denial of Service (CVE-2024-8508)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-1488
A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw allows an unprivileged attacker to manipulate a running instance, potentially altering forwarders, allowing them to track all queries forwarded by the local resolver, and, in some cases, disrupting resolving altogether.
CVE-2024-8508
NLnet Labs Unbound up to and including version 1.21.0 contains a vulnerability when handling replies with very large RRsets that it needs to perform name compression for. Malicious upstream responses with very large RRsets can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well-orchestrated attacks. The vulnerability can be exploited by a malicious actor querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query, it will try to apply name compression, which was an unbounded operation that could lock the CPU until the whole packet was complete. Unbound version 1.21.1 introduces a hard limit on the number of name compression calculations it is willing to do per packet. Packets that need more compression will result in semi-compressed packets or truncated packets, even on TCP for huge messages, to avoid locking the CPU for long. This change should not affect normal DNS traffic.
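
One way to check a host's unbound.conf for the exposure described under CVE-2024-1488, a control channel on an IP interface that accepts commands without certificate authentication. This is an added example, not code from this advisory or from the Unbound project; the option names and defaults follow unbound.conf(5), the sample configuration is constructed, and the parser assumes one attribute per line and does not follow `include:` directives.

```python
import re

# Constructed sample configuration (not shipped by any package).
SAMPLE_CONF = """\
server:
    interface: 127.0.0.1
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8953
    control-use-cert: "no"   # no TLS client certificate required
"""

def parse_remote_control(text):
    """Collect attributes of the remote-control clause as {name: [values]}."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"([a-z0-9-]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        if value == "":                              # clause header, e.g. "server:"
            section = key
        elif section == "remote-control":
            opts.setdefault(key, []).append(value)
    return opts

def audit_remote_control(text):
    """Return findings for IP control interfaces that skip certificate auth."""
    opts = parse_remote_control(text)

    def last(name, default):
        return opts.get(name, [default])[-1].lower()

    if last("control-enable", "no") != "yes":        # documented default: no
        return []
    use_cert = last("control-use-cert", "yes") == "yes"
    port = last("control-port", "8953")
    findings = []
    # Documented default is to listen on both localhost addresses.
    for iface in opts.get("control-interface", ["127.0.0.1", "::1"]):
        if iface.startswith("/"):
            continue  # unix socket: review its file owner and mode separately
        if not use_cert:
            findings.append(f"{iface}:{port} accepts control commands without a certificate")
    return findings

if __name__ == "__main__":
    print(audit_remote_control(SAMPLE_CONF))
```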

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. unbound-1.16.2-5.8.el8_10.src.rpm
    MD5: 9d1bf99f8fcf7d35290c7dc90ba65638
    SHA-256: 8defbda5890e2774337850ef50054d6160fa4584d97a3ad355c7e43f0bc35afe
    Size: 6.01 MB

Asianux Server 8 for x86_64
  1. python3-unbound-1.16.2-5.8.el8_10.x86_64.rpm
    MD5: a755c5f451fb1d617c954b7ddcd9f1c8
    SHA-256: 2fcfe2460e3b22f2fa1219be5b627ab2c01902415090c21d1f2c77bbb247174f
    Size: 129.15 kB
  2. unbound-1.16.2-5.8.el8_10.x86_64.rpm
    MD5: b448f5621418fd63d840270e1dc61a3e
    SHA-256: f9673cd85430bc1ba3f03e31d22bae04b6422a4c19f4ca179f18043c61041e5d
    Size: 1.00 MB
  3. unbound-devel-1.16.2-5.8.el8_10.i686.rpm
    MD5: 891e94e40f31c99eb116939ed0da436c
    SHA-256: 0618a3258815545d3ca7435674da2ac8c09bf0f4b082a75108327e38be2abedf
    Size: 56.55 kB
  4. unbound-devel-1.16.2-5.8.el8_10.x86_64.rpm
    MD5: 38bb1f7245d1fa3ab6f2904207979789
    SHA-256: 7a13650009a818e9f006d493f9bbe503220a69424fcf55f662b291edab1550e8
    Size: 56.53 kB
  5. unbound-libs-1.16.2-5.8.el8_10.i686.rpm
    MD5: 5bfca4328ed611bbb33ac05c18a870e7
    SHA-256: 319172eec1e3b658b8e80adf995bb145a00c8f4d325da3d53ad5a8eb2bc89adf
    Size: 616.11 kB
  6. unbound-libs-1.16.2-5.8.el8_10.x86_64.rpm
    MD5: 18baa6e6ba1b97fefa317238b7929000
    SHA-256: 61f91309f1ed80d2c37f186ace2c61d6b156bb82ee3d35e39c3863ab515b8723
    Size: 576.05 kB