unbound-1.16.2-5.8.el8_10
エラータID: AXSA:2025-9618:01
リリース日:
2025/02/03 Monday - 10:59
題名:
unbound-1.16.2-5.8.el8_10
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Unbound には、デフォルトの権限設定の不備により unbound
グループ以外の利用者が unbound サービスの一部の設定値を
変更できてしまう問題があるため、ローカルの攻撃者により、
localhost:8953 への接続を介して、情報の漏洩 (ローカル
リゾルバーによって転送されたクエリの漏洩) を可能とする
脆弱性が存在します。(CVE-2024-1488)
- Unbound には、非常に大きなリソースレコードセット
(RRset) を含み、名前の圧縮処理が必要となる応答メッセージ
を処理する際に、意図しない CPU リソースを消費してしまう
問題があるため、リモートの攻撃者により、細工された
リクエストの送信を介して、サービス拒否攻撃 (CPU リソース
の枯渇) を可能とする脆弱性が存在します。(CVE-2024-8508)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2024-1488
A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw allows an unprivileged attacker to manipulate a running instance, potentially altering forwarders, allowing them to track all queries forwarded by the local resolver, and, in some cases, disrupting resolving altogether.
A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw allows an unprivileged attacker to manipulate a running instance, potentially altering forwarders, allowing them to track all queries forwarded by the local resolver, and, in some cases, disrupting resolving altogether.
CVE-2024-8508
NLnet Labs Unbound up to and including version 1.21.0 contains a vulnerability when handling replies with very large RRsets that it needs to perform name compression for. Malicious upstreams responses with very large RRsets can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks. The vulnerability can be exploited by a malicious actor querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression which was an unbounded operation that could lock the CPU until the whole packet was complete. Unbound version 1.21.1 introduces a hard limit on the number of name compression calculations it is willing to do per packet. Packets that need more compression will result in semi-compressed packets or truncated packets, even on TCP for huge messages, to avoid locking the CPU for long. This change should not affect normal DNS traffic.
NLnet Labs Unbound up to and including version 1.21.0 contains a vulnerability when handling replies with very large RRsets that it needs to perform name compression for. Malicious upstreams responses with very large RRsets can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks. The vulnerability can be exploited by a malicious actor querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression which was an unbounded operation that could lock the CPU until the whole packet was complete. Unbound version 1.21.1 introduces a hard limit on the number of name compression calculations it is willing to do per packet. Packets that need more compression will result in semi-compressed packets or truncated packets, even on TCP for huge messages, to avoid locking the CPU for long. This change should not affect normal DNS traffic.
追加情報:
N/A
ダウンロード:
SRPMS
- unbound-1.16.2-5.8.el8_10.src.rpm
MD5: 9d1bf99f8fcf7d35290c7dc90ba65638
SHA-256: 8defbda5890e2774337850ef50054d6160fa4584d97a3ad355c7e43f0bc35afe
Size: 6.01 MB
Asianux Server 8 for x86_64
- python3-unbound-1.16.2-5.8.el8_10.x86_64.rpm
MD5: a755c5f451fb1d617c954b7ddcd9f1c8
SHA-256: 2fcfe2460e3b22f2fa1219be5b627ab2c01902415090c21d1f2c77bbb247174f
Size: 129.15 kB - unbound-1.16.2-5.8.el8_10.x86_64.rpm
MD5: b448f5621418fd63d840270e1dc61a3e
SHA-256: f9673cd85430bc1ba3f03e31d22bae04b6422a4c19f4ca179f18043c61041e5d
Size: 1.00 MB - unbound-devel-1.16.2-5.8.el8_10.i686.rpm
MD5: 891e94e40f31c99eb116939ed0da436c
SHA-256: 0618a3258815545d3ca7435674da2ac8c09bf0f4b082a75108327e38be2abedf
Size: 56.55 kB - unbound-devel-1.16.2-5.8.el8_10.x86_64.rpm
MD5: 38bb1f7245d1fa3ab6f2904207979789
SHA-256: 7a13650009a818e9f006d493f9bbe503220a69424fcf55f662b291edab1550e8
Size: 56.53 kB - unbound-libs-1.16.2-5.8.el8_10.i686.rpm
MD5: 5bfca4328ed611bbb33ac05c18a870e7
SHA-256: 319172eec1e3b658b8e80adf995bb145a00c8f4d325da3d53ad5a8eb2bc89adf
Size: 616.11 kB - unbound-libs-1.16.2-5.8.el8_10.x86_64.rpm
MD5: 18baa6e6ba1b97fefa317238b7929000
SHA-256: 61f91309f1ed80d2c37f186ace2c61d6b156bb82ee3d35e39c3863ab515b8723
Size: 576.05 kB
English