unbound-1.16.2-5.11.el8_10
エラータID: AXSA:2026-768:04
リリース日:
2026/06/09 Tuesday - 20:20
題名:
unbound-1.16.2-5.11.el8_10
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Unbound には、ヒープベースのバッファオーバーフローの問題が
あるため、リモートの攻撃者により、巧妙に細工された DNS 応答
パケットを介して、サービス拒否攻撃 (DoS) を可能とする脆弱性が
存在します。(CVE-2026-42944)
- Unbound には、不正なポインタへアクセスしてしまう問題があるため、
リモートの攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在
します。(CVE-2026-42959)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2026-42944
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.
CVE-2026-42959
NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a crash given malicious upstream replies. When Unbound constructs chase-reply messages for validation, the code uses the wrong counter to calculate write offsets for ADDITIONAL section rrsets. DNAME duplication could increase the ANSWER section count and authority filtering could decrease the AUTHORITY section count and create an uninitialized array slot. Combining these two, the validator later dereferences this uninitialized pointer, causing an immediate process crash. An adversary controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue records. Unbound 1.25.1 contains a patch with a fix to use the proper counters to calculate the write offsets.
NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a crash given malicious upstream replies. When Unbound constructs chase-reply messages for validation, the code uses the wrong counter to calculate write offsets for ADDITIONAL section rrsets. DNAME duplication could increase the ANSWER section count and authority filtering could decrease the AUTHORITY section count and create an uninitialized array slot. Combining these two, the validator later dereferences this uninitialized pointer, causing an immediate process crash. An adversary controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue records. Unbound 1.25.1 contains a patch with a fix to use the proper counters to calculate the write offsets.
追加情報:
N/A
ダウンロード:
SRPMS
- unbound-1.16.2-5.11.el8_10.src.rpm
MD5: cfec02cbb3a55dfda961d8b3464b23e0
SHA-256: 6d7ab55f91fb561d4a372b3efa501769e9f0fe79218a64f22918ae53bd003e05
Size: 6.02 MB
Asianux Server 8 for x86_64
- python3-unbound-1.16.2-5.11.el8_10.x86_64.rpm
MD5: 37334345e6730b8bc0e73727f6718896
SHA-256: 81dcacc376da38c7374590db7cb9bf1b31e3b216d1231a34141ef029b8eca330
Size: 129.53 kB - unbound-1.16.2-5.11.el8_10.x86_64.rpm
MD5: 6c25053350294cf4d566a91e4d6f62df
SHA-256: 84124e688eaf97f6cd94595764e87639f6ffc8cf4f0834bd6ed117e0ca6490af
Size: 1.00 MB - unbound-devel-1.16.2-5.11.el8_10.i686.rpm
MD5: 8bd84ba8833608fe2d7939db656ccae3
SHA-256: b9d9803c463ca0909dbcd9ecb45af8df357f852967f9281f85febe2c10084a8e
Size: 56.93 kB - unbound-devel-1.16.2-5.11.el8_10.x86_64.rpm
MD5: b59144b0d949e97051dc41e2887129a3
SHA-256: c4964f0691d73076ffc1c24e426283b0b60003510b322d836dfc5b939cff20ce
Size: 56.91 kB - unbound-libs-1.16.2-5.11.el8_10.i686.rpm
MD5: 1a98b469a728c720755c73aa56efd1f5
SHA-256: de549d12ec1463383e6c5c7624c84235202469adabda2354ba07bca7183690d4
Size: 618.10 kB - unbound-libs-1.16.2-5.11.el8_10.x86_64.rpm
MD5: 31f2ddd252ff4729ef827ef309de201b
SHA-256: 5976cb2f8be7db1929d53e723512bb5221557d2002586e5f071fb8ae9f786bd8
Size: 577.55 kB
English