93 lines
4.3 KiB
Plaintext
93 lines
4.3 KiB
Plaintext
<patchinfo incident="213">
|
|
<!-- generated from request(s) 349214 -->
|
|
<issue tracker="bnc" id="1231284">VUL-0: CVE-2024-8508: unbound: handling of upstream responses with very large RRsets and where name compression is needed for downstream replies leads to degraded performance and, eventually, denial of service</issue>
|
|
<issue tracker="cve" id="2024-8508"/>
|
|
<packager>jcronenberg</packager>
|
|
<rating>moderate</rating>
|
|
<category>security</category>
|
|
<summary>Security update for unbound</summary>
|
|
<description>This update for unbound fixes the following issues:
|
|
|
|
- Update to 1.22.0:
|
|
Features:
|
|
* Add iter-scrub-ns, iter-scrub-cname and max-global-quota
|
|
configuration options.
|
|
* Merge patch to fix for glue that is outside of zone, with
|
|
`harden-unverified-glue`, from Karthik Umashankar (Microsoft).
|
|
Enabling this option protects the Unbound resolver against bad
|
|
glue, that is unverified out of zone glue, by resolving them.
|
|
It uses the records as last resort if there is no other working
|
|
glue.
|
|
* Add redis-command-timeout: 20 and redis-connect-timeout: 200,
|
|
that can set the timeout separately for commands and the
|
|
connection set up to the redis server. If they are not
|
|
specified, the redis-timeout value is used.
|
|
* Log timestamps in ISO8601 format with timezone. This adds the
|
|
option `log-time-iso: yes` that logs in ISO8601 format.
|
|
* DNS over QUIC. This adds `quic-port: 853` and `quic-size: 8m`
|
|
that enable dnsoverquic, and the counters `num.query.quic` and
|
|
`mem.quic` in the statistics output. The feature needs to be
|
|
enabled by compiling with libngtcp2, with
|
|
`--with-libngtcp2=path` and libngtcp2 needs openssl+quic, pass
|
|
that with `--with-ssl=path` to compile unbound as well.
|
|
|
|
Bug Fixes:
|
|
* unbound-control-setup hangs while testing for openssl presence
|
|
starting from version 1.21.0.
|
|
* Fix error: "memory exhausted" when defining more than 9994
|
|
local-zones.
|
|
* Fix documentation for cache_fill_missing function.
|
|
* Fix Loads of logs: "validation failure: key for validation
|
|
<domain>. is marked as invalid because of a previous" for
|
|
non-DNSSEC signed zone.
|
|
* Fix that when rpz is applied the message does not get picked up
|
|
by the validator. That stops validation failures for the
|
|
message.
|
|
* Fix that stub-zone and forward-zone clauses do not exhaust
|
|
memory for long content.
|
|
* Fix to print port number in logs for auth zone transfer
|
|
activities.
|
|
* b.root renumbering.
|
|
* Add new IANA trust anchor.
|
|
* Fix config file read for dnstap-sample-rate.
|
|
* Fix alloc-size and calloc-transposed-args compiler warnings.
|
|
* Fix to limit NSEC and NSEC3 TTL when aggressive nsec is enabled
|
|
(RFC9077).
|
|
* Fix dns64 with prefetch that the prefetch is stored in cache.
|
|
* Attempt to further fix doh_downstream_buffer_size.tdir
|
|
flakiness.
|
|
* More clear text for prefetch and minimal-responses in the
|
|
unbound.conf man page.
|
|
* Fix cache update when serve expired is used. Expired records
|
|
are favored over resolution and validation failures when
|
|
serve-expired is used.
|
|
* Fix negative cache NSEC3 parameter compares for zero length
|
|
NSEC3 salt.
|
|
* Fix unbound-control-setup hangs sometimes depending on the
|
|
openssl version.
|
|
* Fix Cannot override tcp-upstream and tls-upstream with
|
|
forward-tcp-upstream and forward-tls-upstream.
|
|
* Fix to limit NSEC TTL for messages from cachedb. Fix to limit
|
|
the prefetch ttl for messages after a CNAME with short TTL.
|
|
* Fix to disable detection of quic configured ports when quic is
|
|
not compiled in.
|
|
* Fix harden-unverified-glue for AAAA cache_fill_missing lookups.
|
|
* Fix contrib/aaaa-filter-iterator for change in call
|
|
signature for cache_fill_missing.
|
|
* Fix to display warning if quic-port is set but dnsoverquic is
|
|
not enabled when compiled.
|
|
* Fix dnsoverquic to extend the number of streams when one is
|
|
closed.
|
|
* Fix for dnstap with dnscrypt and dnstap without dnsoverquic.
|
|
* Fix for dnsoverquic and dnstap to use the correct dnstap
|
|
environment.
|
|
|
|
- Update to 1.21.1:
|
|
Security Fixes:
|
|
* CVE-2024-8508: unbounded name compression could lead to
|
|
denial of service. (bsc#1231284)
|
|
</description>
|
|
<package>unbound</package>
|
|
<package>unbound:libunbound-devel-mini</package>
|
|
<seperate_build_arch/>
|
|
</patchinfo> |