Bug 26646

Summary: unbound new security issues CVE-2020-1266[23]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, mageia, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: unbound-1.10.0-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2020-05-19 19:52:40 CEST 
Upstream has issued an advisory today (May 19):
https://nlnetlabs.nl/downloads/unbound/CVE-2020-12662_2020-12663.txt

The issues are fixed upstream in 1.10.1.

Mageia 7 is also affected.
David Walser 2020-05-19 19:52:53 CEST

Status comment: (none) => Fixed upstream in 1.10.1
Whiteboard: (none) => MGA7TOO

Nicolas Lécureuil 2020-05-19 22:06:28 CEST

CC: (none) => mageia
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 1 Nicolas Lécureuil 2020-05-19 22:09:03 CEST 
1.10.1 pushed into cauldron.
Comment 2 Nicolas Lécureuil 2020-05-19 22:28:02 CEST 
Advisory:
========================
Updated unbound packages fix security vulnerability:

- CVE-2020-12662 Unbound can be tricked into amplifying an incoming
  query into a large number of queries directed to a target.
- CVE-2020-12663 Malformed answers from upstream name servers can be
  used to make Unbound unresponsive.
References:
https://nlnetlabs.nl/downloads/unbound/CVE-2020-12662_2020-12663.txt

Updated packages in core/updates_testing:
========================
unbound-1.10.1-1.mga7
libunbound8-1.10.1-1.mga7
libunbound-devel-1.10.1-1.mga7
python2-unbound-1.10.1-1.mga7
python3-unbound-1.10.1-1.mga7
unbound-debuginfo-1.10.1-1.mga7
libunbound8-debuginfo-1.10.1-1.mga7
python2-unbound-debuginfo-1.10.1-1.mga7
python3-unbound-debuginfo-1.10.1-1.mga7

from:
unbound-1.10.1-1.mga7

Assignee: eatdirt => qa-bugs

David Walser 2020-05-19 23:50:19 CEST

Status comment: Fixed upstream in 1.10.1 => (none)

Comment 3 Herman Viaene 2020-05-20 13:51:27 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues omitting the devel and debug packages.
Ref bug 25974 Comment 1 for testing.
# systemctl  start unbound

# systemctl -l status unbound
● unbound.service - Unbound DNS Resolver
   Loaded: loaded (/usr/lib/systemd/system/unbound.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-05-20 13:48:16 CEST; 18s ago
 Main PID: 8189 (unbound)
    Tasks: 1 (limit: 4915)
   Memory: 5.6M
   CGroup: /system.slice/unbound.service
           └─8189 /usr/sbin/unbound -c /etc/unbound/unbound.conf

May 20 13:48:16 mach5.hviaene.thuis systemd[1]: Started Unbound DNS Resolver.
May 20 13:48:16 mach5.hviaene.thuis unbound[8189]: [8189:0] notice: init module 0: validator
May 20 13:48:16 mach5.hviaene.thuis unbound[8189]: [8189:0] notice: init module 1: iterator
May 20 13:48:16 mach5.hviaene.thuis unbound[8189]: [8189:0] info: start of service (unbound 1.10.1).

OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2020-05-20 14:05:13 CEST 
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-05-24 17:56:06 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 5 Mageia Robot 2020-05-24 20:06:41 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0224.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED