| Summary: | unbound new security issue CVE-2022-3204 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, chb0, davidwhodgins, eatdirt, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | unbound-1.16.2-1.mga8.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser
2022-09-21 17:36:10 CEST

David Walser
2022-09-21 17:36:43 CEST
Severity: normal => major

Hi. @eatdirt, are you on it or do you want me to help?

Fedora has issued an advisory for this today (September 27):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3G2HS6CYPSIGAKO6QLEZPG3RD6AMPB7B/

Hi. As it is a security fix, I took it on me to push it. Hope it is ok with you Chris.

ADVISORY NOTICE PROPOSAL
========================

Updated unbound packages fix security vulnerabilities

Description

Update to version 1.16.3 fixes CVE-2022-3204 Non-Responsive Delegation Attack. It was reported by Yehuda Afek from Tel-Aviv University and Anat Bremler-Barr and Shani Stajnrod from Reichman University.

This fix is for better performance when under load, by cutting promiscuous queries for nameserver discovery and limiting the number of times a delegation point can look in the cache for missing records.

References
https://bugs.mageia.org/show_bug.cgi?id=30876
https://github.com/NLnetLabs/unbound/releases/tag/release-1.16.3

SRPMS
8/core
unbound-1.16.3-1.mga8.src.rpm

PROVIDED PACKAGES:
lib64unbound8-1.16.3-1.mga8
lib64unbound-devel-1.16.3-1.mga8
unbound-1.16.3-1.mga8
python3-unbound-1.16.3-1.mga8

PACKAGES FOR QA TESTING
=======================

x86_64:
lib64unbound8-1.16.3-1.mga8.x86_64.rpm
lib64unbound-devel-1.16.3-1.mga8.x86_64.rpm
unbound-1.16.3-1.mga8.x86_64.rpm
python3-unbound-1.16.3-1.mga8.x86_64.rpm

i586:
lib64unbound8-1.16.3-1.mga8.i586.rpm
lib64unbound-devel-1.16.3-1.mga8.i586.rpm
unbound-1.16.3-1.mga8.i586.rpm
python3-unbound-1.16.3-1.mga8.i586.rpm

Ready for QA

Assignee: eatdirt => qa-bugs
christian barranco
2022-09-27 16:01:15 CEST
Version: 8 => Cauldron

Thomas Backlund
2022-09-27 16:08:20 CEST
Whiteboard: MGA8TOO => (none)

Test done on Plasma x86_64 desktop PC
Update with QArepo = OK
Reboot
Unbound service still active:
$ systemctl status unbound
● unbound.service - Unbound DNS Resolver
Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-09-27 16:11:52 CEST; 39s ago
Main PID: 1237 (unbound)
Tasks: 4 (limit: 38383)
Memory: 21.4M
CPU: 32ms
CGroup: /system.slice/unbound.service
└─1237 /usr/sbin/unbound -c /etc/unbound/unbound.conf
sept. 27 16:11:52 cbct-desk systemd[1]: Started Unbound DNS Resolver.
sept. 27 16:11:52 cbct-desk unbound[1237]: [1237:0] notice: init module 0: validator
sept. 27 16:11:52 cbct-desk unbound[1237]: [1237:0] notice: init module 1: iterator
sept. 27 16:11:52 cbct-desk unbound[1237]: [1237:0] info: start of service (unbound 1.16.3).
sept. 27 16:11:56 cbct-desk unbound[1237]: [1237:0] info: generate keytag query _ta-4f66. NULL IN
Query of mageia.org shows my localhost resolver is used:
$ dig mageia.org
; <<>> DiG 9.11.37Mageia-1.mga8 <<>> mageia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40707
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mageia.org. IN A
;; ANSWER SECTION:
mageia.org. 1800 IN A 163.172.148.228
;; Query time: 128 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: mar. sept. 27 16:13:03 CEST 2022
;; MSG SIZE rcvd: 55
2nd query shows a query time of 0 msec, meaning the previous query result was cached:
$ dig mageia.org
; <<>> DiG 9.11.37Mageia-1.mga8 <<>> mageia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4052
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mageia.org. IN A
;; ANSWER SECTION:
mageia.org. 1794 IN A 163.172.148.228
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: mar. sept. 27 16:13:09 CEST 2022
;; MSG SIZE rcvd: 55
OK for me
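The QA checks done above (read the running unbound version from the journal, confirm the second dig was answered by 127.0.0.1 and from cache) as a small offline script. This is an added example, not part of the bug report or of unbound: the journal lines and dig outputs it reads are constructed samples in the shape of the ones pasted above, and the 1.16.3 threshold is the fixed version named in the advisory.

```python
"""Offline check of the QA evidence: is the running unbound at or past the
release carrying the CVE-2022-3204 fix (1.16.3), and do two consecutive dig
runs show a local, caching resolver?  Added example, not Mageia's or unbound's code."""
import re

# First unbound release with the CVE-2022-3204 fix, per the advisory text.
FIXED_VERSION = (1, 16, 3)

# Constructed sample: journal lines in the shape of those pasted in the report.
JOURNAL = """\
sept. 27 16:11:52 cbct-desk systemd[1]: Started Unbound DNS Resolver.
sept. 27 16:11:52 cbct-desk unbound[1237]: [1237:0] notice: init module 0: validator
sept. 27 16:11:52 cbct-desk unbound[1237]: [1237:0] info: start of service (unbound 1.16.3).
"""

VERSION_RE = re.compile(r"start of service \(unbound (\d+)\.(\d+)\.(\d+)\)")


def running_version(journal: str):
    """Return (major, minor, patch) from the last 'start of service' line, or None."""
    found = None
    for line in journal.splitlines():
        m = VERSION_RE.search(line)
        if m:
            found = tuple(int(x) for x in m.groups())
    return found


def is_patched(version) -> bool:
    """True when the running version is at or past the release carrying the fix."""
    return version is not None and version >= FIXED_VERSION


# Constructed sample dig outputs: same record, second run a few seconds later.
DIG_FIRST = """\
;; ANSWER SECTION:
mageia.org.\t\t1800\tIN\tA\t163.172.148.228
;; Query time: 128 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""
DIG_SECOND = """\
;; ANSWER SECTION:
mageia.org.\t\t1794\tIN\tA\t163.172.148.228
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)", re.M)
SERVER_RE = re.compile(r"^;; SERVER: ([\d.]+)#(\d+)", re.M)
QTIME_RE = re.compile(r"^;; Query time: (\d+) msec", re.M)


def parse_dig(output: str) -> dict:
    """Pull the A answer, its TTL, the query time and the server dig talked to."""
    ans = ANSWER_RE.search(output)
    srv = SERVER_RE.search(output)
    qt = QTIME_RE.search(output)
    if not (ans and srv and qt):
        raise ValueError("dig output missing answer, server or query time")
    return {"name": ans.group(1), "ttl": int(ans.group(2)), "addr": ans.group(3),
            "server": srv.group(1), "port": int(srv.group(2)), "msec": int(qt.group(1))}


def served_from_local_cache(first: str, second: str) -> bool:
    """Both answers came from 127.0.0.1 for the same record, and the second one
    carries a smaller TTL: the resolver answered from cache instead of re-resolving."""
    a, b = parse_dig(first), parse_dig(second)
    same_record = (a["name"], a["addr"]) == (b["name"], b["addr"])
    local = a["server"] == b["server"] == "127.0.0.1"
    return same_record and local and b["ttl"] < a["ttl"] and b["msec"] <= a["msec"]


if __name__ == "__main__":
    v = running_version(JOURNAL)
    print("unbound", ".".join(map(str, v)), "patched for CVE-2022-3204:", is_patched(v))
    print("local cache in use:", served_from_local_cache(DIG_FIRST, DIG_SECOND))
```

The shrinking TTL is the check worth keeping: a 0 msec query time on its own only says the answer was fast, while a TTL that has counted down between two runs shows the same cached record was handed back. The version test is a screen, not proof; it is meaningful here because the update rebases to upstream 1.16.3 rather than backporting the fix under the old version number.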
Thanks Christian. Make sure you clear the status comment when assigning to QA.

Status comment: Fixed upstream in 1.16.3 => (none)

(In reply to David Walser from comment #6)
> Thanks Christian. Make sure you clear the status comment when assigning to
> QA.

Ok. I learned something today. Thanks!

Hi
I think it is enough for x86 test. I don't think i586 would add a lot more. What else is required to push the update?

Whiteboard: (none) => MGA8-64-OK

It really should have a test by someone other than the packager, at least for a clean install, just to be extra sure no missing dependencies have crept in. I have done this in a VirtualBox guest, and have started the service and checked the status. No obvious errors.

Now the update has to be validated, which I'm doing here, and someone with the proper credentials will need to upload the advisory to SVN, before it can be pushed.

Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
Dave Hodgins
2022-10-08 19:39:19 CEST
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0361.html

Resolution: (none) => FIXED