Bug 32841

Summary: update unbound to 1.19.1 to fix CVE-2023-50387 and CVE-2023-50868
Product: Mageia Reporter: christian barranco <chb0>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, geiger.david68210, jim, marja11, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://nlnetlabs.nl/projects/unbound/security-advisories/ https://github.com/NLnetLabs/unbound/releases/tag/release-1.19.1
Whiteboard: MGA9-64-OK
Source RPM: unbound-1.17.1-2.mga9.src.rpm CVE: CVE-2023-50387,CVE-2023-50868
Status comment:

Description christian barranco 2024-02-13 21:12:12 CET 
Unbound 1.19.1 fixes CVE:
https://github.com/NLnetLabs/unbound/releases/tag/release-1.19.1
christian barranco 2024-02-13 21:12:31 CET

CVE: (none) => CVE-2023-50387,CVE-2023-50868

David Walser 2024-02-13 23:07:29 CET

Summary: update unbound to 1.19.1 to fix CVE => update unbound to 1.19.1 to fix CVE-2023-50387 and CVE-2023-50868

Comment 1 james Whitby 2024-02-14 01:52:15 CET 
Is there a fix for this in bind 9?

CC: (none) => jim

Comment 2 David GEIGER 2024-02-14 05:58:33 CET 
Assigning to its registered maintainer!

Whiteboard: (none) => MGA9TOO
CC: (none) => geiger.david68210
Assignee: bugsquad => eatdirt
Version: 9 => Cauldron

Comment 3 Chris Denice 2024-02-14 22:33:30 CET 
Thanks for the head-up!
Comment 4 Chris Denice 2024-02-14 22:41:24 CET 
Package unbound updated to version 1.9.1 to fix security issues CVE-2023-50387 and CVE-2023-50868.

https://nlnetlabs.nl/projects/unbound/security-advisories/

The packages required for this update advisory are:

RPMS:
lib(64)unbound8-1.19.1-1.mga9
lib(64)unbound-devel-1.19.1-1.mga9
python3-unbound-1.19.1-1.mga9
unbound-1.19.1-1.mga9

SRPMS:
unbound-1.19.1-1.mga9.src.rpm

Assignee: eatdirt => qa-bugs

Comment 5 Marja Van Waes 2024-02-15 20:52:22 CET 
 unbound-1.19.1-1.mga10 landed in cauldron

URL: (none) => https://nlnetlabs.nl/projects/unbound/security-advisories/ https://github.com/NLnetLabs/unbound/releases/tag/release-1.19.1
CC: (none) => marja11
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

Marja Van Waes 2024-02-15 21:01:31 CET

Keywords: (none) => advisory

Comment 6 Thomas Andrews 2024-02-16 20:00:38 CET 
I'm no expert in this area, but I played around a little, using bug 30876 comment 5 as a guide:

Tested on a MGA9-64 Plasma system. No installation issues. Rebooted...

[root@localhost ~]# systemctl status unbound
● unbound.service - Unbound DNS Resolver
     Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; preset: disabled)
     Active: active (running) since Fri 2024-02-16 13:22:18 EST; 2min 29s ago
   Main PID: 15331 (unbound)
      Tasks: 1 (limit: 57718)
     Memory: 8.1M
        CPU: 62ms
     CGroup: /system.slice/unbound.service
             └─15331 /usr/sbin/unbound -c /etc/unbound/unbound.conf

Feb 16 13:22:18 localhost.localdomain systemd[1]: Started unbound.service.
Feb 16 13:22:18 localhost.localdomain unbound[15331]: [15331:0] notice: init module 0: validator
Feb 16 13:22:18 localhost.localdomain unbound[15331]: [15331:0] notice: init module 1: iterator
Feb 16 13:22:18 localhost.localdomain unbound[15331]: [15331:0] info: start of service (unbound 1.19.1).

Using my router:

$ dig mageia.org

; <<>> DiG 9.18.15 <<>> mageia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1591
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org.                    IN      A

;; ANSWER SECTION:
mageia.org.             164     IN      A       163.172.148.228

;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Fri Feb 16 13:25:55 EST 2024
;; MSG SIZE  rcvd: 55

Activating a VPN:

$ dig mageia.org

; <<>> DiG 9.18.15 <<>> mageia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6011
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 3d1281116fd5c1980100000065cfa950419da7ef1ac13a63 (good)
;; QUESTION SECTION:
;mageia.org.                    IN      A

;; ANSWER SECTION:
mageia.org.             1800    IN      A       163.172.148.228

;; Query time: 161 msec
;; SERVER: 162.252.172.57#53(162.252.172.57) (UDP)
;; WHEN: Fri Feb 16 13:28:32 EST 2024
;; MSG SIZE  rcvd: 83

Note that the IP for the server changed from my router to the VPN's IP.

I don't see any errors there, so I'm giving this an OK, and validating. If this test isn't valid, someone please rescue me from myself.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Mageia Robot 2024-02-17 01:56:16 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0039.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED