| Summary: | unbound new security issue CVE-2024-33655 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, eatdirt, geiger.david68210, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | unbound | CVE: | CVE-2024-33655 |
| Status comment: | Fixed upstream in 1.20.0 and patch available from upstream and Ubuntu | ||
|
Description
Nicolas Salguero
2024-05-29 15:49:46 CEST
Nicolas Salguero
2024-05-29 15:50:32 CEST
CVE: (none) => CVE-2024-33655

Assigning to the registered maintainer!

Assignee: bugsquad => eatdirt

Thanks, I'll fix that.

Unbound package version 1.20.0 landing in update testing.

-------------
Along with various minor bug fixing, this update addresses the security vulnerability CVE-2024-33655 which would have allowed unbound to be used as a DNSBomb.

Updated packages in core/updates_testing
lib64unbound8-1.20.0-1.mga9
python3-unbound-1.20.0-1.mga9
lib(64)unbound-devel-1.20.0-1.mga9
unbound-1.20.0-1.mga9

CC: (none) => eatdirt
katnatek
2024-06-01 03:51:21 CEST
Keywords: (none) => advisory

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing python3-unbound-1.20.0-1.mga9.x86_64.rpm lib64unbound8-1.20.0-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/2: lib64unbound8 ##################################################################################################
2/2: python3-unbound ##################################################################################################
1/2: removing python3-unbound-1.19.1-1.mga9.x86_64
##################################################################################################
2/2: removing lib64unbound8-1.19.1-1.mga9.x86_64
##################################################################################################
LC_ALL=C urpmi unbound
installing unbound-1.20.0-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: unbound ##################################################################################################
----------------------------------------------------------------------
More information on package unbound-1.20.0-1.mga9.x86_64
In case you install the dnscrypt-proxy package,
uncomment the indicated forward-zone block in /etc/unbound/unbound.conf
and set "do-not-query-localhost: no"
----------------------------------------------------------------------
Reference bug#32841 comment#6
systemctl start unbound
systemctl status unbound
● unbound.service - Unbound DNS Resolver
Loaded: loaded (/usr/lib/systemd/system/unbound.service; disabled; preset: disabled)
Active: active (running) since Fri 2024-05-31 20:46:14 CST; 2s ago
Main PID: 555332 (unbound)
Tasks: 1 (limit: 6904)
Memory: 6.8M
CPU: 58ms
CGroup: /system.slice/unbound.service
└─555332 /usr/sbin/unbound -c /etc/unbound/unbound.conf
may 31 20:46:14 phoenix systemd[1]: Started unbound.service.
may 31 20:46:14 phoenix unbound[555332]: [555332:0] notice: init module 0: validator
may 31 20:46:14 phoenix unbound[555332]: [555332:0] notice: init module 1: iterator
may 31 20:46:14 phoenix unbound[555332]: [555332:0] info: start of service (unbound 1.20.0).
dig mageia.org
; <<>> DiG 9.18.15 <<>> mageia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22784
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mageia.org. IN A
;; ANSWER SECTION:
mageia.org. 1800 IN A 163.172.148.228
;; Query time: 288 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Fri May 31 20:47:55 CST 2024
;; MSG SIZE rcvd: 55
I do not have a VPN, so this is all the testing I can do.

CC: (none) => andrewsfarm

Validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0203.html

Resolution: (none) => FIXED |
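A functional check of a resolver update only exercises the new package when the query is answered by the local unbound, and dig names the answering server on its `;; SERVER:` line. The following is an added example, not part of the bug report or of Mageia's QA tooling: it parses a saved transcript for that line, the response status, and the version in unbound's start-up log line. It assumes unbound listens on 127.0.0.1 and that the transcript comes from a command such as `dig @127.0.0.1 mageia.org`; the sample strings are constructed from the header and footer format shown in the transcript above.

```shell
#!/bin/sh
# Added example: decide whether a captured dig transcript was answered by
# the resolver under test. Function names are hypothetical helpers.
# Assumption: the local unbound listens on 127.0.0.1.

# Print the address from dig's ";; SERVER: addr#port(...)" footer line.
dig_server() {
    printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' | head -n 1
}

# Print the status (NOERROR, SERVFAIL, ...) from the ->>HEADER<<- line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print the version from the newest "start of service (unbound X.Y.Z)" log line.
unbound_version() {
    printf '%s\n' "$1" \
        | sed -n 's/.*start of service (unbound \([0-9.]*\)).*/\1/p' \
        | tail -n 1
}

# Succeed only if the transcript shows NOERROR and the expected server answered.
# $1 = dig transcript, $2 = expected resolver address
answered_by() {
    [ "$(dig_status "$1")" = "NOERROR" ] && [ "$(dig_server "$1")" = "$2" ]
}

# Constructed sample input in the format dig and journald print.
SAMPLE_DIG=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22784
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)'
SAMPLE_LOG='may 31 20:46:14 phoenix unbound[555332]: [555332:0] info: start of service (unbound 1.20.0).'

if answered_by "$SAMPLE_DIG" 127.0.0.1; then
    echo "answer came from the local unbound"
else
    echo "answer came from $(dig_server "$SAMPLE_DIG"), not 127.0.0.1"
fi
echo "running unbound version: $(unbound_version "$SAMPLE_LOG")"
```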