Bug 22423 - unbound new security issue CVE-2017-15105
Summary: unbound new security issue CVE-2017-15105
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Reported: 2018-01-19 15:46 CET by David Walser
Modified: 2018-01-22 22:03 CET

Source RPM: unbound-1.6.7-1.mga7.src.rpm
Description David Walser 2018-01-19 15:46:28 CET
Upstream has issued an advisory today (January 19):
https://unbound.net/downloads/CVE-2017-15105.txt

The issue is fixed upstream in 1.6.8, and a patch is linked from the advisory.

Mageia 6 is also affected.
David Walser 2018-01-19 15:46:38 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Chris Denice 2018-01-19 21:36:12 CET
Hi David,
Thanks for spotting this! Updated package to 1.6.8 on Cauldron, as well as on mga6. We were at version 1.6.2 and many other fixes have been applied since.

To test, install unbound and check that you can run the service. As root:
systemctl start unbound
systemctl status unbound

Should report a running unbound service.

I have tested it myself on real mga6, x86_64, in a real environment (coupled to dnscrypt); the new version works fine.

Cheers,
Chris.




Advisory:
========================

Updated unbound packages to fix security vulnerability (CVE-2017-15105) in the processing of wildcard synthesized NSEC records. While synthesis of NSEC records is allowed by RFC4592, these synthesized owner names should not be used in the NSEC processing. This was, however, happening in Unbound 1.6.7 and earlier versions.

References
==================
https://unbound.net/downloads/CVE-2017-15105.txt

Updated packages in core/updates_testing:
========================
lib64unbound2-1.6.8-1.mga6
unbound-1.6.8-1.mga6

from SRPMS:
unbound-1.6.8-1.mga6.src

Assignee: eatdirt => qa-bugs

Thomas Backlund 2018-01-19 22:44:09 CET

CC: (none) => tmb
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 2 Len Lawrence 2018-01-20 09:36:11 CET
Mageia 6 :: x86_64

Installed the two packages, checked that the service could be started, then updated and ran the test again. If that is all that is required then this is good for 64 bits.

CC: (none) => tarazed25

Len Lawrence 2018-01-20 09:36:35 CET

Whiteboard: (none) => MGA6-64-OK

Lewis Smith 2018-01-22 09:34:24 CET

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2018-01-22 22:03:16 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0091.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
