Bug 25639 - unbound new security issue CVE-2019-16866
Summary: unbound new security issue CVE-2019-16866
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-10-31 04:46 CET by David Walser
Modified: 2019-11-08 00:38 CET (History)
5 users (show)

See Also:
Source RPM: unbound-1.9.1-3.mga8.src.rpm
CVE:
Status comment: Fixed upstream in 1.9.4

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2019-10-31 04:46:13 CET 
Debian has issued an advisory on October 16:
https://www.debian.org/security/2019/dsa-4544

The issue is fixed upstream in 1.9.4.

Mageia 7 is also affected.
David Walser 2019-10-31 04:46:39 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 1.9.4

Comment 1 David Walser 2019-10-31 04:54:19 CET 
Ubuntu has issued an advisory for this on October 8:
https://usn.ubuntu.com/4149-1/
Comment 2 Lewis Smith 2019-10-31 09:40:12 CET 
Assigning to ChrisD as the 'unbound' registered maintainer.

Assignee: bugsquad => eatdirt

Comment 3 Chris Denice 2019-11-05 13:48:59 CET 
I have uploaded version 1.9.4 for mga 7 in updates_testing (cauldron also updated).

You can test if the unbound service runs fine with (as root):
systemctl start unbound
systemctl status unbound

should return a green "active (running)".


Suggested advisory:
========================

Updated unbound package to version 1.9.4 to fix security vulnerabilities.
Versions before 1.9.4 allow accesses to uninitialized memory, which would permit 
remote attackers to trigger a crash (CVE-2019-16866).


References:
https://www.debian.org/security/2019/dsa-4544
https://security-tracker.debian.org/tracker/CVE-2019-16866
========================

Updated packages in core/updates_testing:
========================
lib(64)unbound8-1.9.4-1.mga7
lib(64)unbound-devel-1.9.4-1.mga7
unbound-1.9.4-1.mga7
python2-unbound-1.9.4-1.mga7
python3-unbound-1.9.4-1.mga7

Source RPMs: 
unbound-1.9.4-1.mga7.src.rpm

CC: (none) => eatdirt
Assignee: eatdirt => qa-bugs

Comment 4 Herman Viaene 2019-11-06 10:26:23 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug22423 Comment 2 for testing.
# systemctl  start unbound
# systemctl -l status unbound
● unbound.service - Unbound DNS Resolver
   Loaded: loaded (/usr/lib/systemd/system/unbound.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2019-11-06 10:22:53 CET; 3s ago
 Main PID: 26930 (unbound)
   Memory: 5.6M
   CGroup: /system.slice/unbound.service
           └─26930 /usr/sbin/unbound -c /etc/unbound/unbound.conf

nov 06 10:22:53 mach5.hviaene.thuis systemd[1]: Started Unbound DNS Resolver.
nov 06 10:22:53 mach5.hviaene.thuis unbound[26930]: [26930:0] notice: init module 0: validator
nov 06 10:22:53 mach5.hviaene.thuis unbound[26930]: [26930:0] notice: init module 1: iterator
nov 06 10:22:53 mach5.hviaene.thuis unbound[26930]: [26930:0] info: start of service (unbound 1.9.4).

OK then.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
CC: (none) => herman.viaene

Thomas Backlund 2019-11-06 22:51:02 CET

Version: Cauldron => 7
Whiteboard: MGA7TOO MGA7-64-OK => MGA7-64-OK
CC: (none) => tmb

Comment 5 Thomas Andrews 2019-11-07 16:20:03 CET 
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-11-07 22:20:32 CET

Keywords: (none) => advisory

Comment 6 Mageia Robot 2019-11-08 00:38:37 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0317.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.