Bug 25713 - unbound new security issues CVE-2019-18934 and CVE-2019-2503[137]
Summary: unbound new security issues CVE-2019-18934 and CVE-2019-2503[137]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-11-20 15:13 CET by David Walser
Modified: 2022-01-25 23:31 CET

See Also:
Source RPM: unbound-1.9.4-1.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 1.9.5


Description David Walser 2019-11-20 15:13:45 CET
An advisory has been issued on November 19:
https://nlnetlabs.nl/downloads/unbound/CVE-2019-18934.txt

The issue is fixed upstream in 1.9.5.

Mageia 7 is also affected.
David Walser 2019-11-20 15:14:02 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 1.9.5

Comment 1 Chris Denice 2019-11-20 16:40:59 CET
This security issue does not concern us; we do not compile the package with the options allowing the breach. Only users recompiling their Mageia package by tweaking the options could be concerned. Since this is minimal work anyway, I have uploaded the fixed version 1.9.5 for mga 7 in updates_testing (cauldron also updated).

You can test if the unbound service runs fine with (as root):
systemctl start unbound
systemctl status unbound

should return a green "active (running)".


Suggested advisory:
========================

Updated unbound package to version 1.9.5 to fix a potential security vulnerability. In case users recompiled the Mageia package with `--enable-ipsecmod`, and ipsecmod is enabled and used in the configuration, shell code execution would end up being possible after receiving a specially crafted answer.


References:
https://nlnetlabs.nl/downloads/unbound/CVE-2019-18934.txt
========================

Updated packages in core/updates_testing:
========================
lib(64)unbound8-1.9.5-1.mga7
lib(64)unbound-devel-1.9.5-1.mga7
unbound-1.9.5-1.mga7
python2-unbound-1.9.5-1.mga7
python3-unbound-1.9.5-1.mga7

Source RPMs: 
unbound-1.9.5-1.mga7.src.rpm

Assignee: eatdirt => qa-bugs
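
An added example, not part of the original bug report and not Mageia or NLnet Labs code: a shell check for the two conditions named in the suggested advisory in Comment 1 (a build configured with `--enable-ipsecmod`, and ipsecmod enabled and used in the configuration). It assumes the build's configure line has been saved to a text file (for instance from `unbound -V`); the function name, status strings and sample files are constructed for illustration, and `module-config` and `ipsecmod-enabled` are the unbound.conf directives it reads.

```shell
#!/bin/sh
# Added example; not Mageia or NLnet Labs code.
# ipsecmod_status BUILD_INFO_FILE UNBOUND_CONF   (hypothetical helper name)
# Prints one of: not-built | built-not-configured | exposed-config
# Limitation: does not follow include: directives or runtime configuration changes.
ipsecmod_status() {
    build_info=$1
    conf=$2
    # Condition 1: the package was configured with --enable-ipsecmod.
    grep -q -e '--enable-ipsecmod' "$build_info" || { echo not-built; return 0; }
    # Drop comments so a commented-out directive is not counted.
    active=$(sed 's/#.*//' "$conf")
    # Condition 2a: ipsecmod is listed in module-config.
    printf '%s\n' "$active" | grep -Eq '^[[:space:]]*module-config:.*ipsecmod' \
        || { echo built-not-configured; return 0; }
    # Condition 2b: ipsecmod-enabled defaults to yes; only an explicit "no" disables it.
    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*ipsecmod-enabled:[[:space:]]*"?no'; then
        echo built-not-configured
        return 0
    fi
    echo exposed-config
}

# Constructed sample input: a rebuilt package with the option turned on,
# and a configuration that loads the module (the "no" line is commented out).
sample=$(mktemp -d)
printf 'Configure line: --prefix=/usr --enable-ipsecmod\n' > "$sample/build.txt"
cat > "$sample/unbound.conf" <<'EOF'
server:
    module-config: "ipsecmod validator iterator"
    # ipsecmod-enabled: no
EOF
ipsecmod_status "$sample/build.txt" "$sample/unbound.conf"
rm -rf "$sample"
```

A build without the option reports `not-built`, which is the case Comment 1 describes for the stock Mageia package.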

Thomas Backlund 2019-11-20 23:30:49 CET

Whiteboard: MGA7TOO => (none)
CC: (none) => tmb
Version: Cauldron => 7

Comment 2 Len Lawrence 2019-11-21 00:41:47 CET
Mageia 7, x86_64

All packages updated cleanly.
# systemctl start unbound
# systemctl status unbound
● unbound.service - Unbound DNS Resolver
   Loaded: loaded (/usr/lib/systemd/system/unbound.service; disabled; vendor pr>
   Active: active (running) since Wed 2019-11-20 23:38:28 GMT; 14s ago
 Main PID: 4521 (unbound)
   Memory: 5.7M
   CGroup: /system.slice/unbound.service
           └─4521 /usr/sbin/unbound -c /etc/unbound/unbound.conf

Nov 20 23:38:28 difda systemd[1]: Started Unbound DNS Resolver.
[...]

If that is all that is required then this is good to go.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 3 Thomas Andrews 2019-11-22 16:19:03 CET
Guess so, Len. Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2019-11-30 12:26:41 CET

Keywords: (none) => advisory

Comment 4 Mageia Robot 2019-11-30 14:07:49 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0344.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 5 David Walser 2021-05-28 21:23:11 CEST
CVE-2019-25031 and CVE-2019-25037 were also fixed by this update:
https://ubuntu.com/security/notices/USN-4938-1

Summary: unbound new security issue CVE-2019-18934 => unbound new security issues CVE-2019-18934 and CVE-2019-2503[17]

Comment 6 David Walser 2022-01-25 23:31:07 CET
CVE-2019-25033 was also fixed in this update:
https://lists.suse.com/pipermail/sle-security-updates/2022-January/010064.html
https://bugzilla.suse.com/show_bug.cgi?id=1185384

Summary: unbound new security issues CVE-2019-18934 and CVE-2019-2503[17] => unbound new security issues CVE-2019-18934 and CVE-2019-2503[137]
