An advisory has been issued on November 19:
https://nlnetlabs.nl/downloads/unbound/CVE-2019-18934.txt

The issue is fixed upstream in 1.9.5.

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 1.9.5
This security issue does not concern us, we do not compile the package with the options allowing the breach. Only users recompiling their Mageia package by tweaking the options could be concerned.

Since this is minimal work anyway, I have uploaded the fixed version 1.9.5 for mga 7 in updates_testing (cauldron also updated).

You can test if the unbound service runs fine with (as root):

    systemctl start unbound
    systemctl status unbound

should return a green "active (running)".

Suggested advisory:
========================

Updated unbound package to version 1.9.5 to fix a potential security vulnerability. In case users recompiled the Mageia package with `--enable-ipsecmod`, and ipsecmod is enabled and used in the configuration, shell code execution would end up being possible after receiving a specially crafted answer.

References:
https://nlnetlabs.nl/downloads/unbound/CVE-2019-18934.txt
========================

Updated packages in core/updates_testing:
========================
lib(64)unbound8-1.9.5-1.mga7
lib(64)unbound-devel-1.9.5-1.mga7
unbound-1.9.5-1.mga7
python2-unbound-1.9.5-1.mga7
python3-unbound-1.9.5-1.mga7

Source RPMs:
unbound-1.9.5-1.mga7.src.rpm
Assignee: eatdirt => qa-bugs
Whiteboard: MGA7TOO => (none)
CC: (none) => tmb
Version: Cauldron => 7
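
The exposure conditions stated in the suggested advisory above, written as a shell check (an added example, not part of the bug report or of the Unbound project). It assumes "enabled and used in the configuration" corresponds to the unbound.conf options `module-config`, `ipsecmod-enabled` and `ipsecmod-hook`; the function names, the build-option string and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks the preconditions for CVE-2019-18934 exposure.
# Assumption: "enabled and used" means module-config lists ipsecmod,
# ipsecmod-enabled is not "no" (it defaults to yes) and ipsecmod-hook is set.
# Limitation: include: directives are not followed.

# Print the last value set for option $1 in unbound.conf-style file $2.
conf_value() {
    sed -e 's/#.*$//' "$2" |
        sed -n -e "s/^[[:space:]]*$1:[[:space:]]*//p" |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' |
        tail -n 1
}

# $1 = configure options the binary was built with (for example the
#      configure line from the package spec file), $2 = unbound.conf path.
# Returns 0 when every precondition holds, 1 otherwise.
ipsecmod_exposed() {
    case "$1" in
        *--enable-ipsecmod*) ;;
        *) return 1 ;;
    esac
    case " $(conf_value module-config "$2") " in
        *" ipsecmod "*) ;;
        *) return 1 ;;
    esac
    [ "$(conf_value ipsecmod-enabled "$2")" != "no" ] || return 1
    [ -n "$(conf_value ipsecmod-hook "$2")" ] || return 1
    return 0
}

# Constructed sample configuration (not taken from any real host).
sample_conf() {
    cat <<'EOF'
server:
    module-config: "ipsecmod validator iterator"  # ipsecmod loaded
    ipsecmod-enabled: yes
    ipsecmod-hook: "/usr/local/libexec/ipsec-hook.sh"
EOF
}

conf=$(mktemp)
sample_conf > "$conf"
if ipsecmod_exposed "--enable-ipsecmod --with-libevent" "$conf"; then
    echo "preconditions met: update to 1.9.5"
else
    echo "preconditions not met"
fi
rm -f "$conf"
```
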
Mageia 7, x86_64

All packages updated cleanly.

    # systemctl start unbound
    # systemctl status unbound
    ● unbound.service - Unbound DNS Resolver
       Loaded: loaded (/usr/lib/systemd/system/unbound.service; disabled; vendor pr>
       Active: active (running) since Wed 2019-11-20 23:38:28 GMT; 14s ago
     Main PID: 4521 (unbound)
       Memory: 5.7M
       CGroup: /system.slice/unbound.service
               └─4521 /usr/sbin/unbound -c /etc/unbound/unbound.conf

    Nov 20 23:38:28 difda systemd[1]: Started Unbound DNS Resolver.
    [...]

If that is all that is required then this is good to go.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
Guess so, Len. Validating. Advisory in Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0344.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
CVE-2019-25031 and CVE-2019-25037 were also fixed by this update: https://ubuntu.com/security/notices/USN-4938-1
Summary: unbound new security issue CVE-2019-18934 => unbound new security issues CVE-2019-18934 and CVE-2019-2503[17]
CVE-2019-25033 was also fixed in this update:
https://lists.suse.com/pipermail/sle-security-updates/2022-January/010064.html
https://bugzilla.suse.com/show_bug.cgi?id=1185384
Summary: unbound new security issues CVE-2019-18934 and CVE-2019-2503[17] => unbound new security issues CVE-2019-18934 and CVE-2019-2503[137]