Bug 28447 - unbound new security issue CVE-2020-28935
Summary: unbound new security issue CVE-2020-28935
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-02-26 17:18 CET by David Walser
Modified: 2021-03-29 22:32 CEST
CC List: 7 users

See Also:
Source RPM: unbound-1.10.1-1.mga7.src.rpm
CVE: CVE-2020-28935
Status comment:



Description David Walser 2021-02-26 17:18:21 CET
Debian-LTS has issued an advisory on February 12:
https://www.debian.org/lts/security/2021/dla-2556

The issue is fixed upstream in 1.13.0:
https://www.nlnetlabs.nl/downloads/nsd/CVE-2020-28935.txt
David Walser 2021-02-26 17:18:37 CET

Status comment: (none) => Patch available from upstream and Debian

Comment 1 Nicolas Lécureuil 2021-03-09 22:20:54 CET
fixed in mga7:

src:
    - unbound-1.10.1-1.1.mga7

CC: (none) => mageia
Assignee: eatdirt => qa-bugs
Status comment: Patch available from upstream and Debian => (none)

Comment 2 David Walser 2021-03-10 00:37:21 CET
Advisory:
========================

Updated unbound packages fix security vulnerability:

Unbound contains a local vulnerability that would allow for a local symlink
attack. When writing the PID file Unbound creates the file if it is not there,
or opens an existing file for writing. In case the file was already present, it
would follow symlinks if the file happened to be a symlink instead of a regular
file (CVE-2020-28935).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28935
https://www.debian.org/lts/security/2021/dla-2556
========================

Updated packages in core/updates_testing:
========================
unbound-1.10.1-1.1.mga7
libunbound8-1.10.1-1.1.mga7
libunbound-devel-1.10.1-1.1.mga7
python2-unbound-1.10.1-1.1.mga7
python3-unbound-1.10.1-1.1.mga7

from unbound-1.10.1-1.1.mga7.src.rpm
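As an added illustration of the mitigation the advisory describes (example code written for this page, not Unbound's own fix): a PID-file writer that refuses to dereference a symlink at the target path and checks the object it actually opened before writing. The default path in main() is a constructed demo location.

```c
/* Added example, not Unbound's code: write a PID file without dereferencing
 * a symlink planted at the target path (the bug class of CVE-2020-28935).
 * Returns 0 on success, -1 on refusal or error. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* expose O_NOFOLLOW / O_CLOEXEC on glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

int write_pidfile_safely(const char *path, pid_t pid)
{
    /* A plain fopen(path, "w") follows a symlink at path and truncates
     * whatever it points to. O_NOFOLLOW makes open() fail (ELOOP) instead,
     * and O_TRUNC is deliberately omitted so a refused target is untouched. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0)
        return -1;

    /* Check the object we actually opened: a regular file with a single
     * link, so a hard link into another file is refused as well. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }

    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    if (ftruncate(fd, 0) != 0 || write(fd, buf, (size_t)n) != n) {
        close(fd);
        return -1;
    }
    return close(fd);
}

int main(int argc, char **argv)
{
    /* Stand-alone use: write our own PID to argv[1] (default: constructed demo path). */
    const char *path = argc > 1 ? argv[1] : "./unbound.pid";
    if (write_pidfile_safely(path, getpid()) != 0) {
        perror("pidfile refused");
        return 1;
    }
    printf("wrote pid %ld to %s\n", (long)getpid(), path);
    return 0;
}
```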
Comment 3 Chris Denice 2021-03-10 13:54:15 CET
Thank you David for the update, and sorry, I've been quite busy lately and am only now reading all my bugfix requests :-/

CC: (none) => eatdirt

Comment 4 Herman Viaene 2021-03-23 11:19:27 CET
MGA7-64 MATE on PeaqC1011
No installation issues
Ref bug 26646 Comment 3
# systemctl start unbound

# systemctl -l status unbound
● unbound.service - Unbound DNS Resolver
   Loaded: loaded (/usr/lib/systemd/system/unbound.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-03-23 11:15:47 CET; 14s ago
 Main PID: 31354 (unbound)
    Tasks: 1 (limit: 2285)
   Memory: 7.4M
   CGroup: /system.slice/unbound.service
           └─31354 /usr/sbin/unbound -c /etc/unbound/unbound.conf

Mar 23 11:15:47 mach7.hviaene.thuis systemd[1]: Started Unbound DNS Resolver.
Mar 23 11:15:47 mach7.hviaene.thuis unbound[31354]: [31354:0] notice: init module 0: validator
Mar 23 11:15:47 mach7.hviaene.thuis unbound[31354]: [31354:0] notice: init module 1: iterator
Mar 23 11:15:47 mach7.hviaene.thuis unbound[31354]: [31354:0] info: start of service (unbound 1.10.1).
 OK

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 5 Thomas Andrews 2021-03-23 19:05:24 CET
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Aurelien Oudelet 2021-03-25 14:57:06 CET

CVE: (none) => CVE-2020-28935
CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-03-27 15:28:36 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0154.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 7 rexy 2021-03-28 17:02:22 CEST
Hi,
Is it possible to preserve the systemd unit file when updating this RPM (also in Mga8)?
In your .spec : %config(noreplace) for /lib/systemd/system/unbound.service

CC: (none) => richard

Comment 8 Chris Denice 2021-03-28 18:04:51 CEST
I am not really in favour of this but I do not know our policy about systemd configuration files.

However, if there is a bug in it, you should open an independent bug report and I'll be happy to fix it of course!
Comment 9 Aurelien Oudelet 2021-03-28 19:28:14 CEST
(In reply to rexy from comment #7)
> Hi,
> Is it possible to preserve the systemd unit file when updating this RPM
> (also in Mga8)?
> In your .spec : %config(noreplace) for /lib/systemd/system/unbound.service

All that is in /lib/systemd/system should always have best default values, generally according to upstream documentation.

But /etc/systemd/system/unbound.service MUST contain YOUR personalization, your own settings, and always takes precedence over the unit in /lib/systemd/system.

So no, we CAN'T have in our .spec: %config(noreplace) for /lib/systemd/system/unbound.service

It is how systemd runs. Best default settings (and, if any, newer ones) in /lib/systemd/system; YOUR modifications in /etc/systemd/system.
Comment 10 David Walser 2021-03-29 02:15:04 CEST
You can also put a .conf file in /etc/systemd/system/unbound.service.d/ to override parts of the service file, rather than the whole thing.
Comment 11 rexy 2021-03-29 22:32:12 CEST
OK, thanks a lot for these clear explanations about systemd custom files.
