Bug 30876 - unbound new security issue CVE-2022-3204
Summary: unbound new security issue CVE-2022-3204
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2022-09-21 17:36 CEST by David Walser
Modified: 2022-10-08 22:23 CEST (History)

See Also:
Source RPM: unbound-1.16.2-1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2022-09-21 17:36:10 CEST
Upstream has issued an advisory today (September 21):
https://nlnetlabs.nl/downloads/unbound/CVE-2022-3204.txt

The issue is fixed upstream in 1.16.3:
https://github.com/NLnetLabs/unbound/releases/tag/release-1.16.3

Mageia 8 is also affected.
David Walser 2022-09-21 17:36:43 CEST

Severity: normal => major
Status comment: (none) => Fixed upstream in 1.16.3
Assignee: bugsquad => eatdirt
Whiteboard: (none) => MGA8TOO
CC: (none) => chb0

Comment 1 christian barranco 2022-09-25 14:29:57 CEST
Hi. @eatdirt, are you on it or do you want me to help?
Comment 2 David Walser 2022-09-27 14:21:37 CEST
Fedora has issued an advisory for this today (September 27):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3G2HS6CYPSIGAKO6QLEZPG3RD6AMPB7B/
Comment 3 christian barranco 2022-09-27 15:45:35 CEST
Hi. As it is a security fix, I took it on me to push it. Hope it is ok with you, Chris.

ADVISORY NOTICE PROPOSAL
========================
Updated unbound packages fix security vulnerabilities
Description
Update to version 1.16.3 fixes CVE-2022-3204 Non-Responsive Delegation Attack.
It was reported by Yehuda Afek from Tel-Aviv University and Anat Bremler-Barr and Shani Stajnrod from Reichman University.

This fix gives better performance when under load, by cutting promiscuous queries for nameserver discovery and limiting the number of times a delegation point can look in the cache for missing records.

References
https://bugs.mageia.org/show_bug.cgi?id=30876
https://github.com/NLnetLabs/unbound/releases/tag/release-1.16.3
SRPMS
8/core
unbound-1.16.3-1.mga8.src.rpm
PROVIDED PACKAGES:

lib64unbound8-1.16.3-1.mga8
lib64unbound-devel-1.16.3-1.mga8
unbound-1.16.3-1.mga8
python3-unbound-1.16.3-1.mga8
PACKAGES FOR QA TESTING
=======================
x86_64:

lib64unbound8-1.16.3-1.mga8.x86_64.rpm
lib64unbound-devel-1.16.3-1.mga8.x86_64.rpm
unbound-1.16.3-1.mga8.x86_64.rpm
python3-unbound-1.16.3-1.mga8.x86_64.rpm
i586:

lib64unbound8-1.16.3-1.mga8.i586.rpm
lib64unbound-devel-1.16.3-1.mga8.i586.rpm
unbound-1.16.3-1.mga8.i586.rpm
python3-unbound-1.16.3-1.mga8.i586.rpm
Comment 4 christian barranco 2022-09-27 16:00:16 CEST
Ready for QA

Assignee: eatdirt => qa-bugs
Version: Cauldron => 8
CC: (none) => sysadmin-bugs

christian barranco 2022-09-27 16:01:15 CEST

Version: 8 => Cauldron

Thomas Backlund 2022-09-27 16:08:20 CEST

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 5 christian barranco 2022-09-27 16:16:08 CEST
Test done on Plasma x86_64 desktop PC
Update with QArepo = OK

Reboot

Unbound service still active:

$ systemctl status unbound
● unbound.service - Unbound DNS Resolver
     Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; vendor preset: disabled)
     Active: active (running) since Tue 2022-09-27 16:11:52 CEST; 39s ago
   Main PID: 1237 (unbound)
      Tasks: 4 (limit: 38383)
     Memory: 21.4M
        CPU: 32ms
     CGroup: /system.slice/unbound.service
             └─1237 /usr/sbin/unbound -c /etc/unbound/unbound.conf

sept. 27 16:11:52 cbct-desk systemd[1]: Started Unbound DNS Resolver.
sept. 27 16:11:52 cbct-desk unbound[1237]: [1237:0] notice: init module 0: validator
sept. 27 16:11:52 cbct-desk unbound[1237]: [1237:0] notice: init module 1: iterator
sept. 27 16:11:52 cbct-desk unbound[1237]: [1237:0] info: start of service (unbound 1.16.3).
sept. 27 16:11:56 cbct-desk unbound[1237]: [1237:0] info: generate keytag query _ta-4f66. NULL IN
Query of mageia.org shows my localhost resolver is used:

$ dig mageia.org

; <<>> DiG 9.11.37Mageia-1.mga8 <<>> mageia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40707
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mageia.org.                    IN      A

;; ANSWER SECTION:
mageia.org.             1800    IN      A       163.172.148.228

;; Query time: 128 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: mar. sept. 27 16:13:03 CEST 2022
;; MSG SIZE  rcvd: 55
2nd query shows a query time of 0 msec, meaning the previous query result was cached:

$ dig mageia.org

; <<>> DiG 9.11.37Mageia-1.mga8 <<>> mageia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4052
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mageia.org.                    IN      A

;; ANSWER SECTION:
mageia.org.             1794    IN      A       163.172.148.228

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: mar. sept. 27 16:13:09 CEST 2022
;; MSG SIZE  rcvd: 55
OK for me
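The QA checks above (fixed version running, answers served by the local resolver, second query a cache hit) can be applied mechanically to the captured output. This is an added example, not part of the bug report or the Mageia packaging; it parses trimmed copies of the dig answers and journal line quoted in comment 5, and the two-second TTL slack is an assumption.

```python
import re

# Constructed sample input: the relevant lines of the two dig answers and the journal line
# quoted in comment 5 (the full outputs are trimmed to what the checks need).
FIRST_DIG = """\
mageia.org.             1800    IN      A       163.172.148.228
;; Query time: 128 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: mar. sept. 27 16:13:03 CEST 2022
"""
SECOND_DIG = """\
mageia.org.             1794    IN      A       163.172.148.228
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: mar. sept. 27 16:13:09 CEST 2022
"""
JOURNAL_LINE = "unbound[1237]: [1237:0] info: start of service (unbound 1.16.3)."
FIXED_VERSION = (1, 16, 3)  # first upstream release carrying the CVE-2022-3204 fix


def parse_dig(output):
    """Pull TTL, query time, server address and wall-clock seconds out of dig output."""
    ttl = int(re.search(r"^\S+\s+(\d+)\s+IN\s+A\s", output, re.M).group(1))
    qtime = int(re.search(r"Query time: (\d+) msec", output).group(1))
    server = re.search(r"SERVER: ([^#\s]+)#", output).group(1)
    h, m, s = map(int, re.search(r"WHEN: .*?(\d\d):(\d\d):(\d\d)", output).groups())
    return {"ttl": ttl, "qtime_ms": qtime, "server": server, "secs": h * 3600 + m * 60 + s}


def served_from_local_cache(first, second, slack=2):
    """True when both answers came from 127.0.0.1 and the second was a cache hit:
    query time dropped to 0 and the TTL aged by (about) the seconds elapsed between
    the two queries (slack is an assumed tolerance for clock granularity)."""
    a, b = parse_dig(first), parse_dig(second)
    if a["server"] != "127.0.0.1" or b["server"] != "127.0.0.1":
        return False
    elapsed = b["secs"] - a["secs"]
    ttl_drop = a["ttl"] - b["ttl"]
    return b["qtime_ms"] == 0 and ttl_drop >= 0 and abs(ttl_drop - elapsed) <= slack


def running_version(journal_line):
    """Version tuple from unbound's 'start of service' journal line, or None."""
    m = re.search(r"start of service \(unbound (\d+)\.(\d+)\.(\d+)\)", journal_line)
    return tuple(int(x) for x in m.groups()) if m else None


def is_fixed(journal_line):
    """True when the logged version is at least the first fixed release."""
    v = running_version(journal_line)
    return v is not None and v >= FIXED_VERSION
```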
Comment 6 David Walser 2022-09-27 16:44:20 CEST
Thanks Christian.  Make sure you clear the status comment when assigning to QA.

Status comment: Fixed upstream in 1.16.3 => (none)

Comment 7 christian barranco 2022-09-27 17:05:05 CEST
(In reply to David Walser from comment #6)
> Thanks Christian.  Make sure you clear the status comment when assigning to
> QA.

Ok. I learned something today. Thanks!
Comment 8 Chris Denice 2022-10-04 15:46:23 CEST
Thank you!

CC: (none) => eatdirt

Comment 9 christian barranco 2022-10-07 20:50:39 CEST
Hi
I think it is enough for x86 test. I don't think i586 would add a lot more.
What else is required to push the update?

Whiteboard: (none) => MGA8-64-OK

Comment 10 Thomas Andrews 2022-10-08 02:40:00 CEST
It really should have a test by someone other than the packager, at least for a clean install, just to be extra sure no missing dependencies have crept in. I have done this in a VirtualBox guest, and have started the service and checked the status. No obvious errors.

Now the update has to be validated, which I'm doing here, and someone with the proper credentials will need to upload the advisory to SVN, before it can be pushed.

Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm

Dave Hodgins 2022-10-08 19:39:19 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 11 Mageia Robot 2022-10-08 22:23:49 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0361.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED