Upstream has issued an advisory today (September 21): https://nlnetlabs.nl/downloads/unbound/CVE-2022-3204.txt The issue is fixed upstream in 1.16.3: https://github.com/NLnetLabs/unbound/releases/tag/release-1.16.3 Mageia 8 is also affected.
Severity: normal => major
Status comment: (none) => Fixed upstream in 1.16.3
Assignee: bugsquad => eatdirt
Whiteboard: (none) => MGA8TOO
CC: (none) => chb0
Hi. @eatdirt, are you on it or do you want me to help?
Fedora has issued an advisory for this today (September 27): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3G2HS6CYPSIGAKO6QLEZPG3RD6AMPB7B/
Hi. As it is a security fix, I took it upon me to push it. Hope it is ok with you, Chris.

ADVISORY NOTICE PROPOSAL
========================

Updated unbound packages fix security vulnerabilities

Description

Update to version 1.16.3 fixes CVE-2022-3204, Non-Responsive Delegation Attack. It was reported by Yehuda Afek from Tel-Aviv University and Anat Bremler-Barr and Shani Stajnrod from Reichman University. The fix gives better performance when under load, by cutting promiscuous queries for nameserver discovery and limiting the number of times a delegation point can look in the cache for missing records.

References
https://bugs.mageia.org/show_bug.cgi?id=30876
https://github.com/NLnetLabs/unbound/releases/tag/release-1.16.3

SRPMS
8/core
unbound-1.16.3-1.mga8.src.rpm

PROVIDED PACKAGES:
lib64unbound8-1.16.3-1.mga8
lib64unbound-devel-1.16.3-1.mga8
unbound-1.16.3-1.mga8
python3-unbound-1.16.3-1.mga8

PACKAGES FOR QA TESTING
=======================
x86_64:
lib64unbound8-1.16.3-1.mga8.x86_64.rpm
lib64unbound-devel-1.16.3-1.mga8.x86_64.rpm
unbound-1.16.3-1.mga8.x86_64.rpm
python3-unbound-1.16.3-1.mga8.x86_64.rpm

i586:
lib64unbound8-1.16.3-1.mga8.i586.rpm
lib64unbound-devel-1.16.3-1.mga8.i586.rpm
unbound-1.16.3-1.mga8.i586.rpm
python3-unbound-1.16.3-1.mga8.i586.rpm
Ready for QA
Assignee: eatdirt => qa-bugs
Version: Cauldron => 8
CC: (none) => sysadmin-bugs
Version: 8 => Cauldron
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Test done on Plasma x86_64 desktop PC

Update with QArepo = OK

Reboot

Unbound service still active:

$ systemctl status unbound
● unbound.service - Unbound DNS Resolver
     Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; vendor preset: disabled)
     Active: active (running) since Tue 2022-09-27 16:11:52 CEST; 39s ago
   Main PID: 1237 (unbound)
      Tasks: 4 (limit: 38383)
     Memory: 21.4M
        CPU: 32ms
     CGroup: /system.slice/unbound.service
             └─1237 /usr/sbin/unbound -c /etc/unbound/unbound.conf

sept. 27 16:11:52 cbct-desk systemd[1]: Started Unbound DNS Resolver.
sept. 27 16:11:52 cbct-desk unbound[1237]: [1237:0] notice: init module 0: validator
sept. 27 16:11:52 cbct-desk unbound[1237]: [1237:0] notice: init module 1: iterator
sept. 27 16:11:52 cbct-desk unbound[1237]: [1237:0] info: start of service (unbound 1.16.3).
sept. 27 16:11:56 cbct-desk unbound[1237]: [1237:0] info: generate keytag query _ta-4f66. NULL IN

Query of mageia.org shows my localhost resolver is used:

$ dig mageia.org

; <<>> DiG 9.11.37Mageia-1.mga8 <<>> mageia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40707
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mageia.org.                    IN      A

;; ANSWER SECTION:
mageia.org.             1800    IN      A       163.172.148.228

;; Query time: 128 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: mar. sept. 27 16:13:03 CEST 2022
;; MSG SIZE  rcvd: 55

2nd query shows a query time of 0 msec, meaning the previous query result was cached:

$ dig mageia.org

; <<>> DiG 9.11.37Mageia-1.mga8 <<>> mageia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4052
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mageia.org.                    IN      A

;; ANSWER SECTION:
mageia.org.             1794    IN      A       163.172.148.228

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: mar. sept. 27 16:13:09 CEST 2022
;; MSG SIZE  rcvd: 55

OK for me
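The two checks made by hand in the test above (the service log shows the fixed unbound version, and a repeated lookup is answered by the 127.0.0.1 resolver from its cache) can be scripted. The helper below is an added example written for this page; it is not part of the Mageia bug report, the QA procedure or unbound itself. It reads the version from the "start of service (unbound X.Y.Z)" log line and, instead of the 0 msec query time, uses the fact that a cached answer's TTL has counted down (1794 after 1800) where a fresh upstream lookup would return the full TTL again. The sample log and dig outputs embedded in it are constructed, shaped like the output in the comment; the function names are this example's own.

```shell
#!/bin/sh
# Added QA helper (example code, not from the bug report or from unbound).
# Checks on pasted output:
#   1. the running unbound is at least FIXED_VERSION, taken from the
#      "start of service (unbound X.Y.Z)" line of the service log;
#   2. two consecutive dig answers came from 127.0.0.1 and the second
#      one's TTL is lower than the first, i.e. it was served from cache.

FIXED_VERSION="1.16.3"

# Print the version from a "start of service (unbound 1.16.3)." log line.
unbound_version() {
    sed -n 's/.*start of service (unbound \([0-9.]*\)).*/\1/p' | head -n 1
}

# Return 0 when $1 >= $2 in version order (needs sort -V, GNU or busybox).
version_ge() {
    [ -n "$1" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Resolver address from the ";; SERVER: 127.0.0.1#53(127.0.0.1)" line.
dig_server() {
    sed -n 's/^;; SERVER: \([0-9.]*\)#.*/\1/p' | head -n 1
}

# TTL of the first A record in the ANSWER SECTION; the ";name IN A"
# question line starts with ';' and is skipped.
dig_answer_ttl() {
    awk '$1 !~ /^;/ && $3 == "IN" && $4 == "A" { print $2; exit }'
}

# Verdict for one service log and two consecutive dig outputs:
#   0 = version fixed and second answer served from the local cache
#   1 = unbound older than FIXED_VERSION (or version line not found)
#   2 = answers not from 127.0.0.1, or TTL did not count down (not cached)
qa_verdict() {
    status="$1"; first="$2"; second="$3"
    version_ge "$(printf '%s\n' "$status" | unbound_version)" "$FIXED_VERSION" || return 1
    [ "$(printf '%s\n' "$first" | dig_server)" = "127.0.0.1" ] || return 2
    [ "$(printf '%s\n' "$second" | dig_server)" = "127.0.0.1" ] || return 2
    ttl1=$(printf '%s\n' "$first" | dig_answer_ttl)
    ttl2=$(printf '%s\n' "$second" | dig_answer_ttl)
    [ -n "$ttl1" ] && [ -n "$ttl2" ] || return 2
    [ "$ttl2" -lt "$ttl1" ] || return 2
}

# Constructed sample input, shaped like the journal and dig output in the comment.
SAMPLE_STATUS='Sep 27 16:11:52 host unbound[1237]: [1237:0] notice: init module 1: iterator
Sep 27 16:11:52 host unbound[1237]: [1237:0] info: start of service (unbound 1.16.3).'
OLD_STATUS='Sep 27 16:11:52 host unbound[1237]: [1237:0] info: start of service (unbound 1.16.2).'

SAMPLE_DIG1=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40707
;; QUESTION SECTION:
;mageia.org.                    IN      A
;; ANSWER SECTION:
mageia.org.             1800    IN      A       163.172.148.228
;; Query time: 128 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

SAMPLE_DIG2=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4052
;; QUESTION SECTION:
;mageia.org.                    IN      A
;; ANSWER SECTION:
mageia.org.             1794    IN      A       163.172.148.228
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

if qa_verdict "$SAMPLE_STATUS" "$SAMPLE_DIG1" "$SAMPLE_DIG2"; then
    echo "OK: unbound >= $FIXED_VERSION and second lookup was served from cache"
else
    echo "FAIL: qa_verdict returned $?"
fi
```

On a live Mageia 8 host the same functions take real output, e.g. `qa_verdict "$(journalctl -u unbound --no-pager)" "$(dig mageia.org)" "$(dig mageia.org)"`; the TTL comparison is used rather than "Query time: 0 msec" because the timing can also be near zero for a fast upstream, while a TTL below the authoritative value can only come from the resolver's cache.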
Thanks Christian. Make sure you clear the status comment when assigning to QA.
Status comment: Fixed upstream in 1.16.3 => (none)
(In reply to David Walser from comment #6)
> Thanks Christian. Make sure you clear the status comment when assigning to
> QA.

Ok. I learned something today. Thanks!
Thank you!
CC: (none) => eatdirt
Hi, I think it is enough for the x86 test. I don't think i586 would add a lot more. What else is required to push the update?
Whiteboard: (none) => MGA8-64-OK
It really should have a test by someone other than the packager, at least for a clean install, just to be extra sure no missing dependencies have crept in. I have done this in a VirtualBox guest, and have started the service and checked the status. No obvious errors. Now the update has to be validated, which I'm doing here, and someone with the proper credentials will need to upload the advisory to SVN, before it can be pushed. Validating. Advisory in Comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0361.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED