Bug 33621 - unbound new security issue CVE-2024-8508
Summary: unbound new security issue CVE-2024-8508
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-10-08 13:38 CEST by Nicolas Salguero
Modified: 2024-10-16 03:32 CEST

See Also:
Source RPM: unbound-1.21.0-1.mga9.src.rpm
CVE: CVE-2024-8508
Status comment:


Nicolas Salguero 2024-10-08 13:39:14 CEST

CVE: (none) => CVE-2024-8508
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 1.21.1
Source RPM: (none) => unbound-1.21.0-1.mga10.src.rpm, unbound-1.21.0-1.mga9.src.rpm

Comment 1 Lewis Smith 2024-10-12 22:02:11 CEST
Note "Fixed upstream in 1.21.1".

Assigning globally, but CC'ing ChrisD who has often dealt with this pkg, committing version 1.21.0.

CC: (none) => eatdirt
Assignee: bugsquad => pkg-bugs

Comment 2 Chris Denice 2024-10-14 10:44:30 CEST
Thank you (I am the maintainer, so I'll update it).

mgarepo maintdb get unbound

cheers,
chris.

Comment 3 Chris Denice 2024-10-15 15:07:55 CEST
Unbound package version 1.21.1 landing in update testing.

-------------


This update addresses the security vulnerability CVE-2024-8508, which could lead to denial of service.

Updated packages in core/updates_testing

lib64unbound8-1.21.1-1.mga9
python3-unbound-1.21.1-1.mga9
lib(64)unbound-devel-1.21.1-1.mga9
unbound-1.21.1-1.mga9

Assignee: pkg-bugs => qa-bugs

katnatek 2024-10-15 20:20:44 CEST

Status comment: Fixed upstream in 1.21.1 => (none)
Source RPM: unbound-1.21.0-1.mga10.src.rpm, unbound-1.21.0-1.mga9.src.rpm => unbound-1.21.0-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Keywords: (none) => advisory
Version: Cauldron => 9

Comment 4 katnatek 2024-10-15 20:45:37 CEST
RH x86_64

LC_ALL=C urpmi --auto --auto-update 
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Nonfree 32bit Updates (distrib37)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing lib64unbound8-1.21.1-1.mga9.x86_64.rpm python3-unbound-1.21.1-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: lib64unbound8         ##################################################################################################
      2/2: python3-unbound       ##################################################################################################
      1/2: removing python3-unbound-1.21.0-1.mga9.x86_64
                                 ##################################################################################################
      2/2: removing lib64unbound8-1.21.0-1.mga9.x86_64
                                 ##################################################################################################
writing /var/lib/rpm/installed-through-deps.list

LC_ALL=C urpmi unbound

installing unbound-1.21.1-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: unbound               ##################################################################################################
----------------------------------------------------------------------
More information on package unbound-1.21.1-1.mga9.x86_64
In case you install the dnscrypt-proxy package,
uncomment the indicated forward-zone block in /etc/unbound/unbound.conf
and set "do-not-query-localhost: no"

----------------------------------------------------------------------

Reference bug#32841 comment#6

systemctl start unbound
systemctl status unbound
● unbound.service - Unbound DNS Resolver
     Loaded: loaded (/usr/lib/systemd/system/unbound.service; disabled; preset: disabled)
     Active: active (running) since Tue 2024-10-15 12:43:02 CST; 20s ago
   Main PID: 73440 (unbound)
      Tasks: 1 (limit: 6880)
     Memory: 6.8M
        CPU: 57ms
     CGroup: /system.slice/unbound.service
             └─73440 /usr/sbin/unbound -c /etc/unbound/unbound.conf

oct 15 12:43:02 jgrey.phoenix systemd[1]: Started unbound.service.
oct 15 12:43:02 jgrey.phoenix unbound[73440]: [73440:0] notice: init module 0: validator
oct 15 12:43:02 jgrey.phoenix unbound[73440]: [73440:0] notice: init module 1: iterator
oct 15 12:43:02 jgrey.phoenix unbound[73440]: [73440:0] info: start of service (unbound 1.21.1).

dig mageia.org

; <<>> DiG 9.18.15 <<>> mageia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61659
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mageia.org.                    IN      A

;; ANSWER SECTION:
mageia.org.             1800    IN      A       163.172.148.228

;; Query time: 320 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Oct 15 12:43:51 CST 2024
;; MSG SIZE  rcvd: 55

Consistent with reference and previous round bug#33621 comment#3
Again can't test VPN part in reference

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 5 Thomas Andrews 2024-10-16 02:36:07 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2024-10-16 03:32:45 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0333.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

