Field | Value
---|---
Summary: | net-dns/unbound-1.9.5: IPSEC shell injection (CVE-2019-18934)
Product: | Gentoo Security
Reporter: | Hanno Böck <hanno>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | normal
CC: | mschiff, whissi
Priority: | Normal
Flags: | stable-bot: sanity-check+
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | https://www.x41-dsec.de/security/research/job/news/2019/11/19/unbound/
Whiteboard: | C2 [noglsa]
Package list: | net-dns/unbound-1.9.5
Runtime testing required: | ---
Description

Hanno Böck 2019-11-19 09:33:58 UTC

(In reply to Hanno Böck from comment #0)
> The gentoo ebuild enables the ipsec module, so we're affected by this issue.
> Generally I am wondering why this is enabled by default, it looks like a
> rather obscure feature.

We set --enable-ipsecmod but we don't enable it in configuration. To quote from the mentioned news article:

> This issue can _only_ be triggered when _all_ of the below conditions are met:
>
> - unbound was compiled with --enable-ipsecmod support, and
> - ipsecmod is enabled and used in the configuration (either in the configuration file or using unbound-control), and
> - a domain is part of the ipsecmod-whitelist (if ipsecmod-whitelist is used), and
> - unbound receives an A/AAAA query for a domain that has an A/AAAA record(s) and an IPSECKEY record(s) available.

ppc64 stable

ppc stable

amd64 stable

x86 stable

arm stable

GLSA Vote: No!

Repository is clean, all done.
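The distinction drawn in the thread (built with --enable-ipsecmod versus actually enabling ipsecmod in the configuration) is what decides whether a host is reachable by this bug. The script below is an added example, not code from the bug report, from Gentoo or from the Unbound project: it turns the advisory's host-side conditions into a classification. It assumes the option names from unbound.conf(5) (ipsecmod-enabled, ipsecmod-whitelist, under the server: clause) and that `unbound -V` prints a "Configure line:" containing the build flags. Inputs are passed as text so the logic runs offline; the sample configuration and version output below are constructed for the example and were not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the bug report or from Unbound).
# Classifies a host against the ipsecmod conditions quoted in the thread:
#   1. binary built with --enable-ipsecmod   (seen in `unbound -V`, "Configure line:")
#   2. ipsecmod-enabled: yes in the active configuration
#   3. ipsecmod-whitelist narrowing the domains in scope (if present)
# The DNS-side condition (an A/AAAA answer with an IPSECKEY record) is up to the
# queried zone and is not checked here.

# 0 (true) if the configure line contains --enable-ipsecmod.
built_with_ipsecmod() {
    printf '%s\n' "$1" | grep -q -- '--enable-ipsecmod'
}

# 0 (true) if an uncommented "ipsecmod-enabled: yes" appears in the config text.
ipsecmod_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ipsecmod-enabled:[[:space:]]*yes([[:space:]]|#|$)'
}

# Prints whitelisted domains, one per line; no output means all domains are in scope.
ipsecmod_whitelist() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*ipsecmod-whitelist:[[:space:]]*\([^[:space:]#]*\).*/\1/p'
}

# Prints one of: not-built | build-only | enabled-all | enabled-whitelist
ipsecmod_exposure() {
    _vers=$1
    _conf=$2
    if ! built_with_ipsecmod "$_vers"; then
        echo not-built
    elif ! ipsecmod_enabled "$_conf"; then
        echo build-only
    elif [ -z "$(ipsecmod_whitelist "$_conf")" ]; then
        echo enabled-all
    else
        echo enabled-whitelist
    fi
}

# Constructed sample of `unbound -V` output (assumption: real output has this shape).
BUILD_V='Version 1.9.5

Configure line: --prefix=/usr --enable-ipsecmod'

# Constructed config that never mentions ipsecmod, as the thread says Gentoo's default does.
DEFAULT_CONF='server:
    verbosity: 1
    interface: 127.0.0.1'

# Constructed config where an operator enabled the module for two domains.
WL_CONF='server:
    ipsecmod-enabled: yes
    ipsecmod-hook: "/usr/libexec/ipsecmod-hook"   # hypothetical path
    ipsecmod-whitelist: example.com
    ipsecmod-whitelist: example.net'

echo "default config:     $(ipsecmod_exposure "$BUILD_V" "$DEFAULT_CONF")"   # build-only
echo "whitelisted config: $(ipsecmod_exposure "$BUILD_V" "$WL_CONF")"        # enabled-whitelist
```

On a live host, replace the constructed strings with `"$(unbound -V)"` and the active configuration; `unbound-checkconf -o ipsecmod-enabled` prints the effective value after include: directives are resolved, which a plain text scan of one file can miss. "build-only" is the state the thread describes for the Gentoo package: the module is compiled in, so the fixed 1.9.5 is still worth taking, but the injection path is not reachable until ipsecmod-enabled is set.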