
Bug 702828

Summary: <net-dns/unbound-1.9.6: multiple vulnerabilities
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: mschiff, whissi
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.nlnetlabs.nl/news/2019/Dec/12/unbound-1.9.6-released/
Whiteboard: B3 [noglsa]
Package list:
net-dns/unbound-1.9.6
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2019-12-14 11:43:38 UTC
The company X41 has performed a security audit of unbound, initiated by OSTIF:
https://www.x41-dsec.de/security/research/job/news/2019/12/11/unbound/

The most severe findings were already fixed in unbound 1.9.4 and 1.9.5, but various less severe issues have only been fixed in 1.9.6, see:
https://www.nlnetlabs.nl/news/2019/Dec/12/unbound-1.9.6-released/
https://www.nlnetlabs.nl/projects/unbound/download/#unbound-1-9-6
Particularly it lists various out of bounds read/write errors.

Please bump to 1.9.6.
Comment 1 Larry the Git Cow gentoo-dev 2019-12-14 21:19:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b10ded20311823cf28570b97d85738da97149175

commit b10ded20311823cf28570b97d85738da97149175
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-12-14 21:15:11 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-12-14 21:19:01 +0000

    net-dns/unbound: bump to v1.9.6
    
    Bug: https://bugs.gentoo.org/702828
    Package-Manager: Portage-2.3.81, Repoman-2.3.20
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-dns/unbound/Manifest             |   1 +
 net-dns/unbound/unbound-1.9.6.ebuild | 183 +++++++++++++++++++++++++++++++++++
 2 files changed, 184 insertions(+)
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2019-12-14 22:11:52 UTC
x86 stable
Comment 3 Agostino Sarubbo gentoo-dev 2019-12-15 13:44:44 UTC
amd64 stable
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-12-24 15:07:12 UTC
arm stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-12-30 15:34:18 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-12-30 15:54:08 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-15 04:27:37 UTC
(In reply to Agostino Sarubbo from comment #6)
> ppc stable.
> 
> Maintainer(s), please cleanup.
> Security, please vote.

Vulnerable versions dropped in:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=345161cf1b211703ee86bed59e662fc79e475f09
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 04:58:09 UTC
GLSA Vote: No!

Repository is clean, all done!