Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 696298 (CVE-2019-16866) - <net-dns/unbound-1.9.4: crash via a crafted NOTIFY query (CVE-2019-16866)
Summary: <net-dns/unbound-1.9.4: crash via a crafted NOTIFY query (CVE-2019-16866)
Status: RESOLVED FIXED
Alias: CVE-2019-16866
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://nlnetlabs.nl/downloads/unboun...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-10-05 00:41 UTC by GLSAMaker/CVETool Bot
Modified: 2019-10-26 17:34 UTC (History)
2 users (show)

See Also:
Package list:
net-dns/unbound-1.9.4
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-10-05 00:41:21 UTC 
CVE-2019-16866 (https://nvd.nist.gov/vuln/detail/CVE-2019-16866):
  Unbound before 1.9.4 accesses uninitialized memory, which allows remote
  attackers to trigger a crash via a crafted NOTIFY query. The source IP
  address of the query must match an access-control rule.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-06 21:32:41 UTC 
x86 stable
Comment 2 Agostino Sarubbo gentoo-dev 2019-10-07 08:44:27 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2019-10-07 09:49:09 UTC 
ppc stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-10-07 10:39:13 UTC 
ppc64 stable
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-10-20 09:01:50 UTC 
arm stable
Comment 6 Larry the Git Cow gentoo-dev 2019-10-26 17:33:47 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=602ec466b60ab904eefc121ee87ef66ea6dc990e

commit 602ec466b60ab904eefc121ee87ef66ea6dc990e
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-26 17:33:39 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-26 17:33:39 +0000

    net-dns/unbound: security cleanup (#696298)
    
    Bug: https://bugs.gentoo.org/696298
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-dns/unbound/Manifest                |   4 -
 net-dns/unbound/unbound-1.9.0.ebuild    | 181 -------------------------------
 net-dns/unbound/unbound-1.9.1-r1.ebuild | 182 --------------------------------
 net-dns/unbound/unbound-1.9.1.ebuild    | 181 -------------------------------
 net-dns/unbound/unbound-1.9.2.ebuild    | 182 --------------------------------
 net-dns/unbound/unbound-1.9.3.ebuild    | 182 --------------------------------
 6 files changed, 912 deletions(-)
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 17:34:33 UTC 
GLSA Vote: NO!

Repository is clean, all done!