Unbound 1.20.0 has been released with a CVE fix plus some bugfixes.

Reproducible: Always
Created attachment 892605: ebuild unbound-1.20.0.ebuild test

I renamed unbound-1.19.3.ebuild to unbound-1.20.0.ebuild. It merges properly, and unbound itself runs ok. Attached is the 'ebuild unbound-1.20.0.ebuild test' log.
From the 1.20.0 release notes [0]:

"""
This release has a fix for the DNSBomb issue CVE-2024-33655. This has a low severity for Unbound, since it makes Unbound complicit in targeting others, but does not affect Unbound so much. To mitigate the issue new configuration options are introduced. The options discard-timeout: 1900, wait-limit: 1000 and wait-limit-cookie: 10000 are enabled by default. They limit the number of outstanding queries that a querier can have. This limits the reply pulse, and makes Unbound less favorable for the issue. With the config wait-limit-netblock and wait-limit-cookie-netblock the parameters can be fine tuned for specific destinations. More information on the attack and Unbound's mitigations is presented further down.

Other fixes in this release are that Unbound no longer follows symlinks when truncating the pidfile. Unbound also does not chown the pidfile, this is for safety reasons.
[...]
"""

[0] https://github.com/NLnetLabs/unbound/releases/tag/release-1.20.0
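The options quoted above only help if a local unbound.conf does not override them. The following is an added example, not part of this bug report or of Unbound itself: a small checker that reads the server: clause of an unbound.conf and reports any of the new options that are turned off or set looser than the 1.20.0 defaults. It assumes that a value of 0 disables the corresponding limit and that the netblock variants take the form "wait-limit-netblock: <netblock> <number>"; the sample config is constructed.

```python
import re

# Defaults quoted in the 1.20.0 release notes above.
DEFAULTS = {"discard-timeout": 1900, "wait-limit": 1000, "wait-limit-cookie": 10000}
NETBLOCK_KEYS = ("wait-limit-netblock", "wait-limit-cookie-netblock")  # assumed: "<key>: <netblock> <number>"
OPTION_RE = re.compile(r"^([a-z-]+):\s*(.+)$")

# Constructed sample config: the mitigation is weakened in three places.
SAMPLE_CONF = """\
server:
    wait-limit: 0              # limit turned off entirely (assumed meaning of 0)
    discard-timeout: 5000      # replies may be held far longer than the 1900 ms default
    wait-limit-netblock: 192.0.2.0/24 0
remote-control:
    control-enable: no
"""

def parse_server_options(text):
    """Collect the DNSBomb-related options from the server: clause only."""
    scalars, netblocks, in_server = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if line.endswith(":") and " " not in line:
            in_server = line == "server:"        # track which clause we are in
            continue
        m = OPTION_RE.match(line)
        if not (in_server and m):
            continue
        key, value = m.groups()
        if key in DEFAULTS:
            scalars[key] = int(value)
        elif key in NETBLOCK_KEYS:
            netblock, number = value.split()
            netblocks.append((key, netblock, int(number)))
    return scalars, netblocks

def audit(text):
    """Return findings where a limit is disabled (0, assumed) or looser than the default."""
    scalars, netblocks = parse_server_options(text)
    findings = []
    for key, default in DEFAULTS.items():
        value = scalars.get(key, default)        # unset option keeps the release default
        if value == 0:
            findings.append(f"{key}: 0 disables the limit")
        elif value > default:
            findings.append(f"{key}: {value} is looser than the default {default}")
    for key, netblock, number in netblocks:
        if number == 0:
            findings.append(f"{key}: limit disabled for {netblock}")
    return findings
```

Running audit(SAMPLE_CONF) reports the disabled wait-limit, the enlarged discard-timeout and the zeroed netblock entry; a config that leaves the options unset yields no findings.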
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ae0a71faadb2aa4ae9db4676df4a6d33b4134bff

commit ae0a71faadb2aa4ae9db4676df4a6d33b4134bff
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2024-05-10 20:57:00 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2024-05-10 20:57:00 +0000

    net-dns/unbound: add 1.20.0

    Bug: https://bugs.gentoo.org/931625
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 net-dns/unbound/Manifest              |   2 +
 net-dns/unbound/unbound-1.20.0.ebuild | 218 ++++++++++++++++++++++++++++++++++
 2 files changed, 220 insertions(+)