From Secunia security advisory at $URL:
1) A memory allocation error when processing certain RRs (Resource Records) can be exploited to cause a crash by sending signed duplicate redirecting RRs.
2) An error when processing certain responses for NSEC3-signed zones can be exploited to e.g. cause an assertion error or crash by sending specially crafted responses.
The vulnerabilities are reported in versions prior to 1.4.14.
Update to version 1.4.13p2 and 1.4.14 or apply patches.
I submitted unbound-1.4.13_p2.ebuild to matsuu@. Already in CVS, please mark stable =net-dns/unbound-1.4.13_p2.
Great, thank you.
Arches, please test and mark stable:
Target keywords : "amd64 x86"
validator/val_nsec3.c in Unbound before 1.4.13p2 does not properly perform
proof processing for NSEC3-signed zones, which allows remote DNS servers to
cause a denial of service (daemon crash) via a malformed response that lacks
expected NSEC3 records, a different vulnerability than CVE-2011-4528.
Unbound before 1.4.13p2 attempts to free unallocated memory during
processing of duplicate CNAME records in a signed zone, which allows remote
DNS servers to cause a denial of service (daemon crash) via a crafted
Thanks, folks. GLSA Vote: yes.
Vote: Yes. GLSA request added.
This issue was resolved and addressed in
GLSA 201311-18 at http://security.gentoo.org/glsa/glsa-201311-18.xml
by GLSA coordinator Sergey Popov (pinkbyte).