See https://www.x41-dsec.de/security/research/job/news/2019/11/19/unbound/ The gentoo ebuild enables the ipsec module, so we're affected this issue. Genereally I am wondering why this is enabled by default, it looks like a rather obscure feature. Fixes in 1.9.5: https://www.nlnetlabs.nl/news/2019/Nov/19/unbound-1.9.5-released/
(In reply to Hanno Böck from comment #0) > The gentoo ebuild enables the ipsec module, so we're affected this issue. > Genereally I am wondering why this is enabled by default, it looks like a > rather obscure feature. We set --enable-ipsecmod but we don't enable it in configuration. To quote from mentioned news article: > This issue can _only_ be triggered when _all_ of the below conditions are met: > > - unbound was compiled with --enable-ipsecmod support, and > - ipsecmod is enabled and used in the configuration (either in the configuration file or using unbound-control), and > - a domain is part of the ipsecmod-whitelist (if ipsecmod-whitelist is used), and > - unbound receives an A/AAAA query for a domain that has an A/AAAA record(s) and an IPSECKEY record(s) available.
ppc64 stable
ppc stable
amd64 stable
x86 stable
arm stable
GLSA Vote: No! Repository is clean, all done.