Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 866881 (CVE-2022-30698, CVE-2022-30699) - <net-dns/unbound-1.16.2: multiple vulnerabilities
Summary: <net-dns/unbound-1.16.2: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-30698, CVE-2022-30699
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+]
Keywords:
Depends on: CVE-2022-3204 877027
Blocks:
  Show dependency tree
 
Reported: 2022-08-27 01:29 UTC by John Helmert III
Modified: 2022-12-19 02:31 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-27 01:29:46 UTC 
CVE-2022-30698 (https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt):

NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation information for the subdomain that updates Unbound's delegation cache. This action can be repeated before expiry of the delegation information by querying Unbound for a second level subdomain which the rogue nameserver provides new delegation information. Since Unbound is a child-centric resolver, the ever-updating child delegation information can keep a rogue domain name resolvable long after revocation. From version 1.16.2 on, Unbound checks the validity of parent delegation records before using cached delegation information.

CVE-2022-30699 (https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt):

NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a rogue domain name when the cached delegation information is about to expire. The rogue nameserver delays the response so that the cached delegation information is expired. Upon receiving the delayed answer containing the delegation information, Unbound overwrites the now expired entries. This action can be repeated when the delegation information is about to expire making the rogue delegation information ever-updating. From version 1.16.2 on, Unbound stores the start time for a query and uses that to decide if the cached delegation information can be overwritten.

Please bump to unbound-1.16.2.
Comment 1 Larry the Git Cow gentoo-dev 2022-08-28 15:10:11 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c6bbd5b17f6b2c08088c2f50c16b048cdc9ec166

commit c6bbd5b17f6b2c08088c2f50c16b048cdc9ec166
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2022-08-28 15:09:30 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2022-08-28 15:10:03 +0000

    net-dns/unbound: add 1.16.2
    
    Bug: https://bugs.gentoo.org/866881
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 net-dns/unbound/Manifest              |   2 +
 net-dns/unbound/unbound-1.16.2.ebuild | 213 ++++++++++++++++++++++++++++++++++
 2 files changed, 215 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-28 15:12:33 UTC 
Thanks! Please stabilize when ready
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 20:50:36 UTC 
Please cleanup, thanks!
Comment 4 Larry the Git Cow gentoo-dev 2022-11-22 18:41:09 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be530e587fe23ead7b643f547a3d5e3be5623c32

commit be530e587fe23ead7b643f547a3d5e3be5623c32
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-11-22 18:38:32 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-22 18:40:57 +0000

    net-dns/unbound: drop 1.13.1-r3, 1.13.2-r1, 1.15.0, 1.16.0
    
    Bug: https://bugs.gentoo.org/872209
    Bug: https://bugs.gentoo.org/866881
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-dns/unbound/Manifest                 |   6 -
 net-dns/unbound/unbound-1.13.1-r3.ebuild | 208 ------------------------------
 net-dns/unbound/unbound-1.13.2-r1.ebuild | 210 ------------------------------
 net-dns/unbound/unbound-1.15.0.ebuild    | 213 -------------------------------
 net-dns/unbound/unbound-1.16.0.ebuild    | 213 -------------------------------
 5 files changed, 850 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 18:42:33 UTC 
GLSA request filed
Comment 6 Larry the Git Cow gentoo-dev 2022-12-19 02:05:13 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=a8c88ef24b83e97ad8e1c9188236da95c32f0fe7

commit a8c88ef24b83e97ad8e1c9188236da95c32f0fe7
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-12-19 02:00:45 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-19 02:04:28 +0000

    [ GLSA 202212-02 ] Unbound: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/866881
    Bug: https://bugs.gentoo.org/872209
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202212-02.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-19 02:31:27 UTC 
GLSA released, all done.