#14338: unbound-1.13.0
-------------------------+------------------------------
Reporter: bdubbs | Owner: pierre.labastie
Type: enhancement | Status: closed
Priority: normal | Milestone: 10.1
Component: BOOK | Version: SVN
Severity: normal | Resolution: fixed
Keywords: |
-------------------------+------------------------------
Comment (by renodr):
See [https://nlnetlabs.nl/projects/unbound/security-advisories/] :-)
{{{
Local symlink attack
Date: 2020-12-01
CVE: CVE-2020-28935
Credit: Mason Loring Bliss
Affects: Unbound up to and including version 1.12.0
Not affected: Other versions
Severity: Low
Impact: Denial of Service
Solution: Download patched version of Unbound, or apply the patch manually

Unbound when writing and later chown'ing the PID file would not check if
an existing file was a symlink. This is a local vulnerability that could
create a Denial of Service of the system Unbound is running on. It
requires an attacker having access to the limited permission user Unbound
runs as and point through the symlink to a critical file on the system.

Unbound 1.13.0 contains a patch. If you cannot upgrade you can also apply
the patch manually on versions 1.6.6 up until 1.12.0. To do this, apply
the patch on the Unbound source directory with
patch -p1 < patch_cve-2020-28935_unbound.diff
and then run make install to install Unbound.
}}}
--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/14338#comment:6>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
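
The advisory quoted above describes a PID file being written and chown'ed without a symlink check. As an added illustration (not Unbound's patch and not code from this ticket), here is a PID-file writer in C that refuses a symlink with O_NOFOLLOW and sets ownership through the open descriptor. The function name, the paths and the constructed symlink scenario in main() are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Unbound code): write `pid` to `path` and set its
 * owner without following a symlink at the final path component.
 * Returns 0 on success, -1 with errno set (ELOOP on Linux for a symlink). */
int write_pidfile_nofollow(const char *path, pid_t pid, uid_t uid, gid_t gid)
{
    char buf[32];
    struct stat st;
    int len, saved;
    /* O_NOFOLLOW: open() fails rather than resolving a planted symlink.
     * No O_TRUNC: nothing is modified until the file type is verified. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0) return -1;
    /* From here on use the descriptor, not the name, so the path cannot
     * be swapped between the check and the write/chown. */
    if (fstat(fd, &st) != 0) goto fail;
    if (!S_ISREG(st.st_mode)) { errno = EINVAL; goto fail; }
    len = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    if (ftruncate(fd, 0) != 0 || write(fd, buf, (size_t)len) != len) goto fail;
    if (fchown(fd, uid, gid) != 0) goto fail;   /* fchown, not chown(path) */
    return close(fd);
fail:
    saved = errno;
    close(fd);
    errno = saved;
    return -1;
}

int main(void)
{
    /* Constructed scenario: a symlink sits where the PID file should go. */
    char dir[] = "/tmp/pidfile-demo-XXXXXX", victim[64], pidfile[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(victim, sizeof victim, "%s/critical", dir);
    snprintf(pidfile, sizeof pidfile, "%s/unbound.pid", dir);
    close(open(victim, O_WRONLY | O_CREAT, 0600));
    if (symlink(victim, pidfile) != 0) return 1;
    int rc = write_pidfile_nofollow(pidfile, getpid(), (uid_t)-1, (gid_t)-1);
    printf("rc=%d (%s)\n", rc, rc ? strerror(errno) : "written");
    return rc == -1 ? 0 : 1;
}
```

Passing (uid_t)-1 and (gid_t)-1 leaves ownership unchanged, which lets the demo run without privileges.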