#14338: unbound-1.13.0 (with a security fix)
-------------------------+------------------------------
Reporter: bdubbs | Owner: pierre.labastie
Type: enhancement | Status: closed
Priority: high | Milestone: 10.1
Component: BOOK | Version: SVN
Severity: normal | Resolution: fixed
Keywords: |
-------------------------+------------------------------
Changes (by pierre.labastie):
* priority: normal => high
Comment:
Here is the security advisory (thanks to Douglas for giving me the link):
{{{
Local symlink attack
Date: 2020-12-01
CVE: CVE-2020-28935
Credit: Mason Loring Bliss
Affects: Unbound up to and including version 1.12.0
Not affected: Other versions
Severity: Low
Impact: Denial of Service
Solution: Download patched version of Unbound, or apply the patch
manually
Unbound, when writing and later chown'ing the PID file, would not check if
an existing file was a symlink. This is a local vulnerability that could
create a Denial of Service of the system Unbound is running on. It
requires an attacker having access to the limited-permission user Unbound
runs as and pointing the symlink to a critical file on the system.
Unbound 1.13.0 contains a patch. If you cannot upgrade, you can also apply
the patch manually on versions 1.6.6 up until 1.12.0. To do this, apply
the patch in the Unbound source directory with patch -p1 <
patch_cve-2020-28935_unbound.diff and then run make install to install
Unbound.
}}}
--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/14338#comment:7>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
--
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
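The PID-file symlink problem the advisory describes, as an added illustration that is not part of the ticket, the advisory or Unbound's source: a writer that opens the PID path and then chown(2)s it by name, beside a hardened writer that uses O_NOFOLLOW, fstat and fchown. The temporary directory, the file names, the PID value 12345 and the victim file's contents are constructed for the demo, and the hardened variant is one sound fix for this bug class, not a claim about what the upstream patch does.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed contents of the "critical file" the attacker's symlink targets. */
static const char VICTIM_CONTENT[] = "do not touch\n";

/* Vulnerable pattern (the bug class in the advisory, not Unbound's own code):
 * open(2) follows a symlink at the PID-file path, so the PID lands in the
 * link's target, and chown(2) on the path follows the link a second time. */
int write_pidfile_unsafe(const char *path, pid_t pid, uid_t uid, gid_t gid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    if (dprintf(fd, "%ld\n", (long)pid) < 0) { close(fd); return -1; }
    close(fd);
    return chown(path, uid, gid); /* re-resolves the path: the target changes owner */
}

/* Hardened pattern (one sound fix, not necessarily the one Unbound shipped):
 * O_NOFOLLOW makes open fail with ELOOP on a symlink, fstat confirms a regular
 * file, and fchown acts on the descriptor, so the path is never re-resolved. */
int write_pidfile_safe(const char *path, pid_t pid, uid_t uid, gid_t gid)
{
    struct stat st;
    int rc, fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    if (fd < 0) return -1; /* errno == ELOOP when path is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    if (dprintf(fd, "%ld\n", (long)pid) < 0) { close(fd); return -1; }
    rc = fchown(fd, uid, gid);
    close(fd);
    return rc;
}

/* Stage the attack in a fresh temp dir: victim file + "unbound.pid" -> victim,
 * run one writer through the link, capture the victim's contents and errno.
 * Returns the writer's rc (-2 on setup failure). uid/gid are the caller's own,
 * so chown is a no-op here; in the real bug the daemon chowns as root. */
int run_scenario(int use_safe, char *victim_after, size_t n, int *err)
{
    char dir[] = "/tmp/pidlab-XXXXXX", victim[256], pidlink[256];
    int rc = -2;
    FILE *f;
    if (!mkdtemp(dir)) return -2;
    snprintf(victim, sizeof victim, "%s/critical.conf", dir);
    snprintf(pidlink, sizeof pidlink, "%s/unbound.pid", dir);
    if ((f = fopen(victim, "w")) && fputs(VICTIM_CONTENT, f) >= 0 &&
        fclose(f) == 0 && symlink(victim, pidlink) == 0) {
        rc = use_safe ? write_pidfile_safe(pidlink, 12345, getuid(), getgid())
                      : write_pidfile_unsafe(pidlink, 12345, getuid(), getgid());
        *err = errno;
        victim_after[0] = '\0';
        if ((f = fopen(victim, "r"))) {
            size_t got = fread(victim_after, 1, n - 1, f);
            victim_after[got] = '\0';
            fclose(f);
        }
    }
    unlink(pidlink);
    unlink(victim);
    rmdir(dir);
    return rc;
}

/* 1 if the unsafe writer "succeeds" and the victim file now holds the PID. */
int unsafe_writer_clobbers_victim(void)
{
    char after[64]; int err = 0;
    return run_scenario(0, after, sizeof after, &err) == 0 && strcmp(after, "12345\n") == 0;
}

/* 1 if the safe writer refuses the symlink with ELOOP and the victim is intact. */
int safe_writer_refuses_symlink(void)
{
    char after[64]; int err = 0;
    return run_scenario(1, after, sizeof after, &err) == -1 && err == ELOOP &&
           strcmp(after, VICTIM_CONTENT) == 0;
}

int main(void)
{
    printf("unsafe writer clobbers symlink target: %s\n", unsafe_writer_clobbers_victim() ? "yes" : "no");
    printf("safe writer refuses symlink (ELOOP):   %s\n", safe_writer_refuses_symlink() ? "yes" : "no");
    return 0;
}
```

Run unprivileged, the demo only shows the overwrite: the victim is truncated and replaced with the PID because open(2) followed the link. When the daemon does the same as root and then chowns the path to its service user, the second symlink resolution also hands ownership of the target (for instance a file under /etc) to that user, which is the Denial of Service the advisory rates as Low severity. Checking with lstat before open would not close the hole, since the attacker can swap a regular file for a symlink between the two calls; O_NOFOLLOW on the open plus fchown on the resulting descriptor removes the second path lookup entirely.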