Source: unbound Version: 1.16.0-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerabilities were published for unbound. CVE-2022-30698[0]: | NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable | to a novel type of the "ghost domain names" attack. The vulnerability | works by targeting an Unbound instance. Unbound is queried for a | subdomain of a rogue domain name. The rogue nameserver returns | delegation information for the subdomain that updates Unbound's | delegation cache. This action can be repeated before expiry of the | delegation information by querying Unbound for a second level | subdomain which the rogue nameserver provides new delegation | information. Since Unbound is a child-centric resolver, the ever- | updating child delegation information can keep a rogue domain name | resolvable long after revocation. From version 1.16.2 on, Unbound | checks the validity of parent delegation records before using cached | delegation information. CVE-2022-30699[1]: | NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable | to a novel type of the "ghost domain names" attack. The vulnerability | works by targeting an Unbound instance. Unbound is queried for a rogue | domain name when the cached delegation information is about to expire. | The rogue nameserver delays the response so that the cached delegation | information is expired. Upon receiving the delayed answer containing | the delegation information, Unbound overwrites the now expired | entries. This action can be repeated when the delegation information | is about to expire making the rogue delegation information ever- | updating. From version 1.16.2 on, Unbound stores the start time for a | query and uses that to decide if the cached delegation information can | be overwritten. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-30698 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30698 [1] https://security-tracker.debian.org/tracker/CVE-2022-30699 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30699 [2] https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt [3] https://github.com/NLnetLabs/unbound/commit/f6753a0f1018133df552347a199e0362fc1dac68 Please adjust the affected versions in the BTS as needed. Regards, Salvatore