Source: unbound Version: 1.20.0-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for unbound. CVE-2024-8508[0]: | NLnet Labs Unbound up to and including version 1.21.0 contains a | vulnerability when handling replies with very large RRsets that it | needs to perform name compression for. Malicious upstreams responses | with very large RRsets can cause Unbound to spend a considerable | time applying name compression to downstream replies. This can lead | to degraded performance and eventually denial of service in well | orchestrated attacks. The vulnerability can be exploited by a | malicious actor querying Unbound for the specially crafted contents | of a malicious zone with very large RRsets. Before Unbound replies | to the query it will try to apply name compression which was an | unbounded operation that could lock the CPU until the whole packet | was complete. Unbound version 1.21.1 introduces a hard limit on the | number of name compression calculations it is willing to do per | packet. Packets that need more compression will result in semi- | compressed packets or truncated packets, even on TCP for huge | messages, to avoid locking the CPU for long. This change should not | affect normal DNS traffic. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-8508 https://www.cve.org/CVERecord?id=CVE-2024-8508 [1] https://nlnetlabs.nl/downloads/unbound/patch_CVE-2024-8508.diff [2] https://nlnetlabs.nl/downloads/unbound/CVE-2024-8508.txt Please adjust the affected versions in the BTS as needed. Regards, Salvatore