[ALSA-2024:1751] Important: unbound security update
Type:
security
Severity:
important
Release date:
2024-04-12
Description:
The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. Security Fix(es): * A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. The default combination of the "control-use-cert: no" option with either explicit or implicit use of an IP address in the "control-interface" option could allow improper access. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw allows an unprivileged local process to manipulate a running instance, potentially altering forwarders, allowing them to track all queries forwarded by the local resolver, and, in some cases, disrupting resolving altogether. To mitigate the vulnerability, a new file "/etc/unbound/conf.d/remote-control.conf" has been added and included in the main unbound configuration file, "unbound.conf". The file contains two directives that should limit access to unbound.conf: control-interface: "/run/unbound/control" control-use-cert: "yes" For details about these directives, run "man unbound.conf". Updating to the version of unbound provided by this advisory should, in most cases, address the vulnerability. To verify that your configuration is not vulnerable, use the "unbound-control status | grep control" command. If the output contains "control(ssl)" or "control(namedpipe)", your configuration is not vulnerable. If the command output returns only "control", the configuration is vulnerable because it does not enforce access only to the unbound group members. To fix your configuration, add the line "include: /etc/unbound/conf.d/remote-control.conf" to the end of the file "/etc/unbound/unbound.conf". If you use a custom "/etc/unbound/conf.d/remote-control.conf" file, add the new directives to this file. (CVE-2024-1488) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Updated packages listed below:
Architecture Package Checksum
aarch64 unbound-libs-1.16.2-5.el8_9.6.aarch64.rpm 04b4c55f920a955f80270c6fa6a71c71df9af60120902d3ef4edc58f31bf790e
aarch64 unbound-1.16.2-5.el8_9.6.aarch64.rpm 139a013174bbd91fafddc83252e229a005ff09d4544591509ea05a48bd3de922
aarch64 unbound-devel-1.16.2-5.el8_9.6.aarch64.rpm 53a3a503ec56acf9c7ef3eb783045d8789ce57605a0c873fb6131415eabfd7d2
aarch64 python3-unbound-1.16.2-5.el8_9.6.aarch64.rpm ca04ec62c9215b3bef7c5f5717236d9d50d720b8db6612cd5b72295314bb1c6d
i686 unbound-devel-1.16.2-5.el8_9.6.i686.rpm 0569a11748ca8b280ff746035bfb21f08f1c3975082c2aa1ff4430f85811b7f9
i686 unbound-libs-1.16.2-5.el8_9.6.i686.rpm 1087cd0b463dd6e324228d4208b918f7db7a582948e9416175b042b3ecca6ff3
ppc64le unbound-1.16.2-5.el8_9.6.ppc64le.rpm 0e9a7002cffcb40461309c811acbc9edcf1a11f653aefbdee616488fa886c8f3
ppc64le unbound-devel-1.16.2-5.el8_9.6.ppc64le.rpm 479c633dde8ac8cf4171bf51d5aabdfd93e5f234acc0cfda523a1b40f43d2743
ppc64le python3-unbound-1.16.2-5.el8_9.6.ppc64le.rpm 6e0134d948329e656e59174df3d5acb12568873709c96275ba5b574467883bde
ppc64le unbound-libs-1.16.2-5.el8_9.6.ppc64le.rpm a8f8a4d2ef3b61c8389dedc8d64f4f3c444da2cd3c790fd9391ad88e2e7514aa
s390x python3-unbound-1.16.2-5.el8_9.6.s390x.rpm 28936df7805712a27b7aafd77f13d80566a7a68b6d44227b7e3224e4982bf992
s390x unbound-libs-1.16.2-5.el8_9.6.s390x.rpm 2d8dc9f4b435e551b8e28b7ecb3af377e2b3e7fdd64c35cd71d8d1af09bf05e4
s390x unbound-devel-1.16.2-5.el8_9.6.s390x.rpm 36d503730a01d8fb3e14baff1738448370b41fbd7bc320c89ca9fbc39fea2eef
s390x unbound-1.16.2-5.el8_9.6.s390x.rpm 59a6995e9d3bf33fb03e2711f4a767d37302ccf74929b0462cbefa0b6f0b9f26
x86_64 unbound-devel-1.16.2-5.el8_9.6.x86_64.rpm 1b08049290ea4121e49d9e13c7ce815c64010124abf5d38409e76f795117d238
x86_64 python3-unbound-1.16.2-5.el8_9.6.x86_64.rpm 3e790f0a93dec96eed22249d190329112b46b7507b5eda86a88c99141d7ba9cf
x86_64 unbound-1.16.2-5.el8_9.6.x86_64.rpm 90611075b71a3d1b6c7772e4e6c16425d795e8a6e2050def2a31ad45f9866bfa
x86_64 unbound-libs-1.16.2-5.el8_9.6.x86_64.rpm ed404bd2c073c104efc4fbf256dbbbde2ef4265fc2506837076dc03a6f61c935
Notes:
This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.