[ALSA-2024:1750] Important: unbound security update
Type:
security
Severity:
important
Release date:
2024-04-12
Description:
The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.

Security Fix(es):

* A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. The default combination of the "control-use-cert: no" option with either explicit or implicit use of an IP address in the "control-interface" option could allow improper access. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw allows an unprivileged local process to manipulate a running instance, potentially altering forwarders, allowing them to track all queries forwarded by the local resolver, and, in some cases, disrupting resolving altogether.

To mitigate the vulnerability, a new file "/etc/unbound/conf.d/remote-control.conf" has been added and included in the main unbound configuration file, "unbound.conf". The file contains two directives that should limit access to unbound.conf:

    control-interface: "/run/unbound/control"
    control-use-cert: "yes"

For details about these directives, run "man unbound.conf".

Updating to the version of unbound provided by this advisory should, in most cases, address the vulnerability. To verify that your configuration is not vulnerable, use the "unbound-control status | grep control" command. If the output contains "control(ssl)" or "control(namedpipe)", your configuration is not vulnerable. If the command output returns only "control", the configuration is vulnerable because it does not enforce access only to the unbound group members.

To fix your configuration, add the line "include: /etc/unbound/conf.d/remote-control.conf" to the end of the file "/etc/unbound/unbound.conf". If you use a custom "/etc/unbound/conf.d/remote-control.conf" file, add the new directives to this file. (CVE-2024-1488)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
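The "unbound-control status" check above needs a running daemon. The following script, added here as an example and not part of the advisory or of the unbound project, performs the equivalent check statically on a configuration file: it flags the combination the advisory describes (remote control enabled, "control-use-cert: no", and a "control-interface" that is an IP address or absent, which implicitly defaults to localhost). It inspects only the file given and does not follow "include:" directives; the sample configurations at the bottom are constructed for demonstration.

```shell
#!/bin/sh
# Static check for the CVE-2024-1488 exposure described in the advisory.
# Result is one word on stdout: disabled | ok | vulnerable.
# Exit status is 1 only for "vulnerable", so it can be used in scripts.

# Print every value of one directive, with comments and quotes stripped.
# $1 = config file, $2 = directive name without the trailing colon
rc_values() {
    sed -e 's/#.*//' "$1" |
        awk -v key="$2:" '$1 == key { v = $2; gsub(/"/, "", v); print v }'
}

unbound_rc_check() {
    f="$1"
    enable=$(rc_values "$f" control-enable | tail -n 1)
    cert=$(rc_values "$f" control-use-cert | tail -n 1)
    ifaces=$(rc_values "$f" control-interface)

    # Unbound defaults: control-enable is "no", control-use-cert is "yes".
    if [ "${enable:-no}" != "yes" ]; then echo disabled; return 0; fi
    if [ "${cert:-yes}" = "yes" ]; then echo ok; return 0; fi

    # control-use-cert: no is only acceptable when every control-interface
    # is a unix socket path (filesystem permissions then gate access).
    # No control-interface at all means the implicit 127.0.0.1/::1 default.
    if [ -z "$ifaces" ]; then echo vulnerable; return 1; fi
    for i in $ifaces; do
        case "$i" in
            /*) ;;
            *) echo vulnerable; return 1 ;;
        esac
    done
    echo ok
    return 0
}

# Demonstration on a constructed configuration resembling the vulnerable
# default (TCP control on localhost, no certificate).
demo=$(mktemp)
printf 'server:\n  interface: 127.0.0.1\nremote-control:\n  control-enable: yes\n  control-use-cert: no\n' > "$demo"
printf '%s: %s\n' "$demo" "$(unbound_rc_check "$demo" || true)"
rm -f "$demo"
```

Run it against "/etc/unbound/unbound.conf" and, separately, against "/etc/unbound/conf.d/remote-control.conf"; the later included file is the one whose directives take effect when both set them.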
Updated packages listed below:
Architecture Package Checksum
aarch64 unbound-devel-1.16.2-3.el9_3.5.aarch64.rpm ae6fde936ce92199744d8bbdeda76101437f6f21cafbb91857fcc46bb85102ce
aarch64 python3-unbound-1.16.2-3.el9_3.5.aarch64.rpm be2a3ef36739ee63c507546e1be0a50ecd04bfedeb06fdeb3e054b5fb9380d5d
aarch64 unbound-1.16.2-3.el9_3.5.aarch64.rpm c5d7274c33fc5d854e5ec7b6127e7ecfa30481c602e50cbb6ef27366659bcf03
aarch64 unbound-libs-1.16.2-3.el9_3.5.aarch64.rpm f04a96661148d18d7e13d5597130bb3733f22c47203880be12e10ce966a082d2
i686 unbound-devel-1.16.2-3.el9_3.5.i686.rpm 50e1dd3667141f1b4ce9f2041bdc42ea10e5355e9374d48e925d7d9d1debcff2
i686 unbound-libs-1.16.2-3.el9_3.5.i686.rpm ecec382c085a8b0de4fb52bed6f17bf48ed9732bf5f7ad21f8cd2b74c4ded321
ppc64le unbound-devel-1.16.2-3.el9_3.5.ppc64le.rpm 2f4685ca145dd4b78fbc4e5bea45ab874911805be0f1f7dedd525d26b4bbc109
ppc64le unbound-1.16.2-3.el9_3.5.ppc64le.rpm 4d6b6a801c7a72115d95c0a624626ae7a2a2a291528ac469135117f680518774
ppc64le python3-unbound-1.16.2-3.el9_3.5.ppc64le.rpm 756b051b3182b973fcc4facdf537b4aa6bc753deb769ebe284325fafad51a1f2
ppc64le unbound-libs-1.16.2-3.el9_3.5.ppc64le.rpm c33900f67ba3b9d5c8526d15b01092607ab2f0660a0735b0a91537c909e77803
s390x python3-unbound-1.16.2-3.el9_3.5.s390x.rpm 173e4fcce80f1fa5f8e7314ddfdc206c9c63d67935bfc270a8265f4746996fe6
s390x unbound-libs-1.16.2-3.el9_3.5.s390x.rpm a72858780e6d0ab8479f12258a2fac85349a91a5f79470a22468a2905ba315a3
s390x unbound-1.16.2-3.el9_3.5.s390x.rpm e92b74bf37c4b6a7cbb17985f2ba233e6aa85a5a7fd5cc354ecfdce132c4316e
s390x unbound-devel-1.16.2-3.el9_3.5.s390x.rpm ed68fd1fb61a83c616ab1f6f0cbe87f94e3c12ee5d391c6a98df6cc3089c2db1
x86_64 unbound-libs-1.16.2-3.el9_3.5.x86_64.rpm 137afd200aa2136dd8d4c550bd079b709db858cd4756ef314d93c6eb020c0c99
x86_64 unbound-devel-1.16.2-3.el9_3.5.x86_64.rpm 4e964e25a70fca72be9837070320265bc947a26cdbac7985b827b432e92c14ea
x86_64 python3-unbound-1.16.2-3.el9_3.5.x86_64.rpm 97762676dea518a4cdfb9249e0f7b918379cbcb2b8a7acb4d737ee11f3820e87
x86_64 unbound-1.16.2-3.el9_3.5.x86_64.rpm cea24f4f2b54029d2f9d0d3146c58e5b8282c590de49823e7f131fc596fc0793
Notes:
This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.