Date:      Thu, 03 Oct 2019 19:09:48 +0000
From:      bugzilla-noreply@freebsd.org
To:        ports-bugs@FreeBSD.org
Subject:   [Bug 241033] dns/unbound:Update to 1.9.4 (fixes CVE-2019-16866)
Message-ID:  <bug-241033-7788-WZYGM11Z84@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-241033-7788@https.bugs.freebsd.org/bugzilla/>
References:  <bug-241033-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241033

Jaap Akkerhuis <jaap@NLnetLabs.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #208071|                            |maintainer-approval+
              Flags|                            |

--- Comment #1 from Jaap Akkerhuis <jaap@NLnetLabs.nl> ---
Created attachment 208071
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=208071&action=edit
Patch to upgrade


This release is a fix for vulnerability CVE-2019-16866 that causes a
failure when a specially crafted query is received.

Bug Fixes:
- Fix for the reported vulnerability.

The CVE number for this vulnerability is CVE-2019-16866

== Summary
Recent versions of Unbound contain a problem that may cause Unbound to
crash after receiving a specially crafted query. This issue can only be
triggered by queries received from addresses allowed by Unbound's ACL.

== Affected products
Unbound 1.7.1 up to and including 1.9.3.

== Description
Due to an error in parsing NOTIFY queries, it is possible for Unbound to
continue processing malformed queries and may ultimately result in a
pointer dereference in uninitialized memory. This results in a crash of
the Unbound daemon.

Whether this issue leads to a crash depends on the content of the
uninitialized memory space and cannot be predicted. This issue can only
be triggered by queries received from addresses that are allowed to send
queries according to Unbound's ACL (access-control in the Unbound
configuration).
