Date: Tue, 19 Nov 2019 12:27:22 +0000 From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 242075] [MAINTAINER] dns/unbound: Update to unbound version 1.9.5, fixes vulnerability CVE-2019-18934 Message-ID: <bug-242075-7788@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D242075 Bug ID: 242075 Summary: [MAINTAINER] dns/unbound: Update to unbound version 1.9.5, fixes vulnerability CVE-2019-18934 Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: Individual Port(s) Assignee: ports-bugs@FreeBSD.org Reporter: jaap@NLnetLabs.nl Attachment #209248 maintainer-approval+ Flags: Flags: maintainer-feedback- Created attachment 209248 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D209248&action= =3Dedit patch to update Note: The port doesn't has an option to enable the vulnerable module ipsecmod so = the port itself is not affected by the reported CVE This release is a fix for vulnerability CVE-2019-18934, that can cause shell execution in ipsecmod. Bug Fixes: - Fix for the reported vulnerability. The CVE number for this vulnerability is CVE-2019-18934 =3D=3D Summary Recent versions of Unbound contain a vulnerability that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration. =3D=3D Affected products Unbound 1.6.4 up to and including 1.9.4. =3D=3D Description Due to unsanitized characters passed to the ipsecmod-hook shell command, it is possible for Unbound to allow shell code execution from a specially crafted IPSECKEY answer. This issue can only be triggered when *all* of the below conditions are met: * unbound was compiled with `--enable-ipsecmod` support, and * ipsecmod is enabled and used in the configuration, and * a domain is part of the ipsecmod-whitelist (if ipsecmod-whitelist is used), and * unbound receives an A/AAAA query for a domain that has an A/AAAA record(s) *and* an IPSECKEY record(s) available. The shell code execution can then happen if either the qname or the gateway field of the IPSECKEY (when gateway type =3D=3D 3) contain a specially crafted domain name. See also https://nlnetlabs.nl/projects/unbound/security-advisories/#vulnerability-in= -ipsec-module --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-242075-7788>