Created attachment 209248
patch to update

Note: The port doesn't have an option to enable the vulnerable module ipsecmod, so the port itself is not affected by the reported CVE.

This release is a fix for vulnerability CVE-2019-18934, that can cause shell execution in ipsecmod.

Bug Fixes:
- Fix for the reported vulnerability. The CVE number for this vulnerability is CVE-2019-18934

== Summary
Recent versions of Unbound contain a vulnerability that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration.

== Affected products
Unbound 1.6.4 up to and including 1.9.4.

== Description
Due to unsanitized characters passed to the ipsecmod-hook shell command, it is possible for Unbound to allow shell code execution from a specially crafted IPSECKEY answer. This issue can only be triggered when *all* of the below conditions are met:
* unbound was compiled with `--enable-ipsecmod` support, and
* ipsecmod is enabled and used in the configuration, and
* a domain is part of the ipsecmod-whitelist (if ipsecmod-whitelist is used), and
* unbound receives an A/AAAA query for a domain that has an A/AAAA record(s) *and* an IPSECKEY record(s) available.

The shell code execution can then happen if either the qname or the gateway field of the IPSECKEY (when gateway type == 3) contain a specially crafted domain name.

See also https://nlnetlabs.nl/projects/unbound/security-advisories/#vulnerability-in-ipsec-module
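The advisory quoted above boils down to one defensive rule: a name taken from a DNS answer must never reach a shell command line unchecked. The following C example, added here and not taken from Unbound or from the port's patch, shows the two mitigations a resolver hook would want: an allowlist validator for presentation-format domain names, and a hook runner that passes the qname and gateway as separate argv entries (posix_spawnp) instead of formatting them into a string for system(). The function names ipsecmod_name_is_safe and run_hook_noshell and the character allowlist are assumptions for illustration, not Unbound's own API.

```c
#include <ctype.h>
#include <spawn.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

/* Hypothetical validator (not Unbound's code): accept a domain name only if
 * every character is one that can legitimately appear in a presentation
 * format hostname: ASCII letters, digits, '-', '_' and the label separator
 * '.'. Whitespace, quotes, ';', '$', '`', '|' and every other byte are
 * rejected before the name gets anywhere near a command line. */
bool ipsecmod_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    size_t len = strlen(name);
    if (len > 253)                      /* longest presentation-format name */
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (isalnum(c) || c == '-' || c == '_' || c == '.')
            continue;
        return false;
    }
    /* no leading dot and no empty labels; a single trailing root dot is fine */
    if (name[0] == '.' || strstr(name, "..") != NULL)
        return false;
    return true;
}

/* Run the hook binary directly with an argument vector rather than handing a
 * formatted string to system(): the arguments reach the hook exactly as given,
 * so no shell ever gets a chance to reinterpret them. Both names are still
 * validated first, so a name that fails the allowlist never spawns anything.
 * Returns the hook's exit status, or -1 if validation or spawning failed. */
int run_hook_noshell(const char *hook, const char *qname, const char *gateway)
{
    if (!ipsecmod_name_is_safe(qname) || !ipsecmod_name_is_safe(gateway))
        return -1;
    char *argv[] = { (char *)hook, (char *)qname, (char *)gateway, NULL };
    pid_t pid;
    int status;
    if (posix_spawnp(&pid, hook, NULL, NULL, argv, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed sample names: one clean, one carrying a shell metacharacter */
    const char *names[] = { "gw.example.com.", "host;name.example.com" };
    for (size_t i = 0; i < 2; i++)
        printf("%-28s -> %s\n", names[i],
               ipsecmod_name_is_safe(names[i]) ? "accepted" : "rejected");
    /* "echo" stands in for the real ipsecmod-hook; arguments are not parsed by a shell */
    return run_hook_noshell("echo", "example.com", "gw.example.com.") == 0 ? 0 : 1;
}
```

The allowlist is deliberately stricter than the DNS wire format (which permits any octet in a label); a hook that is only ever fed hostnames loses nothing by refusing everything else, and the argv-based spawn means the validator is a second line of defence rather than the only one.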
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/96961291
Ping? This is a security update, please also MFH to 2019Q4.
Please use "Approved by: ports-secteam (delphij)" when MFH'ing, thanks
(In reply to Xin LI from comment #3) thanks, but i am ports-secteam too ;-)
(In reply to Xin LI from comment #2) As I explained in the note, the port itself cannot enable the vulnerability. The only way to do that is for the user to change the port. So MFH is just to be on the very prudent side.
A commit references this bug:

Author: joneum
Date: Sat Nov 23 12:51:00 UTC 2019
New revision: 518226
URL: https://svnweb.freebsd.org/changeset/ports/518226

Log:
  Add entry for dns/unbound

  PR:           242075
  Sponsored by: Netzkommune GmbH

Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:

Author: joneum
Date: Sat Nov 23 12:54:17 UTC 2019
New revision: 518229
URL: https://svnweb.freebsd.org/changeset/ports/518229

Log:
  Update to 1.9.5

  Changelog: https://nlnetlabs.nl/projects/unbound/security-advisories/#vulnerability-in-ipsec-module

  PR:           242075
  Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
  MFH:          2019Q4
  Sponsored by: Netzkommune GmbH

Changes:
  head/dns/unbound/Makefile
  head/dns/unbound/distinfo
  head/dns/unbound/pkg-plist
A commit references this bug:

Author: joneum
Date: Sat Nov 23 12:55:48 UTC 2019
New revision: 518230
URL: https://svnweb.freebsd.org/changeset/ports/518230

Log:
  MFH: r518229

  Update to 1.9.5

  Changelog: https://nlnetlabs.nl/projects/unbound/security-advisories/#vulnerability-in-ipsec-module

  PR:           242075
  Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
  Sponsored by: Netzkommune GmbH
  Approved by:  ports-secteam (joneum)

Changes:
_U  branches/2019Q4/
  branches/2019Q4/dns/unbound/Makefile
  branches/2019Q4/dns/unbound/distinfo
  branches/2019Q4/dns/unbound/pkg-plist