https://nlnetlabs.nl/pipermail/unbound-users/2019-October/011832.html
Created attachment 208071 [details]
Patch to upgrade

This release is a fix for vulnerability CVE-2019-16866 that causes a failure when a specially crafted query is received.

Bug Fixes:
- Fix for the reported vulnerability.

The CVE number for this vulnerability is CVE-2019-16866

== Summary
Recent versions of Unbound contain a problem that may cause Unbound to crash after receiving a specially crafted query. This issue can only be triggered by queries received from addresses allowed by Unbound's ACL.

== Affected products
Unbound 1.7.1 up to and including 1.9.3.

== Description
Due to an error in parsing NOTIFY queries, it is possible for Unbound to continue processing malformed queries and may ultimately result in a pointer dereference in uninitialized memory. This results in a crash of the Unbound daemon. Whether this issue leads to a crash depends on the content of the uninitialized memory space and cannot be predicted. This issue can only be triggered by queries received from addresses that are allowed to send queries according to Unbound's ACL (access-control in the Unbound configuration).
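An added example, not part of the bug report or of Unbound's own code: a Python check that combines the two conditions the advisory gives, the affected version range and the access-control ACL, to list which client networks could send queries to a vulnerable install. The function names and the sample configuration are constructed, and treating every action other than `deny` and `refuse` as letting queries in is a conservative assumption.

```python
import ipaddress
import re

# Affected range as stated in the advisory: 1.7.1 up to and including 1.9.3.
AFFECTED_MIN, AFFECTED_MAX = (1, 7, 1), (1, 9, 3)
# Assumption: only these access-control actions stop a client's queries outright.
BLOCKING_ACTIONS = {"deny", "refuse"}

def parse_version(text):
    """Turn '1.9.3' (or 'Version 1.9.3') into a comparable integer tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version_text):
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX

def query_sources(conf_text):
    """Return networks whose access-control action is not deny or refuse."""
    nets = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"access-control:\s*([0-9a-fA-F:./]+)\s+(\w+)", line)
        if m and m.group(2) not in BLOCKING_ACTIONS:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets

def exposure(version_text, conf_text):
    """Networks able to send queries to an affected version, else an empty list."""
    if not is_affected(version_text):
        return []
    return [str(n) for n in query_sources(conf_text)]

# Constructed sample configuration, not taken from the page.
SAMPLE_CONF = """
server:
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.0.2.0/24 allow_snoop   # lab resolver clients
    access-control: 2001:db8::/32 deny
"""

if __name__ == "__main__":
    for ver in ("1.9.3", "1.9.4"):
        print(ver, exposure(ver, SAMPLE_CONF))
```

With no access-control lines at all, Unbound's default allows only localhost, which this sketch does not model.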
A commit references this bug:

Author: sunpoet
Date: Thu Oct 3 19:28:48 UTC 2019
New revision: 513730
URL: https://svnweb.freebsd.org/changeset/ports/513730

Log:
  Update to 1.9.4

  Changes: https://github.com/NLnetLabs/unbound/blob/master/doc/Changelog

  PR: 241033
  Reported by: C <cm@appliedprivacy.net>
  Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
  Security: 108a4be3-e612-11e9-9963-5f1753e0aca0
  MFH: 2019Q4

Changes:
  head/dns/unbound/Makefile
  head/dns/unbound/distinfo
  head/dns/unbound/pkg-plist
Committed. Thanks!
^Triage: VuXML entry was added in ports r513729. Re-open pending MFH.

@Sunpoet Please include PR: references for VuXML entries so they're tracked in issues too.
Thanks for re-opening. It has now been a week waiting for the MFH to 2019Q4. The users using this port from the default pkg(8) repository receive daily security status mails from periodic(8) reminding them that dns/unbound is vulnerable.
A commit references this bug:

Author: sunpoet
Date: Sun Oct 20 14:10:04 UTC 2019
New revision: 514892
URL: https://svnweb.freebsd.org/changeset/ports/514892

Log:
  MFH: r513730

  Update to 1.9.4

  Changes: https://github.com/NLnetLabs/unbound/blob/master/doc/Changelog

  PR: 241033
  Reported by: C <cm@appliedprivacy.net>
  Submitted by: Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
  Security: 108a4be3-e612-11e9-9963-5f1753e0aca0

  Approved by: ports-secteam (miwi)

Changes:
_U branches/2019Q4/
  branches/2019Q4/dns/unbound/Makefile
  branches/2019Q4/dns/unbound/distinfo
  branches/2019Q4/dns/unbound/pkg-plist