Attachment #254050 for bug #281894

View | Details | Raw Unified | Return to bug 281894
Collapse All | Expand All

Lines 1-5 Link Here

(-)b/dns/unbound/Makefile (-1 / +1 lines)
1	PORTNAME= unbound	1	PORTNAME= unbound
2	DISTVERSION= 1.21.0	2	DISTVERSION= 1.21.1
3	CATEGORIES= dns	3	CATEGORIES= dns
4	MASTER_SITES= https://www.nlnetlabs.nl/downloads/unbound/	4	MASTER_SITES= https://www.nlnetlabs.nl/downloads/unbound/
5		5

Lines 1-3 Link Here

(-)b/dns/unbound/distinfo (-3 / +3 lines)
1	TIMESTAMP = 1723714724	1	TIMESTAMP = 1727979122
2	SHA256 (unbound-1.21.0.tar.gz) = e7dca7d6b0f81bdfa6fa64ebf1053b5a999a5ae9278a87ef182425067ea14521	2	SHA256 (unbound-1.21.1.tar.gz) = 3036d23c23622b36d3c87e943117bdec1ac8f819636eb978d806416b0fa9ea46
3	SIZE (unbound-1.21.0.tar.gz) = 6575675	3	SIZE (unbound-1.21.1.tar.gz) = 6568258

Added Link Here

(-)b/dns/unbound/files/patch-smallapp_unbound-control-setup.sh.in (+11 lines)
1	--- smallapp/unbound-control-setup.sh.in.orig 2024-10-03 12:44:59 UTC
2	+++ smallapp/unbound-control-setup.sh.in
3	@@ -104,7 +104,7 @@ while getopts 'd:hr' arg; do
4	done
5	shift $((OPTIND - 1))
6
7	-if ! openssl >/dev/null 2>&1; then
8	+if ! openssl version >/dev/null 2>&1; then
9	echo "$0 requires openssl to be installed for keys/certificates generation." >&2
10	exit 1
11	fi

Lines 5-11 libdata/pkgconfig/libunbound.pc Link Here

(-)b/dns/unbound/pkg-plist (-1 / +1 lines)
5	lib/libunbound.a	5	lib/libunbound.a
6	lib/libunbound.so	6	lib/libunbound.so
7	lib/libunbound.so.8	7	lib/libunbound.so.8
8	lib/libunbound.so.8.1.28	8	lib/libunbound.so.8.1.29
9	%%PYTHON%%%%PYTHON_SITELIBDIR%%/_unbound.so	9	%%PYTHON%%%%PYTHON_SITELIBDIR%%/_unbound.so
10	%%PYTHON%%%%PYTHON_SITELIBDIR%%/unbound.py	10	%%PYTHON%%%%PYTHON_SITELIBDIR%%/unbound.py
11	%%PYTHON%%%%PYTHON_SITELIBDIR%%/unboundmodule.py	11	%%PYTHON%%%%PYTHON_SITELIBDIR%%/unboundmodule.py




  <vuln vid="27a69d8c-7edc-444c-a083-0508b5e4fa69">
    <topic>null -- Unbounded name compression could lead to Denial of Service</topic>
    <affects>
      <package>
	<name>unbound</name>
	<range><lt>1.21.1</lt></range>
      </package>
    </affects>
    <description>
	<body xmlns="http://www.w3.org/1999/xhtml">
	<p>sep@nlnetlabs.nl reports:</p>
	<blockquote cite="https://www.nlnetlabs.nl/downloads/unbound/CVE-2024-8508.txt">
	  <p>NLnet Labs Unbound up to and including version 1.21.0 contains a
	vulnerability when handling replies with very large RRsets that it
	needs to perform name compression for.  Malicious upstreams responses
	with very large RRsets can cause Unbound to spend a considerable
	time applying name compression to downstream replies.  This can
	lead to degraded performance and eventually denial of service in
	well orchestrated attacks.  The vulnerability can be exploited by
	a malicious actor querying Unbound for the specially crafted contents
	of a malicious zone with very large RRsets.  Before Unbound replies
	to the query it will try to apply name compression which was an
	unbounded operation that could lock the CPU until the whole packet
	was complete.  Unbound version 1.21.1 introduces a hard limit on
	the number of name compression calculations it is willing to do per
	packet.  Packets that need more compression will result in
	semi-compressed packets or truncated packets, even on TCP for huge
	messages, to avoid locking the CPU for long.  This change should
	not affect normal DNS traffic.</p>
	</blockquote>
	</body>
    </description>
    <references>
      <cvename>CVE-2024-8508</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2024-8508</url>
    </references>
    <dates>
      <discovery>2024-10-03</discovery>
      <entry>2024-10-05</entry>
    </dates>
  </vuln>

  <vuln vid="0417d41a-8175-11ef-a5dc-b42e991fc52e">
    <topic>firefox -- multiple vulnerabilities</topic>
    <affects>
- 

Return to bug 281894

Lines 1-3 Link Here

(-)b/security/vuxml/vuln/2024.xml (-1 / +42 lines)
		1	<vuln vid="27a69d8c-7edc-444c-a083-0508b5e4fa69">
		2	<topic>null -- Unbounded name compression could lead to Denial of Service</topic>
		3	<affects>
		4	<package>
		5	<name>unbound</name>
		6	<range><lt>1.21.1</lt></range>
		7	</package>
		8	</affects>
		9	<description>
		10	<body xmlns="http://www.w3.org/1999/xhtml">
		11	<p>sep@nlnetlabs.nl reports:</p>
		12	<blockquote cite="https://www.nlnetlabs.nl/downloads/unbound/CVE-2024-8508.txt">
		13	<p>NLnet Labs Unbound up to and including version 1.21.0 contains a
		14	vulnerability when handling replies with very large RRsets that it
		15	needs to perform name compression for. Malicious upstreams responses
		16	with very large RRsets can cause Unbound to spend a considerable
		17	time applying name compression to downstream replies. This can
		18	lead to degraded performance and eventually denial of service in
		19	well orchestrated attacks. The vulnerability can be exploited by
		20	a malicious actor querying Unbound for the specially crafted contents
		21	of a malicious zone with very large RRsets. Before Unbound replies
		22	to the query it will try to apply name compression which was an
		23	unbounded operation that could lock the CPU until the whole packet
		24	was complete. Unbound version 1.21.1 introduces a hard limit on
		25	the number of name compression calculations it is willing to do per
		26	packet. Packets that need more compression will result in
		27	semi-compressed packets or truncated packets, even on TCP for huge
		28	messages, to avoid locking the CPU for long. This change should
		29	not affect normal DNS traffic.</p>
		30	</blockquote>
		31	</body>
		32	</description>
		33	<references>
		34	<cvename>CVE-2024-8508</cvename>
		35	<url>https://nvd.nist.gov/vuln/detail/CVE-2024-8508</url>
		36	</references>
		37	<dates>
		38	<discovery>2024-10-03</discovery>
		39	<entry>2024-10-05</entry>
		40	</dates>
		41	</vuln>
		42
1	<vuln vid="0417d41a-8175-11ef-a5dc-b42e991fc52e">	43	<vuln vid="0417d41a-8175-11ef-a5dc-b42e991fc52e">
2	<topic>firefox -- multiple vulnerabilities</topic>	44	<topic>firefox -- multiple vulnerabilities</topic>
3	<affects>	45	<affects>
4	-