Bug 242075

Summary: [MAINTAINER] dns/unbound: Update to unbound version 1.9.5, fixes vulnerability CVE-2019-18934
Product: Ports & Packages
Reporter: Jaap Akkerhuis <jaap>
Component: Individual Port(s)
Assignee: Jochen Neumeister <joneum>
Status: Closed FIXED
Severity: Affects Many People
CC: delphij, joneum
Priority: ---
Keywords: buildisok
Version: Latest
Flags: jaap: maintainer-feedback+
       delphij: merge-quarterly+
Hardware: Any
OS: Any
Attachments:
  patch to update (Flags: jaap: maintainer-approval+)

Description Jaap Akkerhuis 2019-11-19 12:27:22 UTC
Created attachment 209248 [details]
patch to update

Note:
The port doesn't have an option to enable the vulnerable module ipsecmod, so the port itself is not affected by the reported CVE.


This release is a fix for vulnerability CVE-2019-18934, that can cause
shell execution in ipsecmod.

Bug Fixes:
- Fix for the reported vulnerability.

The CVE number for this vulnerability is CVE-2019-18934

== Summary
Recent versions of Unbound contain a vulnerability that can cause shell
code execution after receiving a specially crafted answer. This issue
can only be triggered if unbound was compiled with `--enable-ipsecmod`
support, and ipsecmod is enabled and used in the configuration.

== Affected products
Unbound 1.6.4 up to and including 1.9.4.

== Description
Due to unsanitized characters passed to the ipsecmod-hook shell command,
it is possible for Unbound to allow shell code execution from a
specially crafted IPSECKEY answer.

This issue can only be triggered when *all* of the below conditions are met:
* unbound was compiled with `--enable-ipsecmod` support, and
* ipsecmod is enabled and used in the configuration, and
* a domain is part of the ipsecmod-whitelist (if ipsecmod-whitelist is
  used), and
* unbound receives an A/AAAA query for a domain that has an A/AAAA
  record(s) *and* an IPSECKEY record(s) available.

The shell code execution can then happen if either the qname or the
gateway field of the IPSECKEY (when gateway type == 3) contain a
specially crafted domain name.

See also
https://nlnetlabs.nl/projects/unbound/security-advisories/#vulnerability-in-ipsec-module
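The advisory above lists the conditions under which CVE-2019-18934 is reachable: an affected version (1.6.4 through 1.9.4), a build with `--enable-ipsecmod`, and ipsecmod enabled and used in the configuration. The following is an added example, not part of this bug report or of Unbound's own code, that turns those conditions into an exposure check a defender can run against a host. It takes the text of `unbound -V` (the constructed sample below is shaped like that output, with a `Configure line:` carrying the build flags) and the text of `unbound.conf`. The option names `ipsecmod-enabled`, `ipsecmod-hook` and `ipsecmod-whitelist` are real unbound.conf keys; the hook path and domains in the sample config are constructed placeholders.

```python
"""Exposure check for the Unbound ipsecmod advisory (CVE-2019-18934).

Added example, not code from the bug report or from Unbound. It evaluates
the advisory's conditions over two inputs: the output of `unbound -V`
and the contents of unbound.conf.
"""
import re

# Affected range stated in the advisory: 1.6.4 up to and including 1.9.4.
AFFECTED_MIN = (1, 6, 4)
AFFECTED_MAX = (1, 9, 4)

# Constructed sample shaped like `unbound -V` output (not captured from a real host).
VERSION_OUTPUT = """Version 1.9.4

Configure line: --enable-ipsecmod --with-libevent
Linked libs: libevent (it uses kqueue), OpenSSL
"""

# Constructed sample unbound.conf; the hook path and domains are placeholders.
SAMPLE_CONF = """server:
    interface: 127.0.0.1
    ipsecmod-enabled: yes
    ipsecmod-hook: "/path/to/ipsecmod-hook.sh"   # placeholder path
    ipsecmod-whitelist: "example.com."
    ipsecmod-whitelist: example.net
"""


def parse_version(text):
    """Return the first x.y.z number in `text` as an int tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(x) for x in m.groups())


def version_affected(version):
    """True if the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def built_with_ipsecmod(version_output):
    """True if the configure line of `unbound -V` shows --enable-ipsecmod."""
    return "--enable-ipsecmod" in version_output


def parse_ipsecmod_settings(conf_text):
    """Collect ipsecmod-* settings from unbound.conf text.

    Trailing '#' comments are stripped; ipsecmod-whitelist may repeat,
    so it is collected as a list (trailing dot removed, lower-cased).
    """
    settings = {"enabled": False, "hook": None, "whitelist": []}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(ipsecmod-[a-z]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        if key == "ipsecmod-enabled":
            settings["enabled"] = value.lower() == "yes"
        elif key == "ipsecmod-hook":
            settings["hook"] = value or None
        elif key == "ipsecmod-whitelist":
            settings["whitelist"].append(value.rstrip(".").lower())
    return settings


def assess(version_output, conf_text):
    """Apply the advisory's conditions. Returns (exposed, reasons).

    All conditions must hold for `exposed` to be True; otherwise `reasons`
    names the first conditions that fail.
    """
    version = parse_version(version_output)
    s = parse_ipsecmod_settings(conf_text)
    reasons = []
    if not version_affected(version):
        reasons.append("version %d.%d.%d is outside the affected range" % version)
    if not built_with_ipsecmod(version_output):
        reasons.append("binary was not built with --enable-ipsecmod")
    if not s["enabled"]:
        reasons.append("ipsecmod-enabled is not set to yes")
    if s["hook"] is None:
        reasons.append("no ipsecmod-hook is configured")
    exposed = not reasons
    if exposed:
        scope = ("whitelisted domains: " + ", ".join(s["whitelist"])
                 if s["whitelist"] else "all domains with IPSECKEY records")
        reasons.append("ipsecmod active for %s; update to 1.9.5" % scope)
    return exposed, reasons


if __name__ == "__main__":
    exposed, reasons = assess(VERSION_OUTPUT, SAMPLE_CONF)
    print("exposed" if exposed else "not exposed")
    for r in reasons:
        print(" -", r)
```

For the FreeBSD port in this bug, `unbound -V` on a package built from the port shows no `--enable-ipsecmod` on the configure line, so `assess` reports "not exposed" even on 1.9.4, which is the point the maintainer makes in the note above; the version check still flags the package as needing the 1.9.5 update.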
Comment 1 Automation User 2019-11-19 15:43:33 UTC
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/96961291
Comment 2 Xin LI freebsd_committer freebsd_triage 2019-11-21 08:02:54 UTC
Ping?  This is a security update, please also MFH to 2019Q4.
Comment 3 Xin LI freebsd_committer freebsd_triage 2019-11-21 08:04:52 UTC
Please use "Approved by: ports-secteam (delphij)" when MFH'ing, thanks
Comment 4 Jochen Neumeister freebsd_committer freebsd_triage 2019-11-21 08:21:45 UTC
(In reply to Xin LI from comment #3)

thanks, but i am ports-secteam too ;-)
Comment 5 Jaap Akkerhuis 2019-11-21 09:17:37 UTC
(In reply to Xin LI from comment #2)
As I explained in the note, the port itself cannot enable the vulnerability. The only way to do that is for the user to change the port. So MFH is just to be on the very prudent side.
Comment 6 commit-hook freebsd_committer freebsd_triage 2019-11-23 12:51:39 UTC
A commit references this bug:

Author: joneum
Date: Sat Nov 23 12:51:00 UTC 2019
New revision: 518226
URL: https://svnweb.freebsd.org/changeset/ports/518226

Log:
  Add entry for dns/unbound

  PR:		242075
  Sponsored by:	Netzkommune GmbH

Changes:
  head/security/vuxml/vuln.xml
Comment 7 commit-hook freebsd_committer freebsd_triage 2019-11-23 12:54:44 UTC
A commit references this bug:

Author: joneum
Date: Sat Nov 23 12:54:17 UTC 2019
New revision: 518229
URL: https://svnweb.freebsd.org/changeset/ports/518229

Log:
  Update to 1.9.5

  Changelog: https://nlnetlabs.nl/projects/unbound/security-advisories/#vulnerability-in-ipsec-module

  PR:		242075
  Submitted by:	Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
  MFH:		2019Q4
  Sponsored by:	Netzkommune GmbH

Changes:
  head/dns/unbound/Makefile
  head/dns/unbound/distinfo
  head/dns/unbound/pkg-plist
Comment 8 commit-hook freebsd_committer freebsd_triage 2019-11-23 12:56:45 UTC
A commit references this bug:

Author: joneum
Date: Sat Nov 23 12:55:48 UTC 2019
New revision: 518230
URL: https://svnweb.freebsd.org/changeset/ports/518230

Log:
  MFH: r518229

  Update to 1.9.5

  Changelog: https://nlnetlabs.nl/projects/unbound/security-advisories/#vulnerability-in-ipsec-module

  PR:		242075
  Submitted by:	Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
  Sponsored by:	Netzkommune GmbH

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2019Q4/
  branches/2019Q4/dns/unbound/Makefile
  branches/2019Q4/dns/unbound/distinfo
  branches/2019Q4/dns/unbound/pkg-plist