Bug 266654

Summary: dns/unbound: Update to 1.16.3
Product: Ports & Packages
Reporter: Herbert J. Skuhra <herbert>
Component: Individual Port(s)
Assignee: Fernando Apesteguía <fernape>
Status: Closed FIXED
Severity: Affects Many People
CC: fernape, jaap, ports-secteam
Priority: ---
Keywords: security
Version: Latest
Flags: fernape: maintainer-feedback+
Hardware: Any
OS: Any
URL: https://nlnetlabs.nl/news/2022/Sep/21/unbound-1.16.3-released/
Attachments:
Description: Unbound 1.16.3
Flags: none

Description Herbert J. Skuhra 2022-09-27 10:50:36 UTC
Created attachment 236869
Unbound 1.16.3

The attached patch updates dns/unbound to version 1.16.3:

https://www.nlnetlabs.nl/projects/unbound/download/#unbound-1-16-3

Bug Fixes
    Patch for CVE-2022-3204 Non-Responsive Delegation Attack.

Tested on stable/13 and main.
Comment 1 Jaap Akkerhuis 2022-09-27 14:57:52 UTC
(In reply to Herbert J. Skuhra from comment #0)
I was just about to send the same patch. I tested on all official releases, so yup, approved.
Comment 2 Fernando Apesteguía freebsd_committer freebsd_triage 2022-09-28 05:19:06 UTC
^Triage: If there is a changelog or release notes URL available for this version, please add it to the URL field.


Thanks!
Comment 3 Jaap Akkerhuis 2022-09-28 09:53:56 UTC
(In reply to Fernando Apesteguía from comment #2)
I cannot add the URL, but it is: <https://nlnetlabs.nl/news/2022/Sep/21/unbound-1.16.3-released/>

I quote the text below:

Published: Wed 21 September 2022
We are pleased to announce the release of version 1.16.3 of the Unbound recursive DNS resolver.

This release fixes CVE-2022-3204 'Non-Responsive Delegation Attack'. It was reported by Yehuda Afek from Tel-Aviv University and Anat Bremler-Barr and Shani Stajnrod from Reichman University.

This fixes for better performance when under load, by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can look in the cache for missing records.

For a full list of changes and binary and source packages, see the download page.
Comment 4 commit-hook freebsd_committer freebsd_triage 2022-09-29 05:42:41 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=90c18b46cfbe234e0d483984cf44cc1867935ab8

commit 90c18b46cfbe234e0d483984cf44cc1867935ab8
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2022-09-29 05:35:45 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2022-09-29 05:35:45 +0000

    security/vuxml: Document unbound vulnerability

    PR:     266654
    Reported by:    Herbert J. Skuhra <herbert@gojira.at>
    Security:       CVE-2022-3204

 security/vuxml/vuln-2022.xml | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
Comment 5 commit-hook freebsd_committer freebsd_triage 2022-09-29 05:43:43 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=2efbd2b027c85ab8a3ec41de872affb7dc5963de

commit 2efbd2b027c85ab8a3ec41de872affb7dc5963de
Author:     Herbert J. Skuhra <herbert@gojira.at>
AuthorDate: 2022-09-28 05:16:17 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2022-09-29 05:39:14 +0000

    dns/unbound: Update to 1.16.3

    ChangeLog: https://nlnetlabs.nl/news/2022/Sep/21/unbound-1.16.3-released/

    Fixes Non-Responsive Delegation Attack.

    PR:             266654
    Reported by:    herbert@gojira.at
    Approved by:    jaap@NLnetLabs.nl (maintainer)
    Security:       CVE-2022-3204

 dns/unbound/Makefile  | 2 +-
 dns/unbound/distinfo  | 6 +++---
 dns/unbound/pkg-plist | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
Comment 6 Fernando Apesteguía freebsd_committer freebsd_triage 2022-09-29 05:43:58 UTC
Committed,

Thanks!

Note: not MFH since we are just about to create Q4.