Bug 241033 - dns/unbound:Update to 1.9.4 (fixes CVE-2019-16866)
Summary: dns/unbound:Update to 1.9.4 (fixes CVE-2019-16866)
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Sunpoet Po-Chuan Hsieh
URL: https://nlnetlabs.nl/pipermail/unboun...
Keywords: security
Depends on:
Reported: 2019-10-03 09:44 UTC by C
Modified: 2019-10-11 05:39 UTC (History)
3 users (show)

See Also:
koobs: maintainer-feedback+
koobs: merge-quarterly?

Patch to upgrade (1.20 KB, patch)
2019-10-03 19:09 UTC, Jaap Akkerhuis
jaap: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Jaap Akkerhuis 2019-10-03 19:09:48 UTC
Created attachment 208071 [details]
Patch to upgrade

This release is a fix for vulnerability CVE-2019-16866 that causes a
failure when a specially crafted query is received.

Bug Fixes:
- Fix for the reported vulnerability.

The CVE number for this vulnerability is CVE-2019-16866

== Summary
Recent versions of Unbound contain a problem that may cause Unbound to
crash after receiving a specially crafted query. This issue can only be
triggered by queries received from addresses allowed by Unbound's ACL.

== Affected products
Unbound 1.7.1 up to and including 1.9.3.

== Description
Due to an error in parsing NOTIFY queries, it is possible for Unbound to
continue processing malformed queries and may ultimately result in a
pointer dereference in uninitialized memory. This results in a crash of
the Unbound daemon.

Whether this issue leads to a crash depends on the content of the
uninitialized memory space and cannot be predicted. This issue can only
be triggered by queries received from addresses that are allowed to send
queries according to Unbound's ACL (access-control in the Unbound
Comment 2 commit-hook freebsd_committer 2019-10-03 19:29:13 UTC
A commit references this bug:

Author: sunpoet
Date: Thu Oct  3 19:28:48 UTC 2019
New revision: 513730
URL: https://svnweb.freebsd.org/changeset/ports/513730

  Update to 1.9.4

  Changes:	https://github.com/NLnetLabs/unbound/blob/master/doc/Changelog
  PR:		241033
  Reported by:	C <cm@appliedprivacy.net>
  Submitted by:	Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
  Security:	108a4be3-e612-11e9-9963-5f1753e0aca0
  MFH:		2019Q4

Comment 3 Sunpoet Po-Chuan Hsieh freebsd_committer 2019-10-03 19:32:21 UTC
Committed. Thanks!
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2019-10-05 10:47:41 UTC
^Triage: VuXML entry was added in ports r513729.

Re-open pending MFH

@Sunpoet Please include PR: references for VuXMl entries so they're tracked in issues too.
Comment 5 swegen 2019-10-11 05:39:51 UTC
Thanks for re-opening.

It has now been a week waiting for the MFH to 2019Q4.

The users using this port from the default pkg(8) repository receive daily security status mails from periodic(8) reminding dns/unbound being vulnerable.