Bug 242075 - [MAINTAINER] dns/unbound: Update to unbound version 1.9.5, fixes vulnerability CVE-2019-18934
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Jochen Neumeister
URL:
Keywords: buildisok
Depends on:
Blocks:
 
Reported: 2019-11-19 12:27 UTC by Jaap Akkerhuis
Modified: 2019-11-23 12:57 UTC

See Also:
jaap: maintainer-feedback+
delphij: merge-quarterly+


Attachments
patch to update (1.20 KB, patch)
2019-11-19 12:27 UTC, Jaap Akkerhuis
jaap: maintainer-approval+

Description Jaap Akkerhuis 2019-11-19 12:27:22 UTC
Created attachment 209248 [details]
patch to update

Note:
The port doesn't have an option to enable the vulnerable module ipsecmod, so the port itself is not affected by the reported CVE.


This release is a fix for vulnerability CVE-2019-18934, that can cause
shell execution in ipsecmod.

Bug Fixes:
- Fix for the reported vulnerability.

The CVE number for this vulnerability is CVE-2019-18934

== Summary
Recent versions of Unbound contain a vulnerability that can cause shell
code execution after receiving a specially crafted answer. This issue
can only be triggered if unbound was compiled with `--enable-ipsecmod`
support, and ipsecmod is enabled and used in the configuration.

== Affected products
Unbound 1.6.4 up to and including 1.9.4.

== Description
Due to unsanitized characters passed to the ipsecmod-hook shell command,
it is possible for Unbound to allow shell code execution from a
specially crafted IPSECKEY answer.

This issue can only be triggered when *all* of the below conditions are met:
* unbound was compiled with `--enable-ipsecmod` support, and
* ipsecmod is enabled and used in the configuration, and
* a domain is part of the ipsecmod-whitelist (if ipsecmod-whitelist is
  used), and
* unbound receives an A/AAAA query for a domain that has an A/AAAA
  record(s) *and* an IPSECKEY record(s) available.

The shell code execution can then happen if either the qname or the
gateway field of the IPSECKEY (when gateway type == 3) contain a
specially crafted domain name.

See also
https://nlnetlabs.nl/projects/unbound/security-advisories/#vulnerability-in-ipsec-module
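The advisory above says exposure needs a build with `--enable-ipsecmod` and a configuration that actually loads ipsecmod, on an affected version. The script below is an added example, not code from this PR, the port or Unbound: it parses the two pieces of host state that decide the first two conditions, plus the version range. It assumes (these are my assumptions, not stated on the page) that `unbound -V` prints a `Version x.y.z` line and a `Linked modules:` line naming the compiled-in modules, and that `unbound-checkconf -o module-config` prints the effective `module-config` value; the helper names are mine.

```shell
#!/bin/sh
# Added example, not code from the PR or from Unbound: check whether a host can meet the
# ipsecmod conditions from the CVE-2019-18934 advisory.
# Assumptions (mine, not from the page): `unbound -V` prints "Version x.y.z" and a
# "Linked modules: ..." line; `unbound-checkconf -o module-config` prints the effective
# module-config value of the active configuration.

# Succeeds when the given `unbound -V` output has a "Linked modules:" line naming
# ipsecmod, i.e. the binary was built with --enable-ipsecmod.
built_with_ipsecmod() {
    printf '%s\n' "$1" |
        grep -E '^Linked modules:.*[[:space:]]ipsecmod([[:space:]]|$)' >/dev/null
}

# Succeeds when a module-config value (with or without quotes) lists ipsecmod.
module_config_enables_ipsecmod() {
    printf '%s\n' "$1" |
        grep -E '(^|[[:space:]"])ipsecmod([[:space:]"]|$)' >/dev/null
}

# Turns "major.minor.patch" into one comparable integer; suffixes such as "rc1" are dropped.
version_key() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Succeeds when the version lies in the advisory's affected range 1.6.4 .. 1.9.4.
version_affected() {
    k=$(version_key "$1")
    [ "$k" -ge "$(version_key 1.6.4)" ] && [ "$k" -le "$(version_key 1.9.4)" ]
}

# Runs the real commands on this host and prints a verdict.
# Return: 0 = all three checks hit (update to 1.9.5), 1 = not exposed, 2 = unbound absent.
assess_unbound_host() {
    command -v unbound >/dev/null 2>&1 || { echo "unbound is not installed"; return 2; }
    vout=$(unbound -V 2>/dev/null)
    ver=$(printf '%s\n' "$vout" | sed -n 's/^Version //p' | head -n 1)
    mc=$(unbound-checkconf -o module-config 2>/dev/null)
    if version_affected "$ver" && built_with_ipsecmod "$vout" \
        && module_config_enables_ipsecmod "$mc"; then
        echo "EXPOSED: unbound $ver is built with ipsecmod and module-config loads it; update to 1.9.5"
        return 0
    fi
    echo "not exposed: version $ver outside 1.6.4..1.9.4, or ipsecmod not built in / not enabled"
    return 1
}

# Entry point: print the verdict for this host (the verdict is also the return code of
# assess_unbound_host for callers that source this file).
assess_unbound_host || :
```

The version check alone is what `pkg audit` would flag from the VuXML entry added in this PR; the two module checks are what separate "affected version installed" from "the vulnerable code path can actually run", which is the distinction the maintainer draws in the note above (the port never builds ipsecmod unless the user changes it).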
Comment 1 Automation User 2019-11-19 15:43:33 UTC
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/96961291
Comment 2 Xin LI freebsd_committer 2019-11-21 08:02:54 UTC
Ping?  This is a security update, please also MFH to 2019Q4.
Comment 3 Xin LI freebsd_committer 2019-11-21 08:04:52 UTC
Please use "Approved by: ports-secteam (delphij)" when MFH'ing, thanks
Comment 4 Jochen Neumeister freebsd_committer 2019-11-21 08:21:45 UTC
(In reply to Xin LI from comment #3)

thanks, but I am ports-secteam too ;-)
Comment 5 Jaap Akkerhuis 2019-11-21 09:17:37 UTC
(In reply to Xin LI from comment #2)
As I explained in the note, the port itself cannot enable the vulnerability. The only way to do that is for the user to change the port. So MFH is just to be on the very prudent side.
Comment 6 commit-hook freebsd_committer 2019-11-23 12:51:39 UTC
A commit references this bug:

Author: joneum
Date: Sat Nov 23 12:51:00 UTC 2019
New revision: 518226
URL: https://svnweb.freebsd.org/changeset/ports/518226

Log:
  Add entry for dns/unbound

  PR:		242075
  Sponsored by:	Netzkommune GmbH

Changes:
  head/security/vuxml/vuln.xml
Comment 7 commit-hook freebsd_committer 2019-11-23 12:54:44 UTC
A commit references this bug:

Author: joneum
Date: Sat Nov 23 12:54:17 UTC 2019
New revision: 518229
URL: https://svnweb.freebsd.org/changeset/ports/518229

Log:
  Update to 1.9.5

  Changelog: https://nlnetlabs.nl/projects/unbound/security-advisories/#vulnerability-in-ipsec-module

  PR:		242075
  Submitted by:	Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
  MFH:		2019Q4
  Sponsored by:	Netzkommune GmbH

Changes:
  head/dns/unbound/Makefile
  head/dns/unbound/distinfo
  head/dns/unbound/pkg-plist
Comment 8 commit-hook freebsd_committer 2019-11-23 12:56:45 UTC
A commit references this bug:

Author: joneum
Date: Sat Nov 23 12:55:48 UTC 2019
New revision: 518230
URL: https://svnweb.freebsd.org/changeset/ports/518230

Log:
  MFH: r518229

  Update to 1.9.5

  Changelog: https://nlnetlabs.nl/projects/unbound/security-advisories/#vulnerability-in-ipsec-module

  PR:		242075
  Submitted by:	Jaap Akkerhuis <jaap@NLnetLabs.nl> (maintainer)
  Sponsored by:	Netzkommune GmbH

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2019Q4/
  branches/2019Q4/dns/unbound/Makefile
  branches/2019Q4/dns/unbound/distinfo
  branches/2019Q4/dns/unbound/pkg-plist