Summary:
unbound security update
Severity: High
Advisory ID: KylinSec-SA-2024-1474
Published: 2024-03-01
Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. To help increase online privacy, Unbound supports DNS-over-TLS which allows clients to encrypt their communication. Unbound is available for most platforms such as FreeBSD, OpenBSD, NetBSD, MacOS, Linux and Microsoft Windows. Unbound is a totally free, open source software under the BSD license. It doesn't make custom builds or provide specific features to paying customers only.
Security Fix(es):
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. (CVE-2023-50387)
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations. (CVE-2023-50868)
A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw allows an unprivileged attacker to manipulate a running instance, potentially altering forwarders, allowing them to track all queries forwarded by the local resolver, and, in some cases, disrupting resolving altogether. (CVE-2024-1488)
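To make the NSEC3 cost behind CVE-2023-50868 concrete, here is an added example (written for this advisory, not Unbound's own code): it computes RFC 5155 NSEC3 hashes, counts the SHA-1 invocations a closest encloser proof needs for a query name with several labels below the apex, and applies the kind of iteration cap RFC 9276 recommends so a validator stops instead of burning CPU. The salt aabbccdd and 12 iterations are the parameters from RFC 5155 Appendix A; the cap of 150 is an assumed figure for illustration, not Unbound's default.

```python
import base64
import hashlib

# Added example: RFC 5155 NSEC3 hashing and the per-proof SHA-1 cost that a
# random-subdomain attack drives up, with a validator-side iteration cap.

_B32_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                            "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: H(x || salt), then `iterations` further rounds of H(prev || salt)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # NSEC3 owner names use base32hex (RFC 4648), here derived from base32.
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_HEX).lower()


def closest_encloser_candidates(qname: str, apex: str) -> list:
    """Every ancestor from qname up to the apex may be hashed while searching the closest encloser."""
    q = qname.lower().rstrip(".").split(".")
    a = apex.lower().rstrip(".").split(".")
    assert q[-len(a):] == a, "qname must lie under apex"
    return [".".join(q[i:]) for i in range(len(q) - len(a) + 1)]


def proof_cost(qname: str, apex: str, salt_hex: str, iterations: int, max_iterations: int):
    """Return (hashes, sha1_calls) for one closest encloser proof.

    Above the cap (an assumed value, not Unbound's setting) the validator
    refuses to hash at all and returns (None, 0): the proof is treated as
    unusable rather than spending CPU on it, as RFC 9276 advises."""
    if iterations > max_iterations:
        return None, 0
    cands = closest_encloser_candidates(qname, apex)
    hashes = [nsec3_hash(c, salt_hex, iterations) for c in cands]
    return hashes, len(cands) * (iterations + 1)
```

The apex hash for "example" with these parameters matches the NSEC3 owner name RFC 5155 Appendix A lists for the apex, and the SHA-1 count grows as labels times (iterations + 1), which is why both a high iteration count and a deep random name matter.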
CVE | Product | Component | Status |
---|---|---|---|
CVE-2023-50387 | KY3.4-5A | unbound | Fixed |
CVE-2023-50387 | KY3.5.2 | unbound | Fixed |
CVE-2023-50868 | KY3.4-5A | unbound | Fixed |
CVE-2023-50868 | KY3.5.2 | unbound | Fixed |
CVE-2024-1488 | KY3.4-5A | unbound | Fixed |
CVE-2024-1488 | KY3.5.2 | unbound | Fixed |
Package | Architecture | Version |
---|---|---|
unbound-help | x86_64 | 1.11.0-11.kb1.ky3_4 |
python3-unbound | x86_64 | 1.11.0-11.kb1.ky3_4 |
unbound | x86_64 | 1.11.0-11.kb1.ky3_4 |
unbound-devel | x86_64 | 1.11.0-11.kb1.ky3_4 |
unbound-libs | x86_64 | 1.11.0-11.kb1.ky3_4 |
python3-unbound | aarch64 | 1.11.0-11.kb1.ky3_4 |
unbound-devel | aarch64 | 1.11.0-11.kb1.ky3_4 |
unbound-help | aarch64 | 1.11.0-11.kb1.ky3_4 |
unbound-libs | aarch64 | 1.11.0-11.kb1.ky3_4 |
unbound | aarch64 | 1.11.0-11.kb1.ky3_4 |
Package | Architecture | Version |
---|---|---|
python3-unbound | x86_64 | 1.13.2-11.ky3_5 |
unbound | x86_64 | 1.13.2-11.ky3_5 |
unbound-devel | x86_64 | 1.13.2-11.ky3_5 |
unbound-help | x86_64 | 1.13.2-11.ky3_5 |
unbound-libs | x86_64 | 1.13.2-11.ky3_5 |
unbound | aarch64 | 1.13.2-11.ky3_5 |
unbound-help | aarch64 | 1.13.2-11.ky3_5 |
unbound-devel | aarch64 | 1.13.2-11.ky3_5 |
python3-unbound | aarch64 | 1.13.2-11.ky3_5 |
unbound-libs | aarch64 | 1.13.2-11.ky3_5 |
Method 1: download the package and upgrade from it
1. Download the required upgrade package via the download link and save it, e.g. xxx.rpm
2. Upgrade with the rpm command, e.g. rpm -Uvh xxx.rpm
Method 2: upgrade from the software repository
1. Make sure the system can reach the Internet
2. Upgrade the specified package with the yum command, e.g. yum install <package-name>