[Bug 242075] [MAINTAINER] dns/unbound: Update to unbound version 1.9.5, fixes vulnerability CVE-2019-18934

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Nov 19 12:27:23 UTC 2019


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242075

            Bug ID: 242075
           Summary: [MAINTAINER] dns/unbound: Update to unbound version
                    1.9.5, fixes vulnerability CVE-2019-18934
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs at FreeBSD.org
          Reporter: jaap at NLnetLabs.nl
 Attachment #209248 maintainer-approval+
             Flags:
             Flags: maintainer-feedback-

Created attachment 209248
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=209248&action=edit
patch to update

Note:
The port doesn't have an option to enable the vulnerable module ipsecmod, so the
port itself is not affected by the reported CVE.


This release is a fix for vulnerability CVE-2019-18934, that can cause
shell execution in ipsecmod.

Bug Fixes:
- Fix for the reported vulnerability.

The CVE number for this vulnerability is CVE-2019-18934

== Summary
Recent versions of Unbound contain a vulnerability that can cause shell
code execution after receiving a specially crafted answer. This issue
can only be triggered if unbound was compiled with `--enable-ipsecmod`
support, and ipsecmod is enabled and used in the configuration.

== Affected products
Unbound 1.6.4 up to and including 1.9.4.

== Description
Due to unsanitized characters passed to the ipsecmod-hook shell command,
it is possible for Unbound to allow shell code execution from a
specially crafted IPSECKEY answer.

This issue can only be triggered when *all* of the below conditions are met:
* unbound was compiled with `--enable-ipsecmod` support, and
* ipsecmod is enabled and used in the configuration, and
* a domain is part of the ipsecmod-whitelist (if ipsecmod-whitelist is
  used), and
* unbound receives an A/AAAA query for a domain that has an A/AAAA
  record(s) *and* an IPSECKEY record(s) available.

The shell code execution can then happen if either the qname or the
gateway field of the IPSECKEY (when gateway type == 3) contains a
specially crafted domain name.

See also
https://nlnetlabs.nl/projects/unbound/security-advisories/#vulnerability-in-ipsec-module

-- 
You are receiving this mail because:
You are the assignee for the bug.
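
The description in the message above traces the flaw to unsanitized characters in the qname or the IPSECKEY gateway name reaching the ipsecmod-hook shell command. The following is an added example, not code from the port, the attached patch or Unbound itself: an allowlist check applied to both names before they are handed to an external hook as separate arguments rather than as a shell string. The function names, the argv layout and the sample names in the comments are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define MAX_NAME_LEN 253  /* longest presentation-format domain name */

/* Return 1 if name holds only characters that are inert to a shell
 * (letters, digits, '-', '_', '.'), is non-empty, fits in a domain
 * name, and cannot be mistaken for a command-line option. */
int name_is_hook_safe(const char *name)
{
    size_t i, len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_NAME_LEN || name[0] == '-')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Fill argv for an exec-style call (no shell involved). gateway may be
 * NULL when the IPSECKEY gateway is not a domain name (type != 3).
 * Hypothetical layout: hook path, qname, optional gateway name.
 * Returns the argument count, or -1 if any name is rejected. */
int build_hook_argv(const char *hook, const char *qname,
                    const char *gateway, const char *argv[4])
{
    int n = 0;

    if (hook == NULL || !name_is_hook_safe(qname))
        return -1;
    if (gateway != NULL && !name_is_hook_safe(gateway))
        return -1;
    argv[n++] = hook;
    argv[n++] = qname;
    if (gateway != NULL)
        argv[n++] = gateway;
    argv[n] = NULL;
    return n;
}
```

A resolver using a check like this would skip the hook and log the rejected name when `build_hook_argv` returns -1, which also gives operators a signal that an answer carried unexpected characters.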

