-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1864
                          unbound security update
                                27 May 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           unbound
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-12663 CVE-2020-12662 

Reference:         ESB-2020.1843

Original Bulletin: 
   http://www.debian.org/security/2020/dsa-4694

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4694-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 26, 2020                          https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : unbound
CVE ID         : CVE-2020-12662 CVE-2020-12663

Two vulnerabilities have been discovered in Unbound, a recursive-only
caching DNS server: a traffic amplification attack against third party
authoritative name servers (NXNSAttack), and insufficient sanitisation
of replies from upstream servers, which could result in denial of service
via an infinite loop.

The version of Unbound in the oldstable distribution (stretch) is
no longer supported. If these security issues affect your setup, you
should upgrade to the stable distribution (buster).

For the stable distribution (buster), these problems have been fixed in
version 1.9.0-2+deb10u2.

We recommend that you upgrade your unbound packages.

For the detailed security status of unbound please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/unbound

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----