===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2020.1864
unbound security update
27 May 2020

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           unbound
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-12663 CVE-2020-12662

Reference:         ESB-2020.1843

Original Bulletin:
   http://www.debian.org/security/2020/dsa-4694

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4694-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 26, 2020                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : unbound
CVE ID         : CVE-2020-12662 CVE-2020-12663

Two vulnerabilities have been discovered in Unbound, a recursive-only
caching DNS server; a traffic amplification attack against third party
authoritative name servers (NXNSAttack) and insufficient sanitisation
of replies from upstream servers could result in denial of service via
an infinite loop.

The version of Unbound in the oldstable distribution (stretch) is no
longer supported. If these security issues affect your setup, you should
upgrade to the stable distribution (buster).

For the stable distribution (buster), these problems have been fixed in
version 1.9.0-2+deb10u2.

We recommend that you upgrade your unbound packages.

For the detailed security status of unbound please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/unbound

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================