Your message dated Fri, 12 Aug 2022 11:04:40 +0000
with message-id <e1omst2-00ga99...@fasolo.debian.org>
and subject line Bug#1016493: fixed in unbound 1.16.2-1
has caused the Debian Bug report #1016493,
regarding unbound: CVE-2022-30698 CVE-2022-30699
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1016493: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016493
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: unbound
Version: 1.16.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerabilities were published for unbound.
CVE-2022-30698[0]:
| NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable
| to a novel type of the "ghost domain names" attack. The vulnerability
| works by targeting an Unbound instance. Unbound is queried for a
| subdomain of a rogue domain name. The rogue nameserver returns
| delegation information for the subdomain that updates Unbound's
| delegation cache. This action can be repeated before expiry of the
| delegation information by querying Unbound for a second level
| subdomain for which the rogue nameserver provides new delegation
| information. Since Unbound is a child-centric resolver, the
| ever-updating child delegation information can keep a rogue domain name
| resolvable long after revocation. From version 1.16.2 on, Unbound
| checks the validity of parent delegation records before using cached
| delegation information.
CVE-2022-30699[1]:
| NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable
| to a novel type of the "ghost domain names" attack. The vulnerability
| works by targeting an Unbound instance. Unbound is queried for a rogue
| domain name when the cached delegation information is about to expire.
| The rogue nameserver delays the response so that the cached delegation
| information is expired. Upon receiving the delayed answer containing
| the delegation information, Unbound overwrites the now expired
| entries. This action can be repeated when the delegation information
| is about to expire, making the rogue delegation information
| ever-updating. From version 1.16.2 on, Unbound stores the start time for a
| query and uses that to decide if the cached delegation information can
| be overwritten.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-30698
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30698
[1] https://security-tracker.debian.org/tracker/CVE-2022-30699
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30699
[2] https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt
[3] https://github.com/NLnetLabs/unbound/commit/f6753a0f1018133df552347a199e0362fc1dac68
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
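Both CVE texts in the report above describe the same weakness from two angles: a child-centric resolver keeps using cached child-side NS records without going back to the parent, so whoever controls the child zone can keep feeding it fresh delegation data. The Python model below is an added illustration written for this page; it is not Unbound's code and not part of the bug report or of the upstream fix. It replays both attacks against a toy delegation cache, then re-runs them with a model of each mitigation the CVE texts name (a parent-referral validity check for CVE-2022-30698, and judging cache overwrites against the query start time for CVE-2022-30699). The zone names, TTLs, the five-second delay and the check_parent/use_qstart switches are all constructed for the model; real Unbound also tracks per-RRset trust levels and glue, which the model leaves out.

```python
from collections import namedtuple
from dataclasses import dataclass, field

NSEntry = namedtuple("NSEntry", "servers expires")  # nameserver names, absolute expiry (s)


@dataclass
class DelegationCache:
    # Mitigation switches are this model's own (not Unbound options); both off by default.
    check_parent: bool = False  # CVE-2022-30698: require unexpired parent referrals
    use_qstart: bool = False    # CVE-2022-30699: judge overwrites at query start time
    parent_side: dict = field(default_factory=dict)  # zone -> NSEntry from the parent's referral
    child_side: dict = field(default_factory=dict)   # zone -> NSEntry from the child's own answer

    @staticmethod
    def ancestors(name):  # a.b.c -> ['a.b.c', 'b.c', 'c']
        labels = name.split(".")
        return [".".join(labels[i:]) for i in range(len(labels))]

    def store_referral(self, zone, servers, ttl, now):
        self.parent_side[zone] = NSEntry(servers, now + ttl)

    def store_child_ns(self, zone, servers, ttl, now, qstart):
        """Store an NS set answered by the child zone itself; True if stored.
        Model assumption: an unexpired entry of equal trust is never replaced."""
        old = self.child_side.get(zone)
        # Vulnerable: expiry judged when the reply arrives, so a reply delayed past
        # expiry refreshes the entry.  Mitigated: judged at query start, so a reply
        # to a query begun while the entry was still valid cannot replace it.
        reference = qstart if self.use_qstart else now
        if old is not None and old.expires > reference:
            return False
        self.child_side[zone] = NSEntry(servers, now + ttl)
        return True

    def find_delegation(self, name, now):
        """Closest cached delegation usable for name, or None (go back to the parent)."""
        for zone in self.ancestors(name):
            entry = self.child_side.get(zone)
            if entry is None or entry.expires <= now:
                continue
            if self.check_parent:
                # every referral from the real parent down to this zone must be unexpired (TLD assumed known)
                chain = self.ancestors(zone)[:-1]
                if not all(z in self.parent_side and self.parent_side[z].expires > now
                           for z in chain):
                    return None
            return entry.servers
        return None


ROGUE_NS = ("ns.rogue.example",)  # constructed attacker nameserver


def seed(cache, ttl):  # t=0: legitimate lookup while the parent still delegates rogue.example
    cache.store_referral("rogue.example", ROGUE_NS, ttl, 0)
    cache.store_child_ns("rogue.example", ROGUE_NS, ttl, 0, 0)


def ghost_via_subdomains(fixed, ttl=3600, horizon=86400):
    """CVE-2022-30698 replay: the parent revokes rogue.example right after t=0, the
    attacker keeps asking for ever-deeper subdomains and the rogue server answers
    each with a referral.  True if the rogue tree is still resolvable at horizon."""
    cache = DelegationCache(check_parent=fixed)
    seed(cache, ttl)
    name, t = "rogue.example", ttl // 2
    while t < horizon:
        name = "sub." + name
        if cache.find_delegation(name, t) is None:
            return False  # had to ask the real parent, which now answers NXDOMAIN
        cache.store_referral(name, ROGUE_NS, ttl, t)  # referral served by the rogue zone
        cache.store_child_ns(name, ROGUE_NS, ttl, t, t)
        t += ttl // 2
    return cache.find_delegation(name, horizon) is not None


def ghost_via_delayed_answer(fixed, ttl=3600, delay=5, horizon=86400):
    """CVE-2022-30699 replay: each query goes out just before the cached delegation
    expires and the rogue server stalls its reply (carrying a fresh NS set) until
    after expiry.  True if rogue.example is still resolvable at horizon."""
    cache = DelegationCache(use_qstart=fixed)
    seed(cache, ttl)
    qstart = ttl - 2
    while qstart < horizon:
        if cache.find_delegation("www.rogue.example", qstart) is None:
            return False
        arrived = qstart + delay  # reply lands after the entry expired
        cache.store_child_ns("rogue.example", ROGUE_NS, ttl, arrived, qstart)
        entry = cache.child_side["rogue.example"]
        if entry.expires <= arrived:
            return False  # not refreshed: the next lookup goes to the parent
        qstart = entry.expires - 2
    return True


if __name__ == "__main__":
    for attack in (ghost_via_subdomains, ghost_via_delayed_answer):
        print(f"{attack.__name__}: vulnerable={attack(False)} fixed={attack(True)}")
```

Running it prints vulnerable=True fixed=False for both scenarios. The detail worth keeping in mind from the second mitigation is that the delayed reply is rejected not because it arrived late in absolute terms, but because the query it answers was started while the old entry was still valid; a query started after expiry is still allowed to refresh the delegation normally.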
--- Begin Message ---
Source: unbound
Source-Version: 1.16.2-1
Done: Michael Tokarev <m...@tls.msk.ru>
We believe that the bug you reported is fixed in the latest version of
unbound, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1016...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <m...@tls.msk.ru> (supplier of updated unbound package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 12 Aug 2022 12:57:33 +0300
Source: unbound
Architecture: source
Version: 1.16.2-1
Distribution: unstable
Urgency: medium
Maintainer: unbound packagers <unbo...@packages.debian.org>
Changed-By: Michael Tokarev <m...@tls.msk.ru>
Closes: 1016493
Changes:
unbound (1.16.2-1) unstable; urgency=medium
.
* new upstream minor release with many bugfixes and 2 features.
Closes: #1016493, CVE-2022-30698, CVE-2022-30699
* d/unbound.docs: install doc/Changelog file
* d/copyright: mark debian/patches/* as GPL-2 (#1013957)
(not closing the bug since it is more than d/patches/)
Checksums-Sha1:
fc94e8d311ed9f55aedb0255635d85288548453a 2843 unbound_1.16.2-1.dsc
9aea0e923b9d6779b5bc360094e24a4017e2bb25 6204297 unbound_1.16.2.orig.tar.gz
3b8ef6eb285bfb6577b0f15ad83cfd5adb9f2159 833 unbound_1.16.2.orig.tar.gz.asc
c3a3fb0ff7c714d4df7fb0005c78458d261d4c90 28460 unbound_1.16.2-1.debian.tar.xz
3db45172160bd67a562b38513710e15f427c0361 7760 unbound_1.16.2-1_source.buildinfo
Checksums-Sha256:
74d1a4ad407b5cf31bd796c0f6d1a7570ac403caa5344d7667d84f991d10da28 2843 unbound_1.16.2-1.dsc
2e32f283820c24c51ca1dd8afecfdb747c7385a137abe865c99db4b257403581 6204297 unbound_1.16.2.orig.tar.gz
586403278ddf4de213f3b5a5c46f81e87822546c62e08c8be12de39aea069b35 833 unbound_1.16.2.orig.tar.gz.asc
8101ea951301508489e22a698a139c96436fac2a3d6c06b125fef7eaec4b6213 28460 unbound_1.16.2-1.debian.tar.xz
ada233ccf1c787ecff08b70bcb6d12d34727bc4ad1e6c5bd06973ba8f7f2a444 7760 unbound_1.16.2-1_source.buildinfo
Files:
faef42f0a45c24220de088f033c4ec17 2843 net optional unbound_1.16.2-1.dsc
974cbd17e2e2373f36bfce0ad5b1d4a1 6204297 net optional unbound_1.16.2.orig.tar.gz
61e4f9e3c7e40867555a2690e73f1942 833 net optional unbound_1.16.2.orig.tar.gz.asc
be71ba23eff3ce7fc879f7d488552d3a 28460 net optional unbound_1.16.2-1.debian.tar.xz
12f76455699d212bc621fdede6a4d9de 7760 net optional unbound_1.16.2-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQFDBAEBCAAtFiEEe3O61ovnosKJMUsicBtPaxppPlkFAmL2JgsPHG1qdEB0bHMu
bXNrLnJ1AAoJEHAbT2saaT5ZxGwH/jSU1nsxEEj/NMTl4abLinNfupdBlRiM6jip
hMVlXNAqEq4IFfY20KEhgQ+Z05ntsE4U27dnh5ID4Amvt/6QStDd1I5Vvq+1Khxm
kYKCS104726jxXw/pP2wFpKCTrGq5qkmt7E5zR5vVxAK0UBu/J0xbiIAgrs3ZneX
x9pwr+lqTIcDcoc+XSLnIdkAfwQVhdy4qs6nc1LVljsNys9cLbykfRjc08uWCRcD
NTw6BFT0hDbFrnI9J+DTjxus5eDlQxAhxpkoDz49zsU8ScVOJ35lG+5whdNSdz27
my7+wVmOd4IAOaVRceweoXlsf5cEHNjobHzujHv1BF0R8wGUU6w=
=a3VD
-----END PGP SIGNATURE-----
--- End Message ---