Security update for unbound SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0913-1 Final 1 1 2020-06-29T18:20:32Z current 2020-06-29T18:20:32Z 2020-06-29T18:20:32Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for unbound This update for unbound fixes the following issues: - CVE-2020-12662: Fixed an issue where unbound could have been tricked into amplifying an incoming query into a large number of queries directed to a target (bsc#1171889). - CVE-2020-12663: Fixed an issue where malformed answers from upstream name servers could have been used to make unbound unresponsive (bsc#1171889). - CVE-2019-18934: Fixed a vulnerability in the IPSec module which could have allowed code execution after receiving a special crafted answer (bsc#1157268). This update was imported from the SUSE:SLE-15-SP1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-913 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T55GJ6QH6PJCNSGR6UDZXXY5UJWCQYT3/ E-Mail link for openSUSE-SU-2020:0913-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1157268 SUSE Bug 1157268 https://bugzilla.suse.com/1171889 SUSE Bug 1171889 https://www.suse.com/security/cve/CVE-2019-18934/ SUSE CVE CVE-2019-18934 page https://www.suse.com/security/cve/CVE-2020-12662/ SUSE CVE CVE-2020-12662 page https://www.suse.com/security/cve/CVE-2020-12663/ SUSE CVE CVE-2020-12663 page openSUSE Leap 15.2 libunbound-devel-mini-1.6.8-lp152.9.3.1 libunbound2-1.6.8-lp152.9.3.1 unbound-1.6.8-lp152.9.3.1 unbound-anchor-1.6.8-lp152.9.3.1 unbound-devel-1.6.8-lp152.9.3.1 unbound-munin-1.6.8-lp152.9.3.1 unbound-python-1.6.8-lp152.9.3.1 libunbound-devel-mini-1.6.8-lp152.9.3.1 as a component of openSUSE Leap 15.2 libunbound2-1.6.8-lp152.9.3.1 as a component of openSUSE Leap 15.2 unbound-1.6.8-lp152.9.3.1 as a component of openSUSE Leap 15.2 unbound-anchor-1.6.8-lp152.9.3.1 as a component of openSUSE Leap 15.2 unbound-devel-1.6.8-lp152.9.3.1 as a component of openSUSE Leap 15.2 unbound-munin-1.6.8-lp152.9.3.1 as a component of openSUSE Leap 15.2 unbound-python-1.6.8-lp152.9.3.1 as a component of openSUSE Leap 15.2 Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration. CVE-2019-18934 openSUSE Leap 15.2:libunbound-devel-mini-1.6.8-lp152.9.3.1 openSUSE Leap 15.2:libunbound2-1.6.8-lp152.9.3.1 openSUSE Leap 15.2:unbound-1.6.8-lp152.9.3.1 openSUSE Leap 15.2:unbound-anchor-1.6.8-lp152.9.3.1 openSUSE Leap 15.2:unbound-devel-1.6.8-lp152.9.3.1 openSUSE Leap 15.2:unbound-munin-1.6.8-lp152.9.3.1 openSUSE Leap 15.2:unbound-python-1.6.8-lp152.9.3.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T55GJ6QH6PJCNSGR6UDZXXY5UJWCQYT3/ https://www.suse.com/security/cve/CVE-2019-18934.html CVE-2019-18934 https://bugzilla.suse.com/1157268 SUSE Bug 1157268 Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records. CVE-2020-12662 openSUSE Leap 15.2:libunbound-devel-mini-1.6.8-lp152.9.3.1 openSUSE Leap 15.2:libunbound2-1.6.8-lp152.9.3.1 openSUSE Leap 15.2:unbound-1.6.8-lp152.9.3.1 openSUSE Leap 15.2:unbound-anchor-1.6.8-lp152.9.3.1 openSUSE Leap 15.2:unbound-devel-1.6.8-lp152.9.3.1 openSUSE Leap 15.2:unbound-munin-1.6.8-lp152.9.3.1 openSUSE Leap 15.2:unbound-python-1.6.8-lp152.9.3.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T55GJ6QH6PJCNSGR6UDZXXY5UJWCQYT3/ https://www.suse.com/security/cve/CVE-2020-12662.html CVE-2020-12662 https://bugzilla.suse.com/1171889 SUSE Bug 1171889 Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers. CVE-2020-12663 openSUSE Leap 15.2:libunbound-devel-mini-1.6.8-lp152.9.3.1 openSUSE Leap 15.2:libunbound2-1.6.8-lp152.9.3.1 openSUSE Leap 15.2:unbound-1.6.8-lp152.9.3.1 openSUSE Leap 15.2:unbound-anchor-1.6.8-lp152.9.3.1 openSUSE Leap 15.2:unbound-devel-1.6.8-lp152.9.3.1 openSUSE Leap 15.2:unbound-munin-1.6.8-lp152.9.3.1 openSUSE Leap 15.2:unbound-python-1.6.8-lp152.9.3.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T55GJ6QH6PJCNSGR6UDZXXY5UJWCQYT3/ https://www.suse.com/security/cve/CVE-2020-12663.html CVE-2020-12663 https://bugzilla.suse.com/1171889 SUSE Bug 1171889