[Full-disclosure] [SECURITY] [DSA 2370-1] unbound security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2370-1 security@xxxxxxxxxx
http://www.debian.org/security/ Florian Weimer
December 22, 2011 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : unbound
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-4528 CVE-2011-4869

It was discovered that Unbound, a recursive DNS resolver, would crash
when processing certain malformed DNS responses from authoritative DNS
servers, leading to denial of service.

CVE-2011-4528
Unbound attempts to free unallocated memory during processing
of duplicate CNAME records in a signed zone.

CVE-2011-4869
Unbound does not properly process malformed responses which
lack expected NSEC3 records.

For the oldstable distribution (lenny), these problems have been fixed in
version 1.4.6-1~lenny2.

For the stable distribution (squeeze), these problems have been fixed in
version 1.4.6-1+squeeze2.

For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 1.4.14-1.

We recommend that you upgrade your unbound packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJO84AiAAoJEL97/wQC1SS+o7MIALCSkqwBIcOdsT10ltH6nHvB
+Of40Vs6QNCDhplmX8+Y6e5Ha6UG5hZLdV/PALok3OkMj0Oyd2cIs6EXXT+QICg9
BgFgDwFtpFSZw5/X9WN3AensVmp2RXmIowM9CQ1MigHCrc08BIRVqiYKK9ZoQZ6m
4zE2ZDbug92pIK4ax1qUBzPoxESlw8E1zgcntZxS7AgaaLvKrEFXPlymsu+Eavv/
E3qyyXAEtE+DQ1Sl9X2w0o59CR9SKgWbTahsY2kS5tO631e3N3/RmApYGxssWl4h
IGKJaONRjyOh13HVK1FZ7Um2y0KCXNlEtiKbTrCstx0Aa9Ka04LRfHSUPdEpeIs=
=cEIS
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • [SECURITY] [DSA 2370-1] unbound security update
    ... It was discovered that Unbound, a recursive DNS resolver, would crash ... when processing certain malformed DNS responses from authoritative DNS ... For the oldstable distribution, these problems have been fixed in ...
    (Bugtraq)
  • Re: How to set up unbound on FreeBSD 10
    ... as I can see there is a new default dns server shipping with FreeBSD 10: ... I am locked out of my internet connection and nobody is served any dns. ... As soon as I activate unbound I no dns requests from my machine (neither ... # nameserver 192.168.11.1 ...
    (freebsd-questions)
  • Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)
    ... I don't think there will be as much whinging as you expect. ... I'm willing to import and maintain unbound (BSD-licensed validating, ... and caching DNS resolver) if you remove BIND. ... It solves the problem of BIND release cycles not matching ...
    (freebsd-hackers)
  • Replacing BIND with unbound (Was: Re: Pull in upstream before 9.1 code freeze?)
    ... I don't think there will be as much whinging as you expect. ... I'm willing to import and maintain unbound (BSD-licensed validating, ... and caching DNS resolver) if you remove BIND. ... It solves the problem of BIND release cycles not matching ...
    (FreeBSD-Security)