What Are You Looking For?

Sign Up

   openSUSE Security Update: Security update for unbound
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:0176-1
Rating:             important
References:         #1076963 #1112009 #1112033 #1179191 #1185382 
                    #1185383 #1185384 #1185385 #1185386 #1185387 
                    #1185388 #1185389 #1185390 #1185391 #1185392 
                    #1185393 
Cross-References:   CVE-2019-25031 CVE-2019-25032 CVE-2019-25033
                    CVE-2019-25034 CVE-2019-25035 CVE-2019-25036
                    CVE-2019-25037 CVE-2019-25038 CVE-2019-25039
                    CVE-2019-25040 CVE-2019-25041 CVE-2019-25042
                    CVE-2020-28935
CVSS scores:
                    CVE-2019-25031 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2019-25031 (SUSE): 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
                    CVE-2019-25032 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2019-25032 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2019-25033 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2019-25033 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2019-25034 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2019-25034 (SUSE): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
                    CVE-2019-25035 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2019-25035 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
                    CVE-2019-25036 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2019-25036 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2019-25037 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2019-25037 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2019-25038 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2019-25038 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2019-25039 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2019-25039 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2019-25040 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2019-25040 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2019-25041 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2019-25041 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2019-25042 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2019-25042 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
                    CVE-2020-28935 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-28935 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Affected Products:
                    openSUSE Leap 15.4
                    openSUSE Leap 15.3
______________________________________________________________________________

   An update that solves 13 vulnerabilities and has three
   fixes is now available.

Description:

   This update for unbound fixes the following issues:

   - CVE-2019-25031: Fixed configuration injection in
     create_unbound_ad_servers.sh upon a successful man-in-the-middle attack
     (bsc#1185382).
   - CVE-2019-25032: Fixed integer overflow in the regional allocator via
     regional_alloc (bsc#1185383).
   - CVE-2019-25033: Fixed integer overflow in the regional allocator via the
     ALIGN_UP macro (bsc#1185384).
   - CVE-2019-25034: Fixed integer overflow in
     sldns_str2wire_dname_buf_origin, leading to an out-of-bounds write
     (bsc#1185385).
   - CVE-2019-25035: Fixed out-of-bounds write in sldns_bget_token_par
     (bsc#1185386).
   - CVE-2019-25036: Fixed assertion failure and denial of service in
     synth_cname (bsc#1185387).
   - CVE-2019-25037: Fixed assertion failure and denial of service in
     dname_pkt_copy via an invalid packet (bsc#1185388).
   - CVE-2019-25038: Fixed integer overflow in a size calculation in
     dnscrypt/dnscrypt.c (bsc#1185389).
   - CVE-2019-25039: Fixed integer overflow in a size calculation in
     respip/respip.c (bsc#1185390).
   - CVE-2019-25040: Fixed infinite loop via a compressed name in
     dname_pkt_copy (bsc#1185391).
   - CVE-2019-25041: Fixed assertion failure via a compressed name in
     dname_pkt_copy (bsc#1185392).
   - CVE-2019-25042: Fixed out-of-bounds write via a compressed name in
     rdata_copy (bsc#1185393).
   - CVE-2020-28935: Fixed symbolic link traversal when writing PID file
     (bsc#1179191).


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.4:

      zypper in -t patch openSUSE-SLE-15.4-2022-176=1

   - openSUSE Leap 15.3:

      zypper in -t patch openSUSE-SLE-15.3-2022-176=1



Package List:

   - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):

      libunbound2-1.6.8-10.6.1
      libunbound2-debuginfo-1.6.8-10.6.1
      unbound-1.6.8-10.6.1
      unbound-anchor-1.6.8-10.6.1
      unbound-anchor-debuginfo-1.6.8-10.6.1
      unbound-debuginfo-1.6.8-10.6.1
      unbound-debugsource-1.6.8-10.6.1
      unbound-devel-1.6.8-10.6.1
      unbound-python-1.6.8-10.6.1
      unbound-python-debuginfo-1.6.8-10.6.1

   - openSUSE Leap 15.4 (noarch):

      unbound-munin-1.6.8-10.6.1

   - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):

      libunbound2-1.6.8-10.6.1
      libunbound2-debuginfo-1.6.8-10.6.1
      unbound-1.6.8-10.6.1
      unbound-anchor-1.6.8-10.6.1
      unbound-anchor-debuginfo-1.6.8-10.6.1
      unbound-debuginfo-1.6.8-10.6.1
      unbound-debugsource-1.6.8-10.6.1
      unbound-devel-1.6.8-10.6.1
      unbound-python-1.6.8-10.6.1
      unbound-python-debuginfo-1.6.8-10.6.1

   - openSUSE Leap 15.3 (noarch):

      unbound-munin-1.6.8-10.6.1


References:

   https://www.suse.com/security/cve/CVE-2019-25031.html
   https://www.suse.com/security/cve/CVE-2019-25032.html
   https://www.suse.com/security/cve/CVE-2019-25033.html
   https://www.suse.com/security/cve/CVE-2019-25034.html
   https://www.suse.com/security/cve/CVE-2019-25035.html
   https://www.suse.com/security/cve/CVE-2019-25036.html
   https://www.suse.com/security/cve/CVE-2019-25037.html
   https://www.suse.com/security/cve/CVE-2019-25038.html
   https://www.suse.com/security/cve/CVE-2019-25039.html
   https://www.suse.com/security/cve/CVE-2019-25040.html
   https://www.suse.com/security/cve/CVE-2019-25041.html
   https://www.suse.com/security/cve/CVE-2019-25042.html
   https://www.suse.com/security/cve/CVE-2020-28935.html
   https://bugzilla.suse.com/1076963
   https://bugzilla.suse.com/1112009
   https://bugzilla.suse.com/1112033
   https://bugzilla.suse.com/1179191
   https://bugzilla.suse.com/1185382
   https://bugzilla.suse.com/1185383
   https://bugzilla.suse.com/1185384
   https://bugzilla.suse.com/1185385
   https://bugzilla.suse.com/1185386
   https://bugzilla.suse.com/1185387
   https://bugzilla.suse.com/1185388
   https://bugzilla.suse.com/1185389
   https://bugzilla.suse.com/1185390
   https://bugzilla.suse.com/1185391
   https://bugzilla.suse.com/1185392
   https://bugzilla.suse.com/1185393

openSUSE: 2022:0176-1 important: unbound

January 25, 2022
An update that solves 13 vulnerabilities and has three fixes is now available

Description

This update for unbound fixes the following issues: - CVE-2019-25031: Fixed configuration injection in create_unbound_ad_servers.sh upon a successful man-in-the-middle attack (bsc#1185382). - CVE-2019-25032: Fixed integer overflow in the regional allocator via regional_alloc (bsc#1185383). - CVE-2019-25033: Fixed integer overflow in the regional allocator via the ALIGN_UP macro (bsc#1185384). - CVE-2019-25034: Fixed integer overflow in sldns_str2wire_dname_buf_origin, leading to an out-of-bounds write (bsc#1185385). - CVE-2019-25035: Fixed out-of-bounds write in sldns_bget_token_par (bsc#1185386). - CVE-2019-25036: Fixed assertion failure and denial of service in synth_cname (bsc#1185387). - CVE-2019-25037: Fixed assertion failure and denial of service in dname_pkt_copy via an invalid packet (bsc#1185388). - CVE-2019-25038: Fixed integer overflow in a size calculation in dnscrypt/dnscrypt.c (bsc#1185389). - CVE-2019-25039: Fixed integer overflow in a size calculation in respip/respip.c (bsc#1185390). - CVE-2019-25040: Fixed infinite loop via a compressed name in dname_pkt_copy (bsc#1185391). - CVE-2019-25041: Fixed assertion failure via a compressed name in dname_pkt_copy (bsc#1185392). - CVE-2019-25042: Fixed out-of-bounds write via a compressed name in rdata_copy (bsc#1185393). - CVE-2020-28935: Fixed symbolic link traversal when writing PID file (bsc#1179191).

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.4: zypper in -t patch openSUSE-SLE-15.4-2022-176=1 - openSUSE Leap 15.3: zypper in -t patch openSUSE-SLE-15.3-2022-176=1


Package List

- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64): libunbound2-1.6.8-10.6.1 libunbound2-debuginfo-1.6.8-10.6.1 unbound-1.6.8-10.6.1 unbound-anchor-1.6.8-10.6.1 unbound-anchor-debuginfo-1.6.8-10.6.1 unbound-debuginfo-1.6.8-10.6.1 unbound-debugsource-1.6.8-10.6.1 unbound-devel-1.6.8-10.6.1 unbound-python-1.6.8-10.6.1 unbound-python-debuginfo-1.6.8-10.6.1 - openSUSE Leap 15.4 (noarch): unbound-munin-1.6.8-10.6.1 - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64): libunbound2-1.6.8-10.6.1 libunbound2-debuginfo-1.6.8-10.6.1 unbound-1.6.8-10.6.1 unbound-anchor-1.6.8-10.6.1 unbound-anchor-debuginfo-1.6.8-10.6.1 unbound-debuginfo-1.6.8-10.6.1 unbound-debugsource-1.6.8-10.6.1 unbound-devel-1.6.8-10.6.1 unbound-python-1.6.8-10.6.1 unbound-python-debuginfo-1.6.8-10.6.1 - openSUSE Leap 15.3 (noarch): unbound-munin-1.6.8-10.6.1


References

https://www.suse.com/security/cve/CVE-2019-25031.html https://www.suse.com/security/cve/CVE-2019-25032.html https://www.suse.com/security/cve/CVE-2019-25033.html https://www.suse.com/security/cve/CVE-2019-25034.html https://www.suse.com/security/cve/CVE-2019-25035.html https://www.suse.com/security/cve/CVE-2019-25036.html https://www.suse.com/security/cve/CVE-2019-25037.html https://www.suse.com/security/cve/CVE-2019-25038.html https://www.suse.com/security/cve/CVE-2019-25039.html https://www.suse.com/security/cve/CVE-2019-25040.html https://www.suse.com/security/cve/CVE-2019-25041.html https://www.suse.com/security/cve/CVE-2019-25042.html https://www.suse.com/security/cve/CVE-2020-28935.html https://bugzilla.suse.com/1076963 https://bugzilla.suse.com/1112009 https://bugzilla.suse.com/1112033 https://bugzilla.suse.com/1179191 https://bugzilla.suse.com/1185382 https://bugzilla.suse.com/1185383 https://bugzilla.suse.com/1185384 https://bugzilla.suse.com/1185385 https://bugzilla.suse.com/1185386 https://bugzilla.suse.com/1185387 https://bugzilla.suse.com/1185388 https://bugzilla.suse.com/1185389 https://bugzilla.suse.com/1185390 https://bugzilla.suse.com/1185391 https://bugzilla.suse.com/1185392 https://bugzilla.suse.com/1185393


Severity
Announcement ID: openSUSE-SU-2022:0176-1
Rating: important
Affected Products: openSUSE Leap 15.4 openSUSE Leap 15.3 ble.

Related News

Kubernetes Security on AWS: A Practical Guide

Nov 18, 2023

Nitrux 3.2.0 Linux Distro Released with Enhanced Security and New Features

Nov 28, 2023

Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits

Nov 25, 2023

Severe Firefox, Thunderbird Bugs Could Lead to System Takeover

Dec 2, 2023

News

Advisories

HOWTOs

Features

Critical Linux Kernel Bugs Lead to DoS, Privilege Escalation - Patch Now!
Unlocking the Future of Authentication: Passkeys vs. Passwords
Empowering MSPs with Straightforward Linux Device Management
A Complete Guide to Torrenting Safely in 2024
Cloud Security Basics for Small Businesses

About Us

Powered By

Footer Logo