Turris / Turris OS packages · Issue #510
Opened Nov 19, 2019 by Ghost User@ghost

[unbound] version bump 1.9.5 (fix for vulnerability CVE-2019-16866)

Unbound 1.9.5 is available: https://nlnetlabs.nl/downloads/unbound/unbound-1.9.5.tar.gz
  • sha256: 8a8d400f697c61d73d109c250743a1b6b79848297848026d82b43e831045db57
  • pgp: https://nlnetlabs.nl/downloads/unbound/unbound-1.9.5.tar.gz

This release is a fix for vulnerability CVE-2019-18934, which can cause shell execution in ipsecmod.

Bug Fixes:

  • Fix for the reported vulnerability.

The CVE number for this vulnerability is CVE-2019-18934.

== Summary

Recent versions of Unbound contain a vulnerability that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with --enable-ipsecmod support, and ipsecmod is enabled and used in the configuration.

== Affected products

Unbound 1.6.4 up to and including 1.9.4.

== Description

Due to unsanitized characters passed to the ipsecmod-hook shell command, it is possible for Unbound to allow shell code execution from a specially crafted IPSECKEY answer.

This issue can only be triggered when all of the below conditions are met:

  • unbound was compiled with --enable-ipsecmod support, and
  • ipsecmod is enabled and used in the configuration, and
  • a domain is part of the ipsecmod-whitelist (if ipsecmod-whitelist is used), and
  • unbound receives an A/AAAA query for a domain that has an A/AAAA record(s) and an IPSECKEY record(s) available.

The shell code execution can then happen if either the qname or the gateway field of the IPSECKEY (when gateway type == 3) contains a specially crafted domain name.

== Solution

Download the patched version of Unbound, or apply the patch manually.

  • Downloading the patched version: Unbound 1.9.5 is released with the patch: https://nlnetlabs.nl/downloads/unbound/unbound-1.9.5.tar.gz

  • Applying the patch manually: for Unbound 1.6.4 up to and including 1.9.4 the patch is: https://nlnetlabs.nl/downloads/unbound/patch_cve_2019-18934.diff

Apply the patch in the Unbound source directory with 'patch -p1 < patch_cve_2019-18934.diff', then run 'make install' to install Unbound.
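The defect described above is a classic one: DNS names taken from an answer are handed to a shell command as text. The example below, added here and not code from Unbound or from the Turris package, shows the defensive shape of such a hook invocation: each name is checked against a strict hostname allowlist first, then passed as its own argv element with no shell in between, so nothing in the name is ever interpreted. It also carries a small helper for the affected-version range stated in the advisory, which is handy when auditing a fleet of resolvers. The function names, the hostname grammar, the hook path and the sample names are all assumptions made for this example.

```python
import re
import subprocess

# Constructed policy for what a hook argument may look like: a dotted hostname
# whose labels contain only letters, digits, hyphen and underscore. Anything
# else (shell metacharacters, whitespace, empty or over-long labels) is refused.
# This is an assumed grammar for the example, not Unbound's own check.
_LABEL_RE = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")


def is_safe_dns_name(name: str) -> bool:
    """True only if every label of `name` matches the hostname grammar above."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return all(_LABEL_RE.match(label) for label in labels)


def build_hook_argv(hook: str, action: str, qname: str, gateway: str) -> list:
    """Assemble the argument vector for the hook.

    Each field becomes its own argv element, so the hook binary receives it
    verbatim and no shell ever parses it. Validation still runs first, because
    the hook itself may forward the names to another command.
    """
    for field, value in (("qname", qname), ("gateway", gateway)):
        if not is_safe_dns_name(value):
            raise ValueError(f"refusing to pass unsafe {field} to hook: {value!r}")
    return [hook, action, qname, gateway]


def run_hook(argv: list) -> int:
    """Execute the hook with an explicit argv and no shell; return its exit code."""
    completed = subprocess.run(argv, shell=False, check=False, timeout=10)
    return completed.returncode


def is_affected(version: str) -> bool:
    """Whether an Unbound version falls in the advisory's range 1.6.4 .. 1.9.4."""
    parts = tuple(int(p) for p in version.split("."))
    return (1, 6, 4) <= parts <= (1, 9, 4)


if __name__ == "__main__":
    # Constructed sample values; the hook path is a placeholder.
    argv = build_hook_argv("/usr/local/sbin/ipsec-hook", "add",
                           "www.example.com", "gw1.example.net")
    print(argv)
    print("1.9.4 affected:", is_affected("1.9.4"),
          "| 1.9.5 affected:", is_affected("1.9.5"))
```

The two layers are deliberate: the argv-without-shell call removes the injection channel entirely, and the allowlist keeps a malformed name from reaching any downstream tool the hook script might call. Neither layer depends on what the upstream patch changed; they are the general pattern for invoking external commands on resolver-supplied data.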

Milestone: Turris OS 3.11.10 (Past due)
Reference: turris/turris-os-packages#510