Add SA-14:30
This commit is contained in:
Dag-Erling Smørgrav
parent
d94c299cc0
commit
0cfc9585b8
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=46095
4 changed files with 304 additions and 0 deletions
131
share/security/advisories/FreeBSD-SA-14:30.unbound.asc
Normal file
131
share/security/advisories/FreeBSD-SA-14:30.unbound.asc
Normal file
|
|
@ -0,0 +1,131 @@
|
|||
-----BEGIN PGP SIGNED MESSAGE-----
|
||||
Hash: SHA512
|
||||
|
||||
=============================================================================
|
||||
FreeBSD-SA-14:30.unbound Security Advisory
|
||||
The FreeBSD Project
|
||||
|
||||
Topic: unbound remote denial of service vulnerability
|
||||
|
||||
Category: contrib
|
||||
Module: unbound
|
||||
Announced: 2014-12-17
|
||||
Affects: FreeBSD 10.0-RELEASE and later
|
||||
Credits: Florian Maury (ANSSI)
|
||||
Corrected: 2014-12-17 06:58:00 UTC (stable/10, 10.1-STABLE)
|
||||
2014-12-17 06:59:47 UTC (releng/10.1, 10.1-RELEASE-p2)
|
||||
2014-12-17 06:59:47 UTC (releng/10.0, 10.0-RELEASE-p14)
|
||||
CVE Name: CVE-2014-8602
|
||||
|
||||
For general information regarding FreeBSD Security Advisories,
|
||||
including descriptions of the fields above, security branches, and the
|
||||
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
||||
|
||||
I. Background
|
||||
|
||||
Unbound is a validating, recursive, and caching DNS resolver.
|
||||
|
||||
II. Problem Description
|
||||
|
||||
By causing queries to be made against a maliciously-constructed zone or
|
||||
against a malicious DNS server, an attacker who is able to cause
|
||||
specific queries to be sent to a nameserver can trick unbound(8) resolver
|
||||
into following an endless series of delegations, which consumes a lot of
|
||||
resources.
|
||||
|
||||
III. Impact
|
||||
|
||||
Unbound will spend a lot of resources on this query, and this will impact
|
||||
unbound's CPU and network resources. Unbound may therefore lose some
|
||||
ability or timelines for the service of customer queries (a denial of
|
||||
service). Unbound will continue to respond normally for cached queries.
|
||||
|
||||
IV. Workaround
|
||||
|
||||
No workaround is available, but hosts not running unbound(8) are not
|
||||
vulnerable.
|
||||
|
||||
V. Solution
|
||||
|
||||
Perform one of the following:
|
||||
|
||||
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
||||
release / security branch (releng) dated after the correction date.
|
||||
|
||||
2) To update your vulnerable system via a binary patch:
|
||||
|
||||
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
||||
platforms can be updated via the freebsd-update(8) utility:
|
||||
|
||||
# freebsd-update fetch
|
||||
# freebsd-update install
|
||||
|
||||
3) To update your vulnerable system via a source code patch:
|
||||
|
||||
The following patches have been verified to apply to the applicable
|
||||
FreeBSD release branches.
|
||||
|
||||
a) Download the relevant patch from the location below, and verify the
|
||||
detached PGP signature using your PGP utility.
|
||||
|
||||
[FreeBSD 10.x]
|
||||
# fetch https://security.FreeBSD.org/patches/SA-14:30/unbound.patch
|
||||
# fetch https://security.FreeBSD.org/patches/SA-14:30/unbound.patch.asc
|
||||
# gpg --verify unbound.patch.asc
|
||||
|
||||
b) Apply the patch. Execute the following commands as root:
|
||||
|
||||
# cd /usr/src
|
||||
# patch < /path/to/patch
|
||||
|
||||
c) Recompile the operating system using buildworld and installworld as
|
||||
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
|
||||
|
||||
Restart the unbound(8) daemons, or reboot the system.
|
||||
|
||||
VI. Correction details
|
||||
|
||||
The following list contains the correction revision numbers for each
|
||||
affected branch.
|
||||
|
||||
Branch/path Revision
|
||||
- -------------------------------------------------------------------------
|
||||
stable/10/ r275853
|
||||
releng/10.0/ r275854
|
||||
releng/10.1/ r275854
|
||||
- -------------------------------------------------------------------------
|
||||
|
||||
To see which files were modified by a particular revision, run the
|
||||
following command, replacing NNNNNN with the revision number, on a
|
||||
machine with Subversion installed:
|
||||
|
||||
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
||||
|
||||
Or visit the following URL, replacing NNNNNN with the revision number:
|
||||
|
||||
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
||||
|
||||
VII. References
|
||||
|
||||
<URL:https://unbound.net/downloads/CVE-2014-8602.txt>
|
||||
|
||||
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8602>
|
||||
|
||||
The latest revision of this advisory is available at
|
||||
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-14:30.unbound.asc>
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIcBAEBCgAGBQJUkTg1AAoJEO1n7NZdz2rn+iUP/3RP0KKn8B2SnSpSLbXws/eY
|
||||
GEOTYEsZJpGTtCyIg5eKmJ/AU7dKiD34da2uaL41Lt4hWa/Icyk13CtV6cK9TfN4
|
||||
oSrrgDCbqErrFh74lhQX3v3bYHNMhZRVnaM9tHXHmpa9NAKhyTP+eyo+Ss7iK/am
|
||||
lVBW2xPv92OKyjo0Onp5h3o5QT6DHpPgW91f9He4GygYfShMXtOb+VhGpllxwbeM
|
||||
aS59yPkhGJLVhxQn2QtFpj67QxS5GIhK6iccwrRKo8Okij2mlRfR4fuD5Ol4L9TK
|
||||
sZKMGtgESPLGmfW1Pj/BRobyCWcs+cYLchZkxbomQBcH7ybpOMW+SqTB0FkZcscU
|
||||
ODMzvum2VZuSl5fAlu3F6V0/k+8cFiE4B/Xyioqa8aRsfYNfWjoETmfE7ld+zXqX
|
||||
8cPizwGYdsuO4g6mNS0HFuuexkJem9qviRfnQUQ/EJQPNfXB33GYBoFquE0mvFUO
|
||||
WN5QiietSnNp4/TF+BjXlaeo/PtO+Q8xIdqgdSzouslx95a4j3N127k8Yoz55Nx+
|
||||
3mEeqvZRf5/7ieIgyHti/v/xKZOyGCs6NwlZ6xN+0kanNqMDfjpKnfzTJnnSTbj6
|
||||
z6FCzXn986EqL8kpJisKZEJfntvZu4ft/KUo4qzZAtuNgnoUGFYXv5DfQrM75ZJ/
|
||||
9PFQzCA+8snPiCyUhAaC
|
||||
=fkvr
|
||||
-----END PGP SIGNATURE-----
|
||||
Loading…
Add table
Add a link
Reference in a new issue