Fix CVE-2026-40622 and CVE-2026-44390

More information can be found in the upstream's security advisories:

https://nlnetlabs.nl/downloads/unbound/CVE-2026-40622.txt
https://nlnetlabs.nl/downloads/unbound/CVE-2026-44390.txt

Resolves-Vulnerability: CVE-2026-40622
Resolves: RHEL-184832

Resolves-Vulnerability: CVE-2026-44390
Resolves: RHEL-186680
This commit is contained in:
Fedor Vorobev 2026-06-23 17:49:03 +02:00
parent 88bc741fe3
commit 11440f4964
3 changed files with 67 additions and 1 deletions

View File

@ -0,0 +1,36 @@
diff --git a/unbound-1.16.2/services/cache/rrset.c b/unbound-1.16.2/services/cache/rrset.c
index 4e3d08b..b2c357f 100644
--- a/unbound-1.16.2/services/cache/rrset.c
+++ b/unbound-1.16.2/services/cache/rrset.c
@@ -143,6 +143,16 @@ need_to_update_rrset(void* nd, void* cd, time_t timenow, int equal, int ns)
if(equal && cached->ttl >= timenow &&
cached->security == sec_status_bogus)
return 0;
+ /* ghost-domain: never let an NS overwrite extend lifetime
+ * past the entry it replaces, regardless of trust. */
+ if(ns && !TTL_IS_EXPIRED(cached->ttl, timenow) &&
+ newd->ttl > cached->ttl) {
+ size_t i;
+ newd->ttl = cached->ttl;
+ for(i=0; i<(newd->count+newd->rrsig_count); i++)
+ if(newd->rr_ttl[i] > newd->ttl)
+ newd->rr_ttl[i] = newd->ttl;
+ }
return 1;
}
/* o item in cache has expired */
diff --git a/unbound-1.16.2/util/data/msgparse.h b/unbound-1.16.2/util/data/msgparse.h
index 0c458e6..f1319ff 100644
--- a/unbound-1.16.2/util/data/msgparse.h
+++ b/unbound-1.16.2/util/data/msgparse.h
@@ -92,6 +92,10 @@ extern time_t SERVE_EXPIRED_REPLY_TTL;
/** If we serve the original TTL or decrementing TTLs */
extern int SERVE_ORIGINAL_TTL;
+/** Check if TTL is expired. 0 TTL is considered expired.
+ * Used mainly to identify parts of the code that do this comparison. */
+#define TTL_IS_EXPIRED(ttl, now) ((ttl) <= (now))
+
/**
* Data stored in scratch pad memory during parsing.
* Stores the data that will enter into the msgreply and packet result.

View File

@ -0,0 +1,20 @@
diff --git a/unbound-1.16.2/util/data/msgencode.c b/unbound-1.16.2/util/data/msgencode.c
index f9e95e6..f60b359 100644
--- a/unbound-1.16.2/util/data/msgencode.c
+++ b/unbound-1.16.2/util/data/msgencode.c
@@ -352,7 +352,6 @@ compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
(p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
if(!write_compressed_dname(pkt, dname, labs, p))
return RETVAL_TRUNC;
- (*compress_count)++;
} else {
if(!dname_buffer_write(pkt, dname))
return RETVAL_TRUNC;
@@ -360,6 +359,7 @@ compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
!compress_tree_store(dname, labs, pos, region, p, insertpt))
return RETVAL_OUTMEM;
+ (*compress_count)++;
return RETVAL_OK;
}

View File

@ -34,7 +34,7 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
Version: 1.16.2
Release: 5.11%{?extra_version:.%{extra_version}}%{?dist}
Release: 5.12%{?extra_version:.%{extra_version}}%{?dist}
License: BSD
Url: https://www.unbound.net/
Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@ -82,6 +82,10 @@ Patch7: unbound-1.20-unbound-anchor-key-38696.patch
Patch8: unbound-1.25.1-CVE-2026-42944.patch
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42959.diff
Patch9: unbound-1.25.1-CVE-2026-42959.patch
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-40622.diff
Patch10: unbound-1.25.1-CVE-2026-40622.patch
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-44390.diff
Patch11: unbound-1.25.1-CVE-2026-44390.patch
BuildRequires: gdb
@ -191,6 +195,8 @@ pushd %{pkgname}
%patch7 -p2 -b .dnssec-ta-2024
%patch8 -p2 -b .CVE-2026-42944
%patch9 -p2 -b .CVE-2026-42959
%patch10 -p2 -b .CVE-2026-40622
%patch11 -p2 -b .CVE-2026-44390
# copy common doc files - after here, since it may be patched
cp -pr doc pythonmod libunbound ../
@ -457,6 +463,10 @@ popd
%verify(not md5 size mtime) %{_sharedstatedir}/%{name}/root.key
%changelog
* Tue Jun 23 2026 Fedor Vorobev <fvorobev@redhat.com> - 1.16.2-5.12
- Fix CVE-2026-40622 (RHEL-184832)
- Fix CVE-2026-44390 (RHEL-186680)
* Mon May 25 2026 Fedor Vorobev <fvorobev@redhat.com> - 1.16.2-5.11
- Fix CVE-2026-42944 (RHEL177909)
- Fix CVE-2026-42959 (RHEL-177809)