Fix CVE-2026-40622 and CVE-2026-44390
More information can be found in the upstream's security advisories: https://nlnetlabs.nl/downloads/unbound/CVE-2026-40622.txt https://nlnetlabs.nl/downloads/unbound/CVE-2026-44390.txt Resolves-Vulnerability: CVE-2026-40622 Resolves: RHEL-184832 Resolves-Vulnerability: CVE-2026-44390 Resolves: RHEL-186680
This commit is contained in:
parent
88bc741fe3
commit
11440f4964
36
unbound-1.25.1-CVE-2026-40622.patch
Normal file
36
unbound-1.25.1-CVE-2026-40622.patch
Normal file
@ -0,0 +1,36 @@
|
||||
diff --git a/unbound-1.16.2/services/cache/rrset.c b/unbound-1.16.2/services/cache/rrset.c
|
||||
index 4e3d08b..b2c357f 100644
|
||||
--- a/unbound-1.16.2/services/cache/rrset.c
|
||||
+++ b/unbound-1.16.2/services/cache/rrset.c
|
||||
@@ -143,6 +143,16 @@ need_to_update_rrset(void* nd, void* cd, time_t timenow, int equal, int ns)
|
||||
if(equal && cached->ttl >= timenow &&
|
||||
cached->security == sec_status_bogus)
|
||||
return 0;
|
||||
+ /* ghost-domain: never let an NS overwrite extend lifetime
|
||||
+ * past the entry it replaces, regardless of trust. */
|
||||
+ if(ns && !TTL_IS_EXPIRED(cached->ttl, timenow) &&
|
||||
+ newd->ttl > cached->ttl) {
|
||||
+ size_t i;
|
||||
+ newd->ttl = cached->ttl;
|
||||
+ for(i=0; i<(newd->count+newd->rrsig_count); i++)
|
||||
+ if(newd->rr_ttl[i] > newd->ttl)
|
||||
+ newd->rr_ttl[i] = newd->ttl;
|
||||
+ }
|
||||
return 1;
|
||||
}
|
||||
/* o item in cache has expired */
|
||||
diff --git a/unbound-1.16.2/util/data/msgparse.h b/unbound-1.16.2/util/data/msgparse.h
|
||||
index 0c458e6..f1319ff 100644
|
||||
--- a/unbound-1.16.2/util/data/msgparse.h
|
||||
+++ b/unbound-1.16.2/util/data/msgparse.h
|
||||
@@ -92,6 +92,10 @@ extern time_t SERVE_EXPIRED_REPLY_TTL;
|
||||
/** If we serve the original TTL or decrementing TTLs */
|
||||
extern int SERVE_ORIGINAL_TTL;
|
||||
|
||||
+/** Check if TTL is expired. 0 TTL is considered expired.
|
||||
+ * Used mainly to identify parts of the code that do this comparison. */
|
||||
+#define TTL_IS_EXPIRED(ttl, now) ((ttl) <= (now))
|
||||
+
|
||||
/**
|
||||
* Data stored in scratch pad memory during parsing.
|
||||
* Stores the data that will enter into the msgreply and packet result.
|
||||
20
unbound-1.25.1-CVE-2026-44390.patch
Normal file
20
unbound-1.25.1-CVE-2026-44390.patch
Normal file
@ -0,0 +1,20 @@
|
||||
diff --git a/unbound-1.16.2/util/data/msgencode.c b/unbound-1.16.2/util/data/msgencode.c
|
||||
index f9e95e6..f60b359 100644
|
||||
--- a/unbound-1.16.2/util/data/msgencode.c
|
||||
+++ b/unbound-1.16.2/util/data/msgencode.c
|
||||
@@ -352,7 +352,6 @@ compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
|
||||
(p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
|
||||
if(!write_compressed_dname(pkt, dname, labs, p))
|
||||
return RETVAL_TRUNC;
|
||||
- (*compress_count)++;
|
||||
} else {
|
||||
if(!dname_buffer_write(pkt, dname))
|
||||
return RETVAL_TRUNC;
|
||||
@@ -360,6 +359,7 @@ compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
|
||||
if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
|
||||
!compress_tree_store(dname, labs, pos, region, p, insertpt))
|
||||
return RETVAL_OUTMEM;
|
||||
+ (*compress_count)++;
|
||||
return RETVAL_OK;
|
||||
}
|
||||
|
||||
12
unbound.spec
12
unbound.spec
@ -34,7 +34,7 @@
|
||||
Summary: Validating, recursive, and caching DNS(SEC) resolver
|
||||
Name: unbound
|
||||
Version: 1.16.2
|
||||
Release: 5.11%{?extra_version:.%{extra_version}}%{?dist}
|
||||
Release: 5.12%{?extra_version:.%{extra_version}}%{?dist}
|
||||
License: BSD
|
||||
Url: https://www.unbound.net/
|
||||
Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
|
||||
@ -82,6 +82,10 @@ Patch7: unbound-1.20-unbound-anchor-key-38696.patch
|
||||
Patch8: unbound-1.25.1-CVE-2026-42944.patch
|
||||
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42959.diff
|
||||
Patch9: unbound-1.25.1-CVE-2026-42959.patch
|
||||
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-40622.diff
|
||||
Patch10: unbound-1.25.1-CVE-2026-40622.patch
|
||||
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-44390.diff
|
||||
Patch11: unbound-1.25.1-CVE-2026-44390.patch
|
||||
|
||||
|
||||
BuildRequires: gdb
|
||||
@ -191,6 +195,8 @@ pushd %{pkgname}
|
||||
%patch7 -p2 -b .dnssec-ta-2024
|
||||
%patch8 -p2 -b .CVE-2026-42944
|
||||
%patch9 -p2 -b .CVE-2026-42959
|
||||
%patch10 -p2 -b .CVE-2026-40622
|
||||
%patch11 -p2 -b .CVE-2026-44390
|
||||
|
||||
# copy common doc files - after here, since it may be patched
|
||||
cp -pr doc pythonmod libunbound ../
|
||||
@ -457,6 +463,10 @@ popd
|
||||
%verify(not md5 size mtime) %{_sharedstatedir}/%{name}/root.key
|
||||
|
||||
%changelog
|
||||
* Tue Jun 23 2026 Fedor Vorobev <fvorobev@redhat.com> - 1.16.2-5.12
|
||||
- Fix CVE-2026-40622 (RHEL-184832)
|
||||
- Fix CVE-2026-44390 (RHEL-186680)
|
||||
|
||||
* Mon May 25 2026 Fedor Vorobev <fvorobev@redhat.com> - 1.16.2-5.11
|
||||
- Fix CVE-2026-42944 (RHEL‑177909)
|
||||
- Fix CVE-2026-42959 (RHEL-177809)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user