Ensure group access correction reaches also updated configs
If the user has already modified configuration file unbound.conf, our change of defaults would not affect them. Let's move the change to extra file, which will be applied even when main config file were not modified. Correct new config snippet typo in CVE id ; Resolves: CVE-2024-1488 Resolves: RHEL-25501
This commit is contained in:
Petr Menšík
parent
f52cac55d8
commit
bd43b9312b
9
remote-control.conf
Normal file
9
remote-control.conf
Normal file
@ -0,0 +1,9 @@
|
||||
# Remote control config section update.
|
||||
# Previous defaults allowed any process to change settings, CVE-2024-1488
|
||||
remote-control:
|
||||
# set to an absolute path to use a unix local name pipe, certificates
|
||||
# are not used for that, so key and cert files need not be present.
|
||||
control-interface: "/run/unbound/control"
|
||||
|
||||
# For local sockets this option is ignored, and TLS is not used.
|
||||
control-use-cert: "yes"
|
||||
@ -998,7 +998,7 @@ remote-control:
|
||||
# are not used for that, so key and cert files need not be present.
|
||||
# control-interface: 127.0.0.1
|
||||
# control-interface: ::1
|
||||
control-interface: "/run/unbound/control"
|
||||
# moved to /etc/unbound/conf.d/remote-control.conf
|
||||
|
||||
# port number for remote control operations.
|
||||
# control-port: 8953
|
||||
|
||||
@ -30,7 +30,7 @@
|
||||
Summary: Validating, recursive, and caching DNS(SEC) resolver
|
||||
Name: unbound
|
||||
Version: 1.16.2
|
||||
Release: 7%{?extra_version:.%{extra_version}}%{?dist}
|
||||
Release: 8%{?extra_version:.%{extra_version}}%{?dist}
|
||||
License: BSD
|
||||
Url: https://nlnetlabs.nl/projects/unbound/
|
||||
Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
|
||||
@ -52,6 +52,7 @@ Source16: unbound-munin.README
|
||||
Source17: unbound-anchor.service
|
||||
Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
|
||||
Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
|
||||
Source21: remote-control.conf
|
||||
|
||||
# https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554
|
||||
Patch1: unbound-1.16-CVE-2022-3204.patch
|
||||
@ -317,6 +318,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
|
||||
install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
|
||||
install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
|
||||
install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
|
||||
install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
|
||||
|
||||
# Link unbound-control-setup.8 manpage to unbound-control.8
|
||||
echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
|
||||
@ -451,6 +453,9 @@ popd
|
||||
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
|
||||
|
||||
%changelog
|
||||
* Mon Mar 11 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-8
|
||||
- Ensure group access correction reaches also updated configs (CVE-2024-1488)
|
||||
|
||||
* Wed Feb 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-7
|
||||
- Ensure only unbound group can change configuration (CVE-2024-1488)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user