diff --git a/remote-control.conf b/remote-control.conf
new file mode 100644
index 0000000..90072d3
--- /dev/null
+++ b/remote-control.conf
@@ -0,0 +1,9 @@
+# Remote control config section update.
+# Previous defaults allowed any process to change settings, CVE-2024-1488
+remote-control:
+ # set to an absolute path to use a unix local name pipe, certificates
+ # are not used for that, so key and cert files need not be present.
+ control-interface: "/run/unbound/control"
+
+ # For local sockets this option is ignored, and TLS is not used.
+ control-use-cert: "yes"
diff --git a/unbound.conf b/unbound.conf
index 0f83196..18fad43 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -998,7 +998,7 @@ remote-control:
 # are not used for that, so key and cert files need not be present.
 # control-interface: 127.0.0.1
 # control-interface: ::1
- control-interface: "/run/unbound/control"
+ # moved to /etc/unbound/conf.d/remote-control.conf
 
 # port number for remote control operations.
 # control-port: 8953
diff --git a/unbound.spec b/unbound.spec
index 9541e35..ac79355 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.16.2
-Release: 7%{?extra_version:.%{extra_version}}%{?dist}
+Release: 8%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@@ -52,6 +52,7 @@ Source16: unbound-munin.README
 Source17: unbound-anchor.service
 Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
 Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
+Source21: remote-control.conf
 # https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554
 Patch1: unbound-1.16-CVE-2022-3204.patch
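Review bot: The new file opens its own `remote-control:` clause, and the spec installs it into `conf.d/`, which is normally pulled in by an `include:` line of the main unbound.conf; if that include sits inside the `server:` clause, this file ends the server clause for everything that follows the include, so the position of the include directive (not visible in this diff) should be confirmed before this lands. The head comment says previous defaults "allowed any process to change settings", yet the only active setting here is the same `control-interface: "/run/unbound/control"` that unbound.conf already had, so the comment should explain what this file actually changes, for example `# Kept in conf.d so the control socket setting is applied even where a locally modified unbound.conf is not replaced on upgrade (CVE-2024-1488)`. The `control-use-cert: "yes"` line is, by its own comment, ignored for a local socket; either drop it or say it only matters if someone switches control-interface back to a TCP address.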
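Review bot: Removing the active `control-interface` line leaves the `remote-control:` clause of unbound.conf with only commented-out examples, so the socket now depends entirely on `/etc/unbound/conf.d/remote-control.conf` being present and included; on hosts where the admin has edited unbound.conf and rpm keeps the old file, both files will list `/run/unbound/control`, and it is not clear from here whether unbound accepts the same unix path twice or fails to bind the second one. The replacement comment should say this explicitly rather than just "moved", for example `# control-interface is now set in /etc/unbound/conf.d/remote-control.conf; do not also set it here`. The enclosing `remote-control:` clause starts before and continues after the hunk.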
@@ -317,6 +318,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
 install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
 install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
+install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
@@ -451,6 +453,9 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 %changelog
+* Mon Mar 11 2024 Petr Menšík - 1.16.2-8
+- Ensure group access correction reaches also updated configs (CVE-2024-1488)
+
 * Wed Feb 28 2024 Petr Menšík - 1.16.2-7
 - Ensure only unbound group can change configuration (CVE-2024-1488)
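Review bot: The file installed by the added `install -p -m 0644 %{SOURCE21}` line gets no `%files` entry anywhere in this diff; unless `conf.d/` is already covered by a glob or directory entry elsewhere in the spec, rpmbuild stops on an unpackaged file. Whether that entry is `%config` or `%config(noreplace)` decides if the file is replaced on upgrade, which is what the 1.16.2-8 changelog entry ("reaches also updated configs") relies on, so the intended behaviour is worth a one-line comment next to the install. The neighbouring lines use plain `install -p`; the explicit `-m 0644` here is fine but should be a deliberate choice given that 1.16.2-7 changed who may write the configuration, and a short comment such as `# root-owned, world-readable: contains no secrets, only the control socket path` would make that clear. The `%install` section continues outside the hunk.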