From bd43b9312bcbfd6519f1715acd1e5e7375b458bb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Mon, 11 Mar 2024 10:33:46 +0100
Subject: [PATCH] Ensure group access correction reaches also updated configs

If the user has already modified configuration file unbound.conf, our change of defaults would not affect them. Let's move the change to extra file, which will be applied even when main config file were not modified.

Correct new config snippet typo in CVE id ;

Resolves: CVE-2024-1488
Resolves: RHEL-25501
---
 remote-control.conf | 9 +++++++++
 unbound.conf | 2 +-
 unbound.spec | 7 ++++++-
 3 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100644 remote-control.conf

diff --git a/remote-control.conf b/remote-control.conf
new file mode 100644
index 0000000..90072d3
--- /dev/null
+++ b/remote-control.conf
@@ -0,0 +1,9 @@
+# Remote control config section update.
+# Previous defaults allowed any process to change settings, CVE-2024-1488
+remote-control:
+ # set to an absolute path to use a unix local name pipe, certificates
+ # are not used for that, so key and cert files need not be present.
+ control-interface: "/run/unbound/control"
+
+ # For local sockets this option is ignored, and TLS is not used.
+ control-use-cert: "yes"
diff --git a/unbound.conf b/unbound.conf
index 0f83196..18fad43 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -998,7 +998,7 @@ remote-control:
 # are not used for that, so key and cert files need not be present.
 # control-interface: 127.0.0.1
 # control-interface: ::1
- control-interface: "/run/unbound/control"
+ # moved to /etc/unbound/conf.d/remote-control.conf
 
 # port number for remote control operations.
 # control-port: 8953
diff --git a/unbound.spec b/unbound.spec
index 9541e35..ac79355 100644
--- a/unbound.spec
+++ b/unbound.spec
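Review bot: In the locally modified unbound.conf this commit is written for, the old `control-interface: "/run/unbound/control"` line is still present, so the snippet's `control-interface: "/run/unbound/control"` names the same socket path a second time; the patch does not state whether unbound tolerates a duplicated unix control-interface or tries to open a second listener on that path, and that should be confirmed and recorded before shipping. The only directive here that can change a value already set in unbound.conf is `control-use-cert: "yes"`, and that presumably depends on the conf.d include being read after the remote-control section and the later occurrence winning, neither of which is visible in this patch. The file header comment should say what the snippet relies on, e.g. `# Read via the conf.d include of unbound.conf; a control-interface line for the same socket may remain there.`, once the duplicate case is confirmed harmless.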
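Review bot: With the `control-interface` line removed, the shipped unbound.conf no longer names any control interface itself, so a configuration whose conf.d include has been dropped or placed before this section (the include is not visible in the patch) would presumably fall back to unbound's built-in localhost default instead of the unix socket, reopening a TCP control path. The replacement comment should state that dependency rather than only the new location, e.g. `# control-interface is set by /etc/unbound/conf.d/remote-control.conf; keep the conf.d include active, otherwise the built-in localhost default applies.` The remote-control: section continues outside the hunk.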
@@ -30,7 +30,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.16.2
-Release: 7%{?extra_version:.%{extra_version}}%{?dist}
+Release: 8%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@@ -52,6 +52,7 @@
 Source16: unbound-munin.README
 Source17: unbound-anchor.service
 Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
 Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
+Source21: remote-control.conf
 # https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554
 Patch1: unbound-1.16-CVE-2022-3204.patch
@@ -317,6 +318,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
 install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
 install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
+install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
@@ -451,6 +453,9 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 
 %changelog
+* Mon Mar 11 2024 Petr Menšík - 1.16.2-8
+- Ensure group access correction reaches also updated configs (CVE-2024-1488)
+
 * Wed Feb 28 2024 Petr Menšík - 1.16.2-7
 - Ensure only unbound group can change configuration (CVE-2024-1488)
 
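Review bot: The new install line in the @@ -317 hunk places remote-control.conf under conf.d/, but no %files change appears in the diff, so whether the file is packaged as `%config` or `%config(noreplace)` rests on an existing conf.d entry the patch does not show; that choice matters for this fix, because a noreplace file keeps a locally edited copy and any later hardening of the snippet would again fail to reach it, while plain `%config` replaces it and leaves an .rpmsave backup. An explicit entry such as `%config %{_sysconfdir}/unbound/conf.d/remote-control.conf` next to the root.key entry in the @@ -451 hunk would make the intended behaviour visible and rule out an unpackaged-file build failure if no glob covers conf.d/. Minor: the neighbouring `install -p %{SOURCE10}` and `%{SOURCE11}` lines do not pass `-m 0644`; using the same form here, or adding `-m` to the others, keeps the %install block uniform.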