Ensure group access correction reaches also updated configs

If the user has already modified configuration file unbound.conf, our
change of defaults would not affect them. Let's move the change to extra
file, which will be applied even when main config file were not
modified.

Correct new config snippet typo in CVE id

; Resolves: CVE-2024-1488
Resolves: RHEL-25501
This commit is contained in:
Petr Menšík 2024-03-11 10:33:46 +01:00
parent f52cac55d8
commit bd43b9312b
3 changed files with 16 additions and 2 deletions

9
remote-control.conf Normal file
View File

@ -0,0 +1,9 @@
# Remote control config section update.
# Previous defaults allowed any process to change settings, CVE-2024-1488
remote-control:
# set to an absolute path to use a unix local name pipe, certificates
# are not used for that, so key and cert files need not be present.
control-interface: "/run/unbound/control"
# For local sockets this option is ignored, and TLS is not used.
control-use-cert: "yes"

View File

@ -998,7 +998,7 @@ remote-control:
# are not used for that, so key and cert files need not be present.
# control-interface: 127.0.0.1
# control-interface: ::1
control-interface: "/run/unbound/control"
# moved to /etc/unbound/conf.d/remote-control.conf
# port number for remote control operations.
# control-port: 8953

View File

@ -30,7 +30,7 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
Version: 1.16.2
Release: 7%{?extra_version:.%{extra_version}}%{?dist}
Release: 8%{?extra_version:.%{extra_version}}%{?dist}
License: BSD
Url: https://nlnetlabs.nl/projects/unbound/
Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@ -52,6 +52,7 @@ Source16: unbound-munin.README
Source17: unbound-anchor.service
Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
Source21: remote-control.conf
# https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554
Patch1: unbound-1.16-CVE-2022-3204.patch
@ -317,6 +318,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
# Link unbound-control-setup.8 manpage to unbound-control.8
echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
@ -451,6 +453,9 @@ popd
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
%changelog
* Mon Mar 11 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-8
- Ensure group access correction reaches also updated configs (CVE-2024-1488)
* Wed Feb 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-7
- Ensure only unbound group can change configuration (CVE-2024-1488)