Fix CVE-2026-42534: Jostle logic bypass degrades resolution performance

More information can be found in the upstream's advisory:
https://nlnetlabs.nl/downloads/unbound/CVE-2026-42534.txt

Resolves-Vulnerability: CVE-2026-42534
Resolves: RHEL-187081
This commit is contained in:
Fedor Vorobev 2026-06-24 11:54:42 +02:00
parent c2fe64e3f1
commit dba36540fd
2 changed files with 56 additions and 0 deletions

View File

@ -0,0 +1,51 @@
diff --git a/unbound-1.16.2/services/mesh.c b/unbound-1.16.2/services/mesh.c
index 30bcf7c..0f5a2a3 100644
--- a/unbound-1.16.2/services/mesh.c
+++ b/unbound-1.16.2/services/mesh.c
@@ -338,12 +338,14 @@ int mesh_make_new_space(struct mesh_area* mesh, sldns_buffer* qbuf)
if(mesh->num_reply_states < mesh->max_reply_states)
return 1;
/* try to kick out a jostle-list item */
- if(m && m->reply_list && m->list_select == mesh_jostle_list) {
+ if(m && m->list_select == mesh_jostle_list) {
/* how old is it? */
struct timeval age;
- timeval_subtract(&age, mesh->env->now_tv,
- &m->reply_list->start_time);
- if(timeval_smaller(&mesh->jostle_max, &age)) {
+ if(m->has_first_reply_time)
+ timeval_subtract(&age, mesh->env->now_tv,
+ &m->first_reply_time);
+ if(!m->has_first_reply_time ||
+ timeval_smaller(&mesh->jostle_max, &age)) {
/* its a goner */
log_nametypeclass(VERB_ALGO, "query jostled out to "
"make space for a new one",
@@ -1690,6 +1692,10 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns,
r->qid = qid;
r->qflags = qflags;
r->start_time = *s->s.env->now_tv;
+ if(s->reply_list == NULL && !s->has_first_reply_time) {
+ s->first_reply_time = r->start_time;
+ s->has_first_reply_time = 1;
+ }
r->next = s->reply_list;
r->qname = regional_alloc_init(s->s.region, qinfo->qname,
s->s.qinfo.qname_len);
diff --git a/unbound-1.16.2/services/mesh.h b/unbound-1.16.2/services/mesh.h
index 3be9b63..8194994 100644
--- a/unbound-1.16.2/services/mesh.h
+++ b/unbound-1.16.2/services/mesh.h
@@ -174,6 +174,12 @@ struct mesh_state {
struct module_qstate s;
/** the list of replies to clients for the results */
struct mesh_reply* reply_list;
+ /** if it has a first reply time */
+ int has_first_reply_time;
+ /** wall-clock time the first client reply was attached;
+ * used by mesh_make_new_space() so duplicate retransmits
+ * cannot reset jostle aging. */
+ struct timeval first_reply_time;
/** the list of callbacks for the results */
struct mesh_cb* cb_list;
/** set of superstates (that want this state's result)

View File

@ -90,6 +90,9 @@ Patch11: unbound-1.25.1-CVE-2026-40622-test.patch
Patch12: unbound-1.25.1-CVE-2026-44390.patch
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-41292.diff
Patch13: unbound-1.25.1-CVE-2026-41292.patch
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42534.diff
Patch14: unbound-1.25.1-CVE-2026-42534.patch
BuildRequires: gdb
BuildRequires: gcc, make
@ -202,6 +205,7 @@ pushd %{pkgname}
%patch11 -p2 -b .CVE-2026-40622-test
%patch12 -p2 -b .CVE-2026-44390
%patch13 -p2 -b .CVE-2026-41292
%patch14 -p2 -b .CVE-2026-42534
# copy common doc files - after here, since it may be patched
cp -pr doc pythonmod libunbound ../
@ -472,6 +476,7 @@ popd
- Fix CVE-2026-40622 (RHEL-184832)
- Fix CVE-2026-44390 (RHEL-186680)
- Fix CVE-2026-41292 (RHEL-187346)
- Fix CVE-2026-42534 (RHEL-187081)
* Mon May 25 2026 Fedor Vorobev <fvorobev@redhat.com> - 1.16.2-5.11
- Fix CVE-2026-42944 (RHEL177909)