From f52cac55d8beb7e96bfadeb0fb4d124389943864 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 13 Feb 2024 22:47:36 +0100 Subject: [PATCH] Ensure only unbound group members can make changes unbound-control should allow only privileged users from unbound group to modify running instance. ; Resolves: CVE-2024-1488 Resolves: RHEL-25501 --- unbound.conf | 6 ++---- unbound.spec | 5 ++++- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/unbound.conf b/unbound.conf index 977d39f..0f83196 100644 --- a/unbound.conf +++ b/unbound.conf @@ -989,6 +989,7 @@ remote-control: # Set to no and use an absolute path as control-interface to use # a unix local named pipe for unbound-control. + # For local sockets this option is ignored, and TLS is not used. # control-use-cert: yes # what interfaces are listened to for remote control. @@ -997,14 +998,11 @@ remote-control: # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 + control-interface: "/run/unbound/control" # port number for remote control operations. # control-port: 8953 - # for localhost, you can disable use of TLS by setting this to "no" - # For local sockets this option is ignored, and TLS is not used. - control-use-cert: "no" - # Unbound server key file. server-key-file: "/etc/unbound/unbound_server.key" diff --git a/unbound.spec b/unbound.spec index fddb810..9541e35 100644 --- a/unbound.spec +++ b/unbound.spec @@ -30,7 +30,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.16.2 -Release: 6%{?extra_version:.%{extra_version}}%{?dist} +Release: 7%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz 
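Review bot: The new `control-interface: "/run/unbound/control"` makes filesystem permissions the only access control on the control channel, since the comment this hunk removes (and re-adds in the previous hunk) states that control-use-cert is ignored for local sockets and no TLS is used; nothing in this patch creates /run/unbound or sets its owner, group or mode, so the "only unbound group members" guarantee in the title rests on code and packaging outside the diff. Unbound itself appears to chmod the socket to 0770 and chown it to the configured `username:` at bind time, but the parent directory is still the package's job (tmpfiles.d or %attr), and the unbound.spec hunk here only bumps Release, so please confirm /run/unbound is shipped as unbound:unbound with a mode that keeps other users out. I would document the trust boundary next to the new line: `# Local socket: TLS/cert checks do not apply; access is controlled solely by the permissions of the socket and /run/unbound (unbound group).` If unbound.conf is packaged %config(noreplace), systems with a locally edited config keep the old 127.0.0.1 + control-use-cert "no" setup and only receive an .rpmnew, which is worth calling out in the changelog or advisory.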
@@ -451,6 +451,9 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 %changelog
+* Wed Feb 28 2024 Petr Menšík - 1.16.2-7
+- Ensure only unbound group can change configuration (CVE-2024-1488)
+
 * Fri Feb 16 2024 Tomas Korbar - 1.16.2-6
 - Fix KeyTrap - Extreme CPU consumption in DNSSEC validator CVE-2023-50387
 - Fix Preparing an NSEC3 closest encloser proof can exhaust CPU resources CVE-2023-50868