From f52cac55d8beb7e96bfadeb0fb4d124389943864 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 13 Feb 2024 22:47:36 +0100
Subject: [PATCH] Ensure only unbound group members can make changes

unbound-control should allow only privileged users from unbound group to
modify running instance.

; Resolves: CVE-2024-1488
Resolves: RHEL-25501
---
 unbound.conf | 6 ++----
 unbound.spec | 5 ++++-
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/unbound.conf b/unbound.conf
index 977d39f..0f83196 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -989,6 +989,7 @@ remote-control:
 
 	# Set to no and use an absolute path as control-interface to use
 	# a unix local named pipe for unbound-control.
+	# For local sockets this option is ignored, and TLS is not used.
 	# control-use-cert: yes
 
 	# what interfaces are listened to for remote control.
@@ -997,14 +998,11 @@ remote-control:
 	# are not used for that, so key and cert files need not be present.
 	# control-interface: 127.0.0.1
 	# control-interface: ::1
+	control-interface: "/run/unbound/control"
 
 	# port number for remote control operations.
 	# control-port: 8953
 
-	# for localhost, you can disable use of TLS by setting this to "no"
-	# For local sockets this option is ignored, and TLS is not used.
-	control-use-cert: "no"
-
 	# Unbound server key file.
 	server-key-file: "/etc/unbound/unbound_server.key"
 
diff --git a/unbound.spec b/unbound.spec
index fddb810..9541e35 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -30,7 +30,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.16.2
-Release: 6%{?extra_version:.%{extra_version}}%{?dist}
+Release: 7%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@@ -451,6 +451,9 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 
 %changelog
+* Wed Feb 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-7
+- Ensure only unbound group can change configuration (CVE-2024-1488)
+
 * Fri Feb 16 2024 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-6
 - Fix KeyTrap - Extreme CPU consumption in DNSSEC validator CVE-2023-50387
 - Fix Preparing an NSEC3 closest encloser proof can exhaust CPU resources CVE-2023-50868