Security update for unbound SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:1772-1 Final 1 1 2020-06-26T06:05:15Z current 2020-06-26T06:05:15Z 2020-06-26T06:05:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for unbound This update for unbound fixes the following issues: - CVE-2020-12662: Fixed an issue where unbound could have been tricked into amplifying an incoming query into a large number of queries directed to a target (bsc#1171889). - CVE-2020-12663: Fixed an issue where malformed answers from upstream name servers could have been used to make unbound unresponsive (bsc#1171889). - CVE-2019-18934: Fixed a vulnerability in the IPSec module which could have allowed code execution after receiving a special crafted answer (bsc#1157268). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2020-1772,SUSE-SLE-Module-Basesystem-15-SP1-2020-1772,SUSE-SLE-Module-Basesystem-15-SP2-2020-1772 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20201772-1/ Link for SUSE-SU-2020:1772-1 https://lists.suse.com/pipermail/sle-security-updates/2020-June/007040.html E-Mail link for SUSE-SU-2020:1772-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1157268 SUSE Bug 1157268 https://bugzilla.suse.com/1171889 SUSE Bug 1171889 https://www.suse.com/security/cve/CVE-2019-18934/ SUSE CVE CVE-2019-18934 page https://www.suse.com/security/cve/CVE-2020-12662/ SUSE CVE CVE-2020-12662 page https://www.suse.com/security/cve/CVE-2020-12663/ SUSE CVE CVE-2020-12663 page SUSE Linux Enterprise Module for Basesystem 15 SP1 SUSE Linux Enterprise Module for Basesystem 15 SP2 libunbound-devel-mini-1.6.8-10.3.1 libunbound2-1.6.8-10.3.1 unbound-1.6.8-10.3.1 unbound-anchor-1.6.8-10.3.1 unbound-devel-1.6.8-10.3.1 unbound-munin-1.6.8-10.3.1 unbound-python-1.6.8-10.3.1 libunbound2-1.6.8-10.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP1 unbound-anchor-1.6.8-10.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP1 unbound-devel-1.6.8-10.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP1 libunbound2-1.6.8-10.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 unbound-anchor-1.6.8-10.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 unbound-devel-1.6.8-10.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration. CVE-2019-18934 SUSE Linux Enterprise Module for Basesystem 15 SP1:libunbound2-1.6.8-10.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP1:unbound-anchor-1.6.8-10.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP1:unbound-devel-1.6.8-10.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:libunbound2-1.6.8-10.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:unbound-anchor-1.6.8-10.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:unbound-devel-1.6.8-10.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20201772-1/ https://www.suse.com/security/cve/CVE-2019-18934.html CVE-2019-18934 https://bugzilla.suse.com/1157268 SUSE Bug 1157268 Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records. CVE-2020-12662 SUSE Linux Enterprise Module for Basesystem 15 SP1:libunbound2-1.6.8-10.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP1:unbound-anchor-1.6.8-10.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP1:unbound-devel-1.6.8-10.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:libunbound2-1.6.8-10.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:unbound-anchor-1.6.8-10.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:unbound-devel-1.6.8-10.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20201772-1/ https://www.suse.com/security/cve/CVE-2020-12662.html CVE-2020-12662 https://bugzilla.suse.com/1171889 SUSE Bug 1171889 Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers. CVE-2020-12663 SUSE Linux Enterprise Module for Basesystem 15 SP1:libunbound2-1.6.8-10.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP1:unbound-anchor-1.6.8-10.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP1:unbound-devel-1.6.8-10.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:libunbound2-1.6.8-10.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:unbound-anchor-1.6.8-10.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:unbound-devel-1.6.8-10.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20201772-1/ https://www.suse.com/security/cve/CVE-2020-12663.html CVE-2020-12663 https://bugzilla.suse.com/1171889 SUSE Bug 1171889