cvelistv5 - cve-2024-33655

CVE-2024-33655 (GCVE-0-2024-33655)

Vulnerability from cvelistv5

Published

2024-06-06 00:00

Modified

2024-08-22 18:26

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

Summary

The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the "DNSBomb" issue.

References

►

URL

	Vendor	Product	Version
	n/a	n/a	Version: n/a

gsd-2024-33655

Vulnerability from gsd

Modified

2024-04-26 05:02

Details

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Aliases

CVE-2024-33655

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-33655"
      ],
      "id": "GSD-2024-33655",
      "modified": "2024-04-26T05:02:19.215383Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2024-33655",
        "STATE": "RESERVED"
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
          }
        ]
      }
    }
  }
}

opensuse-su-2024:13944-1

Vulnerability from csaf_opensuse

Published

2024-06-15 00:00

Modified

2024-06-15 00:00

Summary

libunbound8-1.20.0-1.1 on GA media

Notes

Title of the patch

libunbound8-1.20.0-1.1 on GA media

Description of the patch

These are all security issues fixed in the libunbound8-1.20.0-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-13944

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "libunbound8-1.20.0-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the libunbound8-1.20.0-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-13944",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13944-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-33655 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-33655/"
      }
    ],
    "title": "libunbound8-1.20.0-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:13944-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libunbound8-1.20.0-1.1.aarch64",
                "product": {
                  "name": "libunbound8-1.20.0-1.1.aarch64",
                  "product_id": "libunbound8-1.20.0-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python3-unbound-1.20.0-1.1.aarch64",
                "product": {
                  "name": "python3-unbound-1.20.0-1.1.aarch64",
                  "product_id": "python3-unbound-1.20.0-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "unbound-1.20.0-1.1.aarch64",
                "product": {
                  "name": "unbound-1.20.0-1.1.aarch64",
                  "product_id": "unbound-1.20.0-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "unbound-anchor-1.20.0-1.1.aarch64",
                "product": {
                  "name": "unbound-anchor-1.20.0-1.1.aarch64",
                  "product_id": "unbound-anchor-1.20.0-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "unbound-devel-1.20.0-1.1.aarch64",
                "product": {
                  "name": "unbound-devel-1.20.0-1.1.aarch64",
                  "product_id": "unbound-devel-1.20.0-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "unbound-munin-1.20.0-1.1.aarch64",
                "product": {
                  "name": "unbound-munin-1.20.0-1.1.aarch64",
                  "product_id": "unbound-munin-1.20.0-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libunbound8-1.20.0-1.1.ppc64le",
                "product": {
                  "name": "libunbound8-1.20.0-1.1.ppc64le",
                  "product_id": "libunbound8-1.20.0-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python3-unbound-1.20.0-1.1.ppc64le",
                "product": {
                  "name": "python3-unbound-1.20.0-1.1.ppc64le",
                  "product_id": "python3-unbound-1.20.0-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "unbound-1.20.0-1.1.ppc64le",
                "product": {
                  "name": "unbound-1.20.0-1.1.ppc64le",
                  "product_id": "unbound-1.20.0-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "unbound-anchor-1.20.0-1.1.ppc64le",
                "product": {
                  "name": "unbound-anchor-1.20.0-1.1.ppc64le",
                  "product_id": "unbound-anchor-1.20.0-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "unbound-devel-1.20.0-1.1.ppc64le",
                "product": {
                  "name": "unbound-devel-1.20.0-1.1.ppc64le",
                  "product_id": "unbound-devel-1.20.0-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "unbound-munin-1.20.0-1.1.ppc64le",
                "product": {
                  "name": "unbound-munin-1.20.0-1.1.ppc64le",
                  "product_id": "unbound-munin-1.20.0-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libunbound8-1.20.0-1.1.s390x",
                "product": {
                  "name": "libunbound8-1.20.0-1.1.s390x",
                  "product_id": "libunbound8-1.20.0-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python3-unbound-1.20.0-1.1.s390x",
                "product": {
                  "name": "python3-unbound-1.20.0-1.1.s390x",
                  "product_id": "python3-unbound-1.20.0-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "unbound-1.20.0-1.1.s390x",
                "product": {
                  "name": "unbound-1.20.0-1.1.s390x",
                  "product_id": "unbound-1.20.0-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "unbound-anchor-1.20.0-1.1.s390x",
                "product": {
                  "name": "unbound-anchor-1.20.0-1.1.s390x",
                  "product_id": "unbound-anchor-1.20.0-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "unbound-devel-1.20.0-1.1.s390x",
                "product": {
                  "name": "unbound-devel-1.20.0-1.1.s390x",
                  "product_id": "unbound-devel-1.20.0-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "unbound-munin-1.20.0-1.1.s390x",
                "product": {
                  "name": "unbound-munin-1.20.0-1.1.s390x",
                  "product_id": "unbound-munin-1.20.0-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libunbound8-1.20.0-1.1.x86_64",
                "product": {
                  "name": "libunbound8-1.20.0-1.1.x86_64",
                  "product_id": "libunbound8-1.20.0-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python3-unbound-1.20.0-1.1.x86_64",
                "product": {
                  "name": "python3-unbound-1.20.0-1.1.x86_64",
                  "product_id": "python3-unbound-1.20.0-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "unbound-1.20.0-1.1.x86_64",
                "product": {
                  "name": "unbound-1.20.0-1.1.x86_64",
                  "product_id": "unbound-1.20.0-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "unbound-anchor-1.20.0-1.1.x86_64",
                "product": {
                  "name": "unbound-anchor-1.20.0-1.1.x86_64",
                  "product_id": "unbound-anchor-1.20.0-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "unbound-devel-1.20.0-1.1.x86_64",
                "product": {
                  "name": "unbound-devel-1.20.0-1.1.x86_64",
                  "product_id": "unbound-devel-1.20.0-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "unbound-munin-1.20.0-1.1.x86_64",
                "product": {
                  "name": "unbound-munin-1.20.0-1.1.x86_64",
                  "product_id": "unbound-munin-1.20.0-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libunbound8-1.20.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libunbound8-1.20.0-1.1.aarch64"
        },
        "product_reference": "libunbound8-1.20.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libunbound8-1.20.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libunbound8-1.20.0-1.1.ppc64le"
        },
        "product_reference": "libunbound8-1.20.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libunbound8-1.20.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libunbound8-1.20.0-1.1.s390x"
        },
        "product_reference": "libunbound8-1.20.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libunbound8-1.20.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:libunbound8-1.20.0-1.1.x86_64"
        },
        "product_reference": "libunbound8-1.20.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-unbound-1.20.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python3-unbound-1.20.0-1.1.aarch64"
        },
        "product_reference": "python3-unbound-1.20.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-unbound-1.20.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python3-unbound-1.20.0-1.1.ppc64le"
        },
        "product_reference": "python3-unbound-1.20.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-unbound-1.20.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python3-unbound-1.20.0-1.1.s390x"
        },
        "product_reference": "python3-unbound-1.20.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-unbound-1.20.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python3-unbound-1.20.0-1.1.x86_64"
        },
        "product_reference": "python3-unbound-1.20.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-1.20.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:unbound-1.20.0-1.1.aarch64"
        },
        "product_reference": "unbound-1.20.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-1.20.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:unbound-1.20.0-1.1.ppc64le"
        },
        "product_reference": "unbound-1.20.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-1.20.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:unbound-1.20.0-1.1.s390x"
        },
        "product_reference": "unbound-1.20.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-1.20.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:unbound-1.20.0-1.1.x86_64"
        },
        "product_reference": "unbound-1.20.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-anchor-1.20.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:unbound-anchor-1.20.0-1.1.aarch64"
        },
        "product_reference": "unbound-anchor-1.20.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-anchor-1.20.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:unbound-anchor-1.20.0-1.1.ppc64le"
        },
        "product_reference": "unbound-anchor-1.20.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-anchor-1.20.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:unbound-anchor-1.20.0-1.1.s390x"
        },
        "product_reference": "unbound-anchor-1.20.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-anchor-1.20.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:unbound-anchor-1.20.0-1.1.x86_64"
        },
        "product_reference": "unbound-anchor-1.20.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-devel-1.20.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:unbound-devel-1.20.0-1.1.aarch64"
        },
        "product_reference": "unbound-devel-1.20.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-devel-1.20.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:unbound-devel-1.20.0-1.1.ppc64le"
        },
        "product_reference": "unbound-devel-1.20.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-devel-1.20.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:unbound-devel-1.20.0-1.1.s390x"
        },
        "product_reference": "unbound-devel-1.20.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-devel-1.20.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:unbound-devel-1.20.0-1.1.x86_64"
        },
        "product_reference": "unbound-devel-1.20.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-munin-1.20.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:unbound-munin-1.20.0-1.1.aarch64"
        },
        "product_reference": "unbound-munin-1.20.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-munin-1.20.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:unbound-munin-1.20.0-1.1.ppc64le"
        },
        "product_reference": "unbound-munin-1.20.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-munin-1.20.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:unbound-munin-1.20.0-1.1.s390x"
        },
        "product_reference": "unbound-munin-1.20.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-munin-1.20.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:unbound-munin-1.20.0-1.1.x86_64"
        },
        "product_reference": "unbound-munin-1.20.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-33655",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-33655"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the \"DNSBomb\" issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:libunbound8-1.20.0-1.1.aarch64",
          "openSUSE Tumbleweed:libunbound8-1.20.0-1.1.ppc64le",
          "openSUSE Tumbleweed:libunbound8-1.20.0-1.1.s390x",
          "openSUSE Tumbleweed:libunbound8-1.20.0-1.1.x86_64",
          "openSUSE Tumbleweed:python3-unbound-1.20.0-1.1.aarch64",
          "openSUSE Tumbleweed:python3-unbound-1.20.0-1.1.ppc64le",
          "openSUSE Tumbleweed:python3-unbound-1.20.0-1.1.s390x",
          "openSUSE Tumbleweed:python3-unbound-1.20.0-1.1.x86_64",
          "openSUSE Tumbleweed:unbound-1.20.0-1.1.aarch64",
          "openSUSE Tumbleweed:unbound-1.20.0-1.1.ppc64le",
          "openSUSE Tumbleweed:unbound-1.20.0-1.1.s390x",
          "openSUSE Tumbleweed:unbound-1.20.0-1.1.x86_64",
          "openSUSE Tumbleweed:unbound-anchor-1.20.0-1.1.aarch64",
          "openSUSE Tumbleweed:unbound-anchor-1.20.0-1.1.ppc64le",
          "openSUSE Tumbleweed:unbound-anchor-1.20.0-1.1.s390x",
          "openSUSE Tumbleweed:unbound-anchor-1.20.0-1.1.x86_64",
          "openSUSE Tumbleweed:unbound-devel-1.20.0-1.1.aarch64",
          "openSUSE Tumbleweed:unbound-devel-1.20.0-1.1.ppc64le",
          "openSUSE Tumbleweed:unbound-devel-1.20.0-1.1.s390x",
          "openSUSE Tumbleweed:unbound-devel-1.20.0-1.1.x86_64",
          "openSUSE Tumbleweed:unbound-munin-1.20.0-1.1.aarch64",
          "openSUSE Tumbleweed:unbound-munin-1.20.0-1.1.ppc64le",
          "openSUSE Tumbleweed:unbound-munin-1.20.0-1.1.s390x",
          "openSUSE Tumbleweed:unbound-munin-1.20.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-33655",
          "url": "https://www.suse.com/security/cve/CVE-2024-33655"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1224102 for CVE-2024-33655",
          "url": "https://bugzilla.suse.com/1224102"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:libunbound8-1.20.0-1.1.aarch64",
            "openSUSE Tumbleweed:libunbound8-1.20.0-1.1.ppc64le",
            "openSUSE Tumbleweed:libunbound8-1.20.0-1.1.s390x",
            "openSUSE Tumbleweed:libunbound8-1.20.0-1.1.x86_64",
            "openSUSE Tumbleweed:python3-unbound-1.20.0-1.1.aarch64",
            "openSUSE Tumbleweed:python3-unbound-1.20.0-1.1.ppc64le",
            "openSUSE Tumbleweed:python3-unbound-1.20.0-1.1.s390x",
            "openSUSE Tumbleweed:python3-unbound-1.20.0-1.1.x86_64",
            "openSUSE Tumbleweed:unbound-1.20.0-1.1.aarch64",
            "openSUSE Tumbleweed:unbound-1.20.0-1.1.ppc64le",
            "openSUSE Tumbleweed:unbound-1.20.0-1.1.s390x",
            "openSUSE Tumbleweed:unbound-1.20.0-1.1.x86_64",
            "openSUSE Tumbleweed:unbound-anchor-1.20.0-1.1.aarch64",
            "openSUSE Tumbleweed:unbound-anchor-1.20.0-1.1.ppc64le",
            "openSUSE Tumbleweed:unbound-anchor-1.20.0-1.1.s390x",
            "openSUSE Tumbleweed:unbound-anchor-1.20.0-1.1.x86_64",
            "openSUSE Tumbleweed:unbound-devel-1.20.0-1.1.aarch64",
            "openSUSE Tumbleweed:unbound-devel-1.20.0-1.1.ppc64le",
            "openSUSE Tumbleweed:unbound-devel-1.20.0-1.1.s390x",
            "openSUSE Tumbleweed:unbound-devel-1.20.0-1.1.x86_64",
            "openSUSE Tumbleweed:unbound-munin-1.20.0-1.1.aarch64",
            "openSUSE Tumbleweed:unbound-munin-1.20.0-1.1.ppc64le",
            "openSUSE Tumbleweed:unbound-munin-1.20.0-1.1.s390x",
            "openSUSE Tumbleweed:unbound-munin-1.20.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:libunbound8-1.20.0-1.1.aarch64",
            "openSUSE Tumbleweed:libunbound8-1.20.0-1.1.ppc64le",
            "openSUSE Tumbleweed:libunbound8-1.20.0-1.1.s390x",
            "openSUSE Tumbleweed:libunbound8-1.20.0-1.1.x86_64",
            "openSUSE Tumbleweed:python3-unbound-1.20.0-1.1.aarch64",
            "openSUSE Tumbleweed:python3-unbound-1.20.0-1.1.ppc64le",
            "openSUSE Tumbleweed:python3-unbound-1.20.0-1.1.s390x",
            "openSUSE Tumbleweed:python3-unbound-1.20.0-1.1.x86_64",
            "openSUSE Tumbleweed:unbound-1.20.0-1.1.aarch64",
            "openSUSE Tumbleweed:unbound-1.20.0-1.1.ppc64le",
            "openSUSE Tumbleweed:unbound-1.20.0-1.1.s390x",
            "openSUSE Tumbleweed:unbound-1.20.0-1.1.x86_64",
            "openSUSE Tumbleweed:unbound-anchor-1.20.0-1.1.aarch64",
            "openSUSE Tumbleweed:unbound-anchor-1.20.0-1.1.ppc64le",
            "openSUSE Tumbleweed:unbound-anchor-1.20.0-1.1.s390x",
            "openSUSE Tumbleweed:unbound-anchor-1.20.0-1.1.x86_64",
            "openSUSE Tumbleweed:unbound-devel-1.20.0-1.1.aarch64",
            "openSUSE Tumbleweed:unbound-devel-1.20.0-1.1.ppc64le",
            "openSUSE Tumbleweed:unbound-devel-1.20.0-1.1.s390x",
            "openSUSE Tumbleweed:unbound-devel-1.20.0-1.1.x86_64",
            "openSUSE Tumbleweed:unbound-munin-1.20.0-1.1.aarch64",
            "openSUSE Tumbleweed:unbound-munin-1.20.0-1.1.ppc64le",
            "openSUSE Tumbleweed:unbound-munin-1.20.0-1.1.s390x",
            "openSUSE Tumbleweed:unbound-munin-1.20.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-33655"
    }
  ]
}

ghsa-2xh4-pf7v-vh6h

Vulnerability from github

Published

2024-06-06 18:30

Modified

2024-08-22 21:31

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-33655"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-06T17:15:51Z",
    "severity": "HIGH"
  },
  "details": "The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the \"DNSBomb\" issue.",
  "id": "GHSA-2xh4-pf7v-vh6h",
  "modified": "2024-08-22T21:31:28Z",
  "published": "2024-06-06T18:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33655"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NLnetLabs/unbound/commit/c3206f4568f60c486be6d165b1f2b5b254fea3de"
    },
    {
      "type": "WEB",
      "url": "https://alas.aws.amazon.com/ALAS-2024-1934.html"
    },
    {
      "type": "WEB",
      "url": "https://datatracker.ietf.org/doc/html/rfc1035"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md#version-120"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.isc.org/isc-projects/bind9/-/issues/4398"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3TBXPRJ2Q235YUZKYDRWOSYNDFBJQWJ3"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QITY2QBX2OCBTZIXD2A5ES62STFIA4AL"
    },
    {
      "type": "WEB",
      "url": "https://meterpreter.org/researchers-uncover-dnsbomb-a-new-pdos-attack-exploiting-legitimate-dns-features"
    },
    {
      "type": "WEB",
      "url": "https://nlnetlabs.nl/downloads/unbound/CVE-2024-33655.txt"
    },
    {
      "type": "WEB",
      "url": "https://nlnetlabs.nl/projects/unbound/security-advisories"
    },
    {
      "type": "WEB",
      "url": "https://sp2024.ieee-security.org/accepted-papers.html"
    },
    {
      "type": "WEB",
      "url": "https://www.isc.org/blogs/2024-dnsbomb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

suse-su-2025:20024-1

Vulnerability from csaf_suse

Published

2025-02-03 08:50

Modified

2025-02-03 08:50

Summary

Security update for unbound

Notes

Title of the patch

Security update for unbound

Description of the patch

This update for unbound fixes the following issues: - Update to 1.20.0: Features: * The config for discard-timeout, wait-limit, wait-limit-cookie, wait-limit-netblock and wait-limit-cookie-netblock was added, for the fix to the DNSBomb issue. * Merge GH#1027: Introduce 'cache-min-negative-ttl' option. * Merge GH#1043 from xiaoxiaoafeifei: Add loongarch support; updates config.guess(2024-01-01) and config.sub(2024-01-01), verified with upstream. * Implement cachedb-check-when-serve-expired: yes option, default is enabled. When serve expired is enabled with cachedb, it first checks cachedb before serving the expired response. * Fix GH#876: [FR] can unbound-checkconf be silenced when configuration is valid? Bug Fixes: * Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li from the Network and Information Security Lab of Tsinghua University for reporting it. * Update doc/unbound.doxygen with 'doxygen -u'. Fixes option deprecation warnings and updates with newer defaults. * Remove unused portion from iter_dname_ttl unit test. * Fix validator classification of qtype DNAME for positive and redirection answers, and fix validator signature routine for dealing with the synthesized CNAME for a DNAME without previously encountering it and also for when the qtype is DNAME. * Fix qname minimisation for reply with a DNAME for qtype CNAME that answers it. * Fix doc test so it ignores but outputs unsupported doxygen options. * Fix GH#1021 Inconsistent Behavior with Changing rpz-cname-override and doing a unbound-control reload. * Merge GH#1028: Clearer documentation for tcp-idle-timeout and edns-tcp-keepalive-timeout. * Fix GH#1029: rpz trigger clientip and action rpz-passthru not working as expected. * Fix rpz that the rpz override is taken in case of clientip triggers. Fix that the clientip passthru action is logged. Fix that the clientip localdata action is logged. Fix rpz override action cname for the clientip trigger. * Fix to unify codepath for local alias for rpz cname action override. * Fix rpz for cname override action after nsdname and nsip triggers. * Fix that addrinfo is not kept around but copied and freed, so that log-destaddr uses a copy of the information, much like NSD does. * Merge GH#1030: Persist the openssl and expat directories for repeated Windows builds. * Fix that rpz CNAME content is limited to the max number of cnames. * Fix rpz, it follows iterator CNAMEs for nsip and nsdname and sets the reply query_info values, that is better for debug logging. * Fix rpz that copies the cname override completely to the temp region, so there are no references to the rpz region. * Add rpz unit test for nsip action override. * Fix rpz for qtype CNAME after nameserver trigger. * Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix that clientip and nsip can give a CNAME. * Fix localdata and rpz localdata to match CNAME only if no direct type match is available. * Merge GH#831 from Pierre4012: Improve Windows NSIS installer script (setup.nsi). * For GH#831: Format text, use exclamation icon and explicit label names. * Fix name of unit test for subnet cache response. * Fix GH#1032: The size of subnet_msg_cache calculation mistake cause memory usage increased beyond expectations. * Fix for GH#1032, add safeguard to make table space positive. * Fix comment in lruhash space function. * Fix to add unit test for lruhash space that exercises the routines. * Fix that when the server truncates the pidfile, it does not follow symbolic links. * Fix that the server does not chown the pidfile. * Fix GH#1034: DoT forward-zone via unbound-control. * Fix for crypto related failures to have a better error string. * Fix GH#1035: Potential Bug while parsing port from the "stub-host" string; also affected forward-zones and remote-control host directives. * Fix GH#369: dnstap showing extra responses; for client responses right from the cache when replying with expired data or prefetching. * Fix GH#1040: fix heap-buffer-overflow issue in function cfg_mark_ports of file util/config_file.c. * For GH#1040: adjust error text and disallow negative ports in other parts of cfg_mark_ports. * Fix comment syntax for view function views_find_view. * Fix GH#595: unbound-anchor cannot deal with full disk; it will now first write out to a temp file before replacing the original one, like Unbound already does for auto-trust-anchor-file. * Fixup compile without cachedb. * Add test for cachedb serve expired. * Extended test for cachedb serve expired. * Fix makefile dependencies for fake_event.c. * Fix cachedb for serve-expired with serve-expired-reply-ttl. * Fix to not reply serve expired unless enabled for cachedb. * Fix cachedb for serve-expired with serve-expired-client-timeout. * Fixup unit test for cachedb server expired client timeout with a check if response if from upstream or from cachedb. * Fixup cachedb to not refetch when serve-expired-client-timeout is used. * Merge GH#1049 from Petr Menšík: Py_NoSiteFlag is not needed since Python 3.8 * Fix GH#1048: Update ax_pkg_swig.m4 and ax_pthread.m4. * Fix configure, autoconf for GH#1048. * Add checklock feature verbose_locking to trace locks and unlocks. * Fix edns subnet to sort rrset references when storing messages in the cache. This fixes a race condition in the rrset locks. * Merge GH#1053: Remove child delegations from cache when grandchild delegations are returned from parent. * Fix ci workflow for macos for moved install locations. * Fix configure flto check error, by finding grep for it. * Merge GH#1041: Stub and Forward unshare. This has one structure for them and fixes GH#1038: fatal error: Could not initialize thread / error: reading root hints. * Fix to disable fragmentation on systems with IP_DONTFRAG, with a nonzero value for the socket option argument. * Fix doc unit test for out of directory build. * Fix cachedb with serve-expired-client-timeout disabled. The edns subnet module deletes global cache and cachedb cache when it stores a result, and serve-expired is enabled, so that the global reply, that is older than the ecs reply, does not return after the ecs reply expires. * Add unit tests for cachedb and subnet cache expired data. * Man page entry for unbound-checkconf -q. * Cleanup unnecessary strdup calls for EDE strings. * Fix doxygen comment for errinf_to_str_bogus. - Update to 1.19.3: * Features: - Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as per RFC 6672. * Bug Fixes - Fix unit test parse of origin syntax. - Use 127.0.0.1 explicitly in tests to avoid delays and errors on newer systems. - Fix #964: config.h.in~ backup file in release tar balls. - Merge #968: Replace the obsolescent fgrep with grep -F in tests. - Merge #971: fix 'WARNING: Message has 41 extra bytes at end'. - Fix #969: [FR] distinguish Do53, DoT and DoH in the logs. - Fix dnstap that assertion failed on logging other than UDP and TCP traffic. It lists it as TCP traffic. - Fix to sync the tests script file common.sh. - iana portlist update. - Updated IPv4 and IPv6 address for b.root-servers.net in root hints. - Update test script file common.sh. - Fix tests to use new common.sh functions, wait_logfile and kill_from_pidfile. - Fix #974: doc: default number of outgoing ports without libevent. - Merge #975: Fixed some syntax errors in rpl files. - Fix root_zonemd unit test, it checks that the root ZONEMD verifies, now that the root has a valid ZONEMD. - Update example.conf with cookie options. - Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors for non-HTTP/2 DoH clients. - Merge #985: Add DoH and DoT to dnstap message. - Fix #983: Sha1 runtime insecure change was incomplete. - Remove unneeded newlines and improve indentation in remote control code. - Merge #987: skip edns frag retry if advertised udp payload size is not smaller. - Fix unit test for #987 change in udp1xxx retry packet send. - Merge #988: Fix NLnetLabs#981: dump_cache truncates large records. - Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows. - Fix to link with libssp for libcrypto and getaddrinfo check for only header. Also update crosscompile to remove ssp for 32bit. - Merge #993: Update b.root-servers.net also in example config file. - Update workflow for ports to use newer openssl on windows compile. - Fix warning for windres on resource files due to redefinition. - Fix for #997: Print details for SSL certificate failure. - Update error printout for duplicate trust anchors to include the trust anchor name (relates to #920). - Update message TTL when using cached RRSETs. It could result in non-expired messages with expired RRSETs (non-usable messages by Unbound). - Merge #999: Search for protobuf-c with pkg-config. - Fix #1006: Can't find protobuf-c package since #999. - Fix documentation for access-control in the unbound.conf man page. - Merge #1010: Mention REFUSED has the TC bit set with unmatched allow_cookie acl in the manpage. It also fixes the code to match the documentation about clients with a valid cookie that bypass the ratelimit regardless of the allow_cookie acl. - Document the suspend argument for process_ds_response(). - Move github workflows to use checkoutv4. - Fix edns subnet replies for scope zero answers to not get stored in the global cache, and in cachedb, when the upstream replies without an EDNS record. - Fix for #1022: Fix ede prohibited in access control refused answers. - Fix unbound-control-setup.cmd to use 3072 bits so that certificates are long enough for newer OpenSSL versions. - Fix TTL of synthesized CNAME when a DNAME is used from cache. - Fix unbound-control-setup.cmd to have CA v3 basicConstraints, like unbound-control-setup.sh has. - Update to 1.19.2: * Bug Fixes: - Fix CVE-2024-1931, Denial of service when trimming EDE text on positive replies. [bsc#1221164] - Update to 1.19.1: * Bug Fixes: [bsc#1219823, CVE-2023-50387][bsc#1219826, CVE-2023-50868] - Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers. - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU. - as we use --disable-explicit-port-randomisation, also disable outgoing-port-permit and outgoing-port-avoid in config file to suppress the related unbound-checkconf warnings on every start - Update to 1.19.0: * Features: - Fix #850: [FR] Ability to use specific database in Redis, with new redis-logical-db configuration option. - Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream requests. This can be helpful for devices that cannot handle DNSSEC information. But it should not be enabled otherwise, because that would stop DNSSEC validation. The DNSSEC validation would not work for Unbound itself, and also not for downstream users. Default is no. The option is disable-edns-do: no - Expose the script filename in the Python module environment 'mod_env' instead of the config_file structure which includes the linked list of scripts in a multi Python module setup; fixes #79. - Expose the configured listening and outgoing interfaces, if any, as a list of strings in the Python 'config_file' class instead of the current Swig object proxy; fixes #79. - Mailing list patches from Daniel Gröber for DNS64 fallback to plain AAAA when no A record exists for synthesis, and minor DNS64 code refactoring for better readability. - Merge #951: Cachedb no store. The cachedb-no-store: yes option is used to stop cachedb from writing messages to the backend storage. It reads messages when data is available from the backend. The default is no. * Bug Fixes: - Fix for version generation race condition that ignored changes. - Fix #942: 1.18.0 libunbound DNS regression when built without OpenSSL. - Fix for WKS call to getservbyname that creates allocation on exit in unit test by testing numbers first and testing from the services list later. - Fix autoconf 2.69 warnings in configure. - Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1. - Merge #931: Prevent warnings from -Wmissing-prototypes. - Fix to scrub resource records of type A and AAAA that have an inappropriate size. They are removed from responses. - Fix to move msgparse_rrset_remove_rr code to util/msgparse.c. - Fix to add EDE text when RRs have been removed due to length. - Fix to set ede match in unit test for rr length removal. - Fix to print EDE text in readable form in output logs. - Fix send of udp retries when ENOBUFS is returned. It stops looping and also waits for the condition to go away. Reported by Florian Obser. - Fix authority zone answers for obscured DNAMEs and delegations. - Merge #936: Check for c99 with autoconf versions prior to 2.70. - Fix to remove two c99 notations. - Fix rpz tcp-only action with rpz triggers nsdname and nsip. - Fix misplaced comment. - Merge #881: Generalise the proxy protocol code. - Fix #946: Forwarder returns servfail on upstream response noerror no data. - Fix edns subnet so that queries with a source prefix of zero cause the recursor send no edns subnet option to the upstream. - Fix that printout of EDNS options shows the EDNS cookie option by name. - Fix infinite loop when reading multiple lines of input on a broken remote control socket. Addesses #947 and #948. - Fix #949: "could not create control compt". - Fix that cachedb does not warn when serve-expired is disabled about use of serve-expired-reply-ttl and serve-expired-client-timeout. - Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x. - Better fix for infinite loop when reading multiple lines of input on a broken remote control socket, by treating a zero byte line the same as transmission end. Addesses #947 and #948. - For multi Python module setups, clean previously parsed module functions in __main__'s dictionary, if any, so that only current module functions are registered. - Fix #954: Inconsistent RPZ handling for A record returned along with CNAME. - Fixes for the DNS64 patches. - Update the dns64_lookup.rpl test for the DNS64 fallback patch. - Merge #955 from buevsan: fix ipset wrong behavior. - Update testdata/ipset.tdir test for ipset fix. - Fix to print detailed errors when an SSL IO routine fails via SSL_get_error. - Clearer configure text for missing protobuf-c development libraries. - autoconf. - Merge #930 from Stuart Henderson: add void to log_ident_revert_to_default declaration. - Fix #941: dnscrypt doesn't work after upgrade to 1.18 with suggestion by dukeartem to also fix the udp_ancil with dnscrypt. - Fix SSL compile failure for definition in log_crypto_err_io_code_arg. - Fix SSL compile failure for other missing definitions in log_crypto_err_io_code_arg. - Fix compilation without openssl, remove unused function warning. - Mention flex and bison in README.md when building from repository source. - Update to 1.18.0: * Features: - Аdd a metric about the maximum number of collisions in lrushah. - Set max-udp-size default to 1232. This is the same default value as the default value for edns-buffer-size. It restricts client edns buffer size choices, and makes unbound behave similar to other DNS resolvers. - Add harden-unknown-additional option. It removes unknown records from the authority section and additional section. - Added new static zone type block_a to suppress all A queries for specific zones. - [FR] Ability to use Redis unix sockets. - [FR] Ability to set the Redis password. - Features/dropqueuedpackets, with sock-queue-timeout option that drops packets that have been in the socket queue for too long. Added statistics num.queries_timed_out and query.queue_time_us.max that track the socket queue timeouts. - 'eqvinox' Lamparter: NAT64 support. - [FR] Use kernel timestamps for dnstap. - Add cachedb hit stat. Introduces 'num.query.cachedb' as a new statistical counter. - Add SVCB dohpath support. - Add validation EDEs to queries where the CD bit is set. - Add prefetch support for subnet cache entries. - Add EDE (RFC8914) caching. - Add support for EDE caching in cachedb and subnetcache. - Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server cookies for clients that send client cookies. This needs to be explicitly turned on in the config file with: `answer-cookie: yes`. * Bug Fixes - Response change to NODATA for some ANY queries since 1.12. - Fix not following cleared RD flags potentially enables amplification DDoS attacks. - Set default for harden-unknown-additional to no. So that it does not hamper future protocol developments. - Fix to ignore entirely empty responses, and try at another authority. This turns completely empty responses, a type of noerror/nodata into a servfail, but they do not conform to RFC2308, and the retry can fetch improved content. - Allow TTL refresh of expired error responses. - Fix: Unexpected behavior with client-subnet-always-forward and serve-expired - Fix unbound-dnstap-socket test program to reply the finish frame over a TLS connection correctly. - Fix: reserved identifier violation - Fix: Unencrypted query is sent when forward-tls-upstream: yes is used without tls-cert-bundle - Extra consistency check to make sure that when TLS is requested, either we set up a TLS connection or we return an error. - Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record. - Fix: Bad interaction with 0 TTL records and serve-expired - Fix RPZ IP responses with trigger rpz-drop on cache entries. - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR. - Fix dereference of NULL variable warning in mesh_do_callback. - Fix ip_ratelimit test to work with dig that enables DNS cookies. - Fix for iter_dec_attempts that could cause a hang, part of capsforid and qname minimisation, depending on the settings. - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg. - Fix stat_values test to work with dig that enables DNS cookies. - unbound.service: Main process exited, code=killed, status=11/SEGV. Fixes cachedb configuration handling. - Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply. - Update to 1.20.0: Features: * The config for discard-timeout, wait-limit, wait-limit-cookie, wait-limit-netblock and wait-limit-cookie-netblock was added, for the fix to the DNSBomb issue. * Merge GH#1027: Introduce 'cache-min-negative-ttl' option. * Merge GH#1043 from xiaoxiaoafeifei: Add loongarch support; updates config.guess(2024-01-01) and config.sub(2024-01-01), verified with upstream. * Implement cachedb-check-when-serve-expired: yes option, default is enabled. When serve expired is enabled with cachedb, it first checks cachedb before serving the expired response. * Fix GH#876: [FR] can unbound-checkconf be silenced when configuration is valid? Bug Fixes: * Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li from the Network and Information Security Lab of Tsinghua University for reporting it. * Update doc/unbound.doxygen with 'doxygen -u'. Fixes option deprecation warnings and updates with newer defaults. * Remove unused portion from iter_dname_ttl unit test. * Fix validator classification of qtype DNAME for positive and redirection answers, and fix validator signature routine for dealing with the synthesized CNAME for a DNAME without previously encountering it and also for when the qtype is DNAME. * Fix qname minimisation for reply with a DNAME for qtype CNAME that answers it. * Fix doc test so it ignores but outputs unsupported doxygen options. * Fix GH#1021 Inconsistent Behavior with Changing rpz-cname-override and doing a unbound-control reload. * Merge GH#1028: Clearer documentation for tcp-idle-timeout and edns-tcp-keepalive-timeout. * Fix GH#1029: rpz trigger clientip and action rpz-passthru not working as expected. * Fix rpz that the rpz override is taken in case of clientip triggers. Fix that the clientip passthru action is logged. Fix that the clientip localdata action is logged. Fix rpz override action cname for the clientip trigger. * Fix to unify codepath for local alias for rpz cname action override. * Fix rpz for cname override action after nsdname and nsip triggers. * Fix that addrinfo is not kept around but copied and freed, so that log-destaddr uses a copy of the information, much like NSD does. * Merge GH#1030: Persist the openssl and expat directories for repeated Windows builds. * Fix that rpz CNAME content is limited to the max number of cnames. * Fix rpz, it follows iterator CNAMEs for nsip and nsdname and sets the reply query_info values, that is better for debug logging. * Fix rpz that copies the cname override completely to the temp region, so there are no references to the rpz region. * Add rpz unit test for nsip action override. * Fix rpz for qtype CNAME after nameserver trigger. * Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix that clientip and nsip can give a CNAME. * Fix localdata and rpz localdata to match CNAME only if no direct type match is available. * Merge GH#831 from Pierre4012: Improve Windows NSIS installer script (setup.nsi). * For GH#831: Format text, use exclamation icon and explicit label names. * Fix name of unit test for subnet cache response. * Fix GH#1032: The size of subnet_msg_cache calculation mistake cause memory usage increased beyond expectations. * Fix for GH#1032, add safeguard to make table space positive. * Fix comment in lruhash space function. * Fix to add unit test for lruhash space that exercises the routines. * Fix that when the server truncates the pidfile, it does not follow symbolic links. * Fix that the server does not chown the pidfile. * Fix GH#1034: DoT forward-zone via unbound-control. * Fix for crypto related failures to have a better error string. * Fix GH#1035: Potential Bug while parsing port from the "stub-host" string; also affected forward-zones and remote-control host directives. * Fix GH#369: dnstap showing extra responses; for client responses right from the cache when replying with expired data or prefetching. * Fix GH#1040: fix heap-buffer-overflow issue in function cfg_mark_ports of file util/config_file.c. * For GH#1040: adjust error text and disallow negative ports in other parts of cfg_mark_ports. * Fix comment syntax for view function views_find_view. * Fix GH#595: unbound-anchor cannot deal with full disk; it will now first write out to a temp file before replacing the original one, like Unbound already does for auto-trust-anchor-file. * Fixup compile without cachedb. * Add test for cachedb serve expired. * Extended test for cachedb serve expired. * Fix makefile dependencies for fake_event.c. * Fix cachedb for serve-expired with serve-expired-reply-ttl. * Fix to not reply serve expired unless enabled for cachedb. * Fix cachedb for serve-expired with serve-expired-client-timeout. * Fixup unit test for cachedb server expired client timeout with a check if response if from upstream or from cachedb. * Fixup cachedb to not refetch when serve-expired-client-timeout is used. * Merge GH#1049 from Petr Menšík: Py_NoSiteFlag is not needed since Python 3.8 * Fix GH#1048: Update ax_pkg_swig.m4 and ax_pthread.m4. * Fix configure, autoconf for GH#1048. * Add checklock feature verbose_locking to trace locks and unlocks. * Fix edns subnet to sort rrset references when storing messages in the cache. This fixes a race condition in the rrset locks. * Merge GH#1053: Remove child delegations from cache when grandchild delegations are returned from parent. * Fix ci workflow for macos for moved install locations. * Fix configure flto check error, by finding grep for it. * Merge GH#1041: Stub and Forward unshare. This has one structure for them and fixes GH#1038: fatal error: Could not initialize thread / error: reading root hints. * Fix to disable fragmentation on systems with IP_DONTFRAG, with a nonzero value for the socket option argument. * Fix doc unit test for out of directory build. * Fix cachedb with serve-expired-client-timeout disabled. The edns subnet module deletes global cache and cachedb cache when it stores a result, and serve-expired is enabled, so that the global reply, that is older than the ecs reply, does not return after the ecs reply expires. * Add unit tests for cachedb and subnet cache expired data. * Man page entry for unbound-checkconf -q. * Cleanup unnecessary strdup calls for EDE strings. * Fix doxygen comment for errinf_to_str_bogus. - Update to 1.19.3: * Features: - Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as per RFC 6672. * Bug Fixes - Fix unit test parse of origin syntax. - Use 127.0.0.1 explicitly in tests to avoid delays and errors on newer systems. - Fix #964: config.h.in~ backup file in release tar balls. - Merge #968: Replace the obsolescent fgrep with grep -F in tests. - Merge #971: fix 'WARNING: Message has 41 extra bytes at end'. - Fix #969: [FR] distinguish Do53, DoT and DoH in the logs. - Fix dnstap that assertion failed on logging other than UDP and TCP traffic. It lists it as TCP traffic. - Fix to sync the tests script file common.sh. - iana portlist update. - Updated IPv4 and IPv6 address for b.root-servers.net in root hints. - Update test script file common.sh. - Fix tests to use new common.sh functions, wait_logfile and kill_from_pidfile. - Fix #974: doc: default number of outgoing ports without libevent. - Merge #975: Fixed some syntax errors in rpl files. - Fix root_zonemd unit test, it checks that the root ZONEMD verifies, now that the root has a valid ZONEMD. - Update example.conf with cookie options. - Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors for non-HTTP/2 DoH clients. - Merge #985: Add DoH and DoT to dnstap message. - Fix #983: Sha1 runtime insecure change was incomplete. - Remove unneeded newlines and improve indentation in remote control code. - Merge #987: skip edns frag retry if advertised udp payload size is not smaller. - Fix unit test for #987 change in udp1xxx retry packet send. - Merge #988: Fix NLnetLabs#981: dump_cache truncates large records. - Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows. - Fix to link with libssp for libcrypto and getaddrinfo check for only header. Also update crosscompile to remove ssp for 32bit. - Merge #993: Update b.root-servers.net also in example config file. - Update workflow for ports to use newer openssl on windows compile. - Fix warning for windres on resource files due to redefinition. - Fix for #997: Print details for SSL certificate failure. - Update error printout for duplicate trust anchors to include the trust anchor name (relates to #920). - Update message TTL when using cached RRSETs. It could result in non-expired messages with expired RRSETs (non-usable messages by Unbound). - Merge #999: Search for protobuf-c with pkg-config. - Fix #1006: Can't find protobuf-c package since #999. - Fix documentation for access-control in the unbound.conf man page. - Merge #1010: Mention REFUSED has the TC bit set with unmatched allow_cookie acl in the manpage. It also fixes the code to match the documentation about clients with a valid cookie that bypass the ratelimit regardless of the allow_cookie acl. - Document the suspend argument for process_ds_response(). - Move github workflows to use checkoutv4. - Fix edns subnet replies for scope zero answers to not get stored in the global cache, and in cachedb, when the upstream replies without an EDNS record. - Fix for #1022: Fix ede prohibited in access control refused answers. - Fix unbound-control-setup.cmd to use 3072 bits so that certificates are long enough for newer OpenSSL versions. - Fix TTL of synthesized CNAME when a DNAME is used from cache. - Fix unbound-control-setup.cmd to have CA v3 basicConstraints, like unbound-control-setup.sh has. - Update to 1.19.2: * Bug Fixes: - Fix CVE-2024-1931, Denial of service when trimming EDE text on positive replies. [bsc#1221164] - Update to 1.19.1: * Bug Fixes: [bsc#1219823, CVE-2023-50387][bsc#1219826, CVE-2023-50868] - Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers. - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU. - as we use --disable-explicit-port-randomisation, also disable outgoing-port-permit and outgoing-port-avoid in config file to suppress the related unbound-checkconf warnings on every start - Use prefixes instead of sudo in unbound.service (bsc#1215628) - Update to 1.19.0: * Features: - Fix #850: [FR] Ability to use specific database in Redis, with new redis-logical-db configuration option. - Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream requests. This can be helpful for devices that cannot handle DNSSEC information. But it should not be enabled otherwise, because that would stop DNSSEC validation. The DNSSEC validation would not work for Unbound itself, and also not for downstream users. Default is no. The option is disable-edns-do: no - Expose the script filename in the Python module environment 'mod_env' instead of the config_file structure which includes the linked list of scripts in a multi Python module setup; fixes #79. - Expose the configured listening and outgoing interfaces, if any, as a list of strings in the Python 'config_file' class instead of the current Swig object proxy; fixes #79. - Mailing list patches from Daniel Gröber for DNS64 fallback to plain AAAA when no A record exists for synthesis, and minor DNS64 code refactoring for better readability. - Merge #951: Cachedb no store. The cachedb-no-store: yes option is used to stop cachedb from writing messages to the backend storage. It reads messages when data is available from the backend. The default is no. * Bug Fixes: - Fix for version generation race condition that ignored changes. - Fix #942: 1.18.0 libunbound DNS regression when built without OpenSSL. - Fix for WKS call to getservbyname that creates allocation on exit in unit test by testing numbers first and testing from the services list later. - Fix autoconf 2.69 warnings in configure. - Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1. - Merge #931: Prevent warnings from -Wmissing-prototypes. - Fix to scrub resource records of type A and AAAA that have an inappropriate size. They are removed from responses. - Fix to move msgparse_rrset_remove_rr code to util/msgparse.c. - Fix to add EDE text when RRs have been removed due to length. - Fix to set ede match in unit test for rr length removal. - Fix to print EDE text in readable form in output logs. - Fix send of udp retries when ENOBUFS is returned. It stops looping and also waits for the condition to go away. Reported by Florian Obser. - Fix authority zone answers for obscured DNAMEs and delegations. - Merge #936: Check for c99 with autoconf versions prior to 2.70. - Fix to remove two c99 notations. - Fix rpz tcp-only action with rpz triggers nsdname and nsip. - Fix misplaced comment. - Merge #881: Generalise the proxy protocol code. - Fix #946: Forwarder returns servfail on upstream response noerror no data. - Fix edns subnet so that queries with a source prefix of zero cause the recursor send no edns subnet option to the upstream. - Fix that printout of EDNS options shows the EDNS cookie option by name. - Fix infinite loop when reading multiple lines of input on a broken remote control socket. Addesses #947 and #948. - Fix #949: "could not create control compt". - Fix that cachedb does not warn when serve-expired is disabled about use of serve-expired-reply-ttl and serve-expired-client-timeout. - Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x. - Better fix for infinite loop when reading multiple lines of input on a broken remote control socket, by treating a zero byte line the same as transmission end. Addesses #947 and #948. - For multi Python module setups, clean previously parsed module functions in __main__'s dictionary, if any, so that only current module functions are registered. - Fix #954: Inconsistent RPZ handling for A record returned along with CNAME. - Fixes for the DNS64 patches. - Update the dns64_lookup.rpl test for the DNS64 fallback patch. - Merge #955 from buevsan: fix ipset wrong behavior. - Update testdata/ipset.tdir test for ipset fix. - Fix to print detailed errors when an SSL IO routine fails via SSL_get_error. - Clearer configure text for missing protobuf-c development libraries. - autoconf. - Merge #930 from Stuart Henderson: add void to log_ident_revert_to_default declaration. - Fix #941: dnscrypt doesn't work after upgrade to 1.18 with suggestion by dukeartem to also fix the udp_ancil with dnscrypt. - Fix SSL compile failure for definition in log_crypto_err_io_code_arg. - Fix SSL compile failure for other missing definitions in log_crypto_err_io_code_arg. - Fix compilation without openssl, remove unused function warning. - Mention flex and bison in README.md when building from repository source. - Update to 1.18.0: * Features: - Аdd a metric about the maximum number of collisions in lrushah. - Set max-udp-size default to 1232. This is the same default value as the default value for edns-buffer-size. It restricts client edns buffer size choices, and makes unbound behave similar to other DNS resolvers. - Add harden-unknown-additional option. It removes unknown records from the authority section and additional section. - Added new static zone type block_a to suppress all A queries for specific zones. - [FR] Ability to use Redis unix sockets. - [FR] Ability to set the Redis password. - Features/dropqueuedpackets, with sock-queue-timeout option that drops packets that have been in the socket queue for too long. Added statistics num.queries_timed_out and query.queue_time_us.max that track the socket queue timeouts. - 'eqvinox' Lamparter: NAT64 support. - [FR] Use kernel timestamps for dnstap. - Add cachedb hit stat. Introduces 'num.query.cachedb' as a new statistical counter. - Add SVCB dohpath support. - Add validation EDEs to queries where the CD bit is set. - Add prefetch support for subnet cache entries. - Add EDE (RFC8914) caching. - Add support for EDE caching in cachedb and subnetcache. - Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server cookies for clients that send client cookies. This needs to be explicitly turned on in the config file with: `answer-cookie: yes`. * Bug Fixes - Response change to NODATA for some ANY queries since 1.12. - Fix not following cleared RD flags potentially enables amplification DDoS attacks. - Set default for harden-unknown-additional to no. So that it does not hamper future protocol developments. - Fix to ignore entirely empty responses, and try at another authority. This turns completely empty responses, a type of noerror/nodata into a servfail, but they do not conform to RFC2308, and the retry can fetch improved content. - Allow TTL refresh of expired error responses. - Fix: Unexpected behavior with client-subnet-always-forward and serve-expired - Fix unbound-dnstap-socket test program to reply the finish frame over a TLS connection correctly. - Fix: reserved identifier violation - Fix: Unencrypted query is sent when forward-tls-upstream: yes is used without tls-cert-bundle - Extra consistency check to make sure that when TLS is requested, either we set up a TLS connection or we return an error. - Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record. - Fix: Bad interaction with 0 TTL records and serve-expired - Fix RPZ IP responses with trigger rpz-drop on cache entries. - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR. - Fix dereference of NULL variable warning in mesh_do_callback. - Fix ip_ratelimit test to work with dig that enables DNS cookies. - Fix for iter_dec_attempts that could cause a hang, part of capsforid and qname minimisation, depending on the settings. - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg. - Fix stat_values test to work with dig that enables DNS cookies. - unbound.service: Main process exited, code=killed, status=11/SEGV. Fixes cachedb configuration handling. - Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply.

Patchnames

SUSE-SLE-Micro-6.0-31

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for unbound",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for unbound fixes the following issues:\n\n- Update to 1.20.0:\n  Features:\n  * The config for discard-timeout, wait-limit, wait-limit-cookie,\n    wait-limit-netblock and wait-limit-cookie-netblock was added,\n    for the fix to the DNSBomb issue.\n  * Merge GH#1027: Introduce \u0027cache-min-negative-ttl\u0027 option.\n  * Merge GH#1043 from xiaoxiaoafeifei: Add loongarch support;\n    updates config.guess(2024-01-01) and config.sub(2024-01-01),\n    verified with upstream.\n  * Implement cachedb-check-when-serve-expired: yes option, default\n    is enabled. When serve expired is enabled with cachedb, it\n    first checks cachedb before serving the expired response.\n  * Fix GH#876: [FR] can unbound-checkconf be silenced when\n    configuration is valid?\n\n  Bug Fixes:\n  * Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to\n    Xiang Li from the Network and Information Security Lab of\n    Tsinghua University for reporting it.\n  * Update doc/unbound.doxygen with \u0027doxygen -u\u0027. Fixes option\n    deprecation warnings and updates with newer defaults.\n  * Remove unused portion from iter_dname_ttl unit test.\n  * Fix validator classification of qtype DNAME for positive and\n    redirection answers, and fix validator signature routine for\n    dealing with the synthesized CNAME for a DNAME without\n    previously encountering it and also for when the qtype is\n    DNAME.\n  * Fix qname minimisation for reply with a DNAME for qtype CNAME\n    that answers it.\n  * Fix doc test so it ignores but outputs unsupported doxygen\n    options.\n  * Fix GH#1021 Inconsistent Behavior with Changing\n    rpz-cname-override and doing a unbound-control reload.\n  * Merge GH#1028: Clearer documentation for tcp-idle-timeout and\n    edns-tcp-keepalive-timeout.\n  * Fix GH#1029: rpz trigger clientip and action rpz-passthru not\n    working as expected.\n  * Fix rpz that the rpz override is taken in case of clientip\n    triggers. Fix that the clientip passthru action is logged. Fix\n    that the clientip localdata action is logged. Fix rpz override\n    action cname for the clientip trigger.\n  * Fix to unify codepath for local alias for rpz cname action\n    override.\n  * Fix rpz for cname override action after nsdname and nsip\n    triggers.\n  * Fix that addrinfo is not kept around but copied and freed, so\n    that log-destaddr uses a copy of the information, much like NSD\n    does.\n  * Merge GH#1030: Persist the openssl and expat directories for\n    repeated Windows builds.\n  * Fix that rpz CNAME content is limited to the max number of\n    cnames.\n  * Fix rpz, it follows iterator CNAMEs for nsip and nsdname and\n    sets the reply query_info values, that is better for debug\n    logging.\n  * Fix rpz that copies the cname override completely to the temp\n    region, so there are no references to the rpz region.\n  * Add rpz unit test for nsip action override.\n  * Fix rpz for qtype CNAME after nameserver trigger.\n  * Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix\n    that clientip and nsip can give a CNAME.\n  * Fix localdata and rpz localdata to match CNAME only if no\n    direct type match is available.\n  * Merge GH#831 from Pierre4012: Improve Windows NSIS installer\n    script (setup.nsi).\n  * For GH#831: Format text, use exclamation icon and explicit label\n    names.\n  * Fix name of unit test for subnet cache response.\n  * Fix GH#1032: The size of subnet_msg_cache calculation mistake\n    cause memory usage increased beyond expectations.\n  * Fix for GH#1032, add safeguard to make table space positive.\n  * Fix comment in lruhash space function.\n  * Fix to add unit test for lruhash space that exercises the\n    routines.\n  * Fix that when the server truncates the pidfile, it does not\n    follow symbolic links.\n  * Fix that the server does not chown the pidfile.\n  * Fix GH#1034: DoT forward-zone via unbound-control.\n  * Fix for crypto related failures to have a better error string.\n  * Fix GH#1035: Potential Bug while parsing port from the\n    \"stub-host\" string; also affected forward-zones and\n    remote-control host directives.\n  * Fix GH#369: dnstap showing extra responses; for client responses\n    right from the cache when replying with expired data or\n    prefetching.\n  * Fix GH#1040: fix heap-buffer-overflow issue in function\n    cfg_mark_ports of file util/config_file.c.\n  * For GH#1040: adjust error text and disallow negative ports in\n    other parts of cfg_mark_ports.\n  * Fix comment syntax for view function views_find_view.\n  * Fix GH#595: unbound-anchor cannot deal with full disk; it will\n    now first write out to a temp file before replacing the\n    original one, like Unbound already does for\n    auto-trust-anchor-file.\n  * Fixup compile without cachedb.\n  * Add test for cachedb serve expired.\n  * Extended test for cachedb serve expired.\n  * Fix makefile dependencies for fake_event.c.\n  * Fix cachedb for serve-expired with serve-expired-reply-ttl.\n  * Fix to not reply serve expired unless enabled for cachedb.\n  * Fix cachedb for serve-expired with\n    serve-expired-client-timeout.\n  * Fixup unit test for cachedb server expired client timeout with\n    a check if response if from upstream or from cachedb.\n  * Fixup cachedb to not refetch when serve-expired-client-timeout\n    is used.\n  * Merge GH#1049 from Petr Men\u0161\u00edk: Py_NoSiteFlag is not needed since\n    Python 3.8\n  * Fix GH#1048: Update ax_pkg_swig.m4 and ax_pthread.m4.\n  * Fix configure, autoconf for GH#1048.\n  * Add checklock feature verbose_locking to trace locks and\n    unlocks.\n  * Fix edns subnet to sort rrset references when storing messages\n    in the cache. This fixes a race condition in the rrset locks.\n  * Merge GH#1053: Remove child delegations from cache when\n    grandchild delegations are returned from parent.\n  * Fix ci workflow for macos for moved install locations.\n  * Fix configure flto check error, by finding grep for it.\n  * Merge GH#1041: Stub and Forward unshare. This has one structure\n    for them and fixes GH#1038: fatal error: Could not initialize\n    thread / error: reading root hints.\n  * Fix to disable fragmentation on systems with IP_DONTFRAG, with\n    a nonzero value for the socket option argument.\n  * Fix doc unit test for out of directory build.\n  * Fix cachedb with serve-expired-client-timeout disabled. The\n    edns subnet module deletes global cache and cachedb cache when\n    it stores a result, and serve-expired is enabled, so that the\n    global reply, that is older than the ecs reply, does not return\n    after the ecs reply expires.\n  * Add unit tests for cachedb and subnet cache expired data.\n  * Man page entry for unbound-checkconf -q.\n  * Cleanup unnecessary strdup calls for EDE strings.\n  * Fix doxygen comment for errinf_to_str_bogus.\n\n- Update to 1.19.3:\n  * Features:\n    - Merge PR #973: Use the origin (DNAME) TTL for synthesized\n      CNAMEs as per RFC 6672.\n  * Bug Fixes\n    - Fix unit test parse of origin syntax.\n    - Use 127.0.0.1 explicitly in tests to avoid delays and errors\n      on newer systems.\n    - Fix #964: config.h.in~ backup file in release tar balls.\n    - Merge #968: Replace the obsolescent fgrep with grep -F in\n      tests.\n    - Merge #971: fix \u0027WARNING: Message has 41 extra bytes at end\u0027.\n    - Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.\n    - Fix dnstap that assertion failed on logging other than UDP\n      and TCP traffic. It lists it as TCP traffic.\n    - Fix to sync the tests script file common.sh.\n    - iana portlist update.\n    - Updated IPv4 and IPv6 address for b.root-servers.net in root\n      hints.\n    - Update test script file common.sh.\n    - Fix tests to use new common.sh functions, wait_logfile and\n      kill_from_pidfile.\n    - Fix #974: doc: default number of outgoing ports without\n      libevent.\n    - Merge #975: Fixed some syntax errors in rpl files.\n    - Fix root_zonemd unit test, it checks that the root ZONEMD\n      verifies, now that the root has a valid ZONEMD.\n    - Update example.conf with cookie options.\n    - Merge #980: DoH: reject non-h2 early. To fix #979: Improve\n      errors for non-HTTP/2 DoH clients.\n    - Merge #985: Add DoH and DoT to dnstap message.\n    - Fix #983: Sha1 runtime insecure change was incomplete.\n    - Remove unneeded newlines and improve indentation in remote\n      control code.\n    - Merge #987: skip edns frag retry if advertised udp payload\n      size is not smaller.\n    - Fix unit test for #987 change in udp1xxx retry packet send.\n    - Merge #988: Fix NLnetLabs#981: dump_cache truncates large\n      records.\n    - Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.\n    - Fix to link with libssp for libcrypto and getaddrinfo check\n      for only header. Also update crosscompile to remove ssp for\n      32bit.\n    - Merge #993: Update b.root-servers.net also in example config\n      file.\n    - Update workflow for ports to use newer openssl on windows\n      compile.\n    - Fix warning for windres on resource files due to\n      redefinition.\n    - Fix for #997: Print details for SSL certificate failure.\n    - Update error printout for duplicate trust anchors to include\n      the trust anchor name (relates to #920).\n    - Update message TTL when using cached RRSETs. It could result\n      in non-expired messages with expired RRSETs (non-usable\n      messages by Unbound).\n    - Merge #999: Search for protobuf-c with pkg-config.\n    - Fix #1006: Can\u0027t find protobuf-c package since #999.\n    - Fix documentation for access-control in the unbound.conf man\n      page.\n    - Merge #1010: Mention REFUSED has the TC bit set with\n      unmatched allow_cookie acl in the manpage. It also fixes the\n      code to match the documentation about clients with a valid\n      cookie that bypass the ratelimit regardless of the\n      allow_cookie acl.\n    - Document the suspend argument for process_ds_response().\n    - Move github workflows to use checkoutv4.\n    - Fix edns subnet replies for scope zero answers to not get\n      stored in the global cache, and in cachedb, when the upstream\n      replies without an EDNS record.\n    - Fix for #1022: Fix ede prohibited in access control refused\n      answers.\n    - Fix unbound-control-setup.cmd to use 3072 bits so that\n      certificates are long enough for newer OpenSSL versions.\n    - Fix TTL of synthesized CNAME when a DNAME is used from cache.\n    - Fix unbound-control-setup.cmd to have CA v3 basicConstraints,\n      like unbound-control-setup.sh has.\n\n- Update to 1.19.2:\n  * Bug Fixes:\n    - Fix CVE-2024-1931, Denial of service when trimming EDE text\n      on positive replies.\n      [bsc#1221164]\n\n- Update to 1.19.1:\n  * Bug Fixes: [bsc#1219823, CVE-2023-50387][bsc#1219826, CVE-2023-50868]\n    - Fix CVE-2023-50387, DNSSEC verification complexity can be\n      exploited to exhaust CPU resources and stall DNS resolvers.\n    - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.\n\n- as we use --disable-explicit-port-randomisation, also disable\n  outgoing-port-permit and outgoing-port-avoid in config file to\n  suppress the related unbound-checkconf warnings on every start\n\n- Update to 1.19.0:\n  * Features:\n    - Fix #850: [FR] Ability to use specific database in Redis, with\n      new redis-logical-db configuration option.\n    - Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream\n      requests. This can be helpful for devices that cannot handle\n      DNSSEC information. But it should not be enabled otherwise, because\n      that would stop DNSSEC validation. The DNSSEC validation would not\n      work for Unbound itself, and also not for downstream users. Default\n      is no. The option is disable-edns-do: no\n    - Expose the script filename in the Python module environment \u0027mod_env\u0027\n      instead of the config_file structure which includes the linked list\n      of scripts in a multi Python module setup; fixes #79.\n    - Expose the configured listening and outgoing interfaces, if any, as\n      a list of strings in the Python \u0027config_file\u0027 class instead of the\n      current Swig object proxy; fixes #79.\n    - Mailing list patches from Daniel Gr\u00f6ber for DNS64 fallback to plain\n      AAAA when no A record exists for synthesis, and minor DNS64 code\n      refactoring for better readability.\n    - Merge #951: Cachedb no store. The cachedb-no-store: yes option is\n      used to stop cachedb from writing messages to the backend storage.\n      It reads messages when data is available from the backend.\n      The default is no.\n  * Bug Fixes:\n    - Fix for version generation race condition that ignored changes.\n    - Fix #942: 1.18.0 libunbound DNS regression when built without OpenSSL.\n    - Fix for WKS call to getservbyname that creates allocation on exit in\n      unit test by testing numbers first and testing from the services list later.\n    - Fix autoconf 2.69 warnings in configure.\n    - Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1.\n    - Merge #931: Prevent warnings from -Wmissing-prototypes.\n    - Fix to scrub resource records of type A and AAAA that have an\n      inappropriate size. They are removed from responses.\n    - Fix to move msgparse_rrset_remove_rr code to util/msgparse.c.\n    - Fix to add EDE text when RRs have been removed due to length.\n    - Fix to set ede match in unit test for rr length removal.\n    - Fix to print EDE text in readable form in output logs.\n    - Fix send of udp retries when ENOBUFS is returned. It stops looping\n      and also waits for the condition to go away. Reported by Florian Obser.\n    - Fix authority zone answers for obscured DNAMEs and delegations.\n    - Merge #936: Check for c99 with autoconf versions prior to 2.70.\n    - Fix to remove two c99 notations.\n    - Fix rpz tcp-only action with rpz triggers nsdname and nsip.\n    - Fix misplaced comment.\n    - Merge #881: Generalise the proxy protocol code.\n    - Fix #946: Forwarder returns servfail on upstream response noerror no data.\n    - Fix edns subnet so that queries with a source prefix of zero cause the\n      recursor send no edns subnet option to the upstream.\n    - Fix that printout of EDNS options shows the EDNS cookie option by name.\n    - Fix infinite loop when reading multiple lines of input on a broken remote\n      control socket. Addesses #947 and #948.\n    - Fix #949: \"could not create control compt\".\n    - Fix that cachedb does not warn when serve-expired is disabled about use\n      of serve-expired-reply-ttl and serve-expired-client-timeout.\n    - Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x.\n    - Better fix for infinite loop when reading multiple lines of input on a\n      broken remote control socket, by treating a zero byte line the same as\n      transmission end. Addesses #947 and #948.\n    - For multi Python module setups, clean previously parsed module functions\n      in __main__\u0027s dictionary, if any, so that only current module functions\n      are registered.\n    - Fix #954: Inconsistent RPZ handling for A record returned along with CNAME.\n    - Fixes for the DNS64 patches.\n    - Update the dns64_lookup.rpl test for the DNS64 fallback patch.\n    - Merge #955 from buevsan: fix ipset wrong behavior.\n    - Update testdata/ipset.tdir test for ipset fix.\n    - Fix to print detailed errors when an SSL IO routine fails via SSL_get_error.\n    - Clearer configure text for missing protobuf-c development libraries.\n    - autoconf.\n    - Merge #930 from Stuart Henderson: add void to log_ident_revert_to_default\n      declaration.\n    - Fix #941: dnscrypt doesn\u0027t work after upgrade to 1.18 with suggestion by\n      dukeartem to also fix the udp_ancil with dnscrypt.\n    - Fix SSL compile failure for definition in log_crypto_err_io_code_arg.\n    - Fix SSL compile failure for other missing definitions in log_crypto_err_io_code_arg.\n    - Fix compilation without openssl, remove unused function warning.\n    - Mention flex and bison in README.md when building from repository source.\n\n- Update to 1.18.0:\n  * Features:\n    - \u0410dd a metric about the maximum number of collisions in lrushah.\n    - Set max-udp-size default to 1232. This is the same default value\n      as the default value for edns-buffer-size. It restricts client\n      edns buffer size choices, and makes unbound behave similar to\n      other DNS resolvers.\n    - Add harden-unknown-additional option. It removes unknown records\n      from the authority section and additional section.\n    - Added new static zone type block_a to suppress all A queries for\n      specific zones.\n    - [FR] Ability to use Redis unix sockets.\n    - [FR] Ability to set the Redis password.\n    - Features/dropqueuedpackets, with sock-queue-timeout option that\n      drops packets that have been in the socket queue for too long.\n      Added statistics num.queries_timed_out and query.queue_time_us.max\n      that track the socket queue timeouts.\n    - \u0027eqvinox\u0027 Lamparter: NAT64 support.\n    - [FR] Use kernel timestamps for dnstap.\n    - Add cachedb hit stat. Introduces \u0027num.query.cachedb\u0027 as a new\n      statistical counter.\n    - Add SVCB dohpath support.\n    - Add validation EDEs to queries where the CD bit is set.\n    - Add prefetch support for subnet cache entries.\n    - Add EDE (RFC8914) caching.\n    - Add support for EDE caching in cachedb and subnetcache.\n    - Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server\n      cookies for clients that send client cookies. This needs to be explicitly\n      turned on in the config file with: `answer-cookie: yes`.\n  * Bug Fixes\n    - Response change to NODATA for some ANY queries since 1.12.\n    - Fix not following cleared RD flags potentially enables\n      amplification DDoS attacks.\n    - Set default for harden-unknown-additional to no. So that it\n      does not hamper future protocol developments.\n    - Fix to ignore entirely empty responses, and try at another authority.\n      This turns completely empty responses, a type of noerror/nodata into\n      a servfail, but they do not conform to RFC2308, and the retry can fetch\n      improved content.\n    - Allow TTL refresh of expired error responses.\n    - Fix: Unexpected behavior with client-subnet-always-forward and serve-expired\n    - Fix unbound-dnstap-socket test program to reply the finish frame over\n      a TLS connection correctly.\n    - Fix: reserved identifier violation\n    - Fix: Unencrypted query is sent when forward-tls-upstream: yes is used\n      without tls-cert-bundle\n    - Extra consistency check to make sure that when TLS is requested,\n      either we set up a TLS connection or we return an error.\n    - Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record.\n    - Fix: Bad interaction with 0 TTL records and serve-expired\n    - Fix RPZ IP responses with trigger rpz-drop on cache entries.\n    - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.\n    - Fix dereference of NULL variable warning in mesh_do_callback.\n    - Fix ip_ratelimit test to work with dig that enables DNS cookies.\n    - Fix for iter_dec_attempts that could cause a hang, part of capsforid\n      and qname minimisation, depending on the settings.\n    - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.\n    - Fix stat_values test to work with dig that enables DNS cookies.\n    - unbound.service: Main process exited, code=killed, status=11/SEGV.\n      Fixes cachedb configuration handling.\n    - Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply.\n\n- Update to 1.20.0:\n  Features:\n  * The config for discard-timeout, wait-limit, wait-limit-cookie,\n    wait-limit-netblock and wait-limit-cookie-netblock was added,\n    for the fix to the DNSBomb issue.\n  * Merge GH#1027: Introduce \u0027cache-min-negative-ttl\u0027 option.\n  * Merge GH#1043 from xiaoxiaoafeifei: Add loongarch support;\n    updates config.guess(2024-01-01) and config.sub(2024-01-01),\n    verified with upstream.\n  * Implement cachedb-check-when-serve-expired: yes option, default\n    is enabled. When serve expired is enabled with cachedb, it\n    first checks cachedb before serving the expired response.\n  * Fix GH#876: [FR] can unbound-checkconf be silenced when\n    configuration is valid?\n\n  Bug Fixes:\n  * Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to\n    Xiang Li from the Network and Information Security Lab of\n    Tsinghua University for reporting it.\n  * Update doc/unbound.doxygen with \u0027doxygen -u\u0027. Fixes option\n    deprecation warnings and updates with newer defaults.\n  * Remove unused portion from iter_dname_ttl unit test.\n  * Fix validator classification of qtype DNAME for positive and\n    redirection answers, and fix validator signature routine for\n    dealing with the synthesized CNAME for a DNAME without\n    previously encountering it and also for when the qtype is\n    DNAME.\n  * Fix qname minimisation for reply with a DNAME for qtype CNAME\n    that answers it.\n  * Fix doc test so it ignores but outputs unsupported doxygen\n    options.\n  * Fix GH#1021 Inconsistent Behavior with Changing\n    rpz-cname-override and doing a unbound-control reload.\n  * Merge GH#1028: Clearer documentation for tcp-idle-timeout and\n    edns-tcp-keepalive-timeout.\n  * Fix GH#1029: rpz trigger clientip and action rpz-passthru not\n    working as expected.\n  * Fix rpz that the rpz override is taken in case of clientip\n    triggers. Fix that the clientip passthru action is logged. Fix\n    that the clientip localdata action is logged. Fix rpz override\n    action cname for the clientip trigger.\n  * Fix to unify codepath for local alias for rpz cname action\n    override.\n  * Fix rpz for cname override action after nsdname and nsip\n    triggers.\n  * Fix that addrinfo is not kept around but copied and freed, so\n    that log-destaddr uses a copy of the information, much like NSD\n    does.\n  * Merge GH#1030: Persist the openssl and expat directories for\n    repeated Windows builds.\n  * Fix that rpz CNAME content is limited to the max number of\n    cnames.\n  * Fix rpz, it follows iterator CNAMEs for nsip and nsdname and\n    sets the reply query_info values, that is better for debug\n    logging.\n  * Fix rpz that copies the cname override completely to the temp\n    region, so there are no references to the rpz region.\n  * Add rpz unit test for nsip action override.\n  * Fix rpz for qtype CNAME after nameserver trigger.\n  * Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix\n    that clientip and nsip can give a CNAME.\n  * Fix localdata and rpz localdata to match CNAME only if no\n    direct type match is available.\n  * Merge GH#831 from Pierre4012: Improve Windows NSIS installer\n    script (setup.nsi).\n  * For GH#831: Format text, use exclamation icon and explicit label\n    names.\n  * Fix name of unit test for subnet cache response.\n  * Fix GH#1032: The size of subnet_msg_cache calculation mistake\n    cause memory usage increased beyond expectations.\n  * Fix for GH#1032, add safeguard to make table space positive.\n  * Fix comment in lruhash space function.\n  * Fix to add unit test for lruhash space that exercises the\n    routines.\n  * Fix that when the server truncates the pidfile, it does not\n    follow symbolic links.\n  * Fix that the server does not chown the pidfile.\n  * Fix GH#1034: DoT forward-zone via unbound-control.\n  * Fix for crypto related failures to have a better error string.\n  * Fix GH#1035: Potential Bug while parsing port from the\n    \"stub-host\" string; also affected forward-zones and\n    remote-control host directives.\n  * Fix GH#369: dnstap showing extra responses; for client responses\n    right from the cache when replying with expired data or\n    prefetching.\n  * Fix GH#1040: fix heap-buffer-overflow issue in function\n    cfg_mark_ports of file util/config_file.c.\n  * For GH#1040: adjust error text and disallow negative ports in\n    other parts of cfg_mark_ports.\n  * Fix comment syntax for view function views_find_view.\n  * Fix GH#595: unbound-anchor cannot deal with full disk; it will\n    now first write out to a temp file before replacing the\n    original one, like Unbound already does for\n    auto-trust-anchor-file.\n  * Fixup compile without cachedb.\n  * Add test for cachedb serve expired.\n  * Extended test for cachedb serve expired.\n  * Fix makefile dependencies for fake_event.c.\n  * Fix cachedb for serve-expired with serve-expired-reply-ttl.\n  * Fix to not reply serve expired unless enabled for cachedb.\n  * Fix cachedb for serve-expired with\n    serve-expired-client-timeout.\n  * Fixup unit test for cachedb server expired client timeout with\n    a check if response if from upstream or from cachedb.\n  * Fixup cachedb to not refetch when serve-expired-client-timeout\n    is used.\n  * Merge GH#1049 from Petr Men\u0161\u00edk: Py_NoSiteFlag is not needed since\n    Python 3.8\n  * Fix GH#1048: Update ax_pkg_swig.m4 and ax_pthread.m4.\n  * Fix configure, autoconf for GH#1048.\n  * Add checklock feature verbose_locking to trace locks and\n    unlocks.\n  * Fix edns subnet to sort rrset references when storing messages\n    in the cache. This fixes a race condition in the rrset locks.\n  * Merge GH#1053: Remove child delegations from cache when\n    grandchild delegations are returned from parent.\n  * Fix ci workflow for macos for moved install locations.\n  * Fix configure flto check error, by finding grep for it.\n  * Merge GH#1041: Stub and Forward unshare. This has one structure\n    for them and fixes GH#1038: fatal error: Could not initialize\n    thread / error: reading root hints.\n  * Fix to disable fragmentation on systems with IP_DONTFRAG, with\n    a nonzero value for the socket option argument.\n  * Fix doc unit test for out of directory build.\n  * Fix cachedb with serve-expired-client-timeout disabled. The\n    edns subnet module deletes global cache and cachedb cache when\n    it stores a result, and serve-expired is enabled, so that the\n    global reply, that is older than the ecs reply, does not return\n    after the ecs reply expires.\n  * Add unit tests for cachedb and subnet cache expired data.\n  * Man page entry for unbound-checkconf -q.\n  * Cleanup unnecessary strdup calls for EDE strings.\n  * Fix doxygen comment for errinf_to_str_bogus.\n\n- Update to 1.19.3:\n  * Features:\n    - Merge PR #973: Use the origin (DNAME) TTL for synthesized\n      CNAMEs as per RFC 6672.\n  * Bug Fixes\n    - Fix unit test parse of origin syntax.\n    - Use 127.0.0.1 explicitly in tests to avoid delays and errors\n      on newer systems.\n    - Fix #964: config.h.in~ backup file in release tar balls.\n    - Merge #968: Replace the obsolescent fgrep with grep -F in\n      tests.\n    - Merge #971: fix \u0027WARNING: Message has 41 extra bytes at end\u0027.\n    - Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.\n    - Fix dnstap that assertion failed on logging other than UDP\n      and TCP traffic. It lists it as TCP traffic.\n    - Fix to sync the tests script file common.sh.\n    - iana portlist update.\n    - Updated IPv4 and IPv6 address for b.root-servers.net in root\n      hints.\n    - Update test script file common.sh.\n    - Fix tests to use new common.sh functions, wait_logfile and\n      kill_from_pidfile.\n    - Fix #974: doc: default number of outgoing ports without\n      libevent.\n    - Merge #975: Fixed some syntax errors in rpl files.\n    - Fix root_zonemd unit test, it checks that the root ZONEMD\n      verifies, now that the root has a valid ZONEMD.\n    - Update example.conf with cookie options.\n    - Merge #980: DoH: reject non-h2 early. To fix #979: Improve\n      errors for non-HTTP/2 DoH clients.\n    - Merge #985: Add DoH and DoT to dnstap message.\n    - Fix #983: Sha1 runtime insecure change was incomplete.\n    - Remove unneeded newlines and improve indentation in remote\n      control code.\n    - Merge #987: skip edns frag retry if advertised udp payload\n      size is not smaller.\n    - Fix unit test for #987 change in udp1xxx retry packet send.\n    - Merge #988: Fix NLnetLabs#981: dump_cache truncates large\n      records.\n    - Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.\n    - Fix to link with libssp for libcrypto and getaddrinfo check\n      for only header. Also update crosscompile to remove ssp for\n      32bit.\n    - Merge #993: Update b.root-servers.net also in example config\n      file.\n    - Update workflow for ports to use newer openssl on windows\n      compile.\n    - Fix warning for windres on resource files due to\n      redefinition.\n    - Fix for #997: Print details for SSL certificate failure.\n    - Update error printout for duplicate trust anchors to include\n      the trust anchor name (relates to #920).\n    - Update message TTL when using cached RRSETs. It could result\n      in non-expired messages with expired RRSETs (non-usable\n      messages by Unbound).\n    - Merge #999: Search for protobuf-c with pkg-config.\n    - Fix #1006: Can\u0027t find protobuf-c package since #999.\n    - Fix documentation for access-control in the unbound.conf man\n      page.\n    - Merge #1010: Mention REFUSED has the TC bit set with\n      unmatched allow_cookie acl in the manpage. It also fixes the\n      code to match the documentation about clients with a valid\n      cookie that bypass the ratelimit regardless of the\n      allow_cookie acl.\n    - Document the suspend argument for process_ds_response().\n    - Move github workflows to use checkoutv4.\n    - Fix edns subnet replies for scope zero answers to not get\n      stored in the global cache, and in cachedb, when the upstream\n      replies without an EDNS record.\n    - Fix for #1022: Fix ede prohibited in access control refused\n      answers.\n    - Fix unbound-control-setup.cmd to use 3072 bits so that\n      certificates are long enough for newer OpenSSL versions.\n    - Fix TTL of synthesized CNAME when a DNAME is used from cache.\n    - Fix unbound-control-setup.cmd to have CA v3 basicConstraints,\n      like unbound-control-setup.sh has.\n\n- Update to 1.19.2:\n  * Bug Fixes:\n    - Fix CVE-2024-1931, Denial of service when trimming EDE text\n      on positive replies.\n      [bsc#1221164]\n\n- Update to 1.19.1:\n  * Bug Fixes: [bsc#1219823, CVE-2023-50387][bsc#1219826, CVE-2023-50868]\n    - Fix CVE-2023-50387, DNSSEC verification complexity can be\n      exploited to exhaust CPU resources and stall DNS resolvers.\n    - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.\n\n- as we use --disable-explicit-port-randomisation, also disable\n  outgoing-port-permit and outgoing-port-avoid in config file to\n  suppress the related unbound-checkconf warnings on every start\n\n- Use prefixes instead of sudo in unbound.service (bsc#1215628)\n\n- Update to 1.19.0:\n  * Features:\n    - Fix #850: [FR] Ability to use specific database in Redis, with\n      new redis-logical-db configuration option.\n    - Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream\n      requests. This can be helpful for devices that cannot handle\n      DNSSEC information. But it should not be enabled otherwise, because\n      that would stop DNSSEC validation. The DNSSEC validation would not\n      work for Unbound itself, and also not for downstream users. Default\n      is no. The option is disable-edns-do: no\n    - Expose the script filename in the Python module environment \u0027mod_env\u0027\n      instead of the config_file structure which includes the linked list\n      of scripts in a multi Python module setup; fixes #79.\n    - Expose the configured listening and outgoing interfaces, if any, as\n      a list of strings in the Python \u0027config_file\u0027 class instead of the\n      current Swig object proxy; fixes #79.\n    - Mailing list patches from Daniel Gr\u00f6ber for DNS64 fallback to plain\n      AAAA when no A record exists for synthesis, and minor DNS64 code\n      refactoring for better readability.\n    - Merge #951: Cachedb no store. The cachedb-no-store: yes option is\n      used to stop cachedb from writing messages to the backend storage.\n      It reads messages when data is available from the backend.\n      The default is no.\n  * Bug Fixes:\n    - Fix for version generation race condition that ignored changes.\n    - Fix #942: 1.18.0 libunbound DNS regression when built without OpenSSL.\n    - Fix for WKS call to getservbyname that creates allocation on exit in\n      unit test by testing numbers first and testing from the services list later.\n    - Fix autoconf 2.69 warnings in configure.\n    - Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1.\n    - Merge #931: Prevent warnings from -Wmissing-prototypes.\n    - Fix to scrub resource records of type A and AAAA that have an\n      inappropriate size. They are removed from responses.\n    - Fix to move msgparse_rrset_remove_rr code to util/msgparse.c.\n    - Fix to add EDE text when RRs have been removed due to length.\n    - Fix to set ede match in unit test for rr length removal.\n    - Fix to print EDE text in readable form in output logs.\n    - Fix send of udp retries when ENOBUFS is returned. It stops looping\n      and also waits for the condition to go away. Reported by Florian Obser.\n    - Fix authority zone answers for obscured DNAMEs and delegations.\n    - Merge #936: Check for c99 with autoconf versions prior to 2.70.\n    - Fix to remove two c99 notations.\n    - Fix rpz tcp-only action with rpz triggers nsdname and nsip.\n    - Fix misplaced comment.\n    - Merge #881: Generalise the proxy protocol code.\n    - Fix #946: Forwarder returns servfail on upstream response noerror no data.\n    - Fix edns subnet so that queries with a source prefix of zero cause the\n      recursor send no edns subnet option to the upstream.\n    - Fix that printout of EDNS options shows the EDNS cookie option by name.\n    - Fix infinite loop when reading multiple lines of input on a broken remote\n      control socket. Addesses #947 and #948.\n    - Fix #949: \"could not create control compt\".\n    - Fix that cachedb does not warn when serve-expired is disabled about use\n      of serve-expired-reply-ttl and serve-expired-client-timeout.\n    - Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x.\n    - Better fix for infinite loop when reading multiple lines of input on a\n      broken remote control socket, by treating a zero byte line the same as\n      transmission end. Addesses #947 and #948.\n    - For multi Python module setups, clean previously parsed module functions\n      in __main__\u0027s dictionary, if any, so that only current module functions\n      are registered.\n    - Fix #954: Inconsistent RPZ handling for A record returned along with CNAME.\n    - Fixes for the DNS64 patches.\n    - Update the dns64_lookup.rpl test for the DNS64 fallback patch.\n    - Merge #955 from buevsan: fix ipset wrong behavior.\n    - Update testdata/ipset.tdir test for ipset fix.\n    - Fix to print detailed errors when an SSL IO routine fails via SSL_get_error.\n    - Clearer configure text for missing protobuf-c development libraries.\n    - autoconf.\n    - Merge #930 from Stuart Henderson: add void to log_ident_revert_to_default\n      declaration.\n    - Fix #941: dnscrypt doesn\u0027t work after upgrade to 1.18 with suggestion by\n      dukeartem to also fix the udp_ancil with dnscrypt.\n    - Fix SSL compile failure for definition in log_crypto_err_io_code_arg.\n    - Fix SSL compile failure for other missing definitions in log_crypto_err_io_code_arg.\n    - Fix compilation without openssl, remove unused function warning.\n    - Mention flex and bison in README.md when building from repository source.\n\n- Update to 1.18.0:\n  * Features:\n    - \u0410dd a metric about the maximum number of collisions in lrushah.\n    - Set max-udp-size default to 1232. This is the same default value\n      as the default value for edns-buffer-size. It restricts client\n      edns buffer size choices, and makes unbound behave similar to\n      other DNS resolvers.\n    - Add harden-unknown-additional option. It removes unknown records\n      from the authority section and additional section.\n    - Added new static zone type block_a to suppress all A queries for\n      specific zones.\n    - [FR] Ability to use Redis unix sockets.\n    - [FR] Ability to set the Redis password.\n    - Features/dropqueuedpackets, with sock-queue-timeout option that\n      drops packets that have been in the socket queue for too long.\n      Added statistics num.queries_timed_out and query.queue_time_us.max\n      that track the socket queue timeouts.\n    - \u0027eqvinox\u0027 Lamparter: NAT64 support.\n    - [FR] Use kernel timestamps for dnstap.\n    - Add cachedb hit stat. Introduces \u0027num.query.cachedb\u0027 as a new\n      statistical counter.\n    - Add SVCB dohpath support.\n    - Add validation EDEs to queries where the CD bit is set.\n    - Add prefetch support for subnet cache entries.\n    - Add EDE (RFC8914) caching.\n    - Add support for EDE caching in cachedb and subnetcache.\n    - Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server\n      cookies for clients that send client cookies. This needs to be explicitly\n      turned on in the config file with: `answer-cookie: yes`.\n  * Bug Fixes\n    - Response change to NODATA for some ANY queries since 1.12.\n    - Fix not following cleared RD flags potentially enables\n      amplification DDoS attacks.\n    - Set default for harden-unknown-additional to no. So that it\n      does not hamper future protocol developments.\n    - Fix to ignore entirely empty responses, and try at another authority.\n      This turns completely empty responses, a type of noerror/nodata into\n      a servfail, but they do not conform to RFC2308, and the retry can fetch\n      improved content.\n    - Allow TTL refresh of expired error responses.\n    - Fix: Unexpected behavior with client-subnet-always-forward and serve-expired\n    - Fix unbound-dnstap-socket test program to reply the finish frame over\n      a TLS connection correctly.\n    - Fix: reserved identifier violation\n    - Fix: Unencrypted query is sent when forward-tls-upstream: yes is used\n      without tls-cert-bundle\n    - Extra consistency check to make sure that when TLS is requested,\n      either we set up a TLS connection or we return an error.\n    - Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record.\n    - Fix: Bad interaction with 0 TTL records and serve-expired\n    - Fix RPZ IP responses with trigger rpz-drop on cache entries.\n    - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.\n    - Fix dereference of NULL variable warning in mesh_do_callback.\n    - Fix ip_ratelimit test to work with dig that enables DNS cookies.\n    - Fix for iter_dec_attempts that could cause a hang, part of capsforid\n      and qname minimisation, depending on the settings.\n    - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.\n    - Fix stat_values test to work with dig that enables DNS cookies.\n    - unbound.service: Main process exited, code=killed, status=11/SEGV.\n      Fixes cachedb configuration handling.\n    - Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply.\n\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-SLE-Micro-6.0-31",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_20024-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:20024-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202520024-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:20024-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021370.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1215628",
        "url": "https://bugzilla.suse.com/1215628"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1219823",
        "url": "https://bugzilla.suse.com/1219823"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1219826",
        "url": "https://bugzilla.suse.com/1219826"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1221164",
        "url": "https://bugzilla.suse.com/1221164"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-50387 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-50387/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-50868 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-50868/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-1931 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-1931/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-33655 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-33655/"
      }
    ],
    "title": "Security update for unbound",
    "tracking": {
      "current_release_date": "2025-02-03T08:50:28Z",
      "generator": {
        "date": "2025-02-03T08:50:28Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:20024-1",
      "initial_release_date": "2025-02-03T08:50:28Z",
      "revision_history": [
        {
          "date": "2025-02-03T08:50:28Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libunbound8-1.21.0-1.1.aarch64",
                "product": {
                  "name": "libunbound8-1.21.0-1.1.aarch64",
                  "product_id": "libunbound8-1.21.0-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "unbound-anchor-1.21.0-1.1.aarch64",
                "product": {
                  "name": "unbound-anchor-1.21.0-1.1.aarch64",
                  "product_id": "unbound-anchor-1.21.0-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libunbound8-1.21.0-1.1.s390x",
                "product": {
                  "name": "libunbound8-1.21.0-1.1.s390x",
                  "product_id": "libunbound8-1.21.0-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "unbound-anchor-1.21.0-1.1.s390x",
                "product": {
                  "name": "unbound-anchor-1.21.0-1.1.s390x",
                  "product_id": "unbound-anchor-1.21.0-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libunbound8-1.21.0-1.1.x86_64",
                "product": {
                  "name": "libunbound8-1.21.0-1.1.x86_64",
                  "product_id": "libunbound8-1.21.0-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "unbound-anchor-1.21.0-1.1.x86_64",
                "product": {
                  "name": "unbound-anchor-1.21.0-1.1.x86_64",
                  "product_id": "unbound-anchor-1.21.0-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Micro 6.0",
                "product": {
                  "name": "SUSE Linux Micro 6.0",
                  "product_id": "SUSE Linux Micro 6.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sl-micro:6.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libunbound8-1.21.0-1.1.aarch64 as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.aarch64"
        },
        "product_reference": "libunbound8-1.21.0-1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libunbound8-1.21.0-1.1.s390x as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.s390x"
        },
        "product_reference": "libunbound8-1.21.0-1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libunbound8-1.21.0-1.1.x86_64 as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.x86_64"
        },
        "product_reference": "libunbound8-1.21.0-1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-anchor-1.21.0-1.1.aarch64 as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.aarch64"
        },
        "product_reference": "unbound-anchor-1.21.0-1.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-anchor-1.21.0-1.1.s390x as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.s390x"
        },
        "product_reference": "unbound-anchor-1.21.0-1.1.s390x",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-anchor-1.21.0-1.1.x86_64 as component of SUSE Linux Micro 6.0",
          "product_id": "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.x86_64"
        },
        "product_reference": "unbound-anchor-1.21.0-1.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Micro 6.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-50387",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-50387"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.aarch64",
          "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.s390x",
          "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.x86_64",
          "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.aarch64",
          "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.s390x",
          "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-50387",
          "url": "https://www.suse.com/security/cve/CVE-2023-50387"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1219823 for CVE-2023-50387",
          "url": "https://bugzilla.suse.com/1219823"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1220717 for CVE-2023-50387",
          "url": "https://bugzilla.suse.com/1220717"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1221586 for CVE-2023-50387",
          "url": "https://bugzilla.suse.com/1221586"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.aarch64",
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.s390x",
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.x86_64",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.aarch64",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.s390x",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.aarch64",
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.s390x",
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.x86_64",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.aarch64",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.s390x",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-03T08:50:28Z",
          "details": "important"
        }
      ],
      "title": "CVE-2023-50387"
    },
    {
      "cve": "CVE-2023-50868",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-50868"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.aarch64",
          "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.s390x",
          "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.x86_64",
          "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.aarch64",
          "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.s390x",
          "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-50868",
          "url": "https://www.suse.com/security/cve/CVE-2023-50868"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1219823 for CVE-2023-50868",
          "url": "https://bugzilla.suse.com/1219823"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1219826 for CVE-2023-50868",
          "url": "https://bugzilla.suse.com/1219826"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1221586 for CVE-2023-50868",
          "url": "https://bugzilla.suse.com/1221586"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.aarch64",
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.s390x",
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.x86_64",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.aarch64",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.s390x",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.aarch64",
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.s390x",
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.x86_64",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.aarch64",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.s390x",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-03T08:50:28Z",
          "details": "important"
        }
      ],
      "title": "CVE-2023-50868"
    },
    {
      "cve": "CVE-2024-1931",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-1931"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 contain a vulnerability that can cause denial of service by a certain code path that can lead to an infinite loop. Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client\u0027s advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client\u0027s buffer size is smaller than the needed space to include EDE records. The vulnerability can only be triggered when the \u0027ede: yes\u0027 option is used; non default configuration. From version 1.19.2 on, the code is fixed to avoid looping indefinitely.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.aarch64",
          "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.s390x",
          "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.x86_64",
          "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.aarch64",
          "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.s390x",
          "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-1931",
          "url": "https://www.suse.com/security/cve/CVE-2024-1931"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1221164 for CVE-2024-1931",
          "url": "https://bugzilla.suse.com/1221164"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.aarch64",
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.s390x",
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.x86_64",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.aarch64",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.s390x",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.aarch64",
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.s390x",
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.x86_64",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.aarch64",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.s390x",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-03T08:50:28Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-1931"
    },
    {
      "cve": "CVE-2024-33655",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-33655"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the \"DNSBomb\" issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.aarch64",
          "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.s390x",
          "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.x86_64",
          "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.aarch64",
          "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.s390x",
          "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-33655",
          "url": "https://www.suse.com/security/cve/CVE-2024-33655"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1224102 for CVE-2024-33655",
          "url": "https://bugzilla.suse.com/1224102"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.aarch64",
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.s390x",
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.x86_64",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.aarch64",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.s390x",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.aarch64",
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.s390x",
            "SUSE Linux Micro 6.0:libunbound8-1.21.0-1.1.x86_64",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.aarch64",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.s390x",
            "SUSE Linux Micro 6.0:unbound-anchor-1.21.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-02-03T08:50:28Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-33655"
    }
  ]
}

fkie_cve-2024-33655

Vulnerability from fkie_nvd

Published

2024-06-06 17:15

Modified

2024-11-21 09:17

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

▶	URL	Tags
	cve@mitre.org	https://alas.aws.amazon.com/ALAS-2024-1934.html
	cve@mitre.org	https://datatracker.ietf.org/doc/html/rfc1035
	cve@mitre.org	https://github.com/NLnetLabs/unbound/commit/c3206f4568f60c486be6d165b1f2b5b254fea3de
	cve@mitre.org	https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md#version-120
	cve@mitre.org	https://gitlab.isc.org/isc-projects/bind9/-/issues/4398
	cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3TBXPRJ2Q235YUZKYDRWOSYNDFBJQWJ3/
	cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QITY2QBX2OCBTZIXD2A5ES62STFIA4AL/
	cve@mitre.org	https://meterpreter.org/researchers-uncover-dnsbomb-a-new-pdos-attack-exploiting-legitimate-dns-features/
	cve@mitre.org	https://nlnetlabs.nl/downloads/unbound/CVE-2024-33655.txt
	cve@mitre.org	https://nlnetlabs.nl/projects/unbound/security-advisories/
	cve@mitre.org	https://sp2024.ieee-security.org/accepted-papers.html
	cve@mitre.org	https://www.isc.org/blogs/2024-dnsbomb/
	af854a3a-2127-422b-91ae-364da2661108	https://alas.aws.amazon.com/ALAS-2024-1934.html
	af854a3a-2127-422b-91ae-364da2661108	https://datatracker.ietf.org/doc/html/rfc1035
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/NLnetLabs/unbound/commit/c3206f4568f60c486be6d165b1f2b5b254fea3de
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md#version-120
	af854a3a-2127-422b-91ae-364da2661108	https://gitlab.isc.org/isc-projects/bind9/-/issues/4398
	af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3TBXPRJ2Q235YUZKYDRWOSYNDFBJQWJ3/
	af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QITY2QBX2OCBTZIXD2A5ES62STFIA4AL/
	af854a3a-2127-422b-91ae-364da2661108	https://meterpreter.org/researchers-uncover-dnsbomb-a-new-pdos-attack-exploiting-legitimate-dns-features/
	af854a3a-2127-422b-91ae-364da2661108	https://nlnetlabs.nl/downloads/unbound/CVE-2024-33655.txt
	af854a3a-2127-422b-91ae-364da2661108	https://nlnetlabs.nl/projects/unbound/security-advisories/
	af854a3a-2127-422b-91ae-364da2661108	https://sp2024.ieee-security.org/accepted-papers.html
	af854a3a-2127-422b-91ae-364da2661108	https://www.isc.org/blogs/2024-dnsbomb/

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the \"DNSBomb\" issue."
    },
    {
      "lang": "es",
      "value": "El protocolo DNS en RFC 1035 y sus actualizaciones permite a atacantes remotos provocar una denegaci\u00f3n de servicio (consumo de recursos) organizando que las consultas DNS se acumulen durante segundos, de modo que las respuestas se env\u00eden posteriormente en una r\u00e1faga pulsante (que puede considerarse amplificaci\u00f3n del tr\u00e1fico en algunos casos), tambi\u00e9n conocido como el problema \"DNSBomb\"."
    }
  ],
  "id": "CVE-2024-33655",
  "lastModified": "2024-11-21T09:17:19.950",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-06-06T17:15:51.040",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://alas.aws.amazon.com/ALAS-2024-1934.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://datatracker.ietf.org/doc/html/rfc1035"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/NLnetLabs/unbound/commit/c3206f4568f60c486be6d165b1f2b5b254fea3de"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md#version-120"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://gitlab.isc.org/isc-projects/bind9/-/issues/4398"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3TBXPRJ2Q235YUZKYDRWOSYNDFBJQWJ3/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QITY2QBX2OCBTZIXD2A5ES62STFIA4AL/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://meterpreter.org/researchers-uncover-dnsbomb-a-new-pdos-attack-exploiting-legitimate-dns-features/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://nlnetlabs.nl/downloads/unbound/CVE-2024-33655.txt"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://nlnetlabs.nl/projects/unbound/security-advisories/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://sp2024.ieee-security.org/accepted-papers.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.isc.org/blogs/2024-dnsbomb/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://alas.aws.amazon.com/ALAS-2024-1934.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://datatracker.ietf.org/doc/html/rfc1035"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/NLnetLabs/unbound/commit/c3206f4568f60c486be6d165b1f2b5b254fea3de"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md#version-120"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://gitlab.isc.org/isc-projects/bind9/-/issues/4398"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3TBXPRJ2Q235YUZKYDRWOSYNDFBJQWJ3/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QITY2QBX2OCBTZIXD2A5ES62STFIA4AL/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://meterpreter.org/researchers-uncover-dnsbomb-a-new-pdos-attack-exploiting-legitimate-dns-features/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://nlnetlabs.nl/downloads/unbound/CVE-2024-33655.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://nlnetlabs.nl/projects/unbound/security-advisories/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://sp2024.ieee-security.org/accepted-papers.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.isc.org/blogs/2024-dnsbomb/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-33655 (GCVE-0-2024-33655)

Vulnerability from cvelistv5

gsd-2024-33655

Vulnerability from gsd

opensuse-su-2024:13944-1

Vulnerability from csaf_opensuse

ghsa-2xh4-pf7v-vh6h

Vulnerability from github

suse-su-2025:20024-1

Vulnerability from csaf_suse

fkie_cve-2024-33655

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature