Unbound 1.9.4 released

Wouter Wijngaards wouter at nlnetlabs.nl
Thu Oct 3 09:35:42 UTC 2019


Unbound 1.9.4 is available:
sha256 3d3e25fb224025f0e732c7970e5676f53fd1764c16d6a01be073a13e42954bb0
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.9.4.tar.gz.asc

This release is a fix for vulnerability CVE-2019-16866 that causes a 
failure when a specially crafted query is received.

Bug Fixes:
- Fix for the reported vulnerability.

The CVE number for this vulnerability is CVE-2019-16866

== Summary
Recent versions of Unbound contain a problem that may cause Unbound to
crash after receiving a specially crafted query. This issue can only be
triggered by queries received from addresses allowed by Unbound's ACL.

== Affected products
Unbound 1.7.1 up to and including 1.9.3.

== Description
Due to an error in parsing NOTIFY queries, it is possible for Unbound to
continue processing malformed queries and may ultimately result in a
pointer dereference in uninitialized memory. This results in a crash of
the Unbound daemon.

Whether this issue leads to a crash depends on the content of the
uninitialized memory space and cannot be predicted. This issue can only
be triggered by queries received from addresses that are allowed to send
queries according to Unbound's ACL (access-control in the Unbound

== Solution
Download patched version of Unbound, or apply the patch manually.

+ Downloading patched version
Unbound 1.9.4 is released with the patch

+ Applying the Patch manually
For Unbound 1.7.1 up to and including 1.9.3 the patch is:

Apply the patch on Unbound source directory with:
'patch -p0 < patch_cve_2019-16866.diff'
then run 'make install' to install Unbound.

== Acknowledgments
We would like to thank X41 D-Sec for notifying us about this
vulnerability and OSTIF for sponsoring the Unbound security audit.

Best regards, Wouter

More information about the Unbound-users mailing list