Unbound 1.21.1 released
Yorgos Thessalonikefs
yorgos at nlnetlabs.nl
Fri Oct 4 07:39:22 UTC 2024
Hi Petr,
The canonical place for our keys is https://nlnetlabs.nl/people/.
Wouter has a link to that key server, I have the key on the webserver.
I went ahead and uploaded my key also to https://keys.openpgp.org.
This release was exceptional because Wouter is unavailable at this time.
In the future we are thinking of having a dedicated key for signing
releases, but this is something that will be properly communicated when
the time comes.
I may do more releases in the future with the Yorgos key, if you want to
store that.
Best regards,
-- Yorgos
On 03/10/2024 21:26, Petr Menšík wrote:
> Hi!
>
> I have tried to update to this key. When I searched for it on the same
> source that Wouter Wijngaards links to, it found only an expired key.
>
> Perhaps the GPG key could also be refreshed at the link
>
> https://keys.openpgp.org/pks/lookup?op=get&search=948EB42322C5D00B79340F5DCFF3344D9087A490
>
> ?
>
> It would be better if Wouter's older key signed the 948E B423 22C5 D00B
> 7934 0F5D CFF3 344D 9087 A490 key.
>
> Will all releases from now on be signed by this Yorgos key, or is this
> an exceptional case?
>
> Regards,
> Petr
>
> On 03. 10. 24 18:00, Yorgos Thessalonikefs via Unbound-users wrote:
>> Hi,
>>
>> Unbound 1.21.1 is available:
>> https://nlnetlabs.nl/downloads/unbound/unbound-1.21.1.tar.gz
>> sha256 3036d23c23622b36d3c87e943117bdec1ac8f819636eb978d806416b0fa9ea46
>> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.21.1.tar.gz.asc
>>
>> ** This release is signed by yorgos at nlnetlabs.nl. Please find the
>> relevant key at https://nlnetlabs.nl/people/ **
>>
>> This security release fixes CVE-2024-8508.
>>
>> A vulnerability has been discovered in Unbound when handling replies
>> with very large RRsets that Unbound needs to perform name compression
>> for.
>>
>> Malicious upstream responses with very large RRsets can cause Unbound
>> to spend a considerable time applying name compression to downstream
>> replies. This can lead to degraded performance and eventually denial of
>> service in well-orchestrated attacks.
>>
>> The vulnerability can be exploited by a malicious actor querying Unbound
>> for the specially crafted contents of a malicious zone with very large
>> RRsets.
>> Before Unbound replies to the query, it will try to apply name
>> compression, which was an unbounded operation that could lock the CPU
>> until the whole packet was complete.
>>
>> Unbound version 1.21.1 introduces a hard limit on the number of name
>> compression calculations it is willing to do per packet.
>> Packets that need more compression will result in semi-compressed
>> packets or truncated packets, even on TCP for huge messages, to avoid
>> locking the CPU for long.
>>
>> This change should not affect normal DNS traffic.
>>
>> We would like to thank Toshifumi Sakaguchi for discovering and
>> responsibly disclosing the vulnerability.
>>
>>
>> Bug Fixes:
>> - Fix CVE-2024-8508, unbounded name compression could lead to denial of
>> service.
>>
>> Best regards,
>> -- Yorgos
>>
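The following is an added illustration of the mitigation the announcement describes, written for this thread and not taken from Unbound's source: a simplified Python model of RFC 1035 section 4.1.4 suffix compression in which every comparison against an already-written name counts as one compression calculation, and an optional per-packet budget stops the search once spent, so the remaining names are emitted uncompressed (a semi-compressed packet that still decodes correctly). The naive linear-scan matcher, the budget value and the sample owner names are constructed for the example and are not Unbound's actual data structures or limits.

```python
class Encoder:
    """Suffix compression per RFC 1035 s4.1.4; budget=None is unbounded."""
    def __init__(self, budget=None):
        self.buf, self.suffixes = bytearray(), []  # suffixes: (labels, offset)
        self.budget, self.calcs = budget, 0        # calcs spent on this packet
    def _find_suffix(self, suffix):
        # Constructed naive linear scan, one calculation per comparison: the
        # cost of each new name grows with every name already in the packet.
        for labels, off in self.suffixes:
            if self.budget is not None and self.calcs >= self.budget:
                return None  # budget spent: stop searching, emit uncompressed
            self.calcs += 1
            if labels == suffix:
                return off
        return None
    def write_name(self, name):
        labels = [x.lower() for x in name.rstrip(".").split(".") if x]
        for i in range(len(labels)):
            off = self._find_suffix(labels[i:])
            if off is not None:                      # 2-byte pointer to suffix
                self.buf += bytes([0xC0 | (off >> 8), off & 0xFF])
                return
            if len(self.buf) < 0x4000:               # pointers address 14 bits
                self.suffixes.append((labels[i:], len(self.buf)))
            self.buf += bytes([len(labels[i])]) + labels[i].encode()
        self.buf += b"\x00"

def encode_owners(names, budget=None):
    enc = Encoder(budget)                            # returns (wire, calcs)
    for n in names:
        enc.write_name(n)
    return bytes(enc.buf), enc.calcs

def decode_owners(buf, count):
    names, pos = [], 0                               # follows pointers
    for _ in range(count):
        labels, cur, end = [], pos, None
        while True:
            n = buf[cur]
            if n & 0xC0 == 0xC0:                     # pointer: jump, keep end
                end = cur + 2 if end is None else end
                cur = ((n & 0x3F) << 8) | buf[cur + 1]
            elif n == 0:
                break
            else:
                labels.append(buf[cur + 1:cur + 1 + n].decode())
                cur += 1 + n
        names.append(".".join(labels) + ".")
        pos = cur + 1 if end is None else end
    return names
```

Encoding a constructed RRset of a few hundred owner names without a budget shows the calculation count growing quadratically, while a budget of a few hundred caps the work at exactly that number and yields a larger but still valid packet.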