Unbound 1.21.1 released

Yorgos Thessalonikefs yorgos at nlnetlabs.nl
Fri Oct 4 11:21:15 UTC 2024


Hi all,

There was a mishap when tagging the release on git.
It was automatically created (and not signed) by GitHub when doing the 
release there.

I have since corrected the issue and *replaced* the old tag with the 
correct new one.

If you are relying on git and git tags you can remove the local one with:

	git tag -d release-1.21.1

and fetch the new one with:

	git fetch -u origin tag release-1.21.1

(replace "origin" in case you are using a different remote name for the 
NLnetLabs repository)

Both the old and the updated tag should be pointing to the same commit:
b7c61d7cc256d6a174e6179622c7fa968272c259

You can test which tag you have by doing

	git rev-parse refs/tags/release-1.21.1

which should return 2428fe1e4ca6abebfd9ab5f25c7ddcf3f919a257 if you have 
the updated one.

Sorry for any inconvenience.

Best regards,
-- Yorgos
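The tag check above can be scripted so that the outcome is unambiguous. The following is an added example, not part of this announcement and not NLnet Labs tooling: it reads the local tag with the same `git rev-parse` calls, compares it with the two hashes published in the message, and distinguishes a stale tag (right commit, old tag object) from a wrong one. The repository path is an assumption; `git verify-tag` only succeeds if the signer's key is in your keyring.

```python
"""Check a local git release tag against the hashes published in an announcement.

Added example; it is not part of the announcement or of NLnet Labs' tooling.
The repository path is assumed; the two hashes are the ones from the message.
"""
import subprocess
from dataclasses import dataclass

TAG = "release-1.21.1"
EXPECTED_TAG_OBJECT = "2428fe1e4ca6abebfd9ab5f25c7ddcf3f919a257"  # the corrected tag object
EXPECTED_COMMIT = "b7c61d7cc256d6a174e6179622c7fa968272c259"      # commit both tags point at


@dataclass(frozen=True)
class TagState:
    ref_sha: str     # what refs/tags/<tag> resolves to
    commit_sha: str  # the commit it dereferences to (<tag>^{commit})
    obj_type: str    # 'tag' for an annotated tag object, 'commit' for a lightweight tag


def classify(state: TagState, expected_tag: str, expected_commit: str) -> str:
    """'updated' = the replaced tag; 'stale' = right commit but old tag ref; 'wrong-commit' otherwise."""
    if state.commit_sha != expected_commit:
        return "wrong-commit"
    if state.ref_sha == expected_tag:
        return "updated"
    return "stale"


def _git(repo: str, *args: str) -> str:
    return subprocess.check_output(["git", "-C", repo, *args], text=True).strip()


def read_tag(repo: str, tag: str) -> TagState:
    """Run the same rev-parse query as the announcement, plus the dereferenced commit and object type."""
    ref = f"refs/tags/{tag}"
    return TagState(
        ref_sha=_git(repo, "rev-parse", ref),
        commit_sha=_git(repo, "rev-parse", f"{ref}^{{commit}}"),
        obj_type=_git(repo, "cat-file", "-t", ref),
    )


def signature_ok(repo: str, tag: str) -> bool:
    """True if `git verify-tag` accepts the tag (needs the signer's key in your keyring)."""
    return subprocess.run(["git", "-C", repo, "verify-tag", tag], capture_output=True).returncode == 0


if __name__ == "__main__":
    import sys
    repo = sys.argv[1] if len(sys.argv) > 1 else "."   # assumed: a checkout of the Unbound repository
    state = read_tag(repo, TAG)
    verdict = classify(state, EXPECTED_TAG_OBJECT, EXPECTED_COMMIT)
    print(f"{TAG}: {verdict} ({state.obj_type} object {state.ref_sha[:12]} -> commit {state.commit_sha[:12]})")
    if verdict == "stale":
        print(f"refresh with: git tag -d {TAG} && git fetch -u origin tag {TAG}")
    elif verdict == "updated":
        print("signature:", "good" if signature_ok(repo, TAG) else "NOT verified (key missing or bad signature)")
```

A "stale" verdict is harmless for the checked-out source (same commit) but means `git verify-tag` cannot vouch for it; only the corrected tag object carries the signature.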

On 03/10/2024 18:00, Yorgos Thessalonikefs via Unbound-users wrote:
> Hi,
> 
> Unbound 1.21.1 is available:
> https://nlnetlabs.nl/downloads/unbound/unbound-1.21.1.tar.gz
> sha256 3036d23c23622b36d3c87e943117bdec1ac8f819636eb978d806416b0fa9ea46
> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.21.1.tar.gz.asc
> 
> ** This release is signed by yorgos at nlnetlabs.nl. Please find the 
> relevant key at https://nlnetlabs.nl/people/ **
> 
> This security release fixes CVE-2024-8508.
> 
> A vulnerability has been discovered in Unbound when handling replies
> with very large RRsets that Unbound needs to perform name compression
> for.
> 
> Malicious upstream responses with very large RRsets can cause Unbound
> to spend a considerable time applying name compression to downstream
> replies. This can lead to degraded performance and eventually denial of
> service in well-orchestrated attacks.
> 
> The vulnerability can be exploited by a malicious actor querying Unbound
> for the specially crafted contents of a malicious zone with very large
> RRsets.
> Before Unbound replies to the query it will try to apply name
> compression which was an unbounded operation that could lock the CPU
> until the whole packet was complete.
> 
> Unbound version 1.21.1 introduces a hard limit on the number of name
> compression calculations it is willing to do per packet.
> Packets that need more compression will result in semi-compressed
> packets or truncated packets, even on TCP for huge messages, to avoid
> locking the CPU for long.
> 
> This change should not affect normal DNS traffic.
> 
> We would like to thank Toshifumi Sakaguchi for discovering and
> responsibly disclosing the vulnerability.
> 
> 
> Bug Fixes:
> - Fix CVE-2024-8508, unbounded name compression could lead to denial of
>    service.
> 
> Best regards,
> -- Yorgos
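The advisory's two ideas, that name compression work grows with the size of the RRset and that a hard per-packet limit turns the worst case into a semi-compressed but still valid reply, can be seen in a small model. The code below is an added example written for this thread; it is a simplified RFC 1035 compressor with a linear suffix table, not Unbound's implementation, and the RRset it builds (`example.com.` plus N distinct `hostN.example.com.` targets) is constructed input. `max_calculations` stands in for the limit the release introduces and is an assumed name.

```python
"""Toy model of DNS name compression with a per-packet work limit (added example, not Unbound code)."""
from typing import List, Optional, Tuple

Labels = Tuple[str, ...]


def labels_of(name: str) -> Labels:
    """'Host.Example.com.' -> ('host', 'example', 'com')."""
    return tuple(l for l in name.lower().rstrip(".").split(".") if l)


class PacketWriter:
    """Serialises names into a wire buffer, replacing repeated suffixes with 14-bit pointers."""

    def __init__(self, max_calculations: Optional[int] = None):
        self.out = bytearray()
        self.table: List[Tuple[Labels, int]] = []  # (suffix, offset) of names already in the packet
        self.calculations = 0                       # suffix comparisons performed so far
        self.max_calculations = max_calculations    # None = unbounded (the pre-fix behaviour)
        self.compressed = 0
        self.uncompressed = 0

    def _budget_left(self) -> bool:
        return self.max_calculations is None or self.calculations < self.max_calculations

    def _lookup(self, suffix: Labels) -> Optional[int]:
        """Linear scan of the table; every comparison counts as one calculation."""
        for stored, offset in self.table:
            if not self._budget_left():
                return None  # budget exhausted: stop compressing, write literally
            self.calculations += 1
            if stored == suffix:
                return offset
        return None

    def write_name(self, name: str) -> None:
        labels = labels_of(name)
        n_literal, pointer = len(labels), None
        for i in range(len(labels)):  # try the longest suffix first
            pointer = self._lookup(labels[i:])
            if pointer is not None:
                n_literal = i
                break
        for j in range(n_literal):
            if len(self.out) < 0x3FFF:  # offsets must fit in a 14-bit pointer
                self.table.append((labels[j:], len(self.out)))
            label = labels[j].encode("ascii")
            self.out += bytes([len(label)]) + label
        if pointer is None:
            self.out.append(0)
            self.uncompressed += 1
        else:
            self.out += bytes([0xC0 | (pointer >> 8), pointer & 0xFF])
            self.compressed += 1


def decode_names(buf: bytes) -> List[str]:
    """Read consecutive names back, following pointers, to check the output is still valid."""
    names, pos = [], 0
    while pos < len(buf):
        labels, p, jumped = [], pos, False
        while True:
            b = buf[p]
            if b & 0xC0 == 0xC0:
                target = ((b & 0x3F) << 8) | buf[p + 1]
                if not jumped:
                    pos = p + 2
                p, jumped = target, True
                continue
            if b == 0:
                if not jumped:
                    pos = p + 1
                break
            labels.append(buf[p + 1:p + 1 + b].decode("ascii"))
            p += 1 + b
        names.append(".".join(labels) + ".")
    return names


def build_large_rrset(n_targets: int, max_calculations: Optional[int] = None) -> PacketWriter:
    """Constructed input: one owner name plus n_targets distinct target names."""
    w = PacketWriter(max_calculations)
    w.write_name("example.com.")
    for i in range(n_targets):
        w.write_name(f"host{i}.example.com.")
    return w


if __name__ == "__main__":
    print(f"{'targets':>8} {'unbounded':>10} {'limit 2000':>11} {'uncompressed':>13}")
    for n in (50, 100, 200, 400):
        free, capped = build_large_rrset(n), build_large_rrset(n, 2000)
        print(f"{n:>8} {free.calculations:>10} {capped.calculations:>11} {capped.uncompressed:>13}")
```

With no limit the comparison count grows roughly quadratically with the number of names (each new unique name is checked against everything already in the packet); with a limit the count stops at the budget, later names go out uncompressed, and `decode_names` still returns every name intact, which is the trade-off the advisory describes.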
