Update Unbound from 1.6.3 to 1.6.8 #603

Merged (1 commit) on Feb 7, 2018

@pmenzel pmenzel commented Feb 5, 2018

This fixes a security issue related to DANE.

After the update, the service needs to be restarted with systemctl restart unbound.service.

Tested on keineahnung.

On 05.02.2018 at 17:29, Viktor Dukhovni wrote:
>
> If you're using unbound as your local DNSSEC-validating
> resolver and have enabled DANE, an issue is resolved in
> unbound 1.6.8 where NSEC records for wildcards could be
> misused for invalid denial-of-existence proofs.  See:
>
>    https://medium.com/nlnetlabs/the-peculiar-case-of-nsec-processing-using-expanded-wildcard-records-ae8285f236be
>    https://unbound.net/downloads/CVE-2017-15105.txt
>
> The first article mentions that the same issue affected
> PowerDNS and Dnsmasq.  So if you're using one of those,
> you might also need to update.  While Google's public
> DNS was also affected, this is out of scope for DANE,
> as you get little security from relying on the AD bit
> from remote resolvers.

@pmenzel pmenzel changed the title from "Update unbound from 1.6.3 to 1.6.8" to "Update Unbound from 1.6.3 to 1.6.8" on Feb 5, 2018
@donald donald merged commit c12e144 into master Feb 7, 2018
@donald donald deleted the update-unbound-from-1.6.3-to-1.6.8 branch February 14, 2018 15:05