{"schema_version": "1.7.0", "id": "RLSA-2024:1750", "modified": "2024-05-10T14:34:20.482416Z", "published": "2024-05-10T14:32:38.114770Z", "upstream": ["CVE-2024-1488"], "summary": "Important: unbound security update", "details": "The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.\n\nSecurity Fix(es):\n\n* A vulnerability was found in Unbound due to incorrect default permissions,\nallowing any process outside the unbound group to modify the unbound runtime\nconfiguration. The default combination of the \"control-use-cert: no\" option with\neither explicit or implicit use of an IP address in the \"control-interface\"\noption could allow improper access. If a process can connect over localhost to\nport 8953, it can alter the configuration of unbound.service. This flaw allows\nan unprivileged local process to manipulate a running instance, potentially\naltering forwarders, allowing them to track all queries forwarded by the local\nresolver, and, in some cases, disrupting resolving altogether.\n\nTo mitigate the vulnerability, a new file\n\"/etc/unbound/conf.d/remote-control.conf\" has been added and included in the\nmain unbound configuration file, \"unbound.conf\". The file contains two\ndirectives that should limit access to unbound.conf:\n\n    control-interface: \"/run/unbound/control\"\n    control-use-cert: \"yes\"\n\nFor details about these directives, run \"man unbound.conf\".\n\nUpdating to the version of unbound provided by this advisory should, in most\ncases, address the vulnerability. To verify that your configuration is not\nvulnerable, use the \"unbound-control status | grep control\" command. If the\noutput contains \"control(ssl)\" or \"control(namedpipe)\", your configuration is\nnot vulnerable. If the command output returns only \"control\", the configuration\nis vulnerable because it does not enforce access only to the unbound group\nmembers. To fix your configuration, add the line \"include:\n/etc/unbound/conf.d/remote-control.conf\" to the end of the file\n\"/etc/unbound/unbound.conf\". If you use a custom\n\"/etc/unbound/conf.d/remote-control.conf\" file, add the new directives to this\nfile. (CVE-2024-1488)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s)\nlisted in the References section.", "affected": [{"package": {"ecosystem": "Rocky Linux:9", "name": "unbound", "purl": "pkg:rpm/rocky-linux/unbound?distro=rocky-linux-9&epoch=0"}, "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "0:1.16.2-3.el9_3.5"}], "database_specific": {"yum_repository": "CRB"}}]}], "references": [{"type": "ADVISORY", "url": "https://errata.rockylinux.org/RLSA-2024:1750"}, {"type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264183"}], "credits": [{"name": "Rocky Enterprise Software Foundation"}, {"name": "Red Hat"}]}