Security Information / 2011 / Security Information -- DSA-2370-1 unbound

Debian Security Advisory

DSA-2370-1 unbound -- several vulnerabilities

Date Reported:

22 Dec 2011

Affected Packages:

unbound

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2011-4528, CVE-2011-4869.

More information:

It was discovered that Unbound, a recursive DNS resolver, would crash when processing certain malformed DNS responses from authoritative DNS servers, leading to denial of service.

• CVE-2011-4528

  Unbound attempts to free unallocated memory during processing of duplicate CNAME records in a signed zone.

• CVE-2011-4869

  Unbound does not properly process malformed responses which lack expected NSEC3 records.

For the oldstable distribution (lenny), these problems have been fixed in version 1.4.6-1~lenny2.

For the stable distribution (squeeze), these problems have been fixed in version 1.4.6-1+squeeze2.

For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 1.4.14-1.

We recommend that you upgrade your unbound packages.