From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 278870] dns/unbound: Update to 1.20.0
Date: Thu, 09 May 2024 12:48:59 +0000
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Archive: https://lists.freebsd.org/archives/freebsd-ports-bugs
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278870

            Bug ID: 278870
           Summary: dns/unbound: Update to 1.20.0
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://nlnetlabs.nl/news/2024/May/08/unbound-1.20.0-released/
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: jaap@NLnetLabs.nl
             Flags: Attachment #250545 maintainer-approval+

Created attachment 250545
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=250545&action=edit
Patch to update

This release has a fix for the DNSBomb issue CVE-2024-33655. This has a low severity for Unbound, since it makes Unbound complicit in targeting others, but does not affect Unbound so much. To mitigate the issue new configuration options are introduced. The options discard-timeout: 1900, wait-limit: 1000 and wait-limit-cookie: 10000 are enabled by default. They limit the number of outstanding queries that a querier can have. This limits the reply pulse, and makes Unbound less favorable for the issue. With the config wait-limit-netblock and wait-limit-cookie-netblock the parameters can be fine tuned for specific destinations. More information on the attack and Unbound's mitigations is presented further down.

Other fixes in this release are that Unbound no longer follows symlinks when truncating the pidfile. Unbound also does not chown the pidfile; this is for safety reasons. There are also a number of fixes for RPZ, in handling CNAMEs. There is a memory leak fix for the edns client subnet cache. For DNSSEC validation a case is fixed when the query is of type DNAME. The unbound-anchor program is fixed to first write to a temporary file, before replacing the original. This handles disk full situations, and because of it unbound-anchor needs permission to create that file, in the same directory as the original file. There is also a fix for IP_DONTFRAG, to disable fragmentation instead of the opposite.

The option cache-min-negative-ttl can be used to set the minimum TTL for negative responses in the cache. It complements existing options to set the maximum ttl for negative responses and to set the minimum and maximum ttl but not specifically for negative responses.

The option cachedb-check-when-serve-expired makes Unbound use cachedb to check for expired responses, when serve-expired is enabled, and cachedb is used. It is enabled by default.

The -q option for unbound-checkconf can be added to silence it when there are no errors.

Summary of the DNSBomb vulnerability CVE-2024-33655.

The DNSBomb attack, via specially timed DNS queries and answers, can cause a Denial of Service on resolvers and spoofed targets. Unbound itself is not vulnerable to DoS, rather it can be used to take part in a pulsing DoS amplification attack. Unbound 1.20.0 includes fixes so the impact of the DoS from Unbound is significantly lower than it used to be, making the attack, and Unbound's participation, less tempting for attackers.

Affected products
Unbound up to and including 1.19.3.

Description of CVE-2024-33655
The DNSBomb attack works by sending low-rate spoofed queries for a malicious zone to Unbound. By controlling the delay of the malicious authoritative answers, Unbound slowly accumulates pending answers for the spoofed addresses. When the authoritative answers become available to Unbound at the same time, Unbound starts serving all the accumulated queries. This results in large-sized, concentrated response bursts to the spoofed addresses.

From version 1.20.0 on, Unbound introduces a couple of configuration options to help mitigate the impact. Their complete description can be found in the included manpages but they are also briefly listed here together with their default values for convenience:

* discard-timeout: 1900
  After 1900 ms a reply to the client will be dropped. Unbound would still work on the query but refrain from replying in order to not accumulate a huge number of "old" replies. Legitimate clients retry on timeouts.

* wait-limit: 1000
  wait-limit-cookie: 10000
  Limits the amount of client queries that require recursion (cache-hits are not counted) per IP address. More recursive queries than the allowed limit are dropped. Clients with a valid EDNS Cookie can have a different limit, higher by default. wait-limit: 0 disables all wait limits.

* wait-limit-netblock
  wait-limit-cookie-netblock
  These do not have a default value but they can fine grain configuration for specific netblocks. With or without EDNS Cookies.

The options above are trying to shrink the DNSBomb window so that the impact of the DoS from Unbound is significantly lower than it used to be, making the attack, and Unbound's participation, less tempting for attackers.

Acknowledgements
We would like to thank Xiang Li from the Network and Information Security Lab of Tsinghua University for discovering and disclosing the attack.

For a full list of changes, binary and source packages, see the https://nlnetlabs.nl/projects/unbound/download/#unbound-1-20-0.

-- 
You are receiving this mail because:
You are the assignee for the bug.
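The three mitigation knobs listed in the report, modelled in code as an added example (this is not Unbound's code and is not part of the bug report or the NLnet Labs announcement): a per-client queue of pending recursive queries governed by wait-limit, wait-limit-cookie and the netblock overrides, plus a discard-timeout applied when the delayed upstream answer finally arrives. The class and function names, the constructed scenario (3000 queries from 192.0.2.7 spread over 3 s with the answer held back until t=3 s) and the assumption that the most specific matching netblock wins are all mine, not taken from Unbound's documentation; only the default values come from the report.

```python
"""Added example: a model of the Unbound 1.20.0 DNSBomb mitigations.

Not Unbound's code. It mimics the effect of discard-timeout, wait-limit,
wait-limit-cookie and the two *-netblock overrides on a queue of pending
recursive queries, so the size of the reply burst a resolver can be made to
release at once becomes visible. Netblock precedence (most specific prefix
wins) is an assumption of this model.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Optional, Union

# Defaults as listed in the 1.20.0 announcement.
DISCARD_TIMEOUT_MS = 1900   # discard-timeout
WAIT_LIMIT = 1000           # wait-limit (no EDNS Cookie)
WAIT_LIMIT_COOKIE = 10000   # wait-limit-cookie (valid EDNS Cookie)


@dataclass(frozen=True)
class NetblockLimit:
    """One wait-limit-netblock (cookie=False) or wait-limit-cookie-netblock
    (cookie=True) entry: a netblock and the per-address limit inside it."""
    net: Union[IPv4Network, IPv6Network]
    limit: int
    cookie: bool


def netblock_limit(cidr: str, limit: int, cookie: bool = False) -> NetblockLimit:
    """Convenience constructor taking the netblock as a CIDR string."""
    return NetblockLimit(ip_network(cidr), limit, cookie)


@dataclass(frozen=True)
class PendingQuery:
    client: str
    received_ms: int


class WaitLimiter:
    """Per-client-IP accounting of queries that are waiting on recursion."""

    def __init__(self, discard_timeout_ms=DISCARD_TIMEOUT_MS, wait_limit=WAIT_LIMIT,
                 wait_limit_cookie=WAIT_LIMIT_COOKIE, netblocks=()):
        self.discard_timeout_ms = discard_timeout_ms
        self.wait_limit = wait_limit
        self.wait_limit_cookie = wait_limit_cookie
        self.netblocks = tuple(netblocks)
        self.pending: dict[str, list[PendingQuery]] = {}
        self.dropped_over_limit = 0   # queries never admitted (wait-limit)
        self.dropped_stale = 0        # replies suppressed by discard-timeout

    def limit_for(self, client: str, cookie_ok: bool) -> Optional[int]:
        """Outstanding-query limit for this client, or None when wait-limit: 0
        has disabled all wait limits (netblock entries included)."""
        if self.wait_limit == 0:
            return None
        addr = ip_address(client)
        best = None
        for nb in self.netblocks:
            if nb.cookie == cookie_ok and addr in nb.net:
                if best is None or nb.net.prefixlen > best.net.prefixlen:
                    best = nb   # assumption: most specific prefix wins
        if best is not None:
            return best.limit
        return self.wait_limit_cookie if cookie_ok else self.wait_limit

    def recursive_query(self, client: str, now_ms: int, cookie_ok: bool = False) -> bool:
        """A cache miss that needs recursion arrives: admit it, or drop it when
        the client already has `limit` queries outstanding."""
        limit = self.limit_for(client, cookie_ok)
        queue = self.pending.setdefault(client, [])
        if limit is not None and len(queue) >= limit:
            self.dropped_over_limit += 1
            return False
        queue.append(PendingQuery(client, now_ms))
        return True

    def upstream_answer(self, client: str, now_ms: int) -> int:
        """The (possibly delayed) authoritative answer arrives: reply only to
        pending queries no older than discard-timeout; return replies sent."""
        sent = 0
        for q in self.pending.pop(client, []):
            if now_ms - q.received_ms > self.discard_timeout_ms:
                self.dropped_stale += 1
            else:
                sent += 1
        return sent


def burst(n_queries: int, spread_ms: int, answer_at_ms: int,
          cookie_ok: bool = False, **limiter_kwargs) -> dict:
    """Constructed scenario: n_queries from one source address, spaced evenly
    over spread_ms, with the upstream answer held back until answer_at_ms."""
    lim = WaitLimiter(**limiter_kwargs)
    client = "192.0.2.7"   # RFC 5737 documentation address, constructed
    for i in range(n_queries):
        lim.recursive_query(client, i * spread_ms // n_queries, cookie_ok)
    sent = lim.upstream_answer(client, answer_at_ms)
    return {"sent": sent, "over_limit": lim.dropped_over_limit, "stale": lim.dropped_stale}


if __name__ == "__main__":
    print("no wait limits :", burst(3000, 3000, 3000, wait_limit=0, discard_timeout_ms=10**9))
    print("1.20.0 defaults:", burst(3000, 3000, 3000))
    print("valid cookie   :", burst(3000, 3000, 3000, cookie_ok=True))
    print("netblock 50    :", burst(3000, 3000, 3000, netblocks=[netblock_limit("192.0.2.0/24", 50)]))
```

Running the block prints the four scenarios. With the 1.20.0 defaults only 1000 of the 3000 queries are admitted, and because the answer is held back past 1900 ms the discard-timeout suppresses every one of those replies, so no burst leaves the resolver; a client presenting a valid EDNS Cookie is allowed 10000 outstanding queries and still gets the 1900 replies that are young enough, while the netblock entry tightens the limit for a single prefix. A normal client whose answer arrives within the timeout is unaffected.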