1.176.0
cf-buildpacks-eng released this 23 Oct 15:41 · 24 commits to main since this release
Notably, this release addresses:
USN-7080-1 Unbound vulnerability:
- CVE-2024-8508:
NLnet Labs Unbound up to and including version 1.21.0 contains a
vulnerability when handling replies with very large RRsets that it needs to
perform name compression for. Malicious upstream responses with very large
RRsets can cause Unbound to spend a considerable time applying name
compression to downstream replies. This can lead to degraded performance
and eventually denial of service in well orchestrated attacks. The
vulnerability can be exploited by a malicious actor querying Unbound for
the specially crafted contents of a malicious zone with very large RRsets.
Before Unbound replies to the query it will try to apply name compression
which was an unbounded operation that could lock the CPU until the whole
packet was complete. Unbound version 1.21.1 introduces a hard limit on the
number of name compression calculations it is willing to do per packet.
Packets that need more compression will result in semi-compressed packets
or truncated packets, even on TCP for huge messages, to avoid locking the
CPU for long. This change should not affect normal DNS traffic.
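The advisory text above describes the fix as a hard per-packet limit on compression work, with the rest of the packet emitted semi-compressed once that limit is hit. The Python below is an added illustration of that mechanism, not Unbound's code: it implements RFC 1035 label compression with a lookup budget, writes any labels that cannot be compressed within the budget uncompressed, and includes a decoder with a pointer-hop limit so a looping pointer cannot hang the parser. The names, the budget size and the rule "one budget unit per suffix lookup" are assumptions made for the example.

```python
import struct

# Constructed illustration of RFC 1035 name compression with a per-packet budget
# on compression lookups. Once the budget is spent, remaining labels are written
# uncompressed, so the message stays valid but is only "semi-compressed". This is
# an example added here, not Unbound's implementation; charging one budget unit
# per suffix lookup is an assumption made for the example.

def _labels(name):
    """Split a dotted name into lowercase wire labels (the root is the empty list)."""
    name = name.rstrip(".")
    return [l.encode("ascii").lower() for l in name.split(".")] if name else []


class NameCompressor:
    def __init__(self, budget):
        self.budget = budget      # compression lookups still allowed for this packet
        self.buf = bytearray()    # wire-format output
        self.table = {}           # suffix (tuple of labels) -> offset of first occurrence

    def write_name(self, name):
        labels = _labels(name)
        for i, label in enumerate(labels):
            suffix = tuple(labels[i:])
            if self.budget > 0:
                # Each suffix lookup counts as one compression calculation.
                self.budget -= 1
                off = self.table.get(suffix)
                if off is not None:
                    # Compression pointer: top two bits set, 14-bit offset.
                    self.buf += struct.pack("!H", 0xC000 | off)
                    return
            # Remember where this suffix starts so later names can point at it;
            # pointers can only address the first 16 KiB of the message.
            if suffix not in self.table and len(self.buf) < 0x4000:
                self.table[suffix] = len(self.buf)
            self.buf.append(len(label))
            self.buf += label
        self.buf.append(0)  # root label terminates an uncompressed tail


def compress_names(names, budget):
    """Encode names in order; return (wire bytes, lookups left in the budget)."""
    c = NameCompressor(budget)
    for n in names:
        c.write_name(n)
    return bytes(c.buf), c.budget


def read_name(buf, off, max_hops=16):
    """Decode one name at off, following pointers; returns (name, end_offset).
    max_hops bounds pointer chasing so a looping pointer raises instead of spinning."""
    labels, hops, end = [], 0, None
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        ln = buf[off]
        if (ln & 0xC0) == 0xC0:
            if off + 1 >= len(buf):
                raise ValueError("truncated pointer")
            if end is None:
                end = off + 2  # the name occupies two bytes at the pointer site
            hops += 1
            if hops > max_hops:
                raise ValueError("pointer loop")
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        if ln == 0:
            if end is None:
                end = off + 1
            return ".".join(l.decode("ascii") for l in labels) + ".", end
        if off + 1 + ln > len(buf):
            raise ValueError("truncated label")
        labels.append(bytes(buf[off + 1:off + 1 + ln]))
        off += 1 + ln


def decode_names(buf, count):
    """Decode count consecutive names starting at offset 0."""
    names, off = [], 0
    for _ in range(count):
        name, off = read_name(buf, off)
        names.append(name)
    return names


if __name__ == "__main__":
    sample = ["www.example.com", "mail.example.com", "ns1.example.com"]  # constructed
    full, _ = compress_names(sample, budget=1000)
    semi, _ = compress_names(sample, budget=0)
    print(len(full), len(semi), decode_names(full, 3) == decode_names(semi, 3))
```

With a generous budget the second and third names collapse to a label plus a two-byte pointer; with the budget exhausted every name is written in full. Both encodings decode to the same names, which is the property the advisory relies on: capping compression work changes message size, not correctness, and a TCP reply that overflows the cap is simply larger or truncated rather than costing unbounded CPU.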