Unbound 1.9.5 released

Published: Tue 19 November 2019

We are pleased to announce the release of version 1.9.5 of the Unbound recursive DNS resolver.

This release fixes CVE-2019-18934, a vulnerability that can lead to shell code execution after receiving a specially crafted answer. The issue can only be triggered when all of the following conditions are met:

  • unbound was compiled with --enable-ipsecmod support, and
  • ipsecmod is enabled and used in the configuration (either in the configuration file or using unbound-control), and
  • a domain is part of the ipsecmod-whitelist (if ipsecmod-whitelist is used), and
  • unbound receives an A/AAAA query for a domain that has A/AAAA records and IPSECKEY records available.

The shell code execution can then happen if either the qname or the gateway field of the IPSECKEY record (when gateway type == 3) contains a specially crafted domain name.
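The build and configuration preconditions above can be checked statically. The following added helper (not Unbound's or NLnet Labs' own code) assesses captured `unbound -V` output and an unbound.conf; it assumes that `unbound -V` prints a `Version X.Y.Z` line and the configure line, and it cannot see ipsecmod enabled at runtime through unbound-control.

```shell
# Added triage helper, not part of Unbound: decide from captured `unbound -V`
# output and an unbound.conf text whether a host meets the static preconditions
# for CVE-2019-18934. Assumes `unbound -V` prints "Version X.Y.Z" and the configure line.
# version_ge A B: succeed when dotted numeric version A >= B (so 1.10.0 >= 1.9.5).
version_ge() {
    a=$1 b=$2
    while [ -n "$a$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        a=${a#"$x"}; a=${a#.}; b=${b#"$y"}; b=${b#.}
    done
    return 0
}
# unbound_version TEXT: print the version number from `unbound -V` output.
unbound_version() { printf '%s\n' "$1" | sed -n 's/^Version[[:space:]]*\([0-9][0-9.]*\).*/\1/p'; }
# build_has_ipsecmod TEXT: succeed if the build was configured with ipsecmod.
build_has_ipsecmod() { printf '%s\n' "$1" | grep -Eq -- '--enable-ipsecmod|^Linked modules:.*ipsecmod'; }
# active_conf TEXT: config lines with '#' comments and trailing blanks stripped.
active_conf() { printf '%s\n' "$1" | sed 's/#.*//; s/[[:space:]]*$//'; }
# config_enables_ipsecmod TEXT: succeed on an active "ipsecmod-enabled: yes".
config_enables_ipsecmod() { active_conf "$1" | grep -Eq '^[[:space:]]*ipsecmod-enabled:[[:space:]]*yes'; }
# whitelist_domains TEXT: ipsecmod-whitelist entries, one per line; none = every domain.
whitelist_domains() { active_conf "$1" | sed -n 's/^[[:space:]]*ipsecmod-whitelist:[[:space:]]*//p' | tr -d '"'; }
# assess VTEXT CONF: print a verdict and succeed only when the host is exposed.
# Enablement at runtime via unbound-control is not visible in the file.
assess() {
    ver=$(unbound_version "$1")
    if [ -n "$ver" ] && version_ge "$ver" 1.9.5; then
        echo "not affected: $ver carries the fix"; return 1
    elif ! build_has_ipsecmod "$1"; then
        echo "not affected: built without --enable-ipsecmod"; return 1
    elif ! config_enables_ipsecmod "$2"; then
        echo "not affected: ipsecmod-enabled is not yes in the file"; return 1
    fi
    wl=$(whitelist_domains "$2" | tr '\n' ' '); wl=${wl% }
    echo "EXPOSED: ipsecmod enabled for ${wl:-all domains}"
}
# Constructed sample inputs, not captured from any real host.
SAMPLE_V='Version 1.9.4
Configure line: --enable-ipsecmod --with-libevent'
SAMPLE_CONF='server:
    ipsecmod-enabled: yes
    ipsecmod-whitelist: "example.com"  # only this zone
    # ipsecmod-whitelist: "disabled.example"'
assess "$SAMPLE_V" "$SAMPLE_CONF" && echo "action: upgrade to 1.9.5 or set ipsecmod-enabled: no"
```

Feed it the real `unbound -V` output and the contents of the running unbound.conf (including any included files) to triage a host; the fourth condition, an incoming A/AAAA query for a domain with IPSECKEY records, depends on traffic and is not checked.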

We would like to thank X41 D-Sec for notifying us about this vulnerability and OSTIF for sponsoring the Unbound security audit.

For a full list of changes and binary and source packages, see the download page.
