We are pleased to announce the release of version 1.9.5 of the Unbound recursive DNS resolver.
This release fixes CVE-2019-18934, a vulnerability in the IPsec module (ipsecmod) that can lead to execution of shell commands by the unbound process after it receives a specially crafted answer (the ipsecmod-hook is run through the shell with arguments taken from the query and the answer). The issue can only be triggered when all of the following conditions are met:
- unbound was compiled with --enable-ipsecmod support, and
- ipsecmod is enabled and used in the configuration (either in the configuration file or using unbound-control), and
- if ipsecmod-whitelist is configured, the queried domain is on that whitelist (without a whitelist, every domain qualifies), and
- unbound receives an A/AAAA query for a domain that has both A/AAAA record(s) and IPSECKEY record(s).
The shell command execution can then happen if either the qname or the gateway field of the IPSECKEY record (gateway type 3, i.e. the gateway is given as a domain name) contains a specially crafted domain name.
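The conditions above are the ones an operator has to check to decide whether a deployment is exposed. The following POSIX shell helper is an added example, not part of the Unbound project or this announcement: it takes the text of `unbound -V` (version and configure line) and the contents of unbound.conf, and reports whether the build is already fixed, whether ipsecmod was compiled in, whether it is enabled, and which domains the whitelist restricts it to. The sample `unbound -V` output and configuration below are constructed for the example; the verdict strings (`fixed`, `not-compiled-in`, `not-enabled`, `affected ...`) are this script's own naming.

```shell
#!/bin/sh
# Added example (not Unbound project code): triage helper for the
# CVE-2019-18934 preconditions. All inputs are passed as strings so it runs
# offline; in practice feed it `unbound -V` and your unbound.conf.

# Constructed sample standing in for `unbound -V` on an unpatched build.
SAMPLE_V='Version 1.9.4

Configure line: ./configure --enable-ipsecmod --with-libevent
Linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL 1.1.1d  10 Sep 2019'

# Constructed sample unbound.conf fragment; the commented-out line must be
# ignored by the parser.
SAMPLE_CONF='server:
    verbosity: 1
    # ipsecmod-enabled: no
    ipsecmod-enabled: yes
    ipsecmod-hook: "/usr/local/libexec/ipsecmod-hook.sh"
    ipsecmod-whitelist: "example.com."
'

# version_lt A B: exit 0 if dotted version A is older than B.
# Fields are compared numerically; missing fields count as 0.
version_lt() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { for (i = 1; i <= 3; i++) a[i] = $i + 0 }
        NR == 2 { for (i = 1; i <= 3; i++) b[i] = $i + 0 }
        END {
            for (i = 1; i <= 3; i++) {
                if (a[i] < b[i]) exit 0
                if (a[i] > b[i]) exit 1
            }
            exit 1
        }'
}

# strip_comments: drop everything after a # so commented settings are ignored.
strip_comments() {
    sed 's/#.*//'
}

# ipsecmod_exposure VINFO CONF
# Prints exactly one verdict line and always returns 0.
ipsecmod_exposure() {
    vinfo="$1"; conf="$2"
    version=$(printf '%s\n' "$vinfo" | sed -n 's/^Version \([0-9.]*\).*/\1/p')
    if [ -z "$version" ]; then
        echo unknown-version; return 0
    fi
    # 1.9.5 carries the fix; anything older is a candidate.
    if ! version_lt "$version" 1.9.5; then
        echo fixed; return 0
    fi
    # ipsecmod only exists in binaries configured with --enable-ipsecmod.
    if ! printf '%s\n' "$vinfo" | grep -q -- '--enable-ipsecmod'; then
        echo not-compiled-in; return 0
    fi
    # The module must be switched on in the configuration. Note that it can
    # also be toggled at runtime, so on a live instance confirm with
    # `unbound-control get_option ipsecmod-enabled` as well.
    if ! printf '%s\n' "$conf" | strip_comments |
         grep -Eq '^[[:space:]]*ipsecmod-enabled:[[:space:]]*yes'; then
        echo not-enabled; return 0
    fi
    # With a whitelist only the listed domains can reach the hook; without
    # one every domain with A/AAAA plus IPSECKEY records can.
    wl=$(printf '%s\n' "$conf" | strip_comments |
         sed -n 's/^[[:space:]]*ipsecmod-whitelist:[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p' |
         tr '\n' ' ' | sed 's/ $//')
    if [ -n "$wl" ]; then
        echo "affected (whitelist: $wl)"
    else
        echo "affected (all domains)"
    fi
}

# Usage on the constructed sample; on a real host replace the two strings
# with "$(unbound -V)" and "$(cat /etc/unbound/unbound.conf)".
ipsecmod_exposure "$SAMPLE_V" "$SAMPLE_CONF"
```

The comment stripping and option matching are deliberately simple: they handle the `option: value` layout unbound.conf uses, but not included files (`include:`), so run the check against every file the configuration pulls in.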
We would like to thank X41 D-Sec for notifying us about this vulnerability and OSTIF for sponsoring the Unbound security audit.
For a full list of changes and binary and source packages, see the download page.