[Debian] Medium CVE: CVE-2023-50387/CVE-2023-50868 unbound : multiple CVEs

Bug #2054276 reported by Yue Tao
Affects    Status        Importance  Assigned to           Milestone
StarlingX  Fix Released  High        Peng Zhang (pzhang2)

Bug Description

CVE-2023-50387: https://nvd.nist.gov/vuln/detail/CVE-2023-50387

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

CVE-2023-50868: https://nvd.nist.gov/vuln/detail/CVE-2023-50868

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
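Both descriptions come down to the same thing: how much validation work a single DNSSEC response can force a resolver to do. The Python below is an added illustration, not the bug report's or unbound's code; it models that cost with constructed DNSKEY/RRSIG records, a stand-in `verify` callback instead of real signature checks, and assumed limits (`max_checks`, `max_iterations`) that are not any resolver's shipped defaults. It shows why colliding key tags turn validation into |RRSIG| x |DNSKEY| checks, how NSEC3 iteration counts multiply SHA-1 calls per closest-encloser proof, and the general shape of the mitigation: bound the work and fail the response rather than finish it.

```python
"""Cost model for CVE-2023-50387 (DNSKEY x RRSIG combinations) and
CVE-2023-50868 (NSEC3 iterations). Added example, not unbound's source:
records are constructed dicts, `verify` is a stand-in callback, and the
limits passed in are assumed values, not any resolver's defaults."""
import hashlib
from typing import Callable, Optional


# ---- CVE-2023-50387: work is |RRSIG| x |DNSKEY with the same tag/algorithm| ----

def validate_rrset(rrsigs: list, dnskeys: list, verify: Callable,
                   max_checks: Optional[int] = None):
    """Return (status, number_of_signature_checks).

    A validator pairs each RRSIG with every DNSKEY of the same key tag and
    algorithm and tries them until one verifies. If every key shares one
    key tag, the cheap filter prunes nothing and a non-verifying set costs
    every combination. `max_checks` (assumed policy) stops the work early
    and reports the response as bogus.
    """
    checks = 0
    for sig in rrsigs:
        for key in dnskeys:
            if (key["key_tag"], key["algorithm"]) != (sig["key_tag"], sig["algorithm"]):
                continue  # cheap filter; only tag/algorithm matches reach the expensive step
            if max_checks is not None and checks >= max_checks:
                return "bogus", checks
            checks += 1
            if verify(sig, key):
                return "secure", checks
    return "bogus", checks


def colliding_records(n_keys: int, n_sigs: int, key_tag: int = 12345, algorithm: int = 13):
    """Constructed zone: every DNSKEY and RRSIG carries the same key tag and algorithm."""
    keys = [{"key_tag": key_tag, "algorithm": algorithm, "id": i} for i in range(n_keys)]
    sigs = [{"key_tag": key_tag, "algorithm": algorithm, "id": i} for i in range(n_sigs)]
    return sigs, keys


def never_verifies(sig, key) -> bool:
    """Stand-in for the real signature check: every (RRSIG, DNSKEY) pair fails."""
    return False


# ---- CVE-2023-50868: each NSEC3 hash costs iterations + 1 SHA-1 calls ----

def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lowercase, length-prefixed labels, root byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> bytes:
    """RFC 5155 section 5: IH(0) = H(owner || salt); IH(k) = H(IH(k-1) || salt)."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def closest_encloser_work(qname: str, salt: bytes, iterations: int, max_iterations: int):
    """Return (status, sha1_calls).

    A closest-encloser proof hashes qname and, in the worst case, each of
    its ancestors, so a deep random subdomain costs labels x (iterations+1)
    SHA-1 calls. RFC 9276 advises not honouring high iteration counts, so
    above `max_iterations` (assumed value) the response is treated as
    insecure and no hashing is done at all.
    """
    if iterations > max_iterations:
        return "insecure", 0
    labels = [lbl for lbl in qname.rstrip(".").split(".") if lbl]
    calls = 0
    for i in range(len(labels)):
        nsec3_hash(".".join(labels[i:]), salt, iterations)
        calls += iterations + 1
    return "hashed", calls


if __name__ == "__main__":
    sigs, keys = colliding_records(40, 40)
    print("unbounded:", validate_rrset(sigs, keys, never_verifies))
    print("bounded:  ", validate_rrset(sigs, keys, never_verifies, max_checks=16))
    print("nsec3 150 iterations:", closest_encloser_work("a.b.c.example.com", b"\xaa", 150, 150))
    print("nsec3 2500 iterations:", closest_encloser_work("a.b.c.example.com", b"\xaa", 2500, 150))
```

With 40 colliding keys and 40 signatures that never verify, the unbounded loop performs 1600 checks before giving up, while the bounded version stops at 16 with the same "bogus" outcome; a valid key found late still succeeds within the budget because the search stops at the first verification. The NSEC3 half shows the other lever: a five-label name at 150 iterations costs 755 SHA-1 calls, and refusing an iteration count above the cap costs nothing.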

Base Score: Medium

Reference:

libunbound8_1.13.1-1+deb11u1_amd64.deb ===> libunbound8_1.13.1-1+deb11u2_amd64.deb
libunbound-dev_1.13.1-1+deb11u1_amd64.deb ===> libunbound-dev_1.13.1-1+deb11u2_amd64.deb
https://security-tracker.debian.org/tracker/DSA-5620-1

Peng Zhang (pzhang2)
Changed in starlingx:
assignee: nobody → Peng Zhang (pzhang2)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/910140

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/910140
Committed: https://opendev.org/starlingx/tools/commit/24d8e4e82cb91a3a18fad701765b9299b96359b2
Submitter: "Zuul (22348)"
Branch: master

commit 24d8e4e82cb91a3a18fad701765b9299b96359b2
Author: Peng Zhang <email address hidden>
Date: Wed Feb 21 07:15:41 2024 +0000

    libunbound: Upgrade to 1.13.1-1+deb11u2

    Upgrade package libunbound8 and libunbound-dev from 1.13.1-1+deb11u1
    to 1.13.1-1+deb11u2 in order to fix the CVE issues CVE-2023-50387
    and CVE-2023-50868.

    Refer to:
    https://nvd.nist.gov/vuln/detail/CVE-2023-50387
    https://nvd.nist.gov/vuln/detail/CVE-2023-50868
    https://security-tracker.debian.org/tracker/DSA-5620-1

    TestPlan:
    PASS: downloader; build-pkgs; build-image
    PASS: Jenkins Installation

    Closes-Bug: 2054276

    Change-Id: I646be1b0d6c0f8be2108a68d1ac1c9ad78eee519
    Signed-off-by: Peng Zhang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released