USN-6665-1: Unbound vulnerabilities
24836
25 July 2024
25 July 2024
CLOSED
MEDIUM
CVE-2023-50387;CVE-2023-50868
Severity
medium
Vendor
VMware Tanzu
Versions Affected
- Canonical Ubuntu 22.04
Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner discovered that Unbound incorrectly handled validating DNSSEC messages. A remote attacker could possibly use this issue to cause Unbound to consume resources, leading to a denial of service. (CVE-2023-50387) It was discovered that Unbound incorrectly handled preparing an NSEC3 closest encloser proof. A remote attacker could possibly use this issue to cause Unbound to consume resources, leading to a denial of service. (CVE-2023-50868) Update Instructions: Run `sudo pro fix USN-6665-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: unbound - 1.9.4-2ubuntu1.5 python3-unbound - 1.9.4-2ubuntu1.5 libunbound8 - 1.9.4-2ubuntu1.5 python-unbound - 1.9.4-2ubuntu1.5 unbound-anchor - 1.9.4-2ubuntu1.5 unbound-host - 1.9.4-2ubuntu1.5 libunbound-dev - 1.9.4-2ubuntu1.5 No subscription required.
Fixed and Unaffected VMware Products and Versions
- Cflinixfs4
- 1.70.0 or greater
- CF Deployment
- 39.3.0 or greater
- Isolation Segment
- 4.0.19+LTS-T or greater
- 5.0.9 or greater
- 6.0.x unaffected
- VMware Tanzu Applications Service for VMs
- 4.0.19+LTS-T or greater
- 5.0.9 or greater
- 6.0.x unaffected
References
https://ubuntu.com/security/notices/USN-6665-1
https://www.cloudfoundry.org/blog/usn-6665-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6665-1
History
2024-02-28: Initial vulnerability report published.