RHSA-2022:7622: Red Hat Security Advisory: unbound security, bug fix, and enhancement update
An update for unbound is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-30698: unbound: novel ghost domain attack that allows malicious users to trigger continued resolvability of malicious domain names
- CVE-2022-30699: unbound: novel ghost domain attack that allows malicious users to trigger continued resolvability of malicious domain names
Issued:
2022-11-08
Updated:
2022-11-08
RHSA-2022:7622 - Security Advisory
Synopsis
Moderate: unbound security, bug fix, and enhancement update
Type/Severity
Security Advisory: Moderate
Topic
An update for unbound is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.
The following packages have been upgraded to a later upstream version: unbound (1.16.2). (BZ#2027735)
Security Fix(es):
- unbound: novel ghost domain attack that allows malicious users to trigger continued resolvability of malicious domain names (CVE-2022-30698)
- unbound: novel ghost domain attack that allows malicious users to trigger continued resolvability of malicious domain names (CVE-2022-30699)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.7 Release Notes linked from the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 8 s390x
- Red Hat Enterprise Linux for Power, little endian 8 ppc64le
- Red Hat Enterprise Linux for ARM 64 8 aarch64
Fixes
- BZ - 1959468 - unbound-keygen needs to be stopped
- BZ - 2018806 - unbound-keygen requires openssl [rhel8]
- BZ - 2023549 - unbound support for RFC 8767
- BZ - 2027735 - [RFE] Rebase unbound to latest stable release
- BZ - 2038251 - AVC denials recorded for fsetid while running unbound with local socket, though it (unbound-control) still works!
- BZ - 2081958 - chroot functionality isn’t available in unbound-1.7.3 in RHEL8
- BZ - 2116725 - CVE-2022-30698 unbound: novel ghost domain attack that allows malicious users to trigger continued resolvability of malicious domain names
- BZ - 2116729 - CVE-2022-30699 unbound: novel ghost domain attack that allows malicious users to trigger continued resolvability of malicious domain names
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index
Red Hat Enterprise Linux for x86_64 8
SRPM
unbound-1.16.2-2.el8.src.rpm
SHA-256: b11d1b450a924867e3cf61318b9b897abf167f93183cd58aa85cf514bd9614d1
x86_64
python3-unbound-1.16.2-2.el8.x86_64.rpm
SHA-256: 07225cc5242e12c7bd8f30bf19131d11d749006d8dcd5e2fa02844e1e27720f5
python3-unbound-debuginfo-1.16.2-2.el8.i686.rpm
SHA-256: 8a3ac16c53d1bb9e087cf4698ce6049858e7720ee36619db54a25579f8fd5537
python3-unbound-debuginfo-1.16.2-2.el8.x86_64.rpm
SHA-256: 2e0a2fdc116c81e4f3120a0cc0a1eca1df5e8919b0ac2cab67703baa54cc74f8
unbound-1.16.2-2.el8.x86_64.rpm
SHA-256: 8d0147b12923091d1500ce9b7f28ed4a3d528b1bcb8a4b5ffb5e956c0ac4c30f
unbound-debuginfo-1.16.2-2.el8.i686.rpm
SHA-256: 0cabc0b42289a6e201c5c9392df626ac5630b6aecd4ab4e2b2a8b76d48423d27
unbound-debuginfo-1.16.2-2.el8.x86_64.rpm
SHA-256: bcdb1ce1dd5731c1fd88e3eab414efcf7a9f7cf0daef4118321d47d9281f6528
unbound-debugsource-1.16.2-2.el8.i686.rpm
SHA-256: 06066a85f2d2d2bfb43511a20e3ea8fc3fcdb2fde0dc40f816149d2a44ded9ca
unbound-debugsource-1.16.2-2.el8.x86_64.rpm
SHA-256: 47d774887b8f0bc68ce8df8d2a5e972c582cce50b0426d8b9a876a33c25ccecd
unbound-devel-1.16.2-2.el8.i686.rpm
SHA-256: 76e43eec46c478d405162da64ce15ef7a4373d80a356882639d18af348b36225
unbound-devel-1.16.2-2.el8.x86_64.rpm
SHA-256: 9e6e39ee1cbb3766785071761c8a669093a35b286c113690536736c8389dfe34
unbound-libs-1.16.2-2.el8.i686.rpm
SHA-256: 4bda3691217650ed8e5e6bee210ca9b086b0f8fa64a23f779ff5f11b55934cdf
unbound-libs-1.16.2-2.el8.x86_64.rpm
SHA-256: 95b90e970f76a3ef6581c9e789fc9976ef8921f6ba58844f56c7e42e6c1786e3
unbound-libs-debuginfo-1.16.2-2.el8.i686.rpm
SHA-256: 0fba9511f500a440d8bdeb65187182229a3c2f0c22cb212e9bd7cb8d0277a0a3
unbound-libs-debuginfo-1.16.2-2.el8.x86_64.rpm
SHA-256: 43ebf15b88789d5ee2bae5c60112bbb94b44669b0a6d85f4d5319fc3ce988e07
Red Hat Enterprise Linux for IBM z Systems 8
SRPM
unbound-1.16.2-2.el8.src.rpm
SHA-256: b11d1b450a924867e3cf61318b9b897abf167f93183cd58aa85cf514bd9614d1
s390x
python3-unbound-1.16.2-2.el8.s390x.rpm
SHA-256: d2c8bbf10ae53c9501d7d91e6ccb69628f7981c03458017f10569689cb477071
python3-unbound-debuginfo-1.16.2-2.el8.s390x.rpm
SHA-256: f2ccd58c549ce85057e8916e715db7dc925285a9ff7016dc5e6539bc2e24221b
unbound-1.16.2-2.el8.s390x.rpm
SHA-256: d9eabe6a87c535d66f42f32f1d210573a70fdee154d35da5651288785a280eca
unbound-debuginfo-1.16.2-2.el8.s390x.rpm
SHA-256: 20073df2b6f38d1f7dee223e92513251869eb8303ca99381ba2f98d35c82732a
unbound-debugsource-1.16.2-2.el8.s390x.rpm
SHA-256: 589292b35f7bce3b59685975ae2ee391cc2461dff35460343d50b8e2f66c19a5
unbound-devel-1.16.2-2.el8.s390x.rpm
SHA-256: fca1c9b11b2e2ec1ef01bf4aed9990f7de6474d90a0b30a277d46a43faed64e7
unbound-libs-1.16.2-2.el8.s390x.rpm
SHA-256: 5f7eaeb043d7e70d0d61cef96ee9c47820ff4408864ea930e300d0903ec0b0d3
unbound-libs-debuginfo-1.16.2-2.el8.s390x.rpm
SHA-256: 1503871e328f7eceb54ac2996de7bbc9a0af73252b10437786ceb95902e2eb4a
Red Hat Enterprise Linux for Power, little endian 8
SRPM
unbound-1.16.2-2.el8.src.rpm
SHA-256: b11d1b450a924867e3cf61318b9b897abf167f93183cd58aa85cf514bd9614d1
ppc64le
python3-unbound-1.16.2-2.el8.ppc64le.rpm
SHA-256: 27ec36c7fc299779eb5645b242df881f350b51451f73d69ba23a6c3fc8f56139
python3-unbound-debuginfo-1.16.2-2.el8.ppc64le.rpm
SHA-256: 672c9806f517525d7bd78e3bb20d23cb14ee23aef8ca3fdb437210260464eef4
unbound-1.16.2-2.el8.ppc64le.rpm
SHA-256: 49cb0ef8b20d4ca5a4e6cd230d8644c1da28e602bc9a50c6068e033f23aa4602
unbound-debuginfo-1.16.2-2.el8.ppc64le.rpm
SHA-256: 087e4a963cd113d0d1a1d5e794fd5a0ff92fbfcff569c0e67e23b37e43aa34c9
unbound-debugsource-1.16.2-2.el8.ppc64le.rpm
SHA-256: 009b234d3768e2b25ff80ed158090c214fdb23ee7e5aa3342b014cdde2ed72c2
unbound-devel-1.16.2-2.el8.ppc64le.rpm
SHA-256: b0bd1548b28190a8021b59ed072326b8b81fbe09b904365e5ccf08b1ea5ab131
unbound-libs-1.16.2-2.el8.ppc64le.rpm
SHA-256: 42ac9f15c620994cad59990c0f79aec2dd2b681c7228752d2460181e851f7a7f
unbound-libs-debuginfo-1.16.2-2.el8.ppc64le.rpm
SHA-256: f9fb3955765baa4887fc2ea001fb3f999b6335f0f91e84b096be03eec8b6e1d3
Red Hat Enterprise Linux for ARM 64 8
SRPM
unbound-1.16.2-2.el8.src.rpm
SHA-256: b11d1b450a924867e3cf61318b9b897abf167f93183cd58aa85cf514bd9614d1
aarch64
python3-unbound-1.16.2-2.el8.aarch64.rpm
SHA-256: af66bf2a5fb6127432df7d1ec52317186a6fd9895824a49df7c7f444628d29de
python3-unbound-debuginfo-1.16.2-2.el8.aarch64.rpm
SHA-256: 70787f4141be456b04eb8c2b5a4d0572533a77c0fa3877436e3fffa44bfd8cc2
unbound-1.16.2-2.el8.aarch64.rpm
SHA-256: 6d8810a91a19943c64a906a6d658635df5dcb8edcdea9aa73584c495a9d9405e
unbound-debuginfo-1.16.2-2.el8.aarch64.rpm
SHA-256: fe72a75996ea18e37c6bdc4827360ca632fef03728d41fbcfa1bdd7faeadef07
unbound-debugsource-1.16.2-2.el8.aarch64.rpm
SHA-256: b295a0e05f174c381d960482d4d3f01e4a63a5e1421a5dbd22d472b63f447994
unbound-devel-1.16.2-2.el8.aarch64.rpm
SHA-256: 29a798bf4173136e212545d39eadb9eb66eaa74f3120734e058971ae19cd9303
unbound-libs-1.16.2-2.el8.aarch64.rpm
SHA-256: 8a884932e82faaf20d1214ca6b7bfed8cb7df91b99c926f5149066ab89f9cb93
unbound-libs-debuginfo-1.16.2-2.el8.aarch64.rpm
SHA-256: 402e525d569e4b996e39b72a564a0575bb6c349b67db370c7980b623129fd381
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Red Hat Security Advisory 2024-2045-03 - An update for unbound is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.
Red Hat Security Advisory 2023-0795-01 - Submariner 0.13.3 packages that fix various bugs and add various enhancements that are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.6.
Submariner 0.13.3 packages that fix various bugs and add various enhancements that are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32149: A vulnerability was found in the golang.org/x/text/language package. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse. This issue leads to a denial of service, and can impact availability.
Submariner 0.14 packages that fix various bugs and add various enhancements that are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go ...
Red Hat Security Advisory 2023-0408-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. Issues addressed include denial of service and out of bounds read vulnerabilities.
Red Hat OpenShift Virtualization release 4.12 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2021-44716: golang: net/http: limit growth of header canonicalization cache * CVE-2021-44717: golang: syscall: don't close fd 0 on ForkExec error * CVE-2022-1705: golang: net/http: improper sanitizat...
Gentoo Linux Security Advisory 202212-2 - Multiple vulnerabilities have been discovered in Unbound, the worst of which could result in denial of service. Versions less than 1.16.3 are affected.
Red Hat Security Advisory 2022-8750-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. Issues addressed include denial of service and out of bounds read vulnerabilities.
Red Hat OpenShift Virtualization release 4.11.1 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-24921: golang: regexp: stack exhaustion via a deeply nested expression * CVE-2022-28327: golang: crypto/elliptic: panic caus...
Red Hat Security Advisory 2022-8062-01 - The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.
An update for unbound is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-30698: unbound: novel ghost domain attack that allows attackers to trigger continued resolvability of malicious domain names * CVE-2022-30699: unbound: novel ghost domain attack that allows attackers to trigger continued resolvability of malicious domain names
Red Hat Security Advisory 2022-7622-01 - The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.
Ubuntu Security Notice 5569-1 - Xiang Li discovered that Unbound incorrectly handled delegation caching. A remote attacker could use this issue to keep rogue domain names resolvable long after they have been revoked.
NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a rogue domain name when the cached delegation information is about to expire. The rogue nameserver delays the response so that the cached delegation information is expired. Upon receiving the delayed answer containing the delegation information, Unbound overwrites the now expired entries. This action can be repeated when the delegation information is about to expire making the rogue delegation information ever-updating. From version 1.16.2 on, Unbound stores the start time for a query and uses that to decide if the cached delegation information can be overwritten.
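To make the fixed decision rule concrete, here is an added Python model of a delegation cache (this is illustrative code written for this page, not Unbound's implementation; the class names, the constructed clock values, the zone name `rogue.example` and the exact form of the comparison are assumptions based on the description above). The model keeps the pre-1.16.2 policy, which checks expiry against the time the answer arrives, next to the 1.16.2 policy, which checks expiry against the time the query started, and runs the same delayed-answer timeline through both so a defender can see why only the older policy lets the stale delegation be renewed.

```python
"""Toy model of Unbound's delegation-cache overwrite rule before and after 1.16.2.

Added illustration for this advisory page; not Unbound's code. All times are
seconds on a constructed clock, and the zone/nameserver names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Delegation:
    nameservers: Tuple[str, ...]
    expires_at: float  # absolute time at which the cached NS set expires


class DelegationCache:
    """Caches NS delegations and decides whether an upstream answer may replace one.

    fixed=False models the pre-1.16.2 behaviour described in the CVE text:
    the cached entry is considered expired if it is expired *now*, when the
    (possibly deliberately delayed) answer arrives.

    fixed=True models the 1.16.2 behaviour: the resolver remembers when the
    query started and refuses to overwrite an entry that was still valid at
    that moment, so a delayed answer cannot renew a delegation that it could
    only have been fetched under.
    """

    def __init__(self, fixed: bool) -> None:
        self.fixed = fixed
        self._entries: Dict[str, Delegation] = {}

    def lookup(self, zone: str, now: float) -> Optional[Delegation]:
        entry = self._entries.get(zone)
        if entry is None or entry.expires_at <= now:
            return None  # missing or expired: the zone is no longer resolvable from cache
        return entry

    def store_response(self, zone: str, deleg: Delegation,
                       query_start: float, now: float) -> bool:
        """Store a delegation learned from an answer; return True if the cache changed."""
        cached = self._entries.get(zone)
        if cached is None:
            self._entries[zone] = deleg
            return True
        # Reference point for "was the cached entry still valid?":
        # query start time under the fix, answer arrival time before it.
        reference = query_start if self.fixed else now
        if cached.expires_at > reference:
            return False  # still valid at the reference point: keep the cached entry
        self._entries[zone] = deleg
        return True


def simulate(fixed: bool, query_start: float = 9.0, answer_at: float = 12.0) -> Tuple[bool, bool]:
    """Replay the timeline from the CVE description and report
    (delegation overwritten?, zone still resolvable at t=15?).

    Constructed timeline: the rogue delegation is cached at t=0 with a 10 s TTL,
    a query that relies on it starts at `query_start`, and the rogue nameserver
    delays its answer (carrying the same delegation again) until `answer_at`.
    """
    cache = DelegationCache(fixed=fixed)
    cache.store_response("rogue.example",
                         Delegation(("ns.rogue.example",), expires_at=10.0),
                         query_start=0.0, now=0.0)
    renewed = Delegation(("ns.rogue.example",), expires_at=answer_at + 10.0)
    overwritten = cache.store_response("rogue.example", renewed,
                                       query_start=query_start, now=answer_at)
    resolvable = cache.lookup("rogue.example", now=15.0) is not None
    return overwritten, resolvable


if __name__ == "__main__":
    print("pre-1.16.2 policy:", simulate(fixed=False))   # delayed answer renews the delegation
    print("1.16.2 policy:    ", simulate(fixed=True))    # renewal refused, entry ages out
    print("1.16.2, query after expiry:", simulate(fixed=True, query_start=11.0))
```

The third call shows that the fix does not break normal operation: when the query itself starts after the cached delegation has expired, the answer is a legitimate re-fetch and is stored as before. Only the case where the entry was still valid at query start, and the answer was stalled past expiry, is refused.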