Date: Tue, 13 Feb 2024 13:53:26 +0000
From: "Havard Eidnes"
Reply-To: he@netbsd.org
Subject: CVS commit: pkgsrc/net/unbound
To: pkgsrc-changes@NetBSD.org
Message-Id: <20240213135327.0312AF9E9@cvs.NetBSD.org>

Module Name:    pkgsrc
Committed By:   he
Date:           Tue Feb 13 13:53:26 UTC 2024

Modified Files:
        pkgsrc/net/unbound: Makefile distinfo

Log Message:
Update net/unbound to version 1.19.1.

Pkgsrc changes:
 * none, other than checksums.

Upstream changes:

This security release fixes two DNSSEC validation vulnerabilities:
CVE-2023-50387 (referred here as the KeyTrap vulnerability) and
CVE-2023-50868 (referred here as the NSEC3 vulnerability).

The KeyTrap vulnerability works by using a combination of Keys (also
colliding Keys), Signatures and number of RRSETs on a malicious zone.
Answers from that zone can force a DNSSEC validator down a very CPU
intensive and time costly validation path.

The NSEC3 vulnerability uses specially crafted responses on a malicious
zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a very
CPU intensive and time costly NSEC3 hash calculation path.

Both can force Unbound to spend an enormous time (comparative to regular
traffic) validating a single specially crafted DNSSEC response while
everything else is on hold for that thread. A trivially orchestrated
attack could render all threads busy with such responses leading to
denial of service.

From version 1.19.1 on, Unbound introduces suspension on DNSSEC response
validations that seem to require more attempts than Unbound is willing
to make per response validation run. Suspension means that Unbound will
continue with other work before resuming a suspended validation offering
CPU time between validation resumptions to other tasks.
There is a backoff timer when suspending which is further influenced by
the number of suspends already used and the amount of work currently in
Unbound.

The introduced builtin limits in Unbound are:
- Max 4 DNSSEC key collisions are allowed when building chain of trust.
  More than that without a secure key treats the delegation as bogus.
- 8 validation attempts per RRSET (combination of keys + signatures).
  If more are needed and Unbound has yet to find a valid signature the
  RRSET is treated as bogus.
- More than 8 validation attempts per answer will suspend validation.
- 8 NSEC3 hash calculations are allowed before suspension. More than
  that will suspend validation.
- The limit of total suspensions is 16 after which the query will error
  out.

Any completed RRSET validations populate the cache for use in future
queries.

While under attack Unbound could show higher CPU load because of the
needed validations but the suspend strategy would guarantee the CPU is
not locked on any particular validation task.

We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and
Michael Waidner from the German National Research Center for Applied
Cybersecurity ATHENE for discovering and responsibly disclosing the
KeyTrap vulnerability.

We would like to thank Petr Spacek from ISC for discovering and
responsibly disclosing the NSEC3 vulnerability.

Bug Fixes
- Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to
  exhaust CPU resources and stall DNS resolvers.
- Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.


To generate a diff of this commit:
cvs rdiff -u -r1.104 -r1.105 pkgsrc/net/unbound/Makefile
cvs rdiff -u -r1.76 -r1.77 pkgsrc/net/unbound/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
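The five built-in limits and the suspend-and-resume strategy listed in the upstream changelog above, rendered as a small Python model. This is an added illustration written for this page; it is not Unbound's code and is not part of the commit. Every name in it (ValidationRun, RRset, nsec3_hash, hash_candidates, match_ds, keytrap_style_answer, the never_valid and valid_on_eighth oracles) is this example's own; the signature and DS checks are stand-in oracles, the backoff formula is constructed, and the key, signature and owner-name identifiers are constructed sample data. The NSEC3 hash follows RFC 5155 (SHA-1 over name-plus-salt, re-applied per iteration) over a simplified wire encoding of the owner name.

```python
import hashlib
import itertools
from collections import namedtuple
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple

# Built-in limits as listed in the Unbound 1.19.1 release notes.
MAX_KEY_COLLISIONS = 4       # colliding DNSKEYs tried per chain-of-trust step
MAX_ATTEMPTS_PER_RRSET = 8   # (key, signature) pairs tried per RRset
MAX_ATTEMPTS_PER_ANSWER = 8  # attempts per run before the validation suspends
MAX_NSEC3_HASHES = 8         # NSEC3 hashes per run before the validation suspends
MAX_SUSPENSIONS = 16         # after this many suspensions the query errors out

Status = Enum("Status", "SECURE BOGUS ERROR")
# Constructed RRset: candidate DNSKEY identifiers (e.g. keys sharing one tag) and RRSIGs.
RRset = namedtuple("RRset", "name keys sigs")

def nsec3_hash(owner: str, salt: bytes, iterations: int) -> bytes:
    """RFC 5155 NSEC3 hash: SHA-1 over (wire name || salt), re-applied 'iterations' times."""
    labels = owner.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

@dataclass
class ValidationRun:
    # Work budgets for one answer; the per-run counters reset at every suspension.
    verifier: Callable[[str, str, str], bool]  # (rrset name, key, sig) -> signature valid?
    attempts_in_run: int = 0
    hashes_in_run: int = 0
    suspensions: int = 0
    backoffs: List[int] = field(default_factory=list)
    cache: Dict[str, Status] = field(default_factory=dict)

    def _suspend(self, pending: int) -> bool:
        # Hand the thread to other work; False once the suspension budget is spent.
        self.suspensions += 1
        if self.suspensions > MAX_SUSPENSIONS:
            return False
        # Backoff grows with suspensions used and pending work (constructed formula, not Unbound's).
        self.backoffs.append(self.suspensions * (1 + pending))
        self.attempts_in_run = self.hashes_in_run = 0
        return True

    def _charge_attempt(self, pending: int) -> bool:
        # Account one key/signature check, suspending first if the run budget is used up.
        if self.attempts_in_run >= MAX_ATTEMPTS_PER_ANSWER and not self._suspend(pending):
            return False
        self.attempts_in_run += 1
        return True

    def match_ds(self, zone: str, colliding_keys: List[str], ds_matches) -> Status:
        # Chain-of-trust step: at most MAX_KEY_COLLISIONS same-tag keys are tried against the DS.
        for key in colliding_keys[:MAX_KEY_COLLISIONS]:
            if not self._charge_attempt(pending=0):
                return Status.ERROR
            if ds_matches(zone, key):
                return Status.SECURE
        return Status.BOGUS

    def validate_rrset(self, rrset: RRset, pending: int = 0) -> Status:
        if rrset.name in self.cache:  # completed RRset results serve later queries
            return self.cache[rrset.name]
        pairs = itertools.product(rrset.sigs, rrset.keys)  # (sig, key) pairs, in order
        for sig, key in itertools.islice(pairs, MAX_ATTEMPTS_PER_RRSET):
            if not self._charge_attempt(pending):
                return Status.ERROR
            if self.verifier(rrset.name, key, sig):
                self.cache[rrset.name] = Status.SECURE
                return Status.SECURE
        self.cache[rrset.name] = Status.BOGUS  # budget exhausted or no pair verified
        return Status.BOGUS

    def validate_answer(self, rrsets: List[RRset]) -> Status:
        for i, rrset in enumerate(rrsets):
            status = self.validate_rrset(rrset, pending=len(rrsets) - i - 1)
            if status is not Status.SECURE:
                return status
        return Status.SECURE

    def hash_candidates(self, names: List[str], salt: bytes, iterations: int) -> Tuple[Status, List[bytes]]:
        """Closest-encloser search: hash candidate names, suspending every MAX_NSEC3_HASHES."""
        out: List[bytes] = []
        for i, name in enumerate(names):
            if self.hashes_in_run >= MAX_NSEC3_HASHES and not self._suspend(len(names) - i):
                return Status.ERROR, out
            self.hashes_in_run += 1
            out.append(nsec3_hash(name, salt, iterations))
        return Status.SECURE, out

def keytrap_style_answer(n_rrsets: int) -> List[RRset]:
    """Constructed answer: each RRset offers 4 colliding keys x 3 signatures = 12 pairs."""
    return [RRset(f"rr{i}", [f"k{j}" for j in range(4)], [f"s{j}" for j in range(3)])
            for i in range(n_rrsets)]

def never_valid(name: str, key: str, sig: str) -> bool:
    return False  # constructed oracle: no pair ever verifies

def valid_on_eighth(name: str, key: str, sig: str) -> bool:
    return (key, sig) == ("k3", "s1")  # constructed oracle: the 8th pair tried verifies
```

With never_valid, a 12-pair RRset is abandoned as bogus after 8 attempts instead of 12; with valid_on_eighth, an answer of 17 such RRsets completes with exactly 16 suspensions while 20 RRsets trips the suspension limit and errors out, and a second pass over the same answer hits only the cache.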
--_----------=_1707832406243900 Content-Disposition: inline Content-Length: 1569 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/net/unbound/Makefile diff -u pkgsrc/net/unbound/Makefile:1.104 pkgsrc/net/unbound/Makefile:1.105 --- pkgsrc/net/unbound/Makefile:1.104 Tue Jan 30 18:29:20 2024 +++ pkgsrc/net/unbound/Makefile Tue Feb 13 13:53:26 2024 @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.104 2024/01/30 18:29:20 adam Exp $ +# $NetBSD: Makefile,v 1.105 2024/02/13 13:53:26 he Exp $ -DISTNAME= unbound-1.19.0 -PKGREVISION= 2 +DISTNAME= unbound-1.19.1 CATEGORIES= net MASTER_SITES= https://nlnetlabs.nl/downloads/unbound/ Index: pkgsrc/net/unbound/distinfo diff -u pkgsrc/net/unbound/distinfo:1.76 pkgsrc/net/unbound/distinfo:1.77 --- pkgsrc/net/unbound/distinfo:1.76 Thu Nov 9 14:20:53 2023 +++ pkgsrc/net/unbound/distinfo Tue Feb 13 13:53:26 2024 @@ -1,6 +1,6 @@ -$NetBSD: distinfo,v 1.76 2023/11/09 14:20:53 he Exp $ +$NetBSD: distinfo,v 1.77 2024/02/13 13:53:26 he Exp $ -BLAKE2s (unbound-1.19.0.tar.gz) = c43ad21e86e224c4fe8fc7590d9edcc5eb42e583876cb15bb6240d9d5ee71f82 -SHA512 (unbound-1.19.0.tar.gz) = c7df997ab003d098f53ac97ffb4c8428ab28e24573ff21e21782cbeadca42edadeb5b0db53ce954c9ff3106a5edb36eb47109240c554a44d9aac75727b66aeb4 -Size (unbound-1.19.0.tar.gz) = 6336113 bytes +BLAKE2s (unbound-1.19.1.tar.gz) = 99c678716a6e80197f0dd5a51145aaeb39f15e46585f151eed364fd6eb8de89d +SHA512 (unbound-1.19.1.tar.gz) = c81192b70f14a4e289cf738bf6b647cf25b58b1ab11076dee306ff25a530b6a1bbeca71cfa8820d80f48fd843019beb29a68796a1b1fcec6e561dfeccd62d96a +Size (unbound-1.19.1.tar.gz) = 6340435 bytes SHA1 (patch-configure) = fe43ed9fdcfe12897e30f03833aec631d473529d --_----------=_1707832406243900--
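Review bot: the log message says the pkgsrc-side change is "none, other than checksums", but the Makefile hunk also removes `PKGREVISION= 2` alongside the DISTNAME bump from unbound-1.19.0 to unbound-1.19.1. Resetting PKGREVISION on a new upstream version is the expected pkgsrc convention, so no code change is needed, but the log message should mention the PKGREVISION reset so the record matches the diff.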
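Review bot: the distinfo hunk records fresh BLAKE2s, SHA512 and Size values for unbound-1.19.1.tar.gz, but nothing in the commit says how the fetched tarball was authenticated before those digests were regenerated; for a release that fixes two CVEs the log should state that the archive was checked against the release signature NLnet Labs publishes next to the download at MASTER_SITES, not merely re-hashed. The unchanged `SHA1 (patch-configure)` context line also implies the local configure patch is being carried over unmodified; confirm it still applies cleanly to the 1.19.1 configure script.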