This may not affect IPFire.
Versions affected:
BIND * 9.0.0 -> 9.16.46
newest Core 183 has 9.16.45
I can confirm Shaun’s statement because already a year ago Unbound would give you a foam finger for doing that
[SERVFAIL exceeded the maximum number of sends
@cuphi
you might be onto something
Unbound might need an update to 1.19+
Two DNSSEC validation vulnerabilities have been discovered in Unbound:
CVE-2023-50387 (referred here as the KeyTrap vulnerability) and
CVE-2023-50868 (referred here as the NSEC3 vulnerability).
== Summary
=== CVE-2023-50387
Unbound prior to 1.19.1 could be led down a very CPU intensive and time
costly DNSSEC validation path. This could lead to Denial of Service in
trivially orchestrated attacks while validating DNSSEC responses.
=== CVE-2023-50868
Unbound prior to 1.19.1 could be led down a very CPU intensive and time
costly NSEC3 hash calculation path. This could lead to Denial of Service in
trivially orchestrated attacks while validating DNSSEC responses.
== Affected products
Unbound up to and including 1.19.0
https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt
unbound-1.19.1 is currently in testing for Core 184
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=4fb7b188434b69a7dc6c5e40e827f6a8f389a86f
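An added version check, not code from this thread, from IPFire or from NLnet Labs: a POSIX shell script that tests an installed resolver version against the ranges quoted above (Unbound up to and including 1.19.0, from the NLnet Labs advisory; BIND 9.0.0 -> 9.16.46, from the first post, so BIND branches outside that range are reported as not covered by this thread rather than as safe). The `unbound -V` ("Version 1.19.0") and `named -v` ("BIND 9.16.45 (...)") output formats it parses are assumptions about those tools, which is why the version is extracted defensively.

```shell
#!/bin/sh
# Added example (not IPFire's own code): compare Unbound / BIND version strings
# against the affected ranges quoted in the thread.
#   Unbound: affected up to and including 1.19.0 (fixed in 1.19.1)
#   BIND:    affected 9.0.0 -> 9.16.46 as listed in the first post; other branches unknown
# Assumption: "unbound -V" prints "Version X.Y.Z" on its first line and
# "named -v" prints "BIND X.Y.Z (...)"; both are parsed defensively below.

# vercmp A B: prints -1, 0 or 1 for a numeric dotted-version comparison
# (non-digits such as "rc1" are stripped, missing components count as 0)
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        ah=$(printf '%s' "$ah" | tr -cd '0-9'); ah="${ah:-0}"
        bh=$(printf '%s' "$bh" | tr -cd '0-9'); bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then echo -1; return 0; fi
        if [ "$ah" -gt "$bh" ]; then echo 1; return 0; fi
    done
    echo 0
}

# extract_version LINE: first dotted number in a line, e.g. "Version 1.19.0" -> 1.19.0
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p' | sed 's/\.$//' | head -n1
}

# unbound_affected VERSION: exit 0 if below the 1.19.1 fix for
# CVE-2023-50387 / CVE-2023-50868, 1 otherwise
unbound_affected() {
    [ "$(vercmp "$1" 1.19.1)" -lt 0 ]
}

# bind_affected VERSION: exit 0 inside 9.0.0 -> 9.16.46, 1 below or above that
# range within the 9.16 branch, 2 for branches the thread does not cover (>= 9.17)
bind_affected() {
    v="$1"
    if [ "$(vercmp "$v" 9.0.0)" -lt 0 ]; then return 1; fi
    if [ "$(vercmp "$v" 9.17.0)" -ge 0 ]; then return 2; fi
    [ "$(vercmp "$v" 9.16.46)" -le 0 ]
}

# report NAME VERSION: print a one-line verdict; never fails, so it is safe under set -e
report() {
    name="$1"; ver="$2"; rc=0
    case "$name" in
        unbound) unbound_affected "$ver" || rc=$? ;;
        bind)    bind_affected "$ver" || rc=$? ;;
    esac
    case "$rc" in
        0) echo "$name $ver: AFFECTED, update needed" ;;
        1) echo "$name $ver: outside the affected range" ;;
        *) echo "$name $ver: branch not covered by the ranges quoted in the thread" ;;
    esac
}

# Probe the local binaries when present (skipped on hosts without them)
if command -v unbound >/dev/null 2>&1; then
    report unbound "$(extract_version "$(unbound -V 2>/dev/null | head -n1)")"
fi
if command -v named >/dev/null 2>&1; then
    report bind "$(extract_version "$(named -v 2>/dev/null | head -n1)")"
fi
```

On an IPFire box the script can be run as-is after copying it over; on any other host the two functions can be fed a version string directly, e.g. `unbound_affected 1.19.0 && echo affected`.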