I have a quick question regarding Debian + PIhole + Unbound
What is your current version of Unbound if you are running Debian + Pi-hole + Unbound?
My Unbound version is 1.13.1-1
This might be a Debian issue and not Pihole, just thought it was odd
I noticed that there was a high-severity CVE advisory for Unbound < 1.19,
so I checked my version of Unbound and it is a few years behind the GitHub releases (currently 1.19.3)
root@pihole:# apt install unbound
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
unbound is already the newest version (1.13.1-1+deb11u2).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
My system is an Intel PC running Debian 11
Pi-hole 5.17.3 + Unbound
lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 11 (bullseye)
Release: 11
Codename: bullseye
unbound (1.13.1-1+deb11u2) bullseye-security; urgency=high
* Non-maintainer upload by the Security Team.
* Address DNSSEC protocol vulnerabilities (Closes: #1063845)
- Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to
exhaust CPU resources and stall DNS resolvers.
- Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
-- Salvatore Bonaccorso <carnil@debian.org> Tue, 13 Feb 2024 21:15:34 +0100
Edit: The linked CVE:
The CVE number for this vulnerability is CVE-2024-1931.
== Summary
Recent versions of Unbound contain a vulnerability that can cause denial
of service by a certain code path that can lead to an infinite loop.
This issue can only be triggered if the non-default option 'ede: yes' is
used, Unbound would reply with attached EDE information on a positive
reply, and the client's buffer size is relatively smaller than the
needed space to include EDE records.
== Affected products
Unbound 1.18.0 up to and including 1.19.1.
== Description
Unbound 1.18.0 introduced a feature that removes EDE records from
responses with size higher than the client's advertised buffer size.
Before removing all the EDE records however, it would try to see if
trimming the extra text fields on those records would result in an
acceptable size while still retaining the EDE codes.
Due to an unchecked condition, the code that trims the text of the EDE
records could loop indefinitely.
This happens when Unbound would reply with attached EDE information on a
positive reply and the client's buffer size is smaller than the needed
space to include EDE records.
This issue can only be triggered when the below condition is met:
* Unbound is configured with 'ede: yes' (non-default).
== Solution
Either disable ede support with 'ede: no' (default configuration), or
download a patched version of Unbound, or apply the patch manually.
+ Downloading patched version
Unbound 1.19.2 is released with the patch
https://nlnetlabs.nl/downloads/unbound/unbound-1.19.2.tar.gz
+ Applying the patch manually
For Unbound 1.18.0 up to and including 1.19.1 the patch is:
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2024-1931.diff
Apply the patch on the Unbound source directory with:
'patch -p1 < patch_CVE-2024-1931.diff'
then run 'make install' to install Unbound.
== Acknowledgments
We would like to thank Fredrik Pettai and Patrik Lundin from SUNET for
notifying us about the issue and working with us to identify the
vulnerability.
When Bullseye was released, the unbound version was 1.13.
Debian never updates to new versions (only security updates are applied), so Bullseye will always use 1.13.
In this case, the code causing the security issue was introduced only in 1.18, so there was no need to release a security update for Bullseye, because version 1.13 wasn't affected by the issue.
Note:
Version 1.19.1-1 was affected by the issue and it was updated to 1.19.2-1 (but this version is not used in your OS version).
You have to expand further than just version 1.13.1. It is that version, but it has patches applied by Debian that contain fixes that were written by Unbound's developers for later versions. That +deb11u2 is shorthand for the number of times that patches have been applied.
So it is version 1.13.1 but not exactly version 1.13.1.
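As an added example (not code from this thread, nor from the Debian or Unbound projects), a small POSIX shell script that performs the checks the replies above describe: it strips the Debian revision from a package version to get the upstream version, tests that against the affected range named in the CVE-2024-1931 advisory, lists the CVEs a Debian changelog says its patches address, and looks for the non-default 'ede: yes' trigger in an unbound.conf. The changelog text is a constructed sample modelled on the bullseye-security entry quoted above; on a live host the inputs come from `dpkg-query -W -f='${Version}' unbound` and `apt changelog unbound`.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian/Unbound. Checks a
# Debian-packaged Unbound against the CVE-2024-1931 advisory: upstream
# version vs. the affected range, CVEs named in the Debian changelog, and
# whether the non-default 'ede: yes' trigger is set.

upstream_version() {                 # "1.13.1-1+deb11u2" -> "1.13.1"
    printf '%s\n' "$1" | sed 's/-.*$//'
}

ver_le() {                           # 0 if $1 <= $2, comparing dotted components
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0; if (p > q) exit 1
        }
        exit 0 }'
}

# Affected range from the advisory: 1.18.0 up to and including 1.19.1.
affected_by_cve_2024_1931() {
    v=$(upstream_version "$1")
    ver_le 1.18.0 "$v" && ver_le "$v" 1.19.1
}

# Print the CVE ids mentioned in changelog text read from stdin, one per line.
cves_in_changelog() {
    grep -oE 'CVE-[0-9][0-9][0-9][0-9]-[0-9]+' | sort -u
}

changelog_fixes_cve() {              # $1 = changelog text, $2 = CVE id
    printf '%s\n' "$1" | cves_in_changelog | grep -qx "$2"
}

ede_enabled() {                      # $1 = unbound.conf text
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ede:[[:space:]]*yes'
}

# Constructed sample changelog, modelled on the bullseye-security entry above.
SAMPLE_CHANGELOG='unbound (1.13.1-1+deb11u2) bullseye-security; urgency=high
  * Address DNSSEC protocol vulnerabilities (Closes: #1063845)
    - Fix CVE-2023-50387, DNSSEC verification complexity can be exploited.
    - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.'

# On a live host: affected_by_cve_2024_1931 "$(dpkg-query -W -f='${Version}' unbound)"
#                 changelog_fixes_cve "$(apt changelog unbound)" CVE-2023-50387
```

For the version in this thread the range check returns non-zero (1.13.1 predates the EDE trimming code), while the changelog check shows the two DNSSEC CVEs that the +deb11u2 upload backported.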