Current Debian Unbound version

I have a quick question regarding Debian + Pi-hole + Unbound.

What is your current version of Unbound if you are running Debian + Pi-hole + Unbound?

My Unbound version is 1.13.1-1

This might be a Debian issue and not Pihole, just thought it was odd

I noticed that there was a high-severity advisory CVE for Unbound < 1.19,

so I checked my version of Unbound and it is a few years behind the GitHub releases, currently 1.19.3.

root@pihole:# apt install unbound
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
unbound is already the newest version (1.13.1-1+deb11u2).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

My system is an Intel PC running Debian 11
Pi-hole 5.17.3 + Unbound

lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye

This could be the latest version available?

Package: unbound (1.13.1-1+deb11u2) [security]

unbound (1.13.1-1+deb11u2) bullseye-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Address DNSSEC protocol vulnerabilities (Closes: #1063845)
    - Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to
      exhaust CPU resources and stall DNS resolvers.
    - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.

 -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 13 Feb 2024 21:15:34 +0100

Edit: The linked CVE:

The CVE number for this vulnerability is CVE-2024-1931.

== Summary
Recent versions of Unbound contain a vulnerability that can cause denial
of service by a certain code path that can lead to an infinite loop.
This issue can only be triggered if the non-default option 'ede: yes' is
used, Unbound would reply with attached EDE information on a positive
reply, and the client's buffer size is relatively smaller than the
needed space to include EDE records.

== Affected products
Unbound 1.18.0 up to and including 1.19.1.

== Description
Unbound 1.18.0 introduced a feature that removes EDE records from
responses with size higher than the client's advertised buffer size.
Before removing all the EDE records however, it would try to see if
trimming the extra text fields on those records would result in an
acceptable size while still retaining the EDE codes.
Due to an unchecked condition, the code that trims the text of the EDE
records could loop indefinitely.
This happens when Unbound would reply with attached EDE information on a
positive reply and the client's buffer size is smaller than the needed
space to include EDE records.

This issue can only be triggered when the below condition is met:
* Unbound is configured with 'ede: yes' (non-default).

== Solution
Either disable ede support with 'ede: no' (default configuration), or
download a patched version of Unbound, or apply the patch manually.

+ Downloading patched version
Unbound 1.19.2 is released with the patch
https://nlnetlabs.nl/downloads/unbound/unbound-1.19.2.tar.gz

+ Applying the patch manually
For Unbound 1.18.0 up to and including 1.19.1 the patch is:
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2024-1931.diff

Apply the patch on the Unbound source directory with:
'patch -p1 < patch_CVE-2024-1931.diff'
then run 'make install' to install Unbound.

== Acknowledgments
We would like to thank Fredrik Pettai and Patrik Lundin from SUNET for
notifying us about the issue and working with us to identify the
vulnerability.

Just to make it clear:

Version 1.13.1-1+deb11u2 also fixed the security issue (see here).

Details can be found at
https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt

For the oldstable distribution (bullseye), these problems have been fixed
in version 1.13.1-1+deb11u2.

For the stable distribution (bookworm), these problems have been fixed in
version 1.17.1-2+deb12u2.

Reference: [SECURITY] [DSA 5620-1] unbound security update

Those fixed the DNSSEC CVEs; the OP linked to a CVE involving EDE information.

I think this CVE is also fixed:
https://security-tracker.debian.org/tracker/CVE-2024-1931


Ah, because none of the released versions were affected by CVE-2024-1931

NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 contain a vulnerability that can cause denial of service


If I got it right, Version 1.13.1 is pretty much the version everyone is using and the affected versions 1.18+ are just an unstable version.

Apparently you are using Debian Bullseye.

When Bullseye was released, the unbound version was 1.13.
Debian never updates to new versions (only security updates are applied), so Bullseye will always use 1.13.

In this case, the code causing the security issue was introduced only in 1.18, so there was no need to release a security update for Bullseye, because version 1.13 wasn't affected by the issue.

Note:
Version 1.19.1-1 was affected by the issue and it was updated to 1.19.2-1 (but this version is not used in your OS version).

You have to expand further than just version 1.13.1. It is that version, but it has patches applied by Debian that contain fixes that were written by Unbound's developers for later versions. That +deb11u2 is shorthand for the number of times that patches have been applied.

So it is version 1.13.1 but not exactly version 1.13.1.
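The replies above boil down to three checks a Pi-hole admin can run on a Debian host: split the package version into its upstream part and Debian revision, confirm the DSA changelog names the DNSSEC CVEs, and confirm that CVE-2024-1931 cannot apply (upstream outside 1.18.0 to 1.19.1, or `ede: yes` not set). The script below is an added example, not code from this thread or from the Unbound or Debian projects. The version string, changelog excerpt and the two config fragments are constructed stand-ins for what `dpkg-query -W -f '${Version}' unbound`, `apt changelog unbound` and the files under /etc/unbound/unbound.conf.d/ would give on a real host, so the script runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example: triage an Unbound package the way the replies in the thread
# describe. All inputs are constructed inline so the script runs offline.

# Constructed stand-in for: dpkg-query -W -f '${Version}' unbound
SAMPLE_VERSION='1.13.1-1+deb11u2'

# Constructed excerpt of: apt changelog unbound (mirrors the DSA entry quoted above)
SAMPLE_CHANGELOG='unbound (1.13.1-1+deb11u2) bullseye-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Address DNSSEC protocol vulnerabilities (Closes: #1063845)
    - Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to
      exhaust CPU resources and stall DNS resolvers.
    - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
'

# Constructed unbound.conf fragments: one with the non-default option that
# CVE-2024-1931 requires, one with the default (ede off).
SAMPLE_CONF_EDE_ON='server:
    interface: 127.0.0.1
    ede: yes
'
SAMPLE_CONF_DEFAULT='server:
    interface: 127.0.0.1
'

# upstream_version "1:1.13.1-1+deb11u2" -> "1.13.1"
# Debian versions are [epoch:]upstream[-debian_revision]; the revision follows
# the last hyphen, so drop an optional epoch and everything after that hyphen.
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-[^-]*$//'
}

# debian_revision "1.13.1-1+deb11u2" -> "1+deb11u2" (empty for native packages)
debian_revision() {
    case "$1" in
        *-*) printf '%s\n' "${1##*-}" ;;
        *)   printf '\n' ;;
    esac
}

# changelog_fixes CHANGELOG_TEXT CVE-ID -> exit 0 if the changelog names the CVE
changelog_fixes() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

# ede_enabled CONF_TEXT -> exit 0 if an uncommented "ede: yes" line is present
ede_enabled() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*ede:[[:space:]]*yes'
}

# vercmp A B -> prints -1, 0 or 1 for dotted numeric versions (1.19.1 vs 1.19.2)
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# affected_by_cve_2024_1931 PKG_VERSION CONF_TEXT -> exit 0 only when both
# conditions from the advisory hold: upstream in [1.18.0, 1.19.1] AND ede: yes.
affected_by_cve_2024_1931() {
    up=$(upstream_version "$1")
    [ "$(vercmp "$up" 1.18.0)" -ge 0 ] && [ "$(vercmp "$up" 1.19.1)" -le 0 ] \
        && ede_enabled "$2"
}

# triage PKG_VERSION CHANGELOG_TEXT CONF_TEXT -> prints one verdict per check
triage() {
    printf 'upstream %s, Debian revision %s\n' \
        "$(upstream_version "$1")" "$(debian_revision "$1")"
    for cve in CVE-2023-50387 CVE-2023-50868; do
        if changelog_fixes "$2" "$cve"; then
            echo "$cve: fixed according to the package changelog"
        else
            echo "$cve: not mentioned in the package changelog"
        fi
    done
    if affected_by_cve_2024_1931 "$1" "$3"; then
        echo "CVE-2024-1931: AFFECTED (vulnerable upstream range and ede: yes)"
    else
        echo "CVE-2024-1931: not affected"
    fi
}

triage "$SAMPLE_VERSION" "$SAMPLE_CHANGELOG" "$SAMPLE_CONF_EDE_ON"
```

On a live host, replace the constructed inputs with the real commands named in the lead-in; `unbound-checkconf -o ede` prints the effective value of the option if you would rather not grep the config tree. The version comparison treats only dotted numeric upstream versions, which is enough for Unbound's release numbering.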

Thank you for the detailed explanation.

Isn't Bullseye the most current stable release?

My understanding was Bookworm came out last summer and wasn't widely supported until recently.

Thank you for explaining that in detail

Isn't Bullseye the most current stable release?

No.
The most recent stable version is Debian 12 - Bookworm (released on June 10, 2023) and I think it's widely supported.


https://www.debian.org/releases/

