CVE-2017-15105

Name: CVE-2017-15105
Description: A flaw was found in the way unbound before 1.6.8 validated wildcard-synthesized NSEC records. An improperly validated wildcard NSEC record could be used to prove the non-existence (NXDOMAIN answer) of an existing wildcard record, or trick unbound into accepting a NODATA proof.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1264-1
NVD severity: medium (attack range: remote)
Debian Bugs: 887733

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| unbound (PTS) | jessie | 1.4.22-3+deb8u3 | vulnerable |
| unbound | stretch | 1.6.0-3+deb9u1 | vulnerable |
| unbound | buster, sid | 1.7.3-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| unbound | source | (unstable) | 1.7.1-1 | medium | | 887733 |
| unbound | source | wheezy | 1.4.17-3+deb7u3 | medium | DLA-1264-1 | |

Notes

[stretch] - unbound <no-dsa> (Minor issue, can be fixed via point release)
[jessie] - unbound <no-dsa> (Minor issue, can be fixed via point release)
https://unbound.net/downloads/CVE-2017-15105.txt
https://unbound.net/downloads/patch_cve_2017_15105.diff
