SUSE-SU-2025:20126-1: moderate: Security update for unbound
SLE-UPDATES
null at suse.de
Wed Jun 4 08:48:09 UTC 2025
# Security update for unbound
Announcement ID: SUSE-SU-2025:20126-1
Release Date: 2025-02-13T12:29:03Z
Rating: moderate
References:
* bsc#1231284
Cross-References:
* CVE-2024-8508
CVSS scores:
* CVE-2024-8508 ( SUSE ): 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
* CVE-2024-8508 ( SUSE ): 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
* CVE-2024-8508 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products:
* SUSE Linux Micro 6.0
An update that solves one vulnerability can now be installed.
## Description:
This update for unbound fixes the following issues:
* Update to 1.22.0: Features:
* Add iter-scrub-ns, iter-scrub-cname and max-global-quota configuration options.
* Merge patch to fix for glue that is outside of zone, with `harden-unverified-glue`, from Karthik Umashankar (Microsoft). Enabling this option protects the Unbound resolver against bad glue, that is unverified out of zone glue, by resolving them. It uses the records as last resort if there is no other working glue.
* Add redis-command-timeout: 20 and redis-connect-timeout: 200, that can set the timeout separately for commands and the connection set up to the redis server. If they are not specified, the redis-timeout value is used.
* Log timestamps in ISO8601 format with timezone. This adds the option `log-time-iso: yes` that logs in ISO8601 format.
* DNS over QUIC. This adds `quic-port: 853` and `quic-size: 8m` that enable dnsoverquic, and the counters `num.query.quic` and `mem.quic` in the statistics output. The feature needs to be enabled by compiling with libngtcp2, with `--with-libngtcp2=path` and libngtcp2 needs openssl+quic, pass that with `--with-ssl=path` to compile unbound as well.
Bug Fixes:
* unbound-control-setup hangs while testing for openssl presence starting from version 1.21.0.
* Fix error: "memory exhausted" when defining more than 9994 local-zones.
* Fix documentation for cache_fill_missing function.
* Fix loads of logs: "validation failure: key for validation <domain>. is marked as invalid because of a previous" for non-DNSSEC signed zone.
* Fix that when rpz is applied the message does not get picked up by the validator. That stops validation failures for the message.
* Fix that stub-zone and forward-zone clauses do not exhaust memory for long content.
* Fix to print port number in logs for auth zone transfer activities.
* b.root renumbering.
* Add new IANA trust anchor.
* Fix config file read for dnstap-sample-rate.
* Fix alloc-size and calloc-transposed-args compiler warnings.
* Fix to limit NSEC and NSEC3 TTL when aggressive nsec is enabled (RFC9077).
* Fix dns64 with prefetch that the prefetch is stored in cache.
* Attempt to further fix doh_downstream_buffer_size.tdir flakiness.
* More clear text for prefetch and minimal-responses in the unbound.conf man page.
* Fix cache update when serve-expired is used. Expired records are favored over resolution and validation failures when serve-expired is used.
* Fix negative cache NSEC3 parameter compares for zero length NSEC3 salt.
* Fix unbound-control-setup hangs sometimes depending on the openssl version.
* Fix "Cannot override tcp-upstream and tls-upstream with forward-tcp-upstream and forward-tls-upstream".
* Fix to limit NSEC TTL for messages from cachedb. Fix to limit the prefetch ttl for messages after a CNAME with short TTL.
* Fix to disable detection of quic configured ports when quic is not compiled in.
* Fix harden-unverified-glue for AAAA cache_fill_missing lookups.
* Fix contrib/aaaa-filter-iterator for change in call signature for cache_fill_missing.
* Fix to display warning if quic-port is set but dnsoverquic is not enabled when compiled.
* Fix dnsoverquic to extend the number of streams when one is closed.
* Fix for dnstap with dnscrypt and dnstap without dnsoverquic.
* Fix for dnsoverquic and dnstap to use the correct dnstap environment.
* Update to 1.21.1: Security Fixes:
* CVE-2024-8508: unbounded name compression could lead to denial of service.
(bsc#1231284)
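The 1.22.0 options listed in the feature notes above, assembled into one constructed unbound.conf fragment (an added example, not from the advisory or the Unbound project): it turns on the glue hardening and ISO8601 log timestamps, serves DNS over QUIC on the same port as DNS over TLS, and sets the separate redis timeouts for a cachedb backend. The listener address, certificate paths, redis host and the iter-scrub/quota values are assumptions.

```conf
# Constructed unbound.conf fragment (example only, not shipped with the package).
server:
    interface: 0.0.0.0@853                        # assumed listener: TCP carries DoT, UDP carries DoQ
    tls-service-key: "/etc/unbound/unbound.key"   # assumed paths; QUIC reuses the
    tls-service-pem: "/etc/unbound/unbound.pem"   # same certificate as DNS over TLS
    tls-port: 853
    quic-port: 853                                # new in 1.22.0; only takes effect in a libngtcp2 build
    quic-size: 8m                                 # memory budget for QUIC connections
    harden-unverified-glue: yes                   # resolve out-of-zone glue instead of trusting it blindly
    log-time-iso: yes                             # ISO8601 timestamps with timezone in the log
    iter-scrub-ns: 20                             # new 1.22.0 limits; the values here are assumptions,
    iter-scrub-cname: 10                          # see unbound.conf(5) in the installed package for defaults
    max-global-quota: 200
    module-config: "validator cachedb iterator"   # cachedb must sit between validator and iterator
cachedb:
    backend: "redis"
    redis-server-host: "127.0.0.1"                # assumed redis location
    redis-server-port: 6379
    redis-timeout: 100                            # fallback used when the two options below are unset
    redis-command-timeout: 20                     # new in 1.22.0: per-command timeout (milliseconds)
    redis-connect-timeout: 200                    # new in 1.22.0: connection set-up timeout (milliseconds)
```

Run `unbound-checkconf` against the result before reloading; on a build without libngtcp2 the quic-port setting only produces the warning described in the bug-fix list above.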
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Micro 6.0
zypper in -t patch SUSE-SLE-Micro-6.0-213=1
## Package List:
* SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
* unbound-anchor-debuginfo-1.22.0-1.1
* unbound-debugsource-1.22.0-1.1
* libunbound8-debuginfo-1.22.0-1.1
* libunbound8-1.22.0-1.1
* unbound-anchor-1.22.0-1.1
## References:
* https://www.suse.com/security/cve/CVE-2024-8508.html
* https://bugzilla.suse.com/show_bug.cgi?id=1231284