Unbound 1.9.5 released

We are pleased to announce the release of version 1.9.5 of the Unbound recursive DNS resolver.

This release is a fix for vulnerability CVE-2019-18934 that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered when all of the below conditions are met:

• unbound was compiled with --enable-ipsecmod support, and
• ipsecmod is enabled and used in the configuration (either in the configuration file or using unbound-control), and
• a domain is part of the ipsecmod-whitelist (if ipsecmod-whitelist is used), and
• unbound receives an A/AAAA query for a domain that has an A/AAAA record(s) and an IPSECKEY record(s) available.

The shell code execution can then happen if either the qname or the gateway field of the IPSECKEY (when gateway type == 3) contain a specially crafted domain name.

We would like to thank X41 D-Sec for notifying us about this vulnerability and OSTIF for sponsoring the Unbound security audit.

For a full list of changes and binary and source packages, see the download page.

Related links:

• Unbound project page
• Directly download the source package
• X41 D-Sec blog post

software update