ALINUX2-SA-2025:0007: unbound security update (Important)

Package updates are available for Alibaba Cloud Linux 2.1903 that fix the following vulnerabilities:

CVE-2023-50387:
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

CVE-2023-50868:
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

aarch64
- unbound-1.6.6-5.1.al7.1.aarch64.rpm → (download)
- unbound-debuginfo-1.6.6-5.1.al7.1.aarch64.rpm → (download)
- unbound-devel-1.6.6-5.1.al7.1.aarch64.rpm → (download)
- unbound-libs-1.6.6-5.1.al7.1.aarch64.rpm → (download)
- unbound-python-1.6.6-5.1.al7.1.aarch64.rpm → (download)
i686
- unbound-1.6.6-5.1.al7.1.i686.rpm → (download)
- unbound-debuginfo-1.6.6-5.1.al7.1.i686.rpm → (download)
- unbound-devel-1.6.6-5.1.al7.1.i686.rpm → (download)
- unbound-libs-1.6.6-5.1.al7.1.i686.rpm → (download)
- unbound-python-1.6.6-5.1.al7.1.i686.rpm → (download)
src
- unbound-1.6.6-5.1.al7.1.src.rpm → (download)
x86_64
- unbound-1.6.6-5.1.al7.1.x86_64.rpm → (download)
- unbound-debuginfo-1.6.6-5.1.al7.1.x86_64.rpm → (download)
- unbound-devel-1.6.6-5.1.al7.1.x86_64.rpm → (download)
- unbound-libs-1.6.6-5.1.al7.1.x86_64.rpm → (download)
- unbound-python-1.6.6-5.1.al7.1.x86_64.rpm → (download)

Alibaba Cloud Linux 2.1903 Security Advisory: ALINUX2-SA-2025:0007

Summary

Severity

Description

References

Updated Packages