Unbound before 1.9.5 allows configuration injection in create_unbound_ad_servers.sh upon a successful man-in-the-middle attack against a cleartext HTTP session. Reference: https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/
what is the point of creating these old issues?
External References: https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/
In reply to comment #1: > what is the point of creating these old issues? As said elsewhere, these are about the flaws in general, so not really specific to Fedora. That said... I agree these were probably not necessary because all these issues were part of an audit report that is very old and together with the author of the audit (x41) and NLNet Labs (CNA for Unbound) we chose to not consider these CVE-worthy. Reason for that was that most of these old issues could not really be triggered during regular usage and were more of an hardening than real vulnerabilities. Apparently someone assigned CVEs to these issues anyway, one year later. NLNet Labs has been notified of these CVEs and we'll see what they want to do with these.
Upstream patch: https://github.com/NLnetLabs/unbound/commit/f887552763477a606a9608b0f6b498685e0f6587
Statement: This issue did not affect the versions of unbound as shipped with Red Hat Enterprise Linux 7, and 8 as they did not include the vulnerable script create_unbound_ad_servers.sh.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-25031