Red Hat Bugzilla – Bug 769068
CVE-2011-4528 CVE-2011-4869 unbound 1.4.13 DNS Server multiple crashes
Last modified: 2015-07-31 02:46:29 EDT
Two vulnerabilities have been reported in Unbound, which can be exploited by malicious people to cause a DoS (Denial of Service).
1) A memory allocation error when processing certain RRs (Resource Records) can be exploited to cause a crash by sending signed duplicate redirecting RRs.
2) An error when processing certain responses for NSEC3-signed zones can be exploited to e.g. cause an assertion error or crash by sending specially crafted responses.
The vulnerabilities are reported in versions prior to 1.4.14.
Update to version 1.4.13p2 and 1.4.14 or apply patches.
Provided and/or discovered by
Reported by the vendor.
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4869 to
the following vulnerability:
validator/val_nsec3.c in Unbound before 1.4.13p2 does not properly
perform proof processing for NSEC3-signed zones, which allows remote
DNS servers to cause a denial of service (daemon crash) via a
malformed response that lacks expected NSEC3 records, a different
vulnerability than CVE-2011-4528.
Also note that unbound 1.4.14 is pending in Fedora and EPEL: https://admin.fedoraproject.org/updates/search/CVE-2011-4528
unbound-1.4.14-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
unbound-1.4.14-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
unbound-1.4.14-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
unbound-1.4.14-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
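A version check against the fixed releases named in this report, as an added example that is not part of the bug report or of Unbound's own code. The function names and the host inventory are hypothetical and constructed; builds older than 1.4.13p2 are marked "review" rather than vulnerable, since the advisory also allows for builds that had the patches applied.

```python
import re

# First fixed release per this report: 1.4.13p2 (1.4.14 also carries the fixes).
FIRST_FIXED = "1.4.13p2"

# major.minor.micro with an optional "pN" patch level. Any other suffix glued
# to the number (for example "rc1") is rejected instead of being guessed at.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?(?![A-Za-z0-9])")


def parse_unbound_version(text):
    """Return (major, minor, micro, patchlevel) from a version or package string.

    Accepts bare versions ("1.4.13p2") and package names such as
    "unbound-1.4.14-1.fc16". A missing "pN" suffix counts as patch level 0.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no recognisable Unbound version in %r" % text)
    major, minor, micro, patch = match.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def is_older_than_fix(text):
    """True when the version predates 1.4.13p2 (numeric, not string, compare)."""
    return parse_unbound_version(text) < parse_unbound_version(FIRST_FIXED)


def triage(inventory):
    """Map each host to 'review', 'fixed' or 'unknown' (unparseable version)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "review" if is_older_than_fix(version) else "fixed"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (host names are made up for illustration).
SAMPLE_INVENTORY = {
    "resolver-a": "unbound-1.4.14-1.fc16",
    "resolver-b": "1.4.13",
    "resolver-c": "1.4.13p2",
    "resolver-d": "1.4.9",
    "resolver-e": "1.4.14rc1",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(host, status)
```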