Professional OVAL Repository
[Eng]
[Rus]
[Sign-In]
OVAL
Search
Categories
RedCheck
About
OVAL Definitions
OVAL Items
FSTEC Data Bank Information Security Threats
NKCKI
EOL (End Of Life)
Linux Security Advisories
Mozilla Foundation Security Advisory
IBM
VMware
Cisco
Check Point Software Technologies
Apache
Solaris
FreeBSD
Development
GitHub Enterprise
Google Chrome Security Advisories
Oracle Security Advisories
Adobe Security Advisories
OpenSSL Security Advisories
Microsoft
CVE
CWE
CPE
Latest Updates
OS ROSA
ALT Linux
Astra Linux
RED OS
DSA (Debian Security Advisory) Patсh Statistics
DSA (Debian Security Advisory) Patсh Feed
DSA (Debian Security Advisory) Vulnerability Feed
DLA (Debian Security Advisory) Patсh Statistics
DLA (Debian Security Advisory) Patсh Feed
DLA (Debian Security Advisory) Vulnerability Feed
ALT Linux (Security Bulletins) Patсh Statistics
ALT Linux (Security Bulletins) Patсh Feed
ALT Linux (Security Bulletins) Vulnerability Feed
RED OS (Security Bulletins) Patсh Statistics
RED OS (Security Bulletins) Patсh Feed
RED OS (Security Bulletins) Vulnerability Feed
USN (Ubuntu Security Notice) Patсh Statistics
USN (Ubuntu Security Notice) Patсh Feed
USN (Ubuntu Security Notice) Vulnerability Feed
RHSA (RedHat Security Advisory) Patсh Statistics
RHSA (RedHat Security Advisory) Patсh Feed
RHSA (RedHat Security Advisory) Vulnerability Feed
ELSA (Oracle Linux Security Advisory) Patсh Statistics
ELSA (Oracle Linux Security Advisory) Patсh Feed
ELSA (Oracle Linux Security Advisory) Vulnerability Feed
SUSE (SUSE Security Advisories) Patсh Statistics
SUSE (SUSE Security Advisories) Patсh Feed
SUSE (SUSE Security Advisories) Vulnerability Feed
openSUSE (openSUSE Security Advisories) Patсh Statistics
openSUSE (openSUSE Security Advisories) Patсh Feed
openSUSE (openSUSE Security Advisories) Vulnerability Feed
Amazon Linux AMI (Security Bulletins) Patсh Statistics
Amazon Linux AMI (Security Bulletins) Patсh Feed
Amazon Linux AMI (Security Bulletins) Vulnerability Feed
Mageia Linux (Security Bulletins) Patсh Statistics
Mageia Linux (Security Bulletins) Patсh Feed
Mageia Linux (Security Bulletins) Vulnerability Feed
OS ROSA SX COBALT 1.0
OS ROSA DX COBALT 1.0
ROSA 7.3 (Security Advisories) Patсh Statistics
ROSA 7.3 (Security Advisories) Patсh Feed
ROSA 7.3 (Security Advisories) Vulnerability Feed
ALT Linux SPT 6.0
ALT Linux SPT 7.0
ALT 8 SP
ALT 9
Astra Linux SE 1.5
Astra Linux SE 1.6
Astra Linux SE 1.7
Astra Linux SE 1.8
RED OS Murom 7.1
RED OS Murom 7.2
IBM DB2
VMware Vulnerabilities Advisory (VMSA)
VMware vCenter Patch Advisories
VMware ESXi Patch Advisories
VMware NSX Patches
VMware NSX Vulnerabilities
VMware Photon OS 1.0 Patches
VMware Photon OS 1.0 Vulnerabilities
VMware Photon OS 2.0 Patches
VMware Photon OS 2.0 Vulnerabilities
Cisco ASA
Cisco IOS/NX-OS Advisory
Cisco NX-OS Vulnerabilities
Check Point Gaia
Apache Tomcat Advisories
Apache Tomcat Server
Apache HTTP Server
Python
Node.js
RubyGems
Qt
Microsoft Security Bulletin
Microsoft Knowledge Base Article
Microsoft SharePoint
Microsoft SharePoint Foundation 2013
Microsoft SharePoint Server 2013
Microsoft SharePoint Server 2016
About OVALdb
User manual
Pricing
Contact us
OVAL Definitions
>
OVAL Definition Details
Id
oval:com.altx-soft.nix:def:152928
[Rus]
Version
2
Class
patch
ALTXid
355355
Language
English
Severity
Critical
Title
DLA-2652-1 -- unbound1.9 security update
Description
Several security vulnerabilities have been discovered in Unbound, a validating, recursive, caching DNS resolver, by security researchers of X41 D-SEC located in Aachen, Germany. Integer overflows, assertion failures, an out-of-bound write and an infinite loop vulnerability may lead to a denial-of-service or have a negative impact on data confidentiality.
Family
unix
Platform
Debian 9
Product
unbound1.9
Reference
VENDOR: DLA-2652-1
VENDOR: DLA-2652-1
Id:
DLA-2652-1
Reference:
https://lists.debian.org/debian-lts-announce/2021/debian-lts-announce-202105/msg00007.html
CVE: CVE-2019-25031
CVE: CVE-2019-25031
Id:
CVE-2019-25031
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25031
Comment
: Unbound before 1.9.5 allows configuration injection in create_unbound_ad_servers.sh upon a successful man-in-the-middle attack against a cleartext HTTP session. NOTE: The vendor does not consider this a vulnerability of the Unbound software. create_unbound_ad_servers.sh is a contributed script from the community that facilitates automatic configuration creation. It is not part of the Unbound installation
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
PARTIAL
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSSv3 Score:
5.9
Attack vector:
NETWORK
Attack complexity:
HIGH
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
HIGH
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE:
74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'))
References:
https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/ (MISC)
[debian-lts-announce] 20210506 [SECURITY] [DLA 2652-1] unbound1.9 security update (MLIST)
https://security.netapp.com/advisory/ntap-20210507-0007/ (CONFIRM)
CVE: CVE-2019-25032
CVE: CVE-2019-25032
Id:
CVE-2019-25032
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25032
Comment
: Unbound before 1.9.5 allows an integer overflow in the regional allocator via regional_alloc. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited
CVSSv2 Score:
7.5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3 Score:
9.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE:
190 (Integer Overflow or Wraparound)
References:
https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/ (MISC)
[debian-lts-announce] 20210506 [SECURITY] [DLA 2652-1] unbound1.9 security update (MLIST)
https://security.netapp.com/advisory/ntap-20210507-0007/ (CONFIRM)
CVE: CVE-2019-25033
CVE: CVE-2019-25033
Id:
CVE-2019-25033
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25033
Comment
: Unbound before 1.9.5 allows an integer overflow in the regional allocator via the ALIGN_UP macro. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited
CVSSv2 Score:
7.5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3 Score:
9.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE:
190 (Integer Overflow or Wraparound)
References:
https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/ (MISC)
[debian-lts-announce] 20210506 [SECURITY] [DLA 2652-1] unbound1.9 security update (MLIST)
https://security.netapp.com/advisory/ntap-20210507-0007/ (CONFIRM)
CVE: CVE-2019-25034
CVE: CVE-2019-25034
Id:
CVE-2019-25034
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25034
Comment
: Unbound before 1.9.5 allows an integer overflow in sldns_str2wire_dname_buf_origin, leading to an out-of-bounds write. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited
CVSSv2 Score:
7.5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3 Score:
9.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE:
190 (Integer Overflow or Wraparound)
References:
https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/ (MISC)
[debian-lts-announce] 20210506 [SECURITY] [DLA 2652-1] unbound1.9 security update (MLIST)
https://security.netapp.com/advisory/ntap-20210507-0007/ (CONFIRM)
CVE: CVE-2019-25035
CVE: CVE-2019-25035
Id:
CVE-2019-25035
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25035
Comment
: Unbound before 1.9.5 allows an out-of-bounds write in sldns_bget_token_par. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited
CVSSv2 Score:
7.5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3 Score:
9.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE:
787 (Out-of-bounds Write)
References:
https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/ (MISC)
[debian-lts-announce] 20210506 [SECURITY] [DLA 2652-1] unbound1.9 security update (MLIST)
https://security.netapp.com/advisory/ntap-20210507-0007/ (CONFIRM)
CVE: CVE-2019-25036
CVE: CVE-2019-25036
Id:
CVE-2019-25036
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25036
Comment
: Unbound before 1.9.5 allows an assertion failure and denial of service in synth_cname. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited
CVSSv2 Score:
5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3 Score:
7.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE:
617 (Reachable Assertion)
References:
https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/ (MISC)
[debian-lts-announce] 20210506 [SECURITY] [DLA 2652-1] unbound1.9 security update (MLIST)
https://security.netapp.com/advisory/ntap-20210507-0007/ (CONFIRM)
CVE: CVE-2019-25037
CVE: CVE-2019-25037
Id:
CVE-2019-25037
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25037
Comment
: Unbound before 1.9.5 allows an assertion failure and denial of service in dname_pkt_copy via an invalid packet. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited
CVSSv2 Score:
5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3 Score:
7.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE:
617 (Reachable Assertion)
References:
https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/ (MISC)
[debian-lts-announce] 20210506 [SECURITY] [DLA 2652-1] unbound1.9 security update (MLIST)
https://security.netapp.com/advisory/ntap-20210507-0007/ (CONFIRM)
CVE: CVE-2019-25038
CVE: CVE-2019-25038
Id:
CVE-2019-25038
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25038
Comment
: Unbound before 1.9.5 allows an integer overflow in a size calculation in dnscrypt/dnscrypt.c. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited
CVSSv2 Score:
7.5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3 Score:
9.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE:
190 (Integer Overflow or Wraparound)
References:
https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/ (MISC)
[debian-lts-announce] 20210506 [SECURITY] [DLA 2652-1] unbound1.9 security update (MLIST)
https://security.netapp.com/advisory/ntap-20210507-0007/ (CONFIRM)
CVE: CVE-2019-25039
CVE: CVE-2019-25039
Id:
CVE-2019-25039
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25039
Comment
: Unbound before 1.9.5 allows an integer overflow in a size calculation in respip/respip.c. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited
CVSSv2 Score:
7.5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3 Score:
9.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE:
190 (Integer Overflow or Wraparound)
References:
https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/ (MISC)
[debian-lts-announce] 20210506 [SECURITY] [DLA 2652-1] unbound1.9 security update (MLIST)
https://security.netapp.com/advisory/ntap-20210507-0007/ (CONFIRM)
CVE: CVE-2019-25040
CVE: CVE-2019-25040
Id:
CVE-2019-25040
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25040
Comment
: Unbound before 1.9.5 allows an infinite loop via a compressed name in dname_pkt_copy. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited
CVSSv2 Score:
5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3 Score:
7.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE:
835 (Loop with Unreachable Exit Condition ('Infinite Loop'))
References:
https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/ (MISC)
[debian-lts-announce] 20210506 [SECURITY] [DLA 2652-1] unbound1.9 security update (MLIST)
https://security.netapp.com/advisory/ntap-20210507-0007/ (CONFIRM)
CVE: CVE-2019-25041
CVE: CVE-2019-25041
Id:
CVE-2019-25041
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25041
Comment
: Unbound before 1.9.5 allows an assertion failure via a compressed name in dname_pkt_copy. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited
CVSSv2 Score:
5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3 Score:
7.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE:
617 (Reachable Assertion)
References:
https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/ (MISC)
[debian-lts-announce] 20210506 [SECURITY] [DLA 2652-1] unbound1.9 security update (MLIST)
https://security.netapp.com/advisory/ntap-20210507-0007/ (CONFIRM)
CVE: CVE-2019-25042
CVE: CVE-2019-25042
Id:
CVE-2019-25042
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25042
Comment
: Unbound before 1.9.5 allows an out-of-bounds write via a compressed name in rdata_copy. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation cannot be remotely or locally exploited
CVSSv2 Score:
7.5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3 Score:
9.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE:
787 (Out-of-bounds Write)
References:
https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/ (MISC)
[debian-lts-announce] 20210506 [SECURITY] [DLA 2652-1] unbound1.9 security update (MLIST)
https://security.netapp.com/advisory/ntap-20210507-0007/ (CONFIRM)
Content available only for registered users!
ovaldb@altx-soft.com