Ubuntu
unbound package

Assertion failure when unbound generates an empty error reply in response to a query

Bug #788818 reported by Scott Kitterman on 2011-05-26

260

This bug affects 1 person

	Status	Importance	Assigned to
Hardy Backports	Invalid	Undecided	Unassigned
unbound (Ubuntu)	Fix Released	Undecided	Unassigned
Hardy	Invalid	Undecided	Unassigned
Lucid	Fix Released	Medium	Unassigned
Maverick	Fix Released	Medium	Unassigned
Natty	Fix Released	Undecided	Unassigned

Bug Description

Binary package hint: unbound

New upstream release fixes CVE-2011-1922

25 March 2011: Wouter
       - Fix assertion failure when unbound generates an empty error reply
         in response to a query, CVE-2011-1922 VU#531342.
       - release 1.4.10.

Related branches

lp:ubuntu/natty-security/unbound

lp:ubuntu/maverick-security/unbound

lp:ubuntu/lucid-security/unbound

CVE References

2011-1922

Revision history for this message

Scott Kitterman (kitterman) wrote on 2011-05-26:

Hardy is just backports.

security vulnerability:	no → yes
summary:	- +25 March 20Assertion failure when unbound generates an empty error - reply in response to a query + Assertion failure when unbound generates an empty error reply in + response to a query
Changed in unbound (Ubuntu Hardy):
status:	New → Invalid

Revision history for this message

Scott Kitterman (kitterman) wrote on 2011-05-26:

Fixed in oneiric.

unbound (1.4.10-1ubuntu1) oneiric; urgency=low

  * Merge from debian unstable. Remaining changes:
    - Fix build to work with default python other than python2.6
      - Generalize install rule in debian/python-unbound.install
      - Use pyversions -d to determine where to install .so files instead of
        hard coding python2.6
      - Remove hard coded XB-Python-Version: 2.6 from debian/control

-- Scott Kitterman <email address hidden> Thu, 26 May 2011 15:44:54 -0400

unbound (1.4.10-1) unstable; urgency=low

* New upstream release:
- CVE-2011-1922.

-- Robert S. Edmonds <email address hidden> Wed, 25 May 2011 15:48:34 -0700

Changed in unbound (Ubuntu):
status:	New → Fix Committed

Revision history for this message

Scott Kitterman (kitterman) wrote on 2011-05-26:

Upstream patch Edit (556 bytes, text/plain)

The actual upstream change once you filter through all the tool cruft between 1.4.9 and 1.4.10. Also confirmed by looking at the upstream svn. See svn diff -c2419 in http://unbound.nlnetlabs.nl/svn/trunk/ . I may get time for debdiffs later, but here's the basic patch in case someone wants to run with it. It definitely applies to natty and needs investigation for lucid/maverick.

Changed in unbound (Ubuntu Natty):
status:	New → Triaged
Changed in unbound (Ubuntu):
status:	Fix Committed → Fix Released

Revision history for this message

Scott Kitterman (kitterman) wrote on 2011-05-27:

debdiff for Natty.

Revision history for this message

Scott Kitterman (kitterman) wrote on 2011-05-27:

Natty debdiff again Edit (1.5 KiB, text/plain)

Remembered to add the bug number to debian/changelog

Changed in unbound (Ubuntu Natty):
status:	Triaged → Confirmed

Revision history for this message

Scott Kitterman (kitterman) wrote on 2011-05-27:

Testing done for Natty: None - This is the same change to 1.4.9 that upstream made for 1.4.10.

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2011-05-27:

Thanks for the Natty debdiff. Update is building now and will be released today.

Changed in unbound (Ubuntu Natty):
status:	Confirmed → Fix Committed

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2011-05-27:

Unsubscribing ubuntu-security-sponsors for now. Please re-subscribe when another debdiff is attached. Thanks!

Revision history for this message

Launchpad Janitor (janitor) wrote on 2011-05-27:

This bug was fixed in the package unbound - 1.4.9-0ubuntu1.1

---------------
unbound (1.4.9-0ubuntu1.1) natty-security; urgency=high

  * SECURITY UPDATE:
  * References: CVE 2011-1922 (LP: #788818)
  * Add debian/patches/30_cve2011-1922 backported from 1.4.10
-- Scott Kitterman <email address hidden> Fri, 27 May 2011 00:23:21 -0400

Changed in unbound (Ubuntu Natty):
status:	Fix Committed → Fix Released

Revision history for this message

Scott Kitterman (kitterman) wrote on 2011-05-28:

#10

Maverick Debdiff Edit (1.5 KiB, text/plain)

Debdiff for maverick. Untested, but based on code inspection the relevant code is unchanged from the current release so direct backport should do it.

Changed in unbound (Ubuntu Maverick):
status:	New → Confirmed

Revision history for this message

Scott Kitterman (kitterman) wrote on 2011-05-28:

#11

Lucid Debdiff Edit (1.5 KiB, text/plain)

Debdiff for Lucid. Testing: None. Code inspection indicates the relevant code is unchanged and that backporting the upstream fix from 1.4.10 should be OK.

Changed in unbound (Ubuntu Lucid):
status:	New → Confirmed

Revision history for this message

Scott Kitterman (kitterman) wrote on 2011-05-28:

#12

Based on looking at the diff, I don't think this issue is relevant to the version in hardy-backports.

Changed in hardy-backports:
status:	New → Invalid

Micah Gersten (micahg) on 2011-06-01

Changed in unbound (Ubuntu Lucid):
importance:	Undecided → Medium
Changed in unbound (Ubuntu Maverick):
importance:	Undecided → Medium

Revision history for this message

Micah Gersten (micahg) wrote on 2011-06-01:

#13

Debdiffs look good, thanks

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2011-06-08:

#14

Uploaded lucid and maverick to the security ppa. Thanks for the debdiffs!

Changed in unbound (Ubuntu Lucid):
status:	Confirmed → Fix Committed
Changed in unbound (Ubuntu Maverick):
status:	Confirmed → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2011-06-10:

#15

This bug was fixed in the package unbound - 1.4.5-1ubuntu1.1

---------------
unbound (1.4.5-1ubuntu1.1) maverick-security; urgency=low

  * SECURITY UPDATE:
  * References: CVE 2011-1922 (LP: #788818)
  * Add debian/patches/30_cve2011-1922 backported from 1.4.10
-- Scott Kitterman <email address hidden> Sat, 28 May 2011 00:09:20 -0400

Revision history for this message

Launchpad Janitor (janitor) wrote on 2011-06-10:

#16

This bug was fixed in the package unbound - 1.4.1-2ubuntu0.1

---------------
unbound (1.4.1-2ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE:
  * References: CVE 2011-1922 (LP: #788818)
  * Add debian/patches/30_cve2011-1922 backported from 1.4.10
-- Scott Kitterman <email address hidden> Sat, 28 May 2011 08:46:36 -0400

Changed in unbound (Ubuntu Lucid):
status:	Fix Committed → Fix Released
Changed in unbound (Ubuntu Maverick):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntuunbound package

Assertion failure when unbound generates an empty error reply in response to a query

Bug Description

Related branches

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
unbound package