Upgraded to 17.7.12 and it says unbound-1.6.7_1 is vulnerable

[comet]

After doing the upgrade an audit shows this:

***GOT REQUEST TO AUDIT SECURITY***
Fetching vuln.xml.bz2: .......... done
unbound-1.6.7_1 is vulnerable:
unbound -- vulnerability in the processing of wildcard synthesized NSEC records
CVE: CVE-2017-15105
WWW: https://vuxml.FreeBSD.org/freebsd/8d3bae09-fd28-11e7-95f2-005056925db4.html

1 problem(s) in the installed packages found.
***DONE***

Near the bottom of the page at https://unbound.net/downloads/CVE-2017-15105.txt it says that the solution is to download a patched version of Unbound, or apply the patch manually.  But I don't know how to do that, or if it's even possible to do that in OPNsense, without causing serious breakage.  What would be the best way to fix this without breaking anything, or should I just wait for an upgrade fix?

[franco]

Seems to have gone into FreeBSD yesterday, a day after the release of 17.7.12.

We haven't had time to review the next version of Unbound yet, but the ports have been updated this morning, so it's possible to update to the latest version.

# opnsense-code tools ports
# cd /usr/ports/dns/unbound
# make
# make deinstall
# make install

Though it's probably worth checking if you use Unbound at all. It's the default since 17.7 only, and reasons for switching to Dnsmasq are still there. It's also possible to switch to Dnsmasq if that works in your case to side-step the issue.

Without further analysis of the issue, it's not even clear whether it can be triggered on OPNsense. If somebody else can shed more light on it that would be nice.

Long story short: the security audit is a difficult tool.


Cheers,
Franco

[dcol]

Received the same Audit Unbound problem.

Installed Unbound 1.6.8 as per your instructions.

All issues resolved. Thanks

[comet]

# opnsense-code tools ports
# cd /usr/ports/dns/unbound
# make
# make deinstall
# make install

Thanks.  But one question, if I do it that way, will that mean that I will need to upgrade unbound manually from now on?  Or if a newer version of unbound is available as part of the normal OPNsense version update, will it still install automatically after I do this?

[franco]

Hi there,

I made sure 18.1 has the latest package. On major upgrades all packages are reinstalled to provide a consistent ABI experience, which worst case would have meant a downgrade of the Unbound package if it wasn't the latest version even if it was manually installed.

In general, though, the method mentioned above is fully compatible with the update mechanism as FreeBSD's package manager does not downgrade packages by default and will only reinstall if options of the package changed or a newer version is available.

Since 18.1 has a delivery window of a week from build to ship, we cannot guarantee that in this particular week we won't have new security patches for its used components.


Cheers,
Franco

[PCServices]

I have tried installing 1.6.8 via the terminal but I'm getting an error.

"<SNIP>
:/usr/ports/dns/unbound % make
/!\ ERROR: /!\

Ports Collection support for your FreeBSD version has ended, and no ports are
guaranteed to build on this system. Please upgrade to a supported release.

No support will be provided if you silence this message by defining
ALLOW_UNSUPPORTED_SYSTEM.

*** Error code 1

Stop.
make: stopped in /usr/ports/dns/unbound
<SNIP>"

Please help

Thanks

[franco]

First of all you need root via su / sudo ... "%" -> "#".

Second of all, I was a little too eager in tools to switch over to 18.1 by default.

Just do this again and it should be fixed:

# opnsense-code tools

For reference:

https://github.com/opnsense/tools/commit/f7ff6eac


Cheers,
Franco

[PCServices]

Thanks. 

I just tried again and, although it said " 1 file changed, 1 insertion(+), 1 deletion(-)", I got the same error.

I am starting from the root directory.

The commands I'm running are:
sudo opnsense-code tools ports
(entering password)
cd /usr/ports/dns/unbound
make

At that point I get the same error as before error.

[PCServices]

Ah, I got it working...

I thought that, once I had used the first sudo command that I had elevated the privilege for subsequent commands. I prefixed all of the commands with sudo & it worked.

Thank you.