Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
17.7 Legacy Series
»
Upgraded to 17.7.12 and it says unbound-1.6.7_1 is vulnerable
« previous
next »
Print
Pages: [
1
]
Author
Topic: Upgraded to 17.7.12 and it says unbound-1.6.7_1 is vulnerable (Read 6895 times)
comet
Full Member
Posts: 117
Karma: 4
Upgraded to 17.7.12 and it says unbound-1.6.7_1 is vulnerable
«
on:
January 20, 2018, 06:23:14 am »
After doing the upgrade an audit shows this:
***GOT REQUEST TO AUDIT SECURITY***
Fetching vuln.xml.bz2: .......... done
unbound-1.6.7_1 is vulnerable:
unbound -- vulnerability in the processing of wildcard synthesized NSEC records
CVE: CVE-2017-15105
WWW:
https://vuxml.FreeBSD.org/freebsd/8d3bae09-fd28-11e7-95f2-005056925db4.html
1 problem(s) in the installed packages found.
***DONE***
Near the bottom of the page at
https://unbound.net/downloads/CVE-2017-15105.txt
it says that the solution is to download a patched version of Unbound, or apply the patch manually. But I don't know how to do that, or if it's even possible to do that in OPNsense, without causing serious breakage. What would be the best way to fix this without breaking anything, or should I just wait for an upgrade fix?
«
Last Edit: January 20, 2018, 06:32:02 am by comet
»
Logged
I'm a home user of OPNsense, not a networking expert. I'd much appreciate it if you'd keep that in mind if replying to something I posted. Many thanks!
franco
Administrator
Hero Member
Posts: 17672
Karma: 1613
Re: Upgraded to 17.7.12 and it says unbound-1.6.7_1 is vulnerable
«
Reply #1 on:
January 20, 2018, 08:43:05 pm »
Seems to have gone into FreeBSD yesterday, a day after the release of 17.7.12.
We haven't had time to review the next version of Unbound yet, but the ports have been updated this morning, so it's possible to update to the latest version.
# opnsense-code tools ports
# cd /usr/ports/dns/unbound
# make
# make deinstall
# make install
Though it's probably worth checking if you use Unbound at all. It's the default since 17.7 only, and reasons for switching to Dnsmasq are still there. It's also possible to switch to Dnsmasq if that works in your case to side-step the issue.
Without further analysis of the issue, it's not even clear whether it can be triggered on OPNsense. If somebody else can shed more light on it that would be nice.
Long story short: the security audit is a difficult tool.
Cheers,
Franco
Logged
dcol
Hero Member
Posts: 635
Karma: 51
Re: Upgraded to 17.7.12 and it says unbound-1.6.7_1 is vulnerable
«
Reply #2 on:
January 21, 2018, 10:21:35 pm »
Received the same Audit Unbound problem.
Installed Unbound 1.6.8 as per your instructions.
All issues resolved. Thanks
Logged
comet
Full Member
Posts: 117
Karma: 4
Re: Upgraded to 17.7.12 and it says unbound-1.6.7_1 is vulnerable
«
Reply #3 on:
January 22, 2018, 12:17:34 am »
Quote from: franco on January 20, 2018, 08:43:05 pm
# opnsense-code tools ports
# cd /usr/ports/dns/unbound
# make
# make deinstall
# make install
Thanks. But one question, if I do it that way, will that mean that I will need to upgrade unbound manually from now on? Or if a newer version of unbound is available as part of the normal OPNsense version update, will it still install automatically after I do this?
Logged
I'm a home user of OPNsense, not a networking expert. I'd much appreciate it if you'd keep that in mind if replying to something I posted. Many thanks!
franco
Administrator
Hero Member
Posts: 17672
Karma: 1613
Re: Upgraded to 17.7.12 and it says unbound-1.6.7_1 is vulnerable
«
Reply #4 on:
January 22, 2018, 07:16:12 am »
Hi there,
I made sure 18.1 has the latest package. On major upgrades all packages are reinstalled to provide a consistent ABI experience, which worst case would have meant a downgrade of the Unbound package if it wasn't the latest version even if it was manually installed.
In general, though, the method mentioned above is fully compatible with the update mechanism as FreeBSD's package manager does not downgrade packages by default and will only reinstall if options of the package changed or a newer version is available.
Since 18.1 has a delivery window of a week from build to ship, we cannot guarantee that in this particular week we won't have new security patches for its used components.
Cheers,
Franco
Logged
PCServices
Newbie
Posts: 18
Karma: 2
Re: Upgraded to 17.7.12 and it says unbound-1.6.7_1 is vulnerable
«
Reply #5 on:
January 22, 2018, 06:32:52 pm »
I have tried installing 1.6.8 via the terminal but I'm getting an error.
"<SNIP>
:/usr/ports/dns/unbound % make
/!\ ERROR: /!\
Ports Collection support for your FreeBSD version has ended, and no ports are
guaranteed to build on this system. Please upgrade to a supported release.
No support will be provided if you silence this message by defining
ALLOW_UNSUPPORTED_SYSTEM.
*** Error code 1
Stop.
make: stopped in /usr/ports/dns/unbound
<SNIP>"
Please help
Thanks
«
Last Edit: January 22, 2018, 06:40:24 pm by PCServices
»
Logged
franco
Administrator
Hero Member
Posts: 17672
Karma: 1613
Re: Upgraded to 17.7.12 and it says unbound-1.6.7_1 is vulnerable
«
Reply #6 on:
January 22, 2018, 06:57:41 pm »
First of all you need root via su / sudo ... "%" -> "#".
Second of all, I was a little too eager in tools to switch over to 18.1 by default.
Just do this again and it should be fixed:
# opnsense-code tools
For reference:
https://github.com/opnsense/tools/commit/f7ff6eac
Cheers,
Franco
Logged
PCServices
Newbie
Posts: 18
Karma: 2
Re: Upgraded to 17.7.12 and it says unbound-1.6.7_1 is vulnerable
«
Reply #7 on:
January 22, 2018, 07:19:34 pm »
Thanks.
I just tried again and, although it said " 1 file changed, 1 insertion(+), 1 deletion(-)", I got the same error.
I am starting from the root directory.
The commands I'm running are:
sudo opnsense-code tools ports
(entering password)
cd /usr/ports/dns/unbound
make
At that point I get the same error as before error.
Logged
PCServices
Newbie
Posts: 18
Karma: 2
Re: Upgraded to 17.7.12 and it says unbound-1.6.7_1 is vulnerable
«
Reply #8 on:
January 22, 2018, 07:33:55 pm »
Ah, I got it working...
I thought that, once I had used the first sudo command that I had elevated the privilege for subsequent commands. I prefixed all of the commands with sudo & it worked.
Thank you.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
17.7 Legacy Series
»
Upgraded to 17.7.12 and it says unbound-1.6.7_1 is vulnerable