HCE2-SA-2024-0294 Important HCE 2.0 Security Fix(es): The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the "DNSBomb" issue. (CVE-2024-33655) DISPUTE NOTE: this issue does not pose a security risk as it (according to analysis by the original software developer, NLnet Labs) falls within the expected functionality and security controls of the application. Red Hat has made a claim that there is a security risk within Red Hat products. NLnet Labs has no further information about the claim, and suggests that affected Red Hat customers refer to available Red Hat documentation or support channels. ORIGINAL DESCRIPTION: A heap-buffer-overflow flaw was found in the cfg_mark_ports function within Unbound_x27;s config_file.c, which can lead to memory corruption. This issue could allow an attacker with local access to provide specially crafted input, potentially causing the application to crash or allowing arbitrary code execution. This could result in a denial of service or unauthorized actions on the system. (CVE-2024-43168) NLnet Labs Unbound up to and including version 1.21.0 contains a vulnerability when handling replies with very large RRsets that it needs to perform name compression for. Malicious upstreams responses with very large RRsets can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks. The vulnerability can be exploited by a malicious actor querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression which was an unbounded operation that could lock the CPU until the whole packet was complete. Unbound version 1.21.1 introduces a hard limit on the number of name compression calculations it is willing to do per packet. Packets that need more compression will result in semi-compressed packets or truncated packets, even on TCP for huge messages, to avoid locking the CPU for long. This change should not affect normal DNS traffic. (CVE-2024-8508) HCE 2.0 python3-unbound-1.13.2-3.r9.hce2.aarch64.rpm unbound-1.13.2-3.r9.hce2.aarch64.rpm unbound-devel-1.13.2-3.r9.hce2.aarch64.rpm unbound-help-1.13.2-3.r9.hce2.aarch64.rpm unbound-libs-1.13.2-3.r9.hce2.aarch64.rpm python3-unbound-1.13.2-3.r9.hce2.x86_64.rpm unbound-1.13.2-3.r9.hce2.x86_64.rpm unbound-devel-1.13.2-3.r9.hce2.x86_64.rpm unbound-help-1.13.2-3.r9.hce2.x86_64.rpm unbound-libs-1.13.2-3.r9.hce2.x86_64.rpm