SOLVED Patch your Unbound DNS servers. CVE-2019-16866
necrevistonnezr last edited by girish
You can craft a query to crash any Unbound server prior to version 1.9.4.
This impacts not only Unbound servers, but a huge number of downstream services that use Unbound as a dependency for secure services. (Think Let's Encrypt)
This bug was found as a result of the ongoing audit of Unbound by us (OSTIF) and X41 D-sec. A more detailed report on the audit and the fixes will be available soon as we wrap things up.
@necrevistonnezr Thanks, good to know. Will keep an eye out for the Ubuntu update. Cloudron is not at risk because we only use it internally (it is not exposed via a public port). We also don't use NOTIFY queries (these are zone change notifications across DNS servers), as we use Unbound as a recursive resolver and nothing more.
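The two checks discussed in this thread (is the version older than 1.9.4, and is the resolver listening on anything other than loopback), as an added example that is not part of either post. The function names and sample inputs are constructed; distribution packages can backport a fix without changing the upstream version number, so a version match is a prompt to check the package changelog.

```shell
#!/bin/sh
# Added example, not from the thread. FIXED is the version the post names.
FIXED="1.9.4"

# Return 0 if upstream version $1 is older than $FIXED, 1 if not, 2 if unparseable.
version_is_affected() {
    v=${1%%[!0-9.]*}              # drop suffixes such as "-1ubuntu2" or "rc1"
    [ -n "$v" ] || return 2
    oldifs=$IFS; IFS=.
    set -- $v;     a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $FIXED; b1=$1; b2=$2; b3=$3
    IFS=$oldifs
    # Compare major, then minor, then patch as integers (so 1.10.0 > 1.9.4).
    [ "$a1" -ne "$b1" ] && { [ "$a1" -lt "$b1" ]; return; }
    [ "$a2" -ne "$b2" ] && { [ "$a2" -lt "$b2" ]; return; }
    [ "$a3" -lt "$b3" ]
}

# Read unbound.conf text on stdin and print every "interface:" value that is
# not a loopback address. No output means only loopback listeners were found
# (no interface lines at all is Unbound's default of localhost only).
# Simplification: include files and interface-automatic are not examined.
nonlocal_interfaces() {
    sed -n 's/^[[:space:]]*interface:[[:space:]]*\([^[:space:]#]*\).*/\1/p' |
        grep -Ev '^(127\.|::1(@|$)|localhost)' || true
}

# Constructed sample config; 192.0.2.53 is a documentation (TEST-NET-1) address.
SAMPLE_CONF='server:
    interface: 127.0.0.1
    interface: 192.0.2.53@53   # reachable from other hosts
'

# Constructed version strings, in the form a package manager might report them.
for ver in 1.9.3-1ubuntu2 1.9.4 1.10.0; do
    if version_is_affected "$ver"; then
        echo "$ver: older than $FIXED, check for a patched package"
    else
        echo "$ver: not older than $FIXED"
    fi
done
echo "non-loopback listeners in sample config:"
printf '%s' "$SAMPLE_CONF" | nonlocal_interfaces
```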