This script is Copyright (C) 2015 Tenable Network Security, Inc.
The remote Scientific Linux host is missing one or more security
A denial of service flaw was found in unbound that an attacker could
use to trick the unbound resolver into following an endless loop of
delegations, consuming an excessive amount of resources.
This update also fixes the following bugs :
- Prior to this update, there was a mistake in the time
configuration in the cron job invoking unbound-anchor to
update the root zone key. Consequently, unbound-anchor
was invoked once a month instead of every day, thus not
complying with RFC 5011. The cron job has been replaced
with a systemd timer unit that is invoked on a daily
basis. Now, the root zone key validity is checked daily
at a random time within a 24-hour window, and compliance
with RFC 5011 is ensured.
- Previously, the unbound packages were installing their
configuration file for the systemd-tmpfiles utility into
the /etc/tmpfiles.d/ directory. As a consequence,
changes to unbound made by the administrator in
/etc/tmpfiles.d/ could be overwritten on package
reinstallation or update. To fix this bug, unbound has
been amended to install the configuration file into the
/usr/lib/tmpfiles.d/ directory. As a result, the system
administrator's configuration in /etc/tmpfiles.d/ is
preserved, including any changes, on package
reinstallation or update.
- The unbound server default configuration included
validation of DNS records using the DNSSEC Look-aside
Validation (DLV) registry. The Internet Systems
Consortium (ISC) plans to deprecate the DLV registry
service as no longer needed, so the extra DLV lookups
only added unnecessary steps to validation. Therefore,
the use of the DLV registry has been removed from the
unbound server default configuration. Now, unbound does
not try to validate DNS records using the DLV registry.
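The three bug fixes above each change something an administrator can verify after the update: no active DLV directive in unbound.conf, the package's tmpfiles snippet living in /usr/lib/tmpfiles.d rather than /etc/tmpfiles.d, and a systemd timer that runs unbound-anchor daily with a random delay. The script below is an added example (not code from the advisory, Tenable, or the unbound project) that performs those checks against a constructed sample tree under a temporary root so it runs offline; the trust-anchor path, DLV key path, tmpfiles snippet contents and the timer unit name unbound-anchor.timer are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example: post-update checks for the three unbound fixes. Runs against
# constructed sample files in a temporary root; file paths and the timer unit
# name are assumptions for illustration.
set -e

# 1. DLV: return 0 when no active (uncommented) dlv-anchor directive remains.
unbound_dlv_disabled() {
    if grep -Eq '^[[:space:]]*dlv-anchor(-file)?:' "$1"; then
        return 1
    fi
    return 0
}

# 2. tmpfiles.d: print the snippet systemd-tmpfiles will actually use.
#    A snippet in /etc/tmpfiles.d overrides one with the same basename in
#    /usr/lib/tmpfiles.d, which is why the package must ship its copy in
#    /usr/lib and leave /etc to the administrator. $1 is a root prefix.
unbound_tmpfiles_effective() {
    root="$1"
    if [ -e "$root/etc/tmpfiles.d/unbound.conf" ]; then
        echo "$root/etc/tmpfiles.d/unbound.conf"
    elif [ -e "$root/usr/lib/tmpfiles.d/unbound.conf" ]; then
        echo "$root/usr/lib/tmpfiles.d/unbound.conf"
    else
        return 1
    fi
}

# 3. RFC 5011: return 0 when the timer fires daily with a randomized delay,
#    the behaviour the advisory describes for the cron job's replacement.
unbound_anchor_timer_daily() {
    grep -Eq '^OnCalendar=daily$' "$1" || return 1
    grep -Eq '^RandomizedDelaySec=' "$1" || return 1
}

# Constructed sample tree (not a real host).
SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/etc/unbound" "$SAMPLE_ROOT/usr/lib/tmpfiles.d" \
         "$SAMPLE_ROOT/etc/tmpfiles.d" "$SAMPLE_ROOT/usr/lib/systemd/system"

# Pre-update style config: DLV still active (constructed).
cat > "$SAMPLE_ROOT/etc/unbound/unbound.conf.old" <<'EOF'
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
EOF

# Post-update style config: DLV directive commented out (constructed).
cat > "$SAMPLE_ROOT/etc/unbound/unbound.conf" <<'EOF'
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
EOF

# Package-owned tmpfiles snippet in /usr/lib; /etc left to the admin.
printf 'd /run/unbound 0755 unbound unbound -\n' \
    > "$SAMPLE_ROOT/usr/lib/tmpfiles.d/unbound.conf"

# Timer unit approximating the one described: daily, random offset up to 24h.
cat > "$SAMPLE_ROOT/usr/lib/systemd/system/unbound-anchor.timer" <<'EOF'
[Unit]
Description=daily update of the root trust anchor for DNSSEC

[Timer]
OnCalendar=daily
RandomizedDelaySec=24h
Persistent=true

[Install]
WantedBy=timers.target
EOF

# Summary; on a real host point the functions at / and the live files instead.
if unbound_dlv_disabled "$SAMPLE_ROOT/etc/unbound/unbound.conf"; then
    echo "unbound.conf: no active DLV directive"
else
    echo "unbound.conf: DLV still configured"
fi
echo "effective tmpfiles snippet: $(unbound_tmpfiles_effective "$SAMPLE_ROOT")"
if unbound_anchor_timer_daily "$SAMPLE_ROOT/usr/lib/systemd/system/unbound-anchor.timer"; then
    echo "unbound-anchor.timer: daily with randomized delay"
else
    echo "unbound-anchor.timer: not daily or no RandomizedDelaySec"
fi
```

On a live host, pair these checks with `unbound-checkconf` (to confirm the edited configuration still parses) and `systemctl list-timers` (to confirm the timer is actually enabled and scheduled); the functions here only inspect file contents.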
See also :
Update the affected packages.
Risk factor :
Medium / CVSS Base Score : 4.3