CVE-2020-10772

NameCVE-2020-10772
DescriptionAn incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020:2414. Vulnerable versions of Unbound could still amplify an incoming query into a large number of queries directed to a target, even with a lower amplification ratio compared to versions of Unbound that shipped before the mentioned erratum. This issue is about the incomplete fix for CVE-2020-12662, and it does not affect upstream versions of Unbound.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
unbound (PTS)jessie, jessie (lts)1.4.22-3+deb8u4fixed
stretch1.6.0-3+deb9u2fixed
buster, buster (lts)1.9.0-2+deb10u5fixed
buster (security)1.9.0-2+deb10u4fixed
bullseye1.13.1-1+deb11u2fixed
bullseye (security)1.13.1-1+deb11u4fixed
bookworm (security), bookworm1.17.1-2+deb12u2fixed
sid, trixie1.22.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
unboundsource(unstable)(not affected)

Notes

- unbound <not-affected> (Red Hat specific regression in backport)
Search for package or bug name: Reporting problems