DNSSEC vulnerabilities #40
Comments
@aleksanderbl29 please update Unbound and PiHole. Looks like there is a new version of Unbound and PiHole FTL v5.25 |
Thank you for bringing this to my attention. A new release is on the way - will be on dockerhub shortly |
Please let me know if you experience any issues |
Thanks! Upgraded and so far so good. |
Unbound is still on 1.17.1
…On Wed, Feb 14, 2024, 10:32 PM Aleksander Bang-Larsen < ***@***.***> wrote:
A new release is on the way - will be on dockerhub shortly
Please let me know if you experience any issues
|
The Dockerfile is installing Unbound using the command below: And the unbound Debian bullseye-backport package hasn't been updated yet. Here's the tracking page for unbound |
I will change the install method so that the image uses the bookworm-repo and then I will update this image when 1.19.1 is pushed to this tag. It seems to currently be in the unstable sid channel which I will not base the image on |
I have now published dev-pr-45-2024-02-18 that has unbound version 1.19.1 installed. You are all free to use it until it ships with the latest version of the image |
Awesome, thanks for the update!
…On Sun, Feb 18, 2024, 2:10 PM Aleksander Bang-Larsen < ***@***.***> wrote:
I have now published dev-pr-45-2024-02-18
<https://hub.docker.com/layers/aleksanderbl/pihole-unbound/dev-pr-45-2024-02-18/images/sha256-a1dffb4cc7208d2868f7efc6afa36dcca4bfa93daf277a673f517549775f2b37?context=explore>
that has unbound version 1.19.1 installed. You are all free to use it until
it ships with the *latest* version of the image
|
I have now updated the underlying image to pihole:2024.02.2. The appropriate image is now dev-45-2024-02-28. |
Thanks for all of your efforts! I deployed dev-45 shortly after you posted it yesterday. No issues to report. |
I have now updated the base image to 2024.03.02. You can pull the new version of tag dev-45 or use tag dev-45-2024-04-04 |
Got an error with version dev-45-2024-04-04:
No problems with the previous version dev-45-2024-02-28 or the latest 2024.03.02. |
I can't seem to reproduce the error. |
Sorry, I was a bit hurried earlier in posting the log. That is the complete log:
Note that my configuration is quite customized, but aside from the workaround to avoid the "attempt to write a readonly database" error that affects every one of my pihole installations on Raspberry Pi 5 and the fact that I use Pi-Hole as a DHCP server for my LAN (so I'm forced to use dhcphelper as a dhcp relay), the rest is pretty standard. The strange thing is that it is only the latest dev-45 version that does not work and returns the error given above.
|
I have tried multiple times with different images and can't get this error to show. Can you try building the image locally from the dockerfile? |
I think that the problem does not depend on your Unbound implementation, but on something introduced in Sid that clashes with my configuration. I ran a few tests: Host: Raspberry Pi 5 (arm64) with Raspberry OS Lite (Bookworm).
No errors are reported during the build other than the ones below, which are present in all versions (eg. from image based on Debian Sid):
Then I realized that with the Debian Sid-based image, I had this warning when starting the container:
while normally it should appear similar to the following:
A little search led me to pi-hole/docker-pi-hole#963 and a number of similar comments in the Pi-Hole GitHub repo. I wasn't able to solve it 100%, but I made some progress by playing with the DNSMASQ_USER, PIHOLE_UID/GID and WEB_UID/GID envs values. Waiting to find a final fix I am using the local build with Debian testing. |
Looks like you're on the right track. Now that unbound 1.19.1 is in the trixie distribution I will let the image use that instead. I figure that it would be marginally more stable than the absolute cutting edge. The new image will be published tonight |
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution! Please read this blog post to see the reasons why I mark issues as stale. |
Is there any update to updating to the latest version of unbound? I just tried |
Hi @aqtoo |
Thanks for replying, I'll try when home, is Lemme know if you can! I'm just double checking. |
I have just updated the image to use Thanks for noticing |
No problem, thanks for updating! |
@aleksanderbl29 any update on the new |
Oh sorry. Looks like the build with the updated image failed. I will take a look at it tomorrow before lunch. |
Much thanks, just thought I'd let you know. |
Quick update. Here are the errors if anyone has any ideas.
|
The security cases which refer to this are CVE-2023-50387 and CVE-2023-50868. Both vulnerabilities are remotely exploitable and rated “high” severity. But Unbound 1.19.1 fixes these
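
A version gate for the image, as an added example that is not part of the thread or the project's Dockerfile: it parses `unbound -V` output and fails unless the version is at least 1.19.1, the release the issue names as fixing CVE-2023-50387 and CVE-2023-50868. The function names, the sample output and the assumption that the first line reads `Version X.Y.Z` belong to this example.

```shell
#!/bin/sh
# Added example: gate on the Unbound version inside an image.
# FIXED_VERSION is taken from the issue text (1.19.1 fixes both CVEs).
FIXED_VERSION="1.19.1"

# Extract "X.Y.Z" from the first "Version X.Y.Z" line of `unbound -V` output
# (assumed output shape; hypothetical helper name).
parse_unbound_version() {
    printf '%s\n' "$1" | sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if $1 >= $2, comparing dotted components numerically, so that
# 1.9.6 sorts below 1.19.1 (a plain string comparison gets this wrong).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Print a verdict for the given `unbound -V` output.
# Returns 0 if patched, 1 if below FIXED_VERSION, 2 if no version was found.
check_unbound() {
    v=$(parse_unbound_version "$1")
    if [ -z "$v" ]; then echo "unknown"; return 2; fi
    if version_ge "$v" "$FIXED_VERSION"; then echo "patched $v"; return 0; fi
    echo "vulnerable $v"; return 1
}

# Constructed sample of `unbound -V` output, not captured from the image.
SAMPLE_OLD='Version 1.17.1

Configure line: (constructed sample)'

check_unbound "$SAMPLE_OLD" || true
# Inside a container or a Dockerfile RUN step, assuming unbound is on PATH:
#   check_unbound "$(unbound -V)" || exit 1
```

Distribution packages can carry backported fixes under an older upstream version number, so a `vulnerable` result on a distro build should be checked against that distribution's security tracker.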