CentOS 7 Unbound CVE False Positive

Hi,

I believe there is a false positive being reported for the Unbound package in CentOS 7.

[Unbound DNS Resolver < 1.10.1 Multiple Vulnerabilities OID: 1.3.6.1.4.1.25623.1.0.143940]

Detection Result
Installed version: 1.6.6
Fixed version: 1.10.1

References

[CVE-2020-12662]
[CVE-2020-12663]

$ rpm -qi --changelog unbound | grep CVE-2020-1266
- Resolves: rhbz#1839172 (CVE-2020-12662), rhbz#1840258 (CVE-2020-12663)
$ rpm -qa | grep unbound
unbound-libs-1.6.6-5.el7_8.x86_64
unbound-1.6.6-5.el7_8.x86_64

It looks like the vulnerabilities were resolved before CentOS 7 went EOL.

Could you kindly update the detection method for this package/OS please?

Many thanks,
APKG

Hi apkg,

Looks like the VT in question has too high a Quality of Detection (QoD), as there are backports from various Linux distros, as you mentioned.
I will lower the QoD to “remote_banner_unreliable” which should arrive in the feed in the coming days.

Thanks for the report!

Best regards,
Christian

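The situation in this thread (a version-threshold check flagging a package whose fix was backported) as an added shell example; this is not Greenbone's VT code or anything from the original posts. The changelog text is constructed to mirror the `rpm` line quoted above, with a placeholder packager, and the helper names (`version_lt`, `changelog_fixes_cve`, `assess`) are this example's own.

```shell
#!/bin/sh
# Added example: why a pure "installed < fixed" comparison produces a
# false positive on a backported fix, and how a changelog check resolves it.

# Constructed sample of `rpm -q --changelog unbound` output (placeholder packager).
SAMPLE_CHANGELOG='* Wed May 27 2020 Example Packager <packager@example.invalid> - 1.6.6-5
- Resolves: rhbz#1839172 (CVE-2020-12662), rhbz#1840258 (CVE-2020-12663)

* Tue Jan 01 2019 Example Packager <packager@example.invalid> - 1.6.6-1
- Rebase to 1.6.6'

# version_lt A B: succeed when dotted numeric version A sorts before B.
# This is the naive comparison a banner/version-based VT performs.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        [ -z "$ax" ] && ax=0
        [ -z "$bx" ] && bx=0
        [ "$ax" -lt "$bx" ] && return 0
        [ "$ax" -gt "$bx" ] && return 1
        case $a in *.*) a=${a#*.};; *) a='';; esac
        case $b in *.*) b=${b#*.};; *) b='';; esac
    done
    return 1
}

# changelog_fixes_cve CHANGELOG CVE: succeed when the changelog names the CVE.
# -w prevents a prefix such as CVE-2020-1266 from matching CVE-2020-12662.
changelog_fixes_cve() {
    printf '%s\n' "$1" | grep -qwF -- "$2"
}

# assess INSTALLED FIXED CVE CHANGELOG: print one verdict word.
#   not_vulnerable - installed version already at or above the fixed version
#   backported     - version is below the threshold, but the distro changelog
#                    records the CVE fix (the CentOS 7 unbound case here)
#   vulnerable     - below the threshold and no evidence of a backport
assess() {
    installed=$1 fixed=$2 cve=$3 changelog=$4
    if ! version_lt "$installed" "$fixed"; then
        echo not_vulnerable
        return 0
    fi
    if changelog_fixes_cve "$changelog" "$cve"; then
        echo backported
        return 0
    fi
    echo vulnerable
}

# Stand-alone demonstration with the values from the report.
for cve in CVE-2020-12662 CVE-2020-12663; do
    echo "unbound 1.6.6 vs fixed 1.10.1, $cve: $(assess 1.6.6 1.10.1 "$cve" "$SAMPLE_CHANGELOG")"
done
```

On a live CentOS 7 host the fourth argument would come from `rpm -q --changelog unbound`; the point is that the version comparison alone (`version_lt`) says "vulnerable", and only the distribution's own changelog distinguishes a backport from an unpatched build, which is why a version-only VT deserves a low QoD.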