Vulnerability in the Unbound DNS server that allows remote code execution

A vulnerability (CVE-2019-18934) has been identified in the Unbound DNS server that can lead to execution of attacker-supplied shell commands when a specially crafted DNS response is received. Only builds of Unbound compiled with the ipsec module ("--enable-ipsecmod") that also enable ipsecmod in the configuration are affected; default builds do not include the module. The vulnerability is present from version 1.6.4 up to and including 1.9.4 and is fixed in Unbound 1.9.5. Because the malicious data arrives in a response, the attacker needs to control the answer for a name the resolver is induced to look up, for example by operating the authoritative server for that domain.

The vulnerability stems from passing unescaped data to the shell when the ipsecmod-hook command is invoked, which happens when a query is answered for a domain that has both A/AAAA and IPSECKEY records. Command injection is achieved by placing shell metacharacters in the queried domain name (qname) and in the gateway field of the IPSECKEY record, both of which are inserted into the hook command line as received. Administrators who cannot upgrade immediately can remove the exposure by setting "ipsecmod-enabled: no" in unbound.conf; whether a binary was built with the module at all can be read from the configure line printed by "unbound -V".
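The following is an added example, not Unbound's code, illustrating the bug class described above: a hook command assembled from DNS response fields and handed to a shell, beside a hardened version that validates the qname, gateway and addresses against an allow-list and executes the hook without a shell. The hook path, the argument order and the sample qname/IPSECKEY values are constructed for the demonstration and are not taken from Unbound's source or from real traffic.

```python
"""Shell command injection via unescaped DNS data (the CVE-2019-18934 bug
class), vulnerable pattern beside a hardened one. Added example, not
Unbound's code; hook path, argument layout and sample data are assumed."""
import ipaddress
import re
import shlex
import subprocess

# Hypothetical hook path, standing in for a configured ipsecmod-hook value.
HOOK = "/usr/local/bin/ipsec-hook"

# Constructed sample data. The attacker controls the queried name and the
# IPSECKEY gateway; "$(...)" and ";" are live syntax to /bin/sh.
BENIGN_QNAME = "vpn.example.com."
MALICIOUS_QNAME = "vpn.example.com.$(echo INJECTED)"
BENIGN_GATEWAY = "gw.example.com."
MALICIOUS_GATEWAY = "gw.example.com.;id"
IPSECKEY_PUBKEY = "AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvNypz"


def build_hook_command_unsafe(hook, qname, ttl, addresses, gateway, pubkey):
    """Vulnerable pattern: one string destined for system()/sh -c with every
    response field inserted verbatim, so shell metacharacters take effect."""
    return f"{hook} {qname} {ttl} {' '.join(addresses)} {gateway} {pubkey}"


# Allow-list for a DNS name: labels of letters, digits, '-' and '_'
# (underscore permitted for SRV-style names), optional trailing dot.
_LABEL = r"[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?"
DNS_NAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def is_safe_dns_name(name):
    return DNS_NAME_RE.fullmatch(name) is not None


def is_safe_gateway(gateway):
    """IPSECKEY gateway is '.', an IPv4/IPv6 literal, or a domain name."""
    if gateway == ".":
        return True
    try:
        ipaddress.ip_address(gateway)
        return True
    except ValueError:
        return is_safe_dns_name(gateway)


def build_hook_argv(hook, qname, ttl, addresses, gateway, pubkey):
    """Hardened: reject any attacker-influenced field that is not in the
    allow-list, then return an argv list for exec without a shell.
    Returns None when a field is rejected."""
    if not is_safe_dns_name(qname) or not is_safe_gateway(gateway):
        return None
    if BASE64_RE.fullmatch(pubkey) is None:
        return None
    if not isinstance(ttl, int) or ttl < 0:
        return None
    try:
        for addr in addresses:
            ipaddress.ip_address(addr)
    except ValueError:
        return None
    return [hook, qname, str(ttl), *addresses, gateway, pubkey]


def build_hook_command_quoted(hook, qname, ttl, addresses, gateway, pubkey):
    """Second-best option if a shell is unavoidable: quote every field, so
    shlex.quote wraps anything with metacharacters in single quotes."""
    fields = [hook, qname, ttl, *addresses, gateway, pubkey]
    return " ".join(shlex.quote(str(f)) for f in fields)


def run_hook(argv):
    """Execute the validated argv directly; no element is re-parsed."""
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Using "echo" as the hook so the demo is harmless and visible.
    unsafe = build_hook_command_unsafe("echo", MALICIOUS_QNAME, 300,
                                       ["192.0.2.1"], BENIGN_GATEWAY,
                                       IPSECKEY_PUBKEY)
    print("unsafe command line:", unsafe)
    subprocess.run(["/bin/sh", "-c", unsafe])  # runs $(echo INJECTED)
    argv = build_hook_argv("echo", MALICIOUS_QNAME, 300, ["192.0.2.1"],
                           BENIGN_GATEWAY, IPSECKEY_PUBKEY)
    print("hardened argv:", argv)  # None: rejected before any exec
    argv = build_hook_argv("echo", BENIGN_QNAME, 300, ["192.0.2.1"],
                           BENIGN_GATEWAY, IPSECKEY_PUBKEY)
    run_hook(argv)
```

The allow-list plus exec-without-shell approach is the one to prefer: quoting (build_hook_command_quoted) keeps the shell in the path and relies on every caller remembering to quote, whereas a rejected name never reaches any interpreter at all.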

Source: opennet.ru