From nobody Wed Nov 26 20:09:21 2025 X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dGrHk2gS2z6JZP1 for ; Wed, 26 Nov 2025 20:09:22 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4dGrHk0JDJz3FJL; Wed, 26 Nov 2025 20:09:22 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1764187762; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=k4ZPgj7uTMk/8Pd31FQdRew0doMu+8DOBOQeGDDwE6U=; b=tis9Rn1C4eocII3KIJfm4NVsQ5G25RP11iOBDIIxMcuHgANFtKVIfYdyfX8JwAtSsrbP41 JtjlD930BaA2Ip/v+5Bj1Upe+Ef44oi5lIYfpCLwZHv4cGJjl4xGwUk3x3qPoSps2hUfG+ wIoWzxVjgOvCtLi1aOxvYZFE2VNAzaf4kFQoGw5iZJmITohy8LmgI3NVlFn2Qu50ZHQMks 09W5hBmQViCTIJFhURyWtvxy6raQaYzo4qHfo9EisW11h9ASP+ELjnE/v4MIXJcRce7GiT Z2b4/ir0EhdKJVZ2C/VKBGsGjzzWctjf3ig7gBAvKGSFUNtigOpMWu3KJJx01Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1764187762; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=k4ZPgj7uTMk/8Pd31FQdRew0doMu+8DOBOQeGDDwE6U=; b=W9mzPg3iuigjq7OZkxYuriQNZDoN86y+6uhxGTXt9uZedQRQGMdkkRe3ErVWbionLUVEDy BvBVuWZ3Ye5IJxsMbdBNZcAEKk+QczoKSCT9+08AQ9Xe2qlDhUjb7rWGFVm54Cw/HCpCUc uPCg+UdxyfrAusC+jEyonSYacvIGLvhQLTZJVfQ/IYSqcx020T8xRb2CIK4JSTnqavkUZc ZCs5T1ZReNXliHtNPI+KFcLr47ACCBeX7oAn/sJctsETjwLCL/tNWZXHEsImw+TLQcpkEZ s9GlIvuL+XfDPDqWNsJxe3BpklYFBaKj3MleaZikw0o+aRKTMiUEcgRcLN89vg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1764187762; a=rsa-sha256; cv=none; b=mKOCev5GZazarmJWRYJvtUQt2oGx/M2y0vPv0IgQTKMJQ0oQZKEiSxxgc0O3TICfWCJWe1 z7uoEEAyiMmaeKzP32Pf9xNGgLOKRhxRIeCqPzsccDPXJ8RhdkiEEGZQV3A2/euGzHSAI9 KICHGTcep6uBnou44rHKcpmMNFWYVTfAxVN5sNWdwiJs0iN1w3F/0tf2DEvtGcqNKmBvqt NVp1NDgePu1Y5v7ddPIl8lCZ58oLZC+PJwTtzhZNozT+JxIZ5AryWLSjlyH/Ncmuy47PKM PfbDp3LJsLlljiDKl7HLpaFWCzQGNerQiaXnX1hWdHR+qgx8BKwHYsDG4Sd1xQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: by freefall.freebsd.org (Postfix, from userid 945) id DF7EA18E06; Wed, 26 Nov 2025 20:09:21 +0000 (-00) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-25:10.unbound Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20251126200921.DF7EA18E06@freefall.freebsd.org> Date: Wed, 26 Nov 2025 20:09:21 +0000 (-00) List-Id: Moderated Security Notifications [moderated, low volume] List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security-notifications@freebsd.org Sender: owner-freebsd-security-notifications@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-25:10.unbound Security Advisory The FreeBSD Project Topic: Cache poison in local-unbound service Category: contrib Module: unbound Announced: 2025-11-26 Credits: Yuxiao Wu, Yunyi Zhang, Baojun Liu, Haixin Duan Yang Luo, and JianJun Chen from Tsinghua University along with TaoFei Guo from Peking University. Affects: All supported versions of FreeBSD. Corrected: 2025-11-26 16:00:04 UTC (stable/15, 15.0-STABLE) 2025-11-26 16:13:20 UTC (releng/15.0, 15.0-RC4-p1) 2025-11-26 16:01:01 UTC (stable/14, 14.3-STABLE) 2025-11-26 16:13:30 UTC (releng/14.3, 14.3-RELEASE-p6) 2025-11-26 16:02:40 UTC (stable/13, 13.5-STABLE) 2025-11-26 16:13:41 UTC (releng/13.5, 13.5-RELEASE-p7) CVE Name: CVE-2025-11411 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Unbound is a validating, recursive, and caching DNS resolver included in the FreeBSD base system as an optional service called 'local_unbound'. II. Problem Description Promiscuous NS RRSets that complement DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. If a malicious actor is able to attach such records in a reply they would be able to poison Unbound's cache for the delegation point. III. Impact A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done, for example, by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. FreeBSD 15.0 release candidates previously included a fix to mitigate the poison attempt. This advisory includes an additional fix to mitigate a poison attempt through YXDOMAIN and nodata non-referral answers. This advisory includes patches for FreeBSD 14.3-RELEASE and 13.5-RELEASE that cover both the original fix and the additional fix. IV. Workaround No workaround is available. Systems not leveraging the local-unbound service are unaffected. Check 'sysrc local_unbound_enable' and 'ps ax | grep local-unbound' to see if it is enabled and running. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # service local_unbound restart 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/SA-25:10/unbound-15.patch # fetch https://security.FreeBSD.org/patches/SA-25.10/unbound-15.patch.asc # gpg --verify unbound-15.patch.asc [FreeBSD 14.3, FreeBSD 13.5] # fetch https://security.FreeBSD.org/patches/SA-25:10/unbound-13and14.patch # fetch https://security.FreeBSD.org/patches/SA-25.10/unbound-13and14.patch.asc # gpg --verify unbound-13and14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ b01f35a4e19d stable/15-n281339 releng/15.0/ dabd406d99a9 releng/15.0-n280990 stable/14/ cd40a23fb249 stable/14-n272947 releng/14.3/ 18c4eb2cc642 releng/14.3-n271451 stable/13/ 2aed524b2329 stable/13-n259573 releng/13.5/ 9b0808259a8a releng/13.5-n259183 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmknL1AACgkQbljekB8A Gu+RNg/7Bc6vJo+NxKwMhwRO5kp0zzWLEPTgsHZXfzhNfoxg1Yie7tIeYPbYLS0E ZQ677a8Th1QhmkdvBDG83sNqPJXYpvai3s8SZxhie8sLPZQA1JFINOEgXo3Wvfyl 9hZ+QdN8DtgZVA4yWFKVm018RefqUAsyd7e5Mw9ci6CHrTbzbjjxcGLEhatwfn/q ALfI17WT9wPeYyP1HnC6yT0eGzyPlg+2aZCQsEdfJOjnH3ycWK54Ucy4TF2prQss +XOLXOHQ17HJFYymQshwPbME3O9jDRPnRuszTY+W51Yqq4XH/Vc+4pAXuLaJeFVj g0krR3aamoRO4fM/X/k+tH49dN6wEduE6lf3PzQIqxeudmK8f7rsTmI8kHUPl+EU 6alEWN0kCC/g1LYPFX48LQ++ZH80I5PaodsUHanTVz2j19uMfqxLwmAjeOhtY1JW bqE12KmHArRQnOIfod1qWOEx1Bm9vAXCuMH7Wh5VjQf71MaNcZdbTtmuEC5g1+yO mcBZ2KoGUJvyN5Q7+RyLakcq0Ma+4/MbDcHMxSLoEYAWgivdH99svvDb4s4AGqmD VE7j2HiU1vOfLn/q8y4ZQYT5iXyIIXYEuTbM2Gs/C3bIy4Ke9DDt7m/JBM8rW0Fo hEomWA9nhage5U/10/YaIWwsre63gvCTMi2B5v6RlNR/Efkq3OY= =QjfE -----END PGP SIGNATURE-----