Date: Wed, 26 Nov 2025 23:58:23 +0000
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Gordon Tetlow <gordon@tetlows.org>
Cc: Gordon Tetlow <gordon@freebsd.org>, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: 2a3a6a177114 - main - Mitigate YXDOMAIN and nodata non-referral answer poisoning.
Message-ID: <6bss565r2ljsoywbow4am2qo76t2iqwvwvf4vmvyctofsuiwdc@3omwjejpuxzo>
In-Reply-To: <5AC69869-F66B-42E6-A184-4FB2D846F521@tetlows.org>
References: <69272395.3426e.56ff4912@gitrepo.freebsd.org> <vkvj4ijewblmfnzzwqv64fkzkfpvdl4rxos2i27b5r6fmstefr@wf5wqc4t5awb> <5AC69869-F66B-42E6-A184-4FB2D846F521@tetlows.org>
On Wed, Nov 26, 2025 at 03:49:33PM -0800, Gordon Tetlow wrote:
> On 26 Nov 2025, at 14:47, Shawn Webb wrote:
>
> > On Wed, Nov 26, 2025 at 03:58:13PM +0000, Gordon Tetlow wrote:
> >> The branch main has been updated by gordon:
> >>
> >> URL: https://cgit.FreeBSD.org/src/commit/?id=2a3a6a1771148a709c2d9694c1d66c41ce8dee79
> >>
> >> commit 2a3a6a1771148a709c2d9694c1d66c41ce8dee79
> >> Author: Gordon Tetlow <gordon@FreeBSD.org>
> >> AuthorDate: 2025-11-21 21:24:58 +0000
> >> Commit: Gordon Tetlow <gordon@FreeBSD.org>
> >> CommitDate: 2025-11-26 15:57:33 +0000
> >>
> >> Mitigate YXDOMAIN and nodata non-referral answer poisoning.
> >>
> >> Add a fix to apply scrubbing of unsolicited NS RRSets (and their
> >> respective address records) for YXDOMAIN and nodata non-referral
> >> answers. This prevents a malicious actor from exploiting a possible
> >> cache poison attack.
> >>
> >> Obtained from: NLnet Labs
> >> Security: CVE-2025-11411
> >
> > Hey Gordon,
> >
> > Do you know if this fix was the incomplete one from Unbound 1.24.1? Or
> > does this include the additional fix that landed in 1.24.2 earlier
> > today?
>
> FreeBSD main, stable/15, and releng/15.0 already had 1.24.1. Those branches received the supplemental patch from 1.24.2 that was released today (which is what this commit is).
>
> FreeBSD stable/14, releng/14.3, stable/13, and releng/13.5 all received the minimal patch provided by the vendor that contained both the original 1.24.1 fix and today’s 1.24.2 fix.

That's what I was thinking. Thank you for confirming!

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username: shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
