Date: Wed, 26 Nov 2025 23:58:23 +0000
From: Shawn Webb
To: Gordon Tetlow
Cc: Gordon Tetlow, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: 2a3a6a177114 - main - Mitigate YXDOMAIN and nodata non-referral answer poisoning.
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

On Wed, Nov 26, 2025 at 03:49:33PM -0800, Gordon Tetlow wrote:
> On 26 Nov 2025, at 14:47, Shawn Webb wrote:
>
> > On Wed, Nov 26, 2025 at 03:58:13PM +0000, Gordon Tetlow wrote:
> >> The branch main has been updated by gordon:
> >>
> >> URL: https://cgit.FreeBSD.org/src/commit/?id=2a3a6a1771148a709c2d9694c1d66c41ce8dee79
> >>
> >> commit 2a3a6a1771148a709c2d9694c1d66c41ce8dee79
> >> Author: Gordon Tetlow
> >> AuthorDate: 2025-11-21 21:24:58 +0000
> >> Commit: Gordon Tetlow
> >> CommitDate: 2025-11-26 15:57:33 +0000
> >>
> >> Mitigate YXDOMAIN and nodata non-referral answer poisoning.
> >>
> >> Add a fix to apply scrubbing of unsolicited NS RRSets (and their
> >> respective address records) for YXDOMAIN and nodata non-referral
> >> answers. This prevents a malicious actor from exploiting a possible
> >> cache poison attack.
> >>
> >> Obtained from: NLnet Labs
> >> Security: CVE-2025-11411
> >
> > Hey Gordon,
> >
> > Do you know if this fix was the incomplete one from Unbound 1.24.1? Or
> > does this include the additional fix that landed in 1.24.2 earlier
> > today?
>
> FreeBSD main, stable/15, and releng/15.0 already had 1.24.1. Those branches received the supplemental patch from 1.24.2 that was released today (which is what this commit is).
>
> FreeBSD stable/14, releng/14.3, stable/13, and releng/13.5 all received the minimal patch provided by the vendor that contained both the original 1.24.1 fix and today’s 1.24.2 fix.

That's what I was thinking. Thank you for confirming!

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username: shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc