Date: Sat, 29 Jun 2024 20:40:34 +0200
From: Dag-Erling Smørgrav <des@FreeBSD.org>
To: "Wall, Stephen" <stephen.wall@redcom.com>
Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Re: CVE 2024 1931 - unbound
Message-ID: <86jzi71tjx.fsf@ltc.des.dev>
In-Reply-To: <MW4PR09MB92849E1CFE06CB46D2986DA9EED62@MW4PR09MB9284.namprd09.prod.outlook.com> (Stephen Wall's message of "Wed, 26 Jun 2024 17:49:36 +0000")
References: <MW4PR09MB92849E1CFE06CB46D2986DA9EED62@MW4PR09MB9284.namprd09.prod.outlook.com>
"Wall, Stephen" <stephen.wall@redcom.com> writes: > This CVE lists unbound 1.19.1 as being vulnerable. This is the > version currently included in 14.0, but there is no Security Advisory > for it. Does this mean that the base system unbound can=E2=80=99t be use= d in > a way that makes it vulnerable, or is this something that needs to be > addressed? The base system unbound is meant to be used with a configuration generated by `local-unbound-setup`, which never enables the `ede` option which is a prerequisite for the DoS attack described in CVE-2024-1931. DES (speaking only for himself) --=20 Dag-Erling Sm=C3=B8rgrav - des@FreeBSD.org