Date:      Sat, 29 Jun 2024 20:40:34 +0200
From:      Dag-Erling Smørgrav <des@FreeBSD.org>
To:        "Wall, Stephen" <stephen.wall@redcom.com>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: CVE 2024 1931 - unbound
Message-ID:  <86jzi71tjx.fsf@ltc.des.dev>
In-Reply-To: <MW4PR09MB92849E1CFE06CB46D2986DA9EED62@MW4PR09MB9284.namprd09.prod.outlook.com> (Stephen Wall's message of "Wed, 26 Jun 2024 17:49:36 +0000")
References:  <MW4PR09MB92849E1CFE06CB46D2986DA9EED62@MW4PR09MB9284.namprd09.prod.outlook.com>

"Wall, Stephen" <stephen.wall@redcom.com> writes:
> This CVE lists unbound 1.19.1 as being vulnerable.  This is the
> version currently included in 14.0, but there is no Security Advisory
> for it.  Does this mean that the base system unbound can’t be used in
> a way that makes it vulnerable, or is this something that needs to be
> addressed?

The base system unbound is meant to be used with a configuration
generated by `local-unbound-setup`, which never enables the `ede` option
which is a prerequisite for the DoS attack described in CVE-2024-1931.

DES (speaking only for himself)
-- 
Dag-Erling Smørgrav - des@FreeBSD.org
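
A check for the condition described in the reply above, as an added example that is not part of the original message and is not FreeBSD or unbound code: it scans an unbound configuration file whose path the caller supplies, follows `include:` directives, and reports any `ede: yes`. The function names, the constructed sample files and the include-path handling are assumptions made for illustration.

```python
import glob, os, re, tempfile

# "name: value" once comments are stripped; the value may be double-quoted.
_SETTING = re.compile(r'^\s*([A-Za-z0-9-]+):\s*"?([^"\s]*)"?\s*$')

def ede_settings(path, seen=None):
    """Return [(file, lineno, value)] for every `ede:` line, following includes."""
    seen = set() if seen is None else seen
    path = os.path.abspath(path)
    if path in seen:                      # guard against include loops
        return []
    seen.add(path)
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            m = _SETTING.match(line.split("#", 1)[0])   # drop trailing comment
            if not m:
                continue
            key, value = m.group(1).lower(), m.group(2)
            if key in ("include", "include-toplevel"):
                # Assumption: relative includes resolve against this file's directory.
                pattern = os.path.join(os.path.dirname(path), value)
                for inc in sorted(glob.glob(pattern)):
                    hits += ede_settings(inc, seen)
            elif key == "ede":            # exact match, so ede-serve-expired is ignored
                hits.append((path, lineno, value.lower()))
    return hits

def ede_enabled(path):
    """Conservative: True if any reachable file sets `ede: yes`."""
    return any(value == "yes" for _, _, value in ede_settings(path))

def demo():
    """Run the check over constructed sample configs (not from the original message)."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "conf.d"))
        files = {
            "generated.conf": "server:\n\tusername: unbound\n\t# ede: yes\n",
            "custom.conf": 'server:\n\tinclude: "conf.d/*.conf"\n',
            "conf.d/extra.conf": "server:\n\tede: yes  # hand-edited\n",
        }
        for name, text in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        return (ede_enabled(os.path.join(d, "generated.conf")),
                ede_enabled(os.path.join(d, "custom.conf")))

if __name__ == "__main__":
    print(demo())
```

A commented-out `ede: yes` is not reported, while one reached through an include is.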


