Date:      Wed, 3 Jul 2024 16:40:32 -0700
From:      Cy Schubert <Cy.Schubert@cschubert.com>
To:        "Wall, Stephen" <stephen.wall@redcom.com>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: CVE 2024 1931 - unbound
Message-ID:  <20240703164032.4b61ef49@slippy>
In-Reply-To: <20240703162938.7459b610@slippy>
References:  <MW4PR09MB92849E1CFE06CB46D2986DA9EED62@MW4PR09MB9284.namprd09.prod.outlook.com> <86jzi71tjx.fsf@ltc.des.dev> <MW4PR09MB92843F5CB46E4B10DA4F726AEEDD2@MW4PR09MB9284.namprd09.prod.outlook.com> <20240703162938.7459b610@slippy>

On Wed, 3 Jul 2024 16:29:38 -0700
Cy Schubert <Cy.Schubert@cschubert.com> wrote:

> On Wed, 3 Jul 2024 13:00:41 +0000
> "Wall, Stephen" <stephen.wall@redcom.com> wrote:
>
> > > From: Dag-Erling Smørgrav <des@FreeBSD.org>
> > > The base system unbound is meant to be used with a configuration generated by
> > > `local-unbound-setup`, which never enables the `ede` option which is a
> > > prerequisite for the DoS attack described in CVE-2024-1931.
>
> Did you actually mean CVE-2024-33655 instead?

Looks like CVE-2024-1931 was also addressed in 1.20.0.

>
> >
> > Thanks for your reply.
> >
> > Local_unbound_setup supports dropping additional config files in
> > /var/unbound/conf.d, which will be loaded by unbound.  Files in this
> > directory are not altered by local_unbound_setup.  This implies, to me,
> > that customization of the base unbound is specifically supported, meaning
> > any FreeBSD site could potentially have ede enabled, and therefore be
> > vulnerable to this CVE.
> > It's my opinion that this warrants at least an advisory cautioning users
> > of FreeBSD not to enable ede, if not a patch to address it.
>
> That would be an MFS of 335c7cda12138f2aefa41fb739707612cc12a9be from
> stable/14 to releng/14.0 (releng/14.1 already has it) and a
> corresponding MFS from stable/13 to releng/13.{2,3}.
>
> >
> > - Steve Wall
>



-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e^(i*pi)+1=0
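The drop-in directory Steve Wall mentions is exactly where a site could turn on the `ede` option that DES says the generated base configuration never enables. The check below is an added example for this thread, not FreeBSD's or unbound's own tooling: it scans a directory (defaulting to /var/unbound/conf.d, the directory named in the message) for uncommented `ede: yes` lines so an operator can confirm that the base unbound is still running without the option. The function name `find_ede_enabled`, the assumption that drop-ins are picked up as `*.conf`, and the sample drop-in files created by the demo are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeBSD's or unbound's own tooling).
# find_ede_enabled DIR: report uncommented "ede: yes" directives in DIR/*.conf.
# DIR defaults to /var/unbound/conf.d, the drop-in directory named in the
# thread; the *.conf glob is an assumption about how the directory is included.
# Prints "file:line: ede: yes" per hit; returns 1 if any hit, 0 if none.
find_ede_enabled() {
    dir="${1:-/var/unbound/conf.d}"
    hits=$(awk '
        { sub(/#.*/, "") }                 # drop trailing and whole-line comments
        { gsub(/^[ \t]+|[ \t]+$/, "") }    # trim surrounding whitespace
        /^ede:[ \t]*yes$/ { print FILENAME ":" FNR ": " $0 }
    ' "$dir"/*.conf 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Demo on constructed drop-ins (not real site config): one enables ede, one
# only mentions it in a comment and sets it to no.
demo_dir=$(mktemp -d)
printf 'server:\n\tede: yes   # turned on by a local admin\n' > "$demo_dir/10-ede.conf"
printf 'server:\n    # ede: yes\n    ede: no\n' > "$demo_dir/20-safe.conf"
if find_ede_enabled "$demo_dir"; then
    echo "no drop-in enables ede"
else
    echo "a drop-in enables ede; the base-config argument for CVE-2024-1931 no longer applies"
fi
rm -rf "$demo_dir"
```

Run it with no argument on a FreeBSD host to inspect the real /var/unbound/conf.d; a non-zero exit with the offending file:line printed is the signal to either remove the directive or make sure the installed unbound is a fixed version. Lines that unbound would reject anyway are not the target here, so `unbound-checkconf` remains the authority on whether the file parses.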


