Date: Wed, 3 Jul 2024 16:40:32 -0700
From: Cy Schubert
To: "Wall, Stephen"
Cc: "freebsd-security@freebsd.org"
Subject: Re: CVE 2024 1931 - unbound
Message-ID: <20240703164032.4b61ef49@slippy>
In-Reply-To: <20240703162938.7459b610@slippy>
References: <86jzi71tjx.fsf@ltc.des.dev> <20240703162938.7459b610@slippy>
Organization: KOMQUATS
X-Mailer: Claws Mail 3.20.0 (GTK+ 2.24.33; amd64-portbld-freebsd15.0)
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

On Wed, 3 Jul 2024 16:29:38 -0700
Cy Schubert wrote:

> On Wed, 3 Jul 2024 13:00:41 +0000
> "Wall, Stephen" wrote:
>
> > > From: Dag-Erling Smørgrav
> > > The base system unbound is meant to be used with a configuration generated by
> > > `local-unbound-setup`, which never enables the `ede` option which is a
> > > prerequisite for the DoS attack described in CVE-2024-1931.
>
> Did you actually mean CVE-2024-33655 instead? Looks like CVE-2024-1931 was also addressed in 1.20.0.
>
> >
> > Thanks for your reply.
> >
> > Local_unbound_setup supports dropping additional config files in /var/unbound/conf.d, which will be loaded by unbound. Files in this directory are not altered by local_unbound_setup. This implies, to me, that customization of the base unbound is specifically supported, meaning any FreeBSD site could potentially have ede enabled, and therefore be vulnerable to this CVE.
> > It's my opinion that this warrants at least an advisory cautioning users of FreeBSD not to enable ede, if not a patch to address it.
>
> That would be an MFS of 335c7cda12138f2aefa41fb739707612cc12a9be from
> stable/14 to releng/14.0 (releng/14.1 already has it) and a
> corresponding MFS from stable/13 to releng/13.{2,3}.
>
> >
> > - Steve Wall
>

-- 
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

e^(i*pi)+1=0
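Steve's point above is that anything dropped into /var/unbound/conf.d is pulled in by unbound, so a site can have `ede` switched on without local-unbound-setup ever writing it. The following check is an added example, not code from this thread or from the FreeBSD project: it walks an unbound.conf and every file it reaches through `include:` directives (globs allowed, as the base config uses for conf.d) and reports each uncommented `ede: yes`. It assumes the FreeBSD base layout with /var/unbound/unbound.conf as the root, absolute include paths, and no `include-toplevel:` directives.

```shell
#!/bin/sh
# Report every config file reachable from an unbound.conf that sets "ede: yes"
# outside a comment. Added example; assumes absolute include: paths.

# Print $1 and, recursively, every file it includes. $2 is the include depth,
# a guard against include loops.
unbound_config_files() {
    [ -f "$1" ] && [ "$2" -lt 8 ] || return 0
    printf '%s\n' "$1"
    # Keep only include: values, dropping comments and optional double quotes.
    sed -n 's/#.*$//; s/^[[:space:]]*include:[[:space:]]*//p' "$1" |
      sed -e 's/^"//' -e 's/"[[:space:]]*$//' |
      while IFS= read -r _pat; do
          for _inc in $_pat; do            # unquoted on purpose: expand globs
              unbound_config_files "$_inc" $(($2 + 1))
          done
      done
}

# Print "file:line:text" for each uncommented "ede: yes" found under $1.
# Returns 0 if ede is enabled anywhere, 1 if it is not.
ede_enabled_files() {
    _hits=$(unbound_config_files "$1" 0 | while IFS= read -r _cf; do
        grep -n -E '^[[:space:]]*ede:[[:space:]]*"?yes"?[[:space:]]*(#.*)?$' "$_cf" |
          sed "s|^|$_cf:|"
    done)
    [ -n "$_hits" ] || return 1
    printf '%s\n' "$_hits"
}

# Usage: sh check-ede.sh /var/unbound/unbound.conf (path assumed for the base
# system; for the port, pass its unbound.conf instead).
if [ "$#" -gt 0 ]; then
    if ede_enabled_files "$1"; then
        echo "ede is enabled: the precondition for the unbound DoS discussed above is present"
    else
        echo "ede is not enabled in any reachable config file"
    fi
fi
```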