From: Gordon Tetlow
To: Shawn Webb
Cc: Gordon Tetlow, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: 2a3a6a177114 - main - Mitigate YXDOMAIN and nodata non-referral answer poisoning.
Date: Wed, 26 Nov 2025 15:49:33 -0800
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

On 26 Nov 2025, at 14:47, Shawn Webb wrote:

> On Wed, Nov 26, 2025 at 03:58:13PM +0000, Gordon Tetlow wrote:
>> The branch main has been updated by gordon:
>>
>> URL: https://cgit.FreeBSD.org/src/commit/?id=2a3a6a1771148a709c2d9694c1d66c41ce8dee79
>>
>> commit 2a3a6a1771148a709c2d9694c1d66c41ce8dee79
>> Author:     Gordon Tetlow <gordon@FreeBSD.org>
>> AuthorDate: 2025-11-21 21:24:58 +0000
>> Commit:     Gordon Tetlow <gordon@FreeBSD.org>
>> CommitDate: 2025-11-26 15:57:33 +0000
>>
>>     Mitigate YXDOMAIN and nodata non-referral answer poisoning.
>>
>>     Add a fix to apply scrubbing of unsolicited NS RRSets (and their
>>     respective address records) for YXDOMAIN and nodata non-referral
>>     answers. This prevents a malicious actor from exploiting a possible
>>     cache poison attack.
>>
>>     Obtained from:  NLnet Labs
>>     Security:       CVE-2025-11411
>
> Hey Gordon,
>
> Do you know if this fix was the incomplete one from Unbound 1.24.1? Or
> does this include the additional fix that landed in 1.24.2 earlier
> today?

FreeBSD main, stable/15, and releng/15.0 already had 1.24.1. Those branches received the supplemental patch from 1.24.2 that was released today (which is what this commit is).

FreeBSD stable/14, releng/14.3, stable/13, and releng/13.5 all received the minimal patch provided by the vendor that contained both the original 1.24.1 fix and today’s 1.24.2 fix.

Best,
Gordon
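
A simplified model of the scrubbing that the quoted commit message describes, added here as an illustration; it is not part of the original message and is not Unbound's or FreeBSD's code. The reply classification, the `RR` and `Response` types, and the sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass

NOERROR, YXDOMAIN = 0, 6  # DNS RCODEs (RFC 1035, RFC 2136)

@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str

@dataclass
class Response:
    rcode: int
    answer: list
    authority: list
    additional: list

def classify(resp):
    """Simplified reply classes (an assumption, not Unbound's classifier)."""
    types = {rr.rtype for rr in resp.authority}
    if resp.rcode == YXDOMAIN:
        return "yxdomain"
    if resp.rcode == NOERROR and not resp.answer:
        if "SOA" in types:
            return "nodata"    # empty answer plus SOA: name exists, type does not
        if "NS" in types:
            return "referral"  # delegation: here the NS RRset is solicited
    return "other"

def scrub_unsolicited_ns(resp):
    """Return (cleaned response, removed records) for YXDOMAIN/nodata replies."""
    if classify(resp) not in ("yxdomain", "nodata"):
        return resp, []
    ns = [rr for rr in resp.authority if rr.rtype == "NS"]
    targets = {rr.rdata.lower().rstrip(".") for rr in ns}
    glue = [rr for rr in resp.additional if rr.rtype in ("A", "AAAA")
            and rr.name.lower().rstrip(".") in targets]
    cleaned = Response(resp.rcode, list(resp.answer),
                       [rr for rr in resp.authority if rr.rtype != "NS"],
                       [rr for rr in resp.additional if rr not in glue])
    return cleaned, ns + glue

# Constructed samples: a nodata reply with an unsolicited NS RRset, and a genuine referral.
NODATA = Response(NOERROR, [], [
    RR("example.test.", "SOA", "ns1.example.test. hostmaster.example.test. 1 3600 600 86400 300"),
    RR("example.test.", "NS", "ns.injected.test."),
], [RR("ns.injected.test.", "A", "203.0.113.5"), RR("other.test.", "A", "192.0.2.9")])
REFERRAL = Response(NOERROR, [], [RR("example.test.", "NS", "ns1.example.test.")],
                    [RR("ns1.example.test.", "A", "192.0.2.1")])
```

Calling `scrub_unsolicited_ns(NODATA)` drops the NS record and its address record while keeping the SOA and the unrelated additional record; `REFERRAL` is returned unchanged because its NS RRset is the delegation itself.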
