On Wed, Nov 26, 2025 at 03:49:33PM -0800, Gordon Tetlow wrote:
> On 26 Nov 2025, at 14:47, Shawn Webb wrote:
>
> > On Wed, Nov 26, 2025 at 03:58:13PM +0000, Gordon Tetlow wrote:
> >> The branch main has been updated by gordon:
> >>
> >> URL:
> >> https://cgit.FreeBSD.org/src/commit/?id=2a3a6a1771148a709c2d9694c1d66c41ce8dee79
> >>
> >> commit 2a3a6a1771148a709c2d9694c1d66c41ce8dee79
> >> Author: Gordon Tetlow <[email protected]>
> >> AuthorDate: 2025-11-21 21:24:58 +0000
> >> Commit: Gordon Tetlow <[email protected]>
> >> CommitDate: 2025-11-26 15:57:33 +0000
> >>
> >> Mitigate YXDOMAIN and nodata non-referral answer poisoning.
> >>
> >> Add a fix to apply scrubbing of unsolicited NS RRSets (and their
> >> respective address records) for YXDOMAIN and nodata non-referral
> >> answers. This prevents a malicious actor from exploiting a possible
> >> cache poison attack.
> >>
> >> Obtained from: NLnet Labs
> >> Security: CVE-2025-11411
> >
> > Hey Gordon,
> >
> > Do you know if this fix was the incomplete one from Unbound 1.24.1? Or
> > does this include the additional fix that landed in 1.24.2 earlier
> > today?
>
> FreeBSD main, stable/15, and releng/15.0 already had 1.24.1. Those branches
> received the supplemental patch from 1.24.2 that was released today (which is
> what this commit is).
>
> FreeBSD stable/14, releng/14.3, stable/13, and releng/13.5 all received the
> minimal patch provided by the vendor that contained both the original 1.24.1
> fix and today’s 1.24.2 fix.

That's what I was thinking. Thank you for confirming!

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username: shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
