On Wed, 3 Jul 2024 16:29:38 -0700 Cy Schubert <cy.schub...@cschubert.com> wrote:
> On Wed, 3 Jul 2024 13:00:41 +0000
> "Wall, Stephen" <stephen.w...@redcom.com> wrote:
>
> > > From: Dag-Erling Smørgrav <d...@freebsd.org>
> > > The base system unbound is meant to be used with a configuration
> > > generated by `local-unbound-setup`, which never enables the `ede`
> > > option which is a prerequisite for the DoS attack described in
> > > CVE-2024-1931.
> >
> > Did you actually mean CVE-2024-33655 instead? Looks like CVE-2024-1931
> > was also addressed in 1.20.0.
> >
> > Thanks for your reply.
> >
> > Local_unbound_setup supports dropping additional config files in
> > /var/unbound/conf.d, which will be loaded by unbound. Files in this
> > directory are not altered by local_unbound_setup. This implies, to me,
> > that customization of the base unbound is specifically supported, meaning
> > any FreeBSD site could potentially have ede enabled, and therefore be
> > vulnerable to this CVE.
> >
> > It's my opinion that this warrants at least an advisory cautioning users
> > of FreeBSD not to enable ede, if not a patch to address it.
>
> That would be an MFS of 335c7cda12138f2aefa41fb739707612cc12a9be from
> stable/14 to releng/14.0 (releng/14.1 already has it) and a
> corresponding MFS from stable/13 to releng/13.{2,3}.
>
> > - Steve Wall
>
> --
> Cheers,
> Cy Schubert <cy.schub...@cschubert.com>
> FreeBSD UNIX: <c...@freebsd.org> Web: https://FreeBSD.org
> NTP: <c...@nwtime.org> Web: https://nwtime.org
>
> e^(i*pi)+1=0
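The thread's practical question is whether a given FreeBSD host has `ede: yes` somewhere in its base-system unbound configuration, including the drop-ins under /var/unbound/conf.d that local-unbound-setup leaves alone. The script below is an added example, not code from the thread, from FreeBSD or from the unbound project; it audits the configuration tree for an uncommented `ede: yes` and checks whether the installed daemon predates 1.20.0, the release the thread points to as fixing the CVEs. It assumes the base-system paths /var/unbound/unbound.conf and /var/unbound/conf.d/*.conf, that `local-unbound -V` prints "Version X.Y.Z" on its first line, and that matching the option case-insensitively is acceptable (it errs toward reporting).

```shell
#!/bin/sh
# Added example, not code from the thread, FreeBSD or unbound: audit an unbound
# configuration tree for the `ede:` option that CVE-2024-33655 requires.
# Assumptions: /var/unbound/unbound.conf and /var/unbound/conf.d/*.conf are the
# base-system paths; `local-unbound -V` prints "Version X.Y.Z" on its first
# line; 1.20.0 is the first fixed release.

# Return 0 (and name the file) if any given file sets "ede: yes" outside a
# comment; return 1 otherwise. The match is case-insensitive so that unusual
# capitalisation is reported rather than missed.
ede_enabled() {
    found=1
    for f in "$@"; do
        [ -f "$f" ] || continue
        # Strip '#' comments first so a commented-out "ede: yes" is ignored.
        if sed 's/#.*//' "$f" |
           grep -Eiq '^[[:space:]]*ede:[[:space:]]*yes([[:space:]]|$)'; then
            echo "ede enabled in $f"
            found=0
        fi
    done
    return $found
}

# List the main config plus every drop-in under conf.d, one path per line.
# $1 overrides the configuration root (default /var/unbound).
unbound_conf_files() {
    root=${1:-/var/unbound}
    set -- "$root/unbound.conf"
    for f in "$root"/conf.d/*.conf; do
        if [ -e "$f" ]; then
            set -- "$@" "$f"
        fi
    done
    printf '%s\n' "$@"
}

# Return 0 if dotted numeric version $1 sorts before $2 (e.g. 1.19.3 < 1.20.0).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" |
         sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Return 0 if the installed daemon (default: the base-system local-unbound)
# is older than 1.20.0; return 1 if it is newer or cannot be queried.
unbound_needs_ede_check() {
    ver=$("${1:-local-unbound}" -V 2>/dev/null |
          awk '/^Version/ { print $2; exit }')
    [ -n "$ver" ] && version_lt "$ver" 1.20.0
}

# Usage (base-system paths contain no whitespace, so the unquoted expansion
# is safe here):
#   if unbound_needs_ede_check && ede_enabled $(unbound_conf_files); then
#       echo "exposed: unbound older than 1.20.0 with ede enabled"
#   fi
```

Running the usage snippet on a host that has only `local-unbound-setup` output in place should report nothing, because the generated configuration never sets `ede`; a hit names the drop-in file that a site administrator added.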