> On Jul 3, 2024, at 9:00 PM, Wall, Stephen <stephen.w...@redcom.com> wrote:
> 
>> From: Dag-Erling Smørgrav <d...@freebsd.org>
>> The base system unbound is meant to be used with a configuration generated by
>> `local-unbound-setup`, which never enables the `ede` option which is a
>> prerequisite for the DoS attack described in CVE-2024-1931.
> 
> Thanks for your reply.
> 
> Local_unbound_setup supports dropping additional config files in 
> /var/unbound/conf.d, which will be loaded by unbound.  Files in this 
> directory are not altered by local_unbound_setup.  This implies, to me, that 
> customization of the base unbound is specifically supported, meaning any 
> FreeBSD site could potentially have ede enabled, and therefore be vulnerable 
> to this CVE.
> It's my opinion that this warrants at least an advisory cautioning users of 
> FreeBSD not to enable ede, if not a patch to address it.

Local DoSes do not get security advisories (logic here is a local user has a 
million ways to DoS a system). If the user has messed with the configuration of 
the local_unbound resolver to open it up to the network and get DoS’d from the 
remote network, I don’t feel this is something secteam is responsible for 
responding to.

Unbound exists as a port/pkg for the purposes of someone setting up a non-local 
resolver.

Best regards,
Gordon
Hat: security-officer
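The exchange above turns on whether a site has dropped a file into the conf.d directory that turns on `ede`, the option the thread names as the prerequisite for CVE-2024-1931. The following audit script is an added example for this thread; it is not code from FreeBSD, from `local-unbound-setup`, or from the Unbound project. It assumes the drop-in files are `*.conf` under the directory given as its argument (the thread names `/var/unbound/conf.d` as that directory), strips `#` comments so a commented-out `ede: yes` is not reported, and returns success only when at least one file actually enables the option. The sample directory it builds for a demo run is constructed here and is not real site configuration.

```shell
#!/bin/sh
# Audit an Unbound conf.d drop-in directory for an active "ede: yes" line.
# Added example, not from the thread, FreeBSD, or Unbound.
# Assumption: drop-in files are *.conf in the directory passed as $1
# (FreeBSD's local_unbound uses /var/unbound/conf.d, per the thread).
#
# Usage: sh audit_ede.sh /var/unbound/conf.d
#   exit 0 and list file:line:text for every file that enables ede,
#   exit 1 if no file enables it.

# Match "ede: yes" as an Unbound server option, after removing comments, so
# "# ede: yes" and "ede-serve-expired: yes" are not reported.
EDE_ON_RE='^[[:space:]]*ede:[[:space:]]*yes[[:space:]]*$'

find_ede_enabled() {
    dir="$1"
    found=1
    for f in "$dir"/*.conf; do
        # An empty directory leaves the glob unexpanded; skip non-files.
        [ -f "$f" ] || continue
        # Strip trailing comments, then look for the option with line numbers.
        hits=$(sed 's/#.*$//' "$f" | grep -n -E "$EDE_ON_RE" || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed "s|^|$f:|"
            found=0
        fi
    done
    return $found
}

# Build a constructed sample conf.d (demo input only, not real configuration).
make_sample_confd() {
    d=$(mktemp -d)
    # Commented-out ede plus an unrelated option that shares the prefix: must not match.
    printf 'server:\n    # ede: yes\n    ede-serve-expired: yes\n' > "$d/00-safe.conf"
    # A site customization that does enable the option: must be reported.
    printf 'server:\n    ede: yes\n' > "$d/10-custom.conf"
    # Explicitly disabled: must not match.
    printf 'server:\n    ede: no\n' > "$d/20-off.conf"
    printf '%s\n' "$d"
}

# Run against a real directory only when one is given on the command line.
if [ -n "${1:-}" ]; then
    find_ede_enabled "$1"
fi
```

Because `local-unbound-setup` regenerates the main `unbound.conf` but leaves conf.d alone, this is the place a stray `ede: yes` would persist across reruns of the setup script. For the effective, merged value (including anything set in the generated file itself), `unbound-checkconf -o ede /var/unbound/unbound.conf` prints what the daemon would actually use; that is a cross-check, not a replacement for knowing which drop-in file set it.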
