> If the user has messed with the configuration
> of the local_unbound resolver to open it up to the network and get DoS’d from
> the remote network, I don’t feel this is something secteam is responsible for
> responding to.
Thanks, Gordon.
That's a fair point. Security scanners will still find
> > > a prerequisite for the DoS attack described in CVE-2024-1931.
> Did you actually mean CVE-2024-33655 instead?
I mean CVE-2024-1931, in which unbound is vulnerable to a DoS if 'ede: yes' is
configured.
This is fixed in unbound 1.19.2, but 14.0 uses 1.19.1.
> On Jul 3, 2024, at 9:00 PM, Wall, Stephen wrote:
>
>> From: Dag-Erling Smørgrav
>> The base system unbound is meant to be used with a configuration generated by
>> `local-unbound-setup`, which never enables the `ede` option which is a
>> prerequisite for the DoS attack described in CVE-2024-1
On Wed, 3 Jul 2024 16:29:38 -0700
Cy Schubert wrote:
> On Wed, 3 Jul 2024 13:00:41 +
> "Wall, Stephen" wrote:
>
> > > From: Dag-Erling Smørgrav
> > > The base system unbound is meant to be used with a configuration
> > > generated by
> > > `local-unbound-setup`, which never enables the `e
On Wed, 3 Jul 2024 13:00:41 +
"Wall, Stephen" wrote:
> > From: Dag-Erling Smørgrav
> > The base system unbound is meant to be used with a configuration generated
> > by
> > `local-unbound-setup`, which never enables the `ede` option which is a
> > prerequisite for the DoS attack described i
> From: Dag-Erling Smørgrav
> The base system unbound is meant to be used with a configuration generated by
> `local-unbound-setup`, which never enables the `ede` option which is a
> prerequisite for the DoS attack described in CVE-2024-1931.
Thanks for your reply.
Local_unbound_setup supports d
"Wall, Stephen" writes:
> This CVE lists unbound 1.19.1 as being vulnerable. This is the
> version currently included in 14.0, but there is no Security Advisory
> for it. Does this mean that the base system unbound can’t be used in
> a way that makes it vulnerable, or is this something that need
> This CVE lists unbound 1.19.1 as being vulnerable. This is the version
> currently included in 14.0, but there is no Security Advisory for it. Does
> this mean that the base system unbound can’t be used in a way that makes it
> vulnerable, or is this something that needs to be addressed?
So
This CVE lists unbound 1.19.1 as being vulnerable. This is the version
currently included in 14.0, but there is no Security Advisory for it. Does
this mean that the base system unbound can’t be used in a way that makes it
vulnerable, or is this something that needs to be addressed?
Thank you.
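The condition the thread turns on (an unbound older than 1.19.2 that also has `ede: yes` set somewhere in its configuration) can be checked mechanically. The following is an added example, not part of any message in the thread and not FreeBSD or unbound tooling. It assumes that the last `ede:` value read wins, that relative `include:` paths resolve against the including file, and that any version below 1.19.2 counts as unfixed, since the thread gives no lower bound. The function names and the sample config are constructed for illustration.

```python
import glob, os, tempfile

FIXED = (1, 19, 2)  # release the thread says carries the fix

def tokens(path):
    """Yield whitespace-separated tokens of an unbound.conf file, minus # comments."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            yield from line.split("#", 1)[0].split()

def ede_enabled(path, state=False, seen=None):
    """Follow include: lines in order; the last 'ede:' value seen wins (assumption)."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:            # guard against include loops
        return state
    seen.add(real)
    toks = list(tokens(path))
    for key, val in zip(toks, toks[1:]):
        val = val.strip("\"'")
        if key == "ede:":       # exact match, so ede-serve-expired: is ignored
            state = val == "yes"
        elif key in ("include:", "include-toplevel:"):
            # assumption: relative includes resolve against the including file
            pattern = os.path.join(os.path.dirname(path), val)
            for inc in sorted(glob.glob(pattern)):
                state = ede_enabled(inc, state, seen)
    return state

def audit(version, conf_path):
    """Classify a host: 'exposed', 'unfixed-ede-off' or 'fixed'."""
    unfixed = tuple(int(p) for p in version.split(".")) < FIXED
    if not unfixed:
        return "fixed"
    return "exposed" if ede_enabled(conf_path) else "unfixed-ede-off"

if __name__ == "__main__":
    # Constructed sample: a generated-style main file plus a hand-added override.
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "conf.d"))
        with open(os.path.join(d, "unbound.conf"), "w") as f:
            f.write("server:\n\tusername: unbound\ninclude: conf.d/*.conf\n")
        with open(os.path.join(d, "conf.d", "local.conf"), "w") as f:
            f.write("server:\n\tede: yes  # added by hand\n")
        conf = os.path.join(d, "unbound.conf")
        for ver in ("1.19.1", "1.19.2"):
            print(ver, audit(ver, conf))
```

A result of `unfixed-ede-off` corresponds to the case described in the thread where a scanner reports the version as vulnerable while the configuration lacks the prerequisite.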