RE: CVE 2024 1931 - unbound

2024-07-08 Thread Wall, Stephen
> If the user has messed with the configuration
> of the local_unbound resolver to open it up to the network and get DoS’d from
> the remote network, I don’t feel this is something secteam is responsible for
> responding to.
Thanks, Gordon. That's a fair point. Security scanners will still find

RE: CVE 2024 1931 - unbound

2024-07-08 Thread Wall, Stephen
> > > a prerequisite for the DoS attack described in CVE-2024-1931.
> Did you actually mean CVE-2024-33655 instead?
I mean CVE-2024-1931, in which unbound is vulnerable to a DoS if 'ede: yes' is configured. This is fixed in unbound 1.19.2, but 14.0 uses 1.19.1.

Re: CVE 2024 1931 - unbound

2024-07-07 Thread Gordon Tetlow
> On Jul 3, 2024, at 9:00 PM, Wall, Stephen wrote:
>
>> From: Dag-Erling Smørgrav
>> The base system unbound is meant to be used with a configuration generated by
>> `local-unbound-setup`, which never enables the `ede` option which is a
>> prerequisite for the DoS attack described in CVE-2024-1

Re: CVE 2024 1931 - unbound

2024-07-03 Thread Cy Schubert
On Wed, 3 Jul 2024 16:29:38 -0700 Cy Schubert wrote:
> On Wed, 3 Jul 2024 13:00:41 +
> "Wall, Stephen" wrote:
>
> > > From: Dag-Erling Smørgrav
> > > The base system unbound is meant to be used with a configuration
> > > generated by
> > > `local-unbound-setup`, which never enables the `e

Re: CVE 2024 1931 - unbound

2024-07-03 Thread Cy Schubert
On Wed, 3 Jul 2024 13:00:41 + "Wall, Stephen" wrote:
> > From: Dag-Erling Smørgrav
> > The base system unbound is meant to be used with a configuration generated by
> > `local-unbound-setup`, which never enables the `ede` option which is a
> > prerequisite for the DoS attack described i

RE: CVE 2024 1931 - unbound

2024-07-03 Thread Wall, Stephen
> From: Dag-Erling Smørgrav
> The base system unbound is meant to be used with a configuration generated by
> `local-unbound-setup`, which never enables the `ede` option which is a
> prerequisite for the DoS attack described in CVE-2024-1931.
Thanks for your reply. Local_unbound_setup supports d

Re: CVE 2024 1931 - unbound

2024-06-29 Thread Dag-Erling Smørgrav
"Wall, Stephen" writes:
> This CVE lists unbound 1.19.1 as being vulnerable. This is the
> version currently included in 14.0, but there is no Security Advisory
> for it. Does this mean that the base system unbound can’t be used in
> a way that makes it vulnerable, or is this something that need

RE: CVE 2024 1931 - unbound

2024-06-26 Thread Wall, Stephen
> This CVE lists unbound 1.19.1 as being vulnerable. This is the version
> currently included in 14.0, but there is no Security Advisory for it. Does
> this mean that the base system unbound can’t be used in a way that makes it
> vulnerable, or is this something that needs to be addressed?
So