On Wed, 3 Jul 2024 13:00:41 +0000 "Wall, Stephen" <[email protected]> wrote:
> > From: Dag-Erling Smørgrav <[email protected]> > > The base system unbound is meant to be used with a configuration generated > > by > > `local-unbound-setup`, which never enables the `ede` option which is a > > prerequisite for the DoS attack described in CVE-2024-1931. Did you actually mean CVE-2024-33655 instead? > > Thanks for your reply. > > Local_unbound_setup supports dropping additional config files in > /var/unbound/conf.d, which will be loaded by unbound. Files in this > directory are not altered by local_unbound_setup. This implies, to me, that > customization of the base unbound is specifically supported, meaning any > FreeBSD site could potentially have ede enabled, and therefore by vulnerable > to this CVE. > It's my opinion that this warrants at least an advisory cautioning users of > FreeBSD not to enable ede, if not a patch to address it. That would be an MFS of 335c7cda12138f2aefa41fb739707612cc12a9be from stable/14 to releng/14.0 (releng/14.1 already has it) and a corresponding MFS from stable/13 to releng/13.{2,3}. > > - Steve Wall -- Cheers, Cy Schubert <[email protected]> FreeBSD UNIX: <[email protected]> Web: https://FreeBSD.org NTP: <[email protected]> Web: https://nwtime.org e^(i*pi)+1=0
