git: 7382ac2b1be7 - main - security/vuxml: document unbound vulnerability

From: Robert Clausecker <fuz_at_FreeBSD.org>
Date: Sun, 06 Oct 2024 16:16:53 UTC
The branch main has been updated by fuz:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7382ac2b1be7e88d833178bd9da899342293aa2f

commit 7382ac2b1be7e88d833178bd9da899342293aa2f
Author:     Robert Clausecker <fuz@FreeBSD.org>
AuthorDate: 2024-10-06 15:22:35 +0000
Commit:     Robert Clausecker <fuz@FreeBSD.org>
CommitDate: 2024-10-06 16:16:19 +0000

    security/vuxml: document unbound vulnerability
    
    PR:             281894
    Security:       CVE-2024-8508
    Security:       2368755b-83f6-11ef-8d2e-a04a5edf46d9
---
 security/vuxml/vuln/2024.xml | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml
index c7a7e8ea2a68..abd25ac05ad8 100644
--- a/security/vuxml/vuln/2024.xml
+++ b/security/vuxml/vuln/2024.xml
@@ -1,3 +1,41 @@
+  <vuln vid="2368755b-83f6-11ef-8d2e-a04a5edf46d9">
+    <topic>Unbound -- Denial of service attack</topic>
+    <affects>
+      <package>
+	<name>unbound</name>
+	<range><lt>1.21.1</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>NLnet labs report:</p>
+	<blockquote cite="https://nlnetlabs.nl/news/2024/Oct/03/unbound-1.21.1-released/">
+	  <p>A vulnerability has been discovered in Unbound when handling
+	    replies with very large RRsets that Unbound needs to perform name
+	    compression for.</p>
+	  <p>Malicious upstreams responses with very large RRsets can cause
+	    Unbound to spend a considerable time applying name compression to
+	    downstream replies. This can lead to degraded performance and
+	    eventually denial of service in well orchestrated attacks.</p>
+	  <p>Unbound version 1.21.1 introduces a hard limit on the number of
+	    name compression calculations it is willing to do per packet.
+	    Packets that need more compression will result in semi-compressed
+	    packets or truncated packets, even on TCP for huge messages, to
+	    avoid locking the CPU for long.</p>
+	  <p>This change should not affect normal DNS traffic.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2024-8508</cvename>
+      <url>https://nlnetlabs.nl/news/2024/Oct/03/unbound-1.21.1-released/</url>
+    </references>
+    <dates>
+      <discovery>2024-10-03</discovery>
+      <entry>2024-10-06</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="fe7031d3-3000-4b43-9fa6-52c2b624b8f9">
     <topic>zeek -- potential DoS vulnerability</topic>
     <affects>
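Review bot: The `<references>` block at the end of the new entry omits the FreeBSD problem report that the commit message itself cites (PR 281894), so readers of the VuXML record cannot trace the report back to the port maintainer's discussion; add `<freebsdpr>ports/281894</freebsdpr>` alongside the `<cvename>` and `<url>` elements. A small wording nit in the introductory paragraph: `<p>NLnet labs report:</p>` would read better as `<p>NLnet Labs reports:</p>`, matching the vendor's own capitalisation, while the quoted advisory text inside the blockquote should stay verbatim. The indentation of the entry mixes tab-indented lines (the `<name>`, `<range>` and `<body>` lines) with space-indented siblings; if the surrounding file uses one convention, it is worth normalising before the entry lands.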