Date: Sun, 6 Oct 2024 16:16:53 GMT
Message-Id: <202410061616.496GGrPx067383@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Robert Clausecker
Subject: git: 7382ac2b1be7 - main - security/vuxml: document unbound vulnerability
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
X-BeenThere: dev-commits-ports-all@freebsd.org
Sender: owner-dev-commits-ports-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: fuz
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 7382ac2b1be7e88d833178bd9da899342293aa2f
Auto-Submitted: auto-generated

The branch main has been updated by fuz:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7382ac2b1be7e88d833178bd9da899342293aa2f

commit 7382ac2b1be7e88d833178bd9da899342293aa2f
Author: Robert Clausecker
AuthorDate: 2024-10-06 15:22:35 +0000
Commit: Robert Clausecker
CommitDate: 2024-10-06 16:16:19 +0000

    security/vuxml: document unbound vulnerability

    PR: 281894
    Security: CVE-2024-8508
    Security: 2368755b-83f6-11ef-8d2e-a04a5edf46d9
--- security/vuxml/vuln/2024.xml | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index c7a7e8ea2a68..abd25ac05ad8 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,41 @@ + + Unbound -- Denial of service attack + + + unbound + 1.21.1 + + + + +

NLnet labs report:

+
+

A vulnerability has been discovered in Unbound when handling + replies with very large RRsets that Unbound needs to perform name + compression for.

+

Malicious upstreams responses with very large RRsets can cause + Unbound to spend a considerable time applying name compression to + downstream replies. This can lead to degraded performance and + eventually denial of service in well orchestrated attacks.

+

Unbound version 1.21.1 introduces a hard limit on the number of + name compression calculations it is willing to do per packet. + Packets that need more compression will result in semi-compressed + packets or truncated packets, even on TCP for huge messages, to + avoid locking the CPU for long.

+

This change should not affect normal DNS traffic.

+
+ +
+ + CVE-2024-8508 + https://nlnetlabs.nl/news/2024/Oct/03/unbound-1.21.1-released/ + + + 2024-10-03 + 2024-10-06 + +
+ zeek -- potential DoS vulnerability
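
Review bot: The version bound on the `unbound` package (the `1.21.1` line at the top of the new entry) needs to be a strict less-than range, because the quoted report says 1.21.1 is the release that introduces the hard limit on name compression calculations; the range operator is not visible in this rendering of the hunk, so please confirm it before this is relied on for audit results. The entry also lists only the single package name `unbound`; if other package names in the tree ship the same code they need their own name lines here. As a style point, the attribution line reads "NLnet labs report:", and the vendor's name is written "NLnet Labs".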