[Bug 281894] dns/unbound: Security upgrade to 1.21.1

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281894

            Bug ID: 281894
           Summary: dns/unbound: Security upgrade to 1.21.1
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://nlnetlabs.nl/news/2024/Oct/03/unbound-1.21.1-r
                    eleased/
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: jaap@NLnetLabs.nl
                CC: security-officer@FreeBSD.org
 Attachment #254050 maintainer-approval+
             Flags:

Created attachment 254050
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=254050&action=edit
patch to upgrade

A vulnerability has been discovered in Unbound when handling replies with very
large RRsets that Unbound needs to perform name compression for.

Malicious upstreams responses with very large RRsets can cause Unbound to spend
a considerable time applying name compression to downstream replies. This can
lead to degraded performance and eventually denial of service in well
orchestrated attacks.

Unbound version 1.21.1 introduces a hard limit on the number of name
compression calculations it is willing to do per packet. Packets that need more
compression will result in semi-compressed packets or truncated packets, even
on TCP for huge messages, to avoid locking the CPU for long.

This change should not affect normal DNS traffic.

We would like to thank Toshifumi Sakaguchi for discovering and responsibly
disclosing the vulnerability.


Apart from this, This pot also includes a patch to bug fix for people using the
base openSSL (See also bug #281804).

-- 
You are receiving this mail because:
You are the assignee for the bug.