From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 281894] dns/unbound: Security upgrade to 1.21.1
Date: Sun, 06 Oct 2024 12:23:27 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281894

Bug ID: 281894
Summary: dns/unbound: Security upgrade to 1.21.1
Product: Ports & Packages
Version: Latest
Hardware: Any
URL: https://nlnetlabs.nl/news/2024/Oct/03/unbound-1.21.1-released/
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: ports-bugs@FreeBSD.org
Reporter: jaap@NLnetLabs.nl
CC: security-officer@FreeBSD.org
Attachment #254050 Flags: maintainer-approval+

Created attachment 254050
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=254050&action=edit
patch to upgrade

A vulnerability has been discovered in Unbound when handling replies with very
large RRsets that Unbound needs to perform name compression for.

Malicious upstream responses with very large RRsets can cause Unbound to spend
a considerable time applying name compression to downstream replies. This can
lead to degraded performance and eventually denial of service in well
orchestrated attacks.

Unbound version 1.21.1 introduces a hard limit on the number of name
compression calculations it is willing to do per packet. Packets that need more
compression will result in semi-compressed packets or truncated packets, even
on TCP for huge messages, to avoid locking the CPU for long.

This change should not affect normal DNS traffic.

We would like to thank Toshifumi Sakaguchi for discovering and responsibly
disclosing the vulnerability.

Apart from this, this port also includes a bug-fix patch for people using the
base OpenSSL (see also bug #281804).

-- 
You are receiving this mail because:
You are the assignee for the bug.
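
The mitigation described in the report, as an added sketch that is neither Unbound's code nor part of the original message: a DNS name writer whose search for compression targets is capped per packet, so that once the cap is spent the remaining names go out uncompressed (a "semi-compressed" packet). The names `struct pkt`, `find_suffix`, `put_name`, `encode_demo`, the budget values and the byte-wise suffix comparison are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
#define MAX_SEEN 64   /* suffixes remembered per packet (assumed value) */
struct pkt {
    uint8_t buf[512]; size_t len;
    const char *seen[MAX_SEEN]; uint16_t off[MAX_SEEN]; size_t nseen;
    unsigned budget;  /* suffix comparisons still allowed for this packet */
};

/* Search earlier names for this suffix; each comparison spends budget. */
static int find_suffix(struct pkt *p, const char *s) {
    for (size_t i = 0; i < p->nseen; i++) {
        if (p->budget == 0) return -1;      /* limit reached: stop looking */
        p->budget--;
        if (strcmp(p->seen[i], s) == 0) return p->off[i];
    }
    return -1;
}

/* Append a non-empty dotted name; returns bytes written, 0 if it cannot fit. */
static size_t put_name(struct pkt *p, const char *name) {
    size_t start = p->len, seen0 = p->nseen;
    if (!*name) return 0;
    while (*name) {
        size_t n = strcspn(name, ".");
        if (n == 0 || n > 63 || p->len + n + 2 > sizeof p->buf) {
            p->len = start; p->nseen = seen0; return 0;  /* roll back: truncate */
        }
        int at = find_suffix(p, name);
        if (at >= 0) {                      /* emit 2-byte compression pointer */
            p->buf[p->len++] = (uint8_t)(0xC0 | (at >> 8));
            p->buf[p->len++] = (uint8_t)at;
            return p->len - start;
        }
        if (p->nseen < MAX_SEEN) { p->seen[p->nseen] = name; p->off[p->nseen++] = (uint16_t)p->len; }
        p->buf[p->len++] = (uint8_t)n;      /* length octet, then the label */
        memcpy(p->buf + p->len, name, n); p->len += n;
        name += n + (name[n] == '.');
    }
    p->buf[p->len++] = 0;                   /* root label ends the name */
    return p->len - start;
}

/* Encode three constructed names under a budget; returns the packet size. */
size_t encode_demo(unsigned budget) {
    static const char *names[] = { "ns1.example.com", "ns2.example.com", "mail.example.com" };
    struct pkt p = { .budget = budget };
    for (size_t i = 0; i < 3; i++) put_name(&p, names[i]);
    return p.len;
}
```

With a generous budget all three names share one copy of `example.com`; with a budget of 8 the third name is written in full; with a budget of 0 nothing is compressed. The work done is bounded by the budget regardless of how many names the upstream response contained.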