RE: FreeBSD Security Advisory FreeBSD-SA-24:03.unbound

From: Wall, Stephen <stephen.wall_at_redcom.com>
Date: Fri, 19 Apr 2024 15:11:51 UTC
> FreeBSD-SA-24:03.unbound                                    Security Advisory
> 
> Topic:          Multiple vulnerabilities in unbound

Since upgrading to p6 in response to this SA, we've found that kinit has started
failing for us. This looks to be due to aaf2c7fdb8 [1], when it attempts to load
the legacy OpenSSL provider, which we do not install on our systems.
Furthermore, it loads the default provider as well, which we specifically do not
load when systems are configured for FIPS operation.

What is our exposure if we simply revert this commit? Are there any CVEs
associated with it? Is there a way to disable the ciphers at build time that
can trigger the segfaults?

Or am I on my own resolving this because we do not use the legacy provider (i.e.
not a default system)?

Thanks for your consideration.

- Steve Wall

[1] https://cgit.freebsd.org/src/commit/?h=releng/14.0&id=aaf2c7fdb81a1dd9de9fc77c9313f4e60e68fa76