RE: CVE 2024 1931 - unbound
- Reply: Cy Schubert : "Re: CVE 2024 1931 - unbound"
- Reply: Gordon Tetlow : "Re: CVE 2024 1931 - unbound"
- In reply to: Dag-Erling_Smørgrav : "Re: CVE 2024 1931 - unbound"
Date: Wed, 03 Jul 2024 13:00:41 UTC
> From: Dag-Erling Smørgrav <des@FreeBSD.org>
>
> The base system unbound is meant to be used with a configuration generated by
> `local-unbound-setup`, which never enables the `ede` option which is a
> prerequisite for the DoS attack described in CVE-2024-1931.

Thanks for your reply.

Local_unbound_setup supports dropping additional config files in /var/unbound/conf.d, which will be loaded by unbound. Files in this directory are not altered by local_unbound_setup. This implies, to me, that customization of the base unbound is specifically supported, meaning any FreeBSD site could potentially have ede enabled, and therefore be vulnerable to this CVE.

It's my opinion that this warrants at least an advisory cautioning users of FreeBSD not to enable ede, if not a patch to address it.

- Steve Wall
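Since the point of contention above is whether a site-local drop-in under /var/unbound/conf.d might turn on `ede`, a quick audit script is the practical check. The script below is an added example and is not part of the mailing-list thread or of FreeBSD's local-unbound-setup; it assumes the generated unbound.conf includes every `*.conf` file in the conf.d directory (the function takes the directory as a parameter so it can be pointed elsewhere), and it builds two constructed sample files in a temporary directory so it runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): list conf.d-style
# unbound drop-in files that enable the "ede" server option, which is the
# precondition for CVE-2024-1931 named in the quoted reply.
# Assumption: the directory's *.conf files are included by unbound.conf.

# Print each file that enables ede. Returns 1 if any were found, else 0,
# so it can gate an upgrade or configuration-management step.
find_ede_enabled() {
    dir="${1:-/var/unbound/conf.d}"
    found=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Match an uncommented "ede: yes" (any indentation, case-insensitive);
        # a leading "#" before "ede:" does not match.
        if grep -Eiq '^[[:space:]]*ede:[[:space:]]*yes' "$f"; then
            echo "ede enabled in: $f"
            found=1
        fi
    done
    return $found
}

# Constructed sample directory so the example runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ok.conf" <<'EOF'
server:
    # ede: yes   (commented out; must not be reported)
    qname-minimisation: yes
EOF
cat > "$demo_dir/risky.conf" <<'EOF'
server:
    ede: yes
    ede-serve-expired: yes
EOF

find_ede_enabled "$demo_dir" || echo "ede is enabled locally; review before relying on the default-config argument"
```

Run it with no argument on a FreeBSD host to inspect the real /var/unbound/conf.d; a non-zero exit means at least one drop-in file enables `ede` and the host is not covered by the "default configuration never enables it" reasoning.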