Date: Wed, 3 Jul 2024 16:29:38 -0700
From: Cy Schubert
To: "Wall, Stephen"
Cc: "freebsd-security@freebsd.org"
Subject: Re: CVE 2024 1931 - unbound
Message-ID: <20240703162938.7459b610@slippy>
References: <86jzi71tjx.fsf@ltc.des.dev>
Organization: KOMQUATS
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

On Wed, 3 Jul 2024 13:00:41 +0000 "Wall, Stephen" wrote:

> > From: Dag-Erling Smørgrav
> > The base system unbound is meant to be used with a configuration generated by
> > `local-unbound-setup`, which never enables the `ede` option which is a
> > prerequisite for the DoS attack described in CVE-2024-1931.

Did you actually mean CVE-2024-33655 instead?

>
> Thanks for your reply.
>
> Local_unbound_setup supports dropping additional config files in /var/unbound/conf.d, which will be loaded by unbound. Files in this directory are not altered by local_unbound_setup. This implies, to me, that customization of the base unbound is specifically supported, meaning any FreeBSD site could potentially have ede enabled, and therefore be vulnerable to this CVE.
> It's my opinion that this warrants at least an advisory cautioning users of FreeBSD not to enable ede, if not a patch to address it.

That would be an MFS of 335c7cda12138f2aefa41fb739707612cc12a9be from stable/14 to releng/14.0 (releng/14.1 already has it) and a corresponding MFS from stable/13 to releng/13.{2,3}.

>
> - Steve Wall

-- 
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

e^(i*pi)+1=0
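An added audit check (example code, not from this thread or the FreeBSD project) for the situation Steve describes: it walks the base-system unbound configuration, including the conf.d drop-ins that local-unbound-setup leaves untouched, and reports every uncommented `ede: yes` that would make the host subject to CVE-2024-1931. It assumes the FreeBSD base layout under /var/unbound (overridable by the first argument) and does not follow `include:` directives.

```shell
#!/bin/sh
# Added example: report where the base-system unbound has `ede: yes` set.
# Checks unbound.conf plus every *.conf drop-in under conf.d, which
# local-unbound-setup does not rewrite. `include:` directives are not
# followed (assumption: drop-ins are plain files in conf.d).

# unbound_ede_enabled [confdir]
#   Prints "file:line:text" for each enabled ede option.
#   Returns 0 if ede is enabled anywhere, 1 if it is not.
unbound_ede_enabled() {
    confdir="${1:-/var/unbound}"   # FreeBSD base layout by default
    found=1
    for f in "$confdir"/unbound.conf "$confdir"/conf.d/*.conf; do
        [ -f "$f" ] || continue
        # Strip '#' comments first so a commented-out "ede: yes" is not
        # reported, then match the server option on its own line. The
        # value is matched case-insensitively to err on the side of
        # reporting; unbound also accepts a quoted value.
        hits=$(sed -e 's/#.*$//' "$f" | \
               grep -n -i -E '^[[:space:]]*ede:[[:space:]]*"?yes"?[[:space:]]*$' \
               || true)
        if [ -n "$hits" ]; then
            found=0
            printf '%s\n' "$hits" | sed "s|^|$f:|"
        fi
    done
    return $found
}
```

Run it as `sh check_ede.sh` on a resolver host; a non-zero exit with no output means no drop-in enables the option.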