Re: CVE 2024 1931 - unbound

From: Cy Schubert <Cy.Schubert_at_cschubert.com>
Date: Wed, 03 Jul 2024 23:29:38 UTC
On Wed, 3 Jul 2024 13:00:41 +0000
"Wall, Stephen" <stephen.wall@redcom.com> wrote:

> > From: Dag-Erling Smørgrav <des@FreeBSD.org>
> > The base system unbound is meant to be used with a configuration generated by
> > `local-unbound-setup`, which never enables the `ede` option which is a
> > prerequisite for the DoS attack described in CVE-2024-1931.

Did you actually mean CVE-2024-33655 instead?
  
> 
> Thanks for your reply.
> 
> Local_unbound_setup supports dropping additional config files in /var/unbound/conf.d, which will be loaded by unbound.  Files in this directory are not altered by local_unbound_setup.  This implies, to me, that customization of the base unbound is specifically supported, meaning any FreeBSD site could potentially have ede enabled, and therefore by vulnerable to this CVE.
> It's my opinion that this warrants at least an advisory cautioning users of FreeBSD not to enable ede, if not a patch to address it.

That would be an MFS of 335c7cda12138f2aefa41fb739707612cc12a9be from
stable/14 to releng/14.0 (releng/14.1 already has it) and a
corresponding MFS from stable/13 to releng/13.{2,3}.

> 
> - Steve Wall

-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e^(i*pi)+1=0