Re: CVE 2024 1931 - unbound

From: Dag-Erling_Smørgrav <des_at_FreeBSD.org>
Date: Sat, 29 Jun 2024 18:40:34 UTC
"Wall, Stephen" <stephen.wall@redcom.com> writes:
> This CVE lists unbound 1.19.1 as being vulnerable.  This is the
> version currently included in 14.0, but there is no Security Advisory
> for it.  Does this mean that the base system unbound can’t be used in
> a way that makes it vulnerable, or is this something that needs to be
> addressed?

The base system unbound is meant to be used with a configuration
generated by `local-unbound-setup`, which never enables the `ede` option
which is a prerequisite for the DoS attack described in CVE-2024-1931.

DES (speaking only for himself)
-- 
Dag-Erling Smørgrav - des@FreeBSD.org
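
Added example, not part of the original message and not FreeBSD or unbound project code: a shell check that reports whether a given unbound configuration effectively enables the `ede` option named in the reply as the prerequisite. The function names, the constructed sample files, and the rule used for resolving relative `include:` paths are assumptions of this example.

```shell
#!/bin/sh
# Added example: report the effective value of unbound's `ede` option.

# directives FILE [BASE] [DEPTH]: print "key value" for every option in FILE,
# with comments and quotes stripped and include: files expanded in place.
# Assumption: relative include paths are resolved against BASE
# (default: the directory of the top-level file).
directives() (
    file=$1; base=${2:-$(dirname "$1")}; depth=${3:-0}
    [ -r "$file" ] && [ "$depth" -lt 8 ] || exit 0   # guard against include loops
    sed -e 's/#.*$//' -e 's/"//g' -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' -e 's/[[:space:]]*:[[:space:]]*/:/' "$file" |
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in *:*) ;; *) continue ;; esac
        key=${line%%:*}; val=${line#*:}
        case $key in
            include|include-toplevel)
                case $val in /*) ;; *) val=$base/$val ;; esac
                for inc in $val; do              # unquoted so globs expand
                    directives "$inc" "$base" $((depth + 1))
                done ;;
            *) printf '%s %s\n' "$key" "$val" ;;
        esac
    done
)

# ede_setting FILE: print "yes" or "no". The last `ede:` assignment wins and
# an unset option counts as "no". The key must match exactly, so
# `ede-serve-expired` is not mistaken for `ede`.
ede_setting() {
    directives "$1" |
        awk '$1 == "ede" { v = $2 } END { print (v == "yes" ? "yes" : "no") }'
}

# make_sample DIR: write a constructed two-file configuration into DIR.
make_sample() {
    mkdir -p "$1/conf.d"
    printf 'server:\n\tede-serve-expired: yes\n\tede: no  # default\n' > "$1/unbound.conf"
    printf 'include: "conf.d/*.conf"\n' >> "$1/unbound.conf"
    printf 'server:\n\tede: yes\n' > "$1/conf.d/local.conf"
}

# Demo on the constructed sample: the included file turns `ede` on.
tmp=$(mktemp -d) && make_sample "$tmp"
echo "effective ede setting: $(ede_setting "$tmp/unbound.conf")"
rm -rf "$tmp"
```

To check a real system, call `ede_setting` with the path of the configuration file the running unbound was started with.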