Question regarding the fix for CVE-2024-43168 in unbound
Daniel Leidert
daniel.leidert at dleidert.dev
Mon Sep 23 20:26:14 UTC 2024
Hi,
I am a Debian developer and part of the Debian LTS team. I'm currently
going through the open vulnerabilities for the unbound versions in
Debian Buster and Bullseye.
One of the issues is described in CVE-2024-43168. That particular issue
was closed by [1]. However, it was then followed by a series of other
commits [2,3,4]. In the pull request you mention [5] that these changes
stop unbound "from taking a long time" and "having trouble with
malformed input causing invalid accesses".
How serious are these issues? There hasn't been any additional CVE as
far as I know. Should these additional commits be applied to complete
the fix for CVE-2024-43168?
Regards, Daniel
[1] https://github.com/NLnetLabs/unbound/pull/1040
[2] https://github.com/NLnetLabs/unbound/commit/dfff8d23cf4145c58e5c1e99d4159d3a91a70ab7
[3] https://github.com/NLnetLabs/unbound/commit/4497e8a154f53cd5947a6ee5aa65cf99be57152e
[4] https://github.com/NLnetLabs/unbound/commit/c085a53268940dfbb907cbaa7a690740b6c8210c
[5] https://github.com/NLnetLabs/unbound/pull/1040#issuecomment-2033884392