Hi, I am a Debian developer and part of the Debian LTS team. I'm currently going through the open vulnerabilities for the unbound versions in Debian Buster and Bullseye.
One of the issues is described in CVE-2024-43168. That particular issue was closed by [1]. However, it was then followed by a series of other commits [2,3,4]. In the pull request you mention [5] that these changes stop unbound "from taking a long time" and "having trouble with malformed input causing invalid accesses". How serious are these issues? There hasn't been any additional CVE as far as I know. Should these additional commits be applied to complete the fix for CVE-2024-43168?

Regards,
Daniel

[1] https://github.com/NLnetLabs/unbound/pull/1040
[2] https://github.com/NLnetLabs/unbound/commit/dfff8d23cf4145c58e5c1e99d4159d3a91a70ab7
[3] https://github.com/NLnetLabs/unbound/commit/4497e8a154f53cd5947a6ee5aa65cf99be57152e
[4] https://github.com/NLnetLabs/unbound/commit/c085a53268940dfbb907cbaa7a690740b6c8210c
[5] https://github.com/NLnetLabs/unbound/pull/1040#issuecomment-2033884392