Diffusion FreeBSD src repository b01f35a4e19d

Mitigate YXDOMAIN and nodata non-referral answer poisoning.
b01f35a4e19d
Actions

Description

Mitigate YXDOMAIN and nodata non-referral answer poisoning.

Add a fix to apply scrubbing of unsolicited NS RRSets (and their
respective address records) for YXDOMAIN and nodata non-referral
answers. This prevents a malicious actor from exploiting a possible
cache poison attack.

Obtained from: NLnet Labs
Security: FreeBSD-SA-25:10.unbound
Security: CVE-2025-11411

(cherry picked from commit 2a3a6a1771148a709c2d9694c1d66c41ce8dee79)

Details

Provenance

gordon

Authored on Fri, Nov 21, 9:24 PM

Parents

rG5f2dd3dfd72d: local-unbound: Read a tab separated resolv.conf

Branches

Unknown

Tags

Unknown

Event Timeline

gordon committed rGb01f35a4e19d: Mitigate YXDOMAIN and nodata non-referral answer poisoning. (authored by gordon).Wed, Nov 26, 3:59 PM

Changes (1)

Path

Size

contrib/

unbound/

iterator/

iter_scrub.c

rGb01f35a4e19d

View Options

contrib/unbound/iterator/iter_scrub.c