The CVE number for this vulnerability is CVE-2024-1931.

== Summary
Recent versions of Unbound contain a vulnerability that can cause denial
of service by a certain code path that can lead to an infinite loop.
This issue can only be triggered if the non-default option 'ede: yes' is
used, Unbound would reply with attached EDE information on a positive
reply, and the client's buffer size is relatively smaller than the
needed space to include EDE records.

== Affected products
Unbound 1.18.0 up to and including 1.19.1.

== Description
Unbound 1.18.0 introduced a feature that removes EDE records from
responses with size higher than the client's advertised buffer size.
Before removing all the EDE records however, it would try to see if
trimming the extra text fields on those records would result in an
acceptable size while still retaining the EDE codes.
Due to an unchecked condition, the code that trims the text of the EDE
records could loop indefinitely.
This happens when Unbound would reply with attached EDE information on a
positive reply and the client's buffer size is smaller than the needed
space to include EDE records.

This issue can only be triggered when the below condition is met:
* Unbound is configured with 'ede: yes' (non-default).

== Solution
Either disable ede support with 'ede: no' (default configuration), or
download a patched version of Unbound, or apply the patch manually.

+ Downloading patched version
Unbound 1.19.2 is released with the patch
https://nlnetlabs.nl/downloads/unbound/unbound-1.19.2.tar.gz

+ Applying the patch manually
For Unbound 1.18.0 up to and including 1.19.1 the patch is:
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2024-1931.diff

Apply the patch on the Unbound source directory with:
'patch -p1 < patch_CVE-2024-1931.diff'
then run 'make install' to install Unbound.

== Acknowledgments
We would like to thank Fredrik Pettai and Patrik Lundin from SUNET for
notifying us about the issue and working with us to identify the
vulnerability.