From: Darren Pilgrim
Date: Wed, 17 Dec 2014 10:12:19 -0800
To: freebsd-security@freebsd.org, FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:30.unbound
Message-ID: <5491C783.8060303@bluerosetech.com>
In-Reply-To: <20141217083643.E0059421C@nine.des.no>
References: <20141217083643.E0059421C@nine.des.no>

On 12/17/2014 12:36 AM, FreeBSD Security Advisories wrote:
> IV. Workaround
>
> No workaround is available, but hosts not running unbound(8) are not
> vulnerable.

The first part of that statement is false. The dns/unbound port was fixed for CVE-2014-8602 on 9 December. Thus a valid workaround is to disable local_unbound and use ports/dns/unbound.