Debian Patches

Status for unbound/1.17.1-2+deb12u4

Patch Description Author Forwarded Bugs Origin Last update
unbound-control-setup-check-openssl.patch unbound-control-setup: check openssl
Before doing anything, check if openssl binary (which we will use)
is available, and print a useful error message if it is not found.

diff --git a/smallapp/unbound-control-setup.sh.in b/smallapp/unbound-control-setup.sh.in
index eaf1d082..be804879 100644
Michael Tokarev <mjt@tls.msk.ru> no 2022-04-19
do-not-chown-control-socket.patch do not chown control socket
There's no need to chown the control socket to the unbound user,
only group ownership is actually useful.

diff --git a/daemon/remote.c b/daemon/remote.c
index 675ef439..76eb6118 100644
Michael Tokarev <mjt@tls.msk.ru> no 2022-04-28
do-not-look-at-pidfile.patch diff --git a/daemon/unbound.c b/daemon/unbound.c
index 457a0803..9d8491b3 100644
no
fix-812-fix-846-by-using-the-SSL_OP_IGNORE_UNEXPECTE.patch Fix #812, fix #846, by using the SSL_OP_IGNORE_UNEXPECTED_EOF option to ignore the unexpected eof while reading in openssl >= 3. George Thessalonikefs <george@nlnetlabs.nl> not-needed debian upstream upstream, https://github.com/NLnetLabs/unbound/commit/d7e776114114c16816570e48ab3a27eedc401a0e 2023-03-17
fix-823-Response-change-to-NODATA-for-some-ANY-queries.patch Fix #823: Response change to NODATA for some ANY queries since 1.12, tested on 1.16.1. "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> yes upstream https://github.com/NLnetLabs/unbound/commit/ba6325f24f6462420d3adf80a3c21848ab8e9fe0 2023-01-06
fix-not-following-cleared-RD-flags-amplification.patch Fix not following cleared RD flags potentially enables amplification DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab,
Tsinghua University. The fix stops query loops, by refusing to send
RD=0 queries to a forwarder, they still get answered from cache.
"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> no https://github.com/NLnetLabs/unbound/commit/b12ab31ae36ae2b124748d37835d74dca15b161f 2023-01-18
CVE-2023-50387-DNSSEC-verification-complexity.patch Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> yes upstream https://github.com/NLnetLabs/unbound/commit/882903f2fa800c4cb6f5e225b728e2887bb7b9ae 2024-02-13
CVE-2023-50868-NSEC3-closest-encloser-proof-exhaust-CPU.patch CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU. "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> yes upstream https://github.com/NLnetLabs/unbound/commit/92f2a1ca690a44880f4c4fa70a4b5a4b029aaf1c 2024-02-13
CVE-2024-43168/01-193401e75.patch fix heap-buffer-overflow issue in function cfg_mark_ports of file util/config_file.c zhailiangliang <zhailiangliang@loongson.cn> yes upstream https://github.com/NLnetLabs/unbound/commit/193401e7543a1e561dd634a3eaae932fa462a2b9 2024-04-03
CVE-2024-43168/02-dfff8d23c.patch Adjust error text and disallow negative ports in other parts of cfg_mark_ports "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> yes upstream https://github.com/NLnetLabs/unbound/commit/dfff8d23cf4145c58e5c1e99d4159d3a91a70ab7 2024-04-03
CVE-2024-43168/03-4497e8a15.patch Fix potential overflow bug while parsing port in function cfg_mark_ports zhailiangliang <zhailiangliang@loongson.cn> yes upstream https://github.com/NLnetLabs/unbound/commit/4497e8a154f53cd5947a6ee5aa65cf99be57152e 2024-05-07
CVE-2024-43168/04-c085a5326.patch Fix declaration before statement, avoid print of null, and redundant check for array size "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> yes upstream https://github.com/NLnetLabs/unbound/commit/c085a53268940dfbb907cbaa7a690740b6c8210c 2024-05-07
CVE-2024-43167/01-8e43e2574.patch fix null pointer dereference issue in function ub_ctx_set_fwd of file libunbound/libunbound.c zhailiangliang <zhailiangliang@loongson.cn> yes debian upstream https://github.com/NLnetLabs/unbound/commit/8e43e2574c4e02f79c562a061581cdcefe136912 2024-05-21
CVE-2024-43167/02-86ee8ccd1.patch Fix to print a parse error when config is read with no name for a forward-zone, stub-zone or view "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> yes debian upstream https://github.com/NLnetLabs/unbound/commit/86ee8ccd121d6ad2db41e065b7d5e63605a324b2 2024-05-21
CVE-2024-43167/03-d149e755f.patch Fix for parse end of forward-zone, stub-zone and view. "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> yes debian upstream https://github.com/NLnetLabs/unbound/commit/d149e755fd0b961fe6f0710ae88e7b2fa1662310 2024-05-21
CVE-2024-43167/04-db1167c8b.patch Fix "memory exhausted" error when defining more than 9994 local-zones "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> yes debian upstream https://github.com/NLnetLabs/unbound/commit/db1167c8b38daf2a4352ba3e4e6d54740e999d29 2024-08-23
CVE-2024-8508.patch Fix CVE-2024-8508, unbounded name compression could lead to denial of service. Yorgos Thessalonikefs <yorgos@nlnetlabs.nl> yes debian upstream https://github.com/NLnetLabs/unbound/commit/b7c61d7cc256d6a174e6179622c7fa968272c259 2024-10-03
CVE-2024-33655.patch Fix for the DNSBomb vulnerability CVE-2024-33655
Thanks to Xiang Li from the Network and Information Security Lab of
Tsinghua University for reporting it.
"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> yes upstream https://github.com/NLnetLabs/unbound/commit/c3206f4568f60c486be6d165b1f2b5b254fea3de 2024-05-01
CVE-2025-5994.patch Fix RebirthDay Attack CVE-2025-5994
Reported by Xiang Li from AOSP Lab Nankai University.
"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> yes debian upstream https://github.com/NLnetLabs/unbound/commit/5bf82f246481098a6473f296b21fc1229d276c0f 2025-07-16
0017-Updated-IPv4-and-IPv6-address-for-b.root-servers.net.patch Updated IPv4 and IPv6 address for b.root-servers.net in root hints.
See https://b.root-servers.org/news/2023/05/16/new-addresses.html .
This fixes the `root_hints` longtest.
"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> no https://github.com/NLnetLabs/unbound/commit/a8739bad76d4d179290627e989c7ef236345bda6 2023-12-06
CVE-2025-11411/1-iterator-iter_scrub.c-pass-module_env-parameter-to-s.patch iterator/iter_scrub.c: pass module_env parameter to scrub_normalize()
This is a part of upstream commit 8df1e58209458b9ff62b00c29d01964570d82cbb
"Add harden-unknown-additional option":
https://github.com/NLnetLabs/unbound/commit/8df1e58209458b9ff62b00c29d01964570d82cbb
The only 2 minimal changes are needed for the subsequent fix in this area, -
passing extra `env' argument to scrub_normalize().
Michael Tokarev <mjt@tls.msk.ru> no 2025-11-30
CVE-2025-11411/2-possible-domain-hijacking-attack.patch CVE-2025-11411 (possible domain hijacking attack)
reported by Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan
from Tsinghua University.
Yorgos Thessalonikefs <yorgos@nlnetlabs.nl> yes upstream https://github.com/NLnetLabs/unbound/commit/a33f0638e1dacf2633cf2292078a674576bca852 2025-10-22
CVE-2025-11411/3-additional-fix-for-possible-domain-hijacking.patch Additional fix for CVE-2025-11411 (possible domain hijacking attack)
Fix to include YXDOMAIN and non-referral nodata answers in the mitigation as
well, reported by TaoFei Guo from Peking University, Yang Luo and JianJun Chen
from Tsinghua University.
Yorgos Thessalonikefs <yorgos@nlnetlabs.nl> yes debian upstream https://github.com/NLnetLabs/unbound/commit/f6269baa605d31859f28770e01a24e3677e5f82c 2025-11-26
fix-595-unbound-anchor-cannot-deal-with-full-disk.patch Fix #595: unbound-anchor cannot deal with full disk
- Fix #595: unbound-anchor cannot deal with full disk; it will now
first write out to a temp file before replacing the original one,
like Unbound already does for auto-trust-anchor-file.
Yorgos Thessalonikefs <yorgos@nlnetlabs.nl> yes debian upstream https://github.com/NLnetLabs/unbound/commit/8575d5b35ce3b91b41962fbba69030cc8789c3bf 2024-04-08
