Debian Patches
Status for unbound/1.22.0-2+deb13u3
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| do-not-chown-control-socket.patch | do not chown control socket There's no need to chown the control socket to the unbound user, only group ownership is actually useful. diff --git a/daemon/remote.c b/daemon/remote.c index 675ef439..76eb6118 100644 |
Michael Tokarev <mjt@tls.msk.ru> | no | 2022-04-28 | ||
| Fix-RebirthDay-Attack-CVE-2025-5994.patch | Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from AOSP Lab Nankai University | "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> | not-needed | debian | upstream, https://github.com/NLnetLabs/unbound/commit/5bf82f246481098a6473f296b21fc1229d276c0f | 2025-07-16 |
| CVE-2025-11411.patch | Fix CVE-2025-11411 (possible domain hijacking attack) Reported by Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua University. |
Yorgos Thessalonikefs <yorgos@nlnetlabs.nl> | yes | upstream | https://github.com/NLnetLabs/unbound/commit/a33f0638e1dacf2633cf2292078a674576bca852 | 2025-10-22 |
| CVE-2025-11411-additional-nodata.patch | Additional fix for CVE-2025-11411 (possible domain hijacking attack), to include YXDOMAIN and non-referral nodata answers in the mitigation as well, reported by TaoFei Guo from Peking University, Yang Luo and JianJun Chen from Tsinghua University. |
Yorgos Thessalonikefs <yorgos@nlnetlabs.nl> | not-needed | upstream, https://github.com/NLnetLabs/unbound/commit/f6269baa605d31859f28770e01a24e3677e5f82c | 2025-11-26 | |
| 1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch | Fix #1247: forward-first: ssl handshake failed on root nameservers diff --git a/iterator/iterator.c b/iterator/iterator.c |
Yorgos Thessalonikefs <yorgos@nlnetlabs.nl> | not-needed | debian | upstream, https://github.com/NLnetLabs/unbound/issues/1247 | 2025-06-25 |
| 1247-turn-off-fetch-policy-for-delegation-when.patch | For #1247, turn off fetch-policy for delegation when looking into parent side name servers that may not update the addresses and hit NXNS limits diff --git a/iterator/iter_delegpt.h b/iterator/iter_delegpt.h |
Yorgos Thessalonikefs <yorgos@nlnetlabs.nl> | not-needed | debian | upstream, https://github.com/NLnetLabs/unbound/issues/1247 | 2025-06-25 |
| 26-05/01-Use-the-same-EDE-removal-logic-when-encoding-errors.patch | - Use the same EDE removal logic when encoding errors as when encoding replies. | Yorgos Thessalonikefs <yorgos@nlnetlabs.nl> | not-needed | upstream, https://github.com/NLnetLabs/unbound/commit/44659cb3bf4601d2daa19a0d51ac5af54bc698bc | 2025-12-31 | |
| 26-05/02-CVE-2026-33278-Possible-RCU-in-DNSSEC-validation.patch | - Fix CVE-2026-33278, Possible remote code execution during DNSSEC validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report. | "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> | not-needed | upstream, https://github.com/NLnetLabs/unbound/commit/6a31e470f80a6e5c559ebe7fd4cfc0582d3b6d0a | 2026-05-20 | |
| 26-05/03-CVE-2026-42944-Heap-overflow-multiple-nsid-cookie-padding.patch | - Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for the report. |
"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> | not-needed | upstream, https://github.com/NLnetLabs/unbound/commit/fe946ba4e935a1528e6866e108e5bc9e7533ae18 | 2026-05-20 | |
| 26-05/04-CVE-2026-42959-Crash-DNSSEC-validation-of-malicious-content.patch | - Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content. Thanks to Qifan Zhang, Palo Alto Networks, for the report. | "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> | not-needed | upstream, https://github.com/NLnetLabs/unbound/commit/94d5babaee22a016e376bdcfee2b9bb40360367c | 2026-05-20 | |
| 26-05/05-CVE-2026-32792-Packet-of-death-with-DNSCrypt.patch | - Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew Griffiths from 'calif.io' for the report. | "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> | not-needed | upstream, https://github.com/NLnetLabs/unbound/commit/a587535c5dd8a5ea8259507152f055be318367df | 2026-05-20 | |
| 26-05/06-CVE-2026-40622-Ghost-domain-name-variant.patch | - Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang, Palo Alto Networks, for the report. | "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> | not-needed | upstream, https://github.com/NLnetLabs/unbound/commit/8d8fa4226613138f5a244a9f1a2506704e049180 | 2026-05-20 | |
| 26-05/07-CVE-2026-41292-Parsing-a-long-list-of-incoming-EDNS-options.patch | - Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan Zhang from Palo Alto Networks, for the report. |
"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> | not-needed | upstream, https://github.com/NLnetLabs/unbound/commit/ef5ca84360934fa1e857ebc371d4b093aea6355d | 2026-05-20 | |
| 26-05/08-CVE-2026-42534-Jostle-logic-bypass-degrades-performance.patch | - Fix CVE-2026-42534, Jostle logic bypass degrades resolution performance. Thanks to Qifan Zhang, Palo Alto Networks, for the report. | "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> | not-needed | upstream, https://github.com/NLnetLabs/unbound/commit/a794c87578c963606a6fb00a54c46fcf935f519a | 2026-05-20 | |
| 26-05/09-CVE-2026-42923-Degradation-of-service-unbouded-NSEC-hash-calc.patch | - Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the report. |
"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> | not-needed | upstream, https://github.com/NLnetLabs/unbound/commit/c343fff3a4de922835fec7232b90faed658b5371 | 2026-05-20 | |
| 26-05/10-CVE-2026-42960-Possible-cache-poisoning-following-delegation.patch | - Fix CVE-2026-42960, Possible cache poisoning attack while following delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and JianJun Chen, Tsinghua University, for the report. |
"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> | not-needed | upstream, https://github.com/NLnetLabs/unbound/commit/8ae4b4545dccaaabd30b597b0dcb0d9640c8cc39 | 2026-05-20 | |
| 26-05/11-CVE-2026-44390-Unbounded-name-compression.patch | - Fix CVE-2026-44390, Unbounded name compression in certain cases causes degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for the report. |
"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> | not-needed | upstream, https://github.com/NLnetLabs/unbound/commit/dae7a3797424607906b132c008fc12dba867b5f3 | 2026-05-20 | |
| 26-05/12-CVE-2026-44608-UAF-in-RPZ-code.patch | - Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to Qifan Zhang, Palo Alto Networks, for the report. | "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> | not-needed | upstream, https://github.com/NLnetLabs/unbound/commit/75b6dba593d4fff000434cd64807c6ebd50bd244 | 2026-05-20 | |
| 26-05/13-Unit-test-for-CVE-2026-33278.patch | - Unit test for CVE-2026-33278. | "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> | not-needed | upstream, https://github.com/NLnetLabs/unbound/commit/b46ff5c18eafa055378b7105c9c5e77454291a47 | 2026-05-20 | |
| 26-05/14-Unit-test-for-CVE-2026-42944.patch | - Unit test for CVE-2026-42944. | "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> | not-needed | upstream, https://github.com/NLnetLabs/unbound/commit/9d2e0f1c02f842d355809ffea28a1bd62bfe83ba | 2026-05-20 | |
| 26-05/15-Unit-test-for-CVE-2026-42959.patch | - Unit test for CVE-2026-42959. | "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> | not-needed | upstream, https://github.com/NLnetLabs/unbound/commit/d357935f662d239616fee1403f6799a66b60d986 | 2026-05-20 | |
| 26-05/16-Unit-test-for-CVE-2026-40622.patch | - Unit test for CVE-2026-40622. | "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> | not-needed | upstream, https://github.com/NLnetLabs/unbound/commit/b5f21f41658f65d6143df6a3208e8ccf1a01604d | 2026-05-20 | |
| 26-05/17-Unit-test-for-CVE-2026-42960.patch | - Unit test for CVE-2026-42960. | "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> | not-needed | upstream, https://github.com/NLnetLabs/unbound/commit/0d2282d5513e73b526a44483d63fc5d0f9c41439 | 2026-05-20 |
All known versions for source package 'unbound'
- 1.25.1-1 (sid, forky)
- 1.22.0-2+deb13u3 (trixie-proposed-updates, trixie-security)
- 1.22.0-2+deb13u2 (trixie)
- 1.17.1-2+deb12u4 (bookworm)
- 1.17.1-2+deb12u3 (bookworm-security)
