Debian Patches

Status for unbound/1.22.0-2+deb13u3

Patch Description Author Forwarded Bugs Origin Last update
do-not-chown-control-socket.patch do not chown control socket
There's no need to chown the control socket to the unbound user,
only group ownership is actually useful.

diff --git a/daemon/remote.c b/daemon/remote.c
index 675ef439..76eb6118 100644
Michael Tokarev <mjt@tls.msk.ru> no 2022-04-28
Fix-RebirthDay-Attack-CVE-2025-5994.patch Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from AOSP Lab Nankai University "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> not-needed debian upstream, https://github.com/NLnetLabs/unbound/commit/5bf82f246481098a6473f296b21fc1229d276c0f 2025-07-16
CVE-2025-11411.patch Fix CVE-2025-11411 (possible domain hijacking attack)
Reported by Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from
Tsinghua University.
Yorgos Thessalonikefs <yorgos@nlnetlabs.nl> yes upstream https://github.com/NLnetLabs/unbound/commit/a33f0638e1dacf2633cf2292078a674576bca852 2025-10-22
CVE-2025-11411-additional-nodata.patch Additional fix for CVE-2025-11411 (possible domain hijacking attack), to include YXDOMAIN and non-referral nodata answers in
the mitigation as well, reported by TaoFei Guo from Peking University, Yang
Luo and JianJun Chen from Tsinghua University.
Yorgos Thessalonikefs <yorgos@nlnetlabs.nl> not-needed upstream, https://github.com/NLnetLabs/unbound/commit/f6269baa605d31859f28770e01a24e3677e5f82c 2025-11-26
1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch Fix #1247: forward-first: ssl handshake failed on root nameservers
diff --git a/iterator/iterator.c b/iterator/iterator.c
Yorgos Thessalonikefs <yorgos@nlnetlabs.nl> not-needed debian upstream, https://github.com/NLnetLabs/unbound/issues/1247 2025-06-25
1247-turn-off-fetch-policy-for-delegation-when.patch For #1247, turn off fetch-policy for delegation when looking into parent side name servers that may not update the addresses and
hit NXNS limits

diff --git a/iterator/iter_delegpt.h b/iterator/iter_delegpt.h
Yorgos Thessalonikefs <yorgos@nlnetlabs.nl> not-needed debian upstream, https://github.com/NLnetLabs/unbound/issues/1247 2025-06-25
26-05/01-Use-the-same-EDE-removal-logic-when-encoding-errors.patch - Use the same EDE removal logic when encoding errors as when encoding replies. Yorgos Thessalonikefs <yorgos@nlnetlabs.nl> not-needed upstream, https://github.com/NLnetLabs/unbound/commit/44659cb3bf4601d2daa19a0d51ac5af54bc698bc 2025-12-31
26-05/02-CVE-2026-33278-Possible-RCU-in-DNSSEC-validation.patch - Fix CVE-2026-33278, Possible remote code execution during DNSSEC validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report. "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> not-needed upstream, https://github.com/NLnetLabs/unbound/commit/6a31e470f80a6e5c559ebe7fd4cfc0582d3b6d0a 2026-05-20
26-05/03-CVE-2026-42944-Heap-overflow-multiple-nsid-cookie-padding.patch - Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto
Networks, for the report.
"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> not-needed upstream, https://github.com/NLnetLabs/unbound/commit/fe946ba4e935a1528e6866e108e5bc9e7533ae18 2026-05-20
26-05/04-CVE-2026-42959-Crash-DNSSEC-validation-of-malicious-content.patch - Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content. Thanks to Qifan Zhang, Palo Alto Networks, for the report. "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> not-needed upstream, https://github.com/NLnetLabs/unbound/commit/94d5babaee22a016e376bdcfee2b9bb40360367c 2026-05-20
26-05/05-CVE-2026-32792-Packet-of-death-with-DNSCrypt.patch - Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew Griffiths from 'calif.io' for the report. "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> not-needed upstream, https://github.com/NLnetLabs/unbound/commit/a587535c5dd8a5ea8259507152f055be318367df 2026-05-20
26-05/06-CVE-2026-40622-Ghost-domain-name-variant.patch - Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang, Palo Alto Networks, for the report. "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> not-needed upstream, https://github.com/NLnetLabs/unbound/commit/8d8fa4226613138f5a244a9f1a2506704e049180 2026-05-20
26-05/07-CVE-2026-41292-Parsing-a-long-list-of-incoming-EDNS-options.patch - Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan
Zhang from Palo Alto Networks, for the report.
"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> not-needed upstream, https://github.com/NLnetLabs/unbound/commit/ef5ca84360934fa1e857ebc371d4b093aea6355d 2026-05-20
26-05/08-CVE-2026-42534-Jostle-logic-bypass-degrades-performance.patch - Fix CVE-2026-42534, Jostle logic bypass degrades resolution performance. Thanks to Qifan Zhang, Palo Alto Networks, for the report. "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> not-needed upstream, https://github.com/NLnetLabs/unbound/commit/a794c87578c963606a6fb00a54c46fcf935f519a 2026-05-20
26-05/09-CVE-2026-42923-Degradation-of-service-unbouded-NSEC-hash-calc.patch - Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for
the report.
"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> not-needed upstream, https://github.com/NLnetLabs/unbound/commit/c343fff3a4de922835fec7232b90faed658b5371 2026-05-20
26-05/10-CVE-2026-42960-Possible-cache-poisoning-following-delegation.patch - Fix CVE-2026-42960, Possible cache poisoning attack while following delegation. Thanks to TaoFei Guo from Peking University, Yang Luo
and JianJun Chen, Tsinghua University, for the report.
"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> not-needed upstream, https://github.com/NLnetLabs/unbound/commit/8ae4b4545dccaaabd30b597b0dcb0d9640c8cc39 2026-05-20
26-05/11-CVE-2026-44390-Unbounded-name-compression.patch - Fix CVE-2026-44390, Unbounded name compression in certain cases causes degradation of service. Thanks to Qifan Zhang, Palo Alto
Networks, for the report.
"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> not-needed upstream, https://github.com/NLnetLabs/unbound/commit/dae7a3797424607906b132c008fc12dba867b5f3 2026-05-20
26-05/12-CVE-2026-44608-UAF-in-RPZ-code.patch - Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to Qifan Zhang, Palo Alto Networks, for the report. "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> not-needed upstream, https://github.com/NLnetLabs/unbound/commit/75b6dba593d4fff000434cd64807c6ebd50bd244 2026-05-20
26-05/13-Unit-test-for-CVE-2026-33278.patch - Unit test for CVE-2026-33278. "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> not-needed upstream, https://github.com/NLnetLabs/unbound/commit/b46ff5c18eafa055378b7105c9c5e77454291a47 2026-05-20
26-05/14-Unit-test-for-CVE-2026-42944.patch - Unit test for CVE-2026-42944. "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> not-needed upstream, https://github.com/NLnetLabs/unbound/commit/9d2e0f1c02f842d355809ffea28a1bd62bfe83ba 2026-05-20
26-05/15-Unit-test-for-CVE-2026-42959.patch - Unit test for CVE-2026-42959. "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> not-needed upstream, https://github.com/NLnetLabs/unbound/commit/d357935f662d239616fee1403f6799a66b60d986 2026-05-20
26-05/16-Unit-test-for-CVE-2026-40622.patch - Unit test for CVE-2026-40622. "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> not-needed upstream, https://github.com/NLnetLabs/unbound/commit/b5f21f41658f65d6143df6a3208e8ccf1a01604d 2026-05-20
26-05/17-Unit-test-for-CVE-2026-42960.patch - Unit test for CVE-2026-42960. "W.C.A. Wijngaards" <wouter@nlnetlabs.nl> not-needed upstream, https://github.com/NLnetLabs/unbound/commit/0d2282d5513e73b526a44483d63fc5d0f9c41439 2026-05-20

All known versions for source package 'unbound'

Links