Your message dated Wed, 26 Nov 2025 20:26:22 +0000
with message-id <[email protected]>
and subject line Bug#1121446: fixed in unbound 1.24.2-1
has caused the Debian Bug report #1121446,
regarding unbound: Followup to CVE-2025-11411
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1121446: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121446
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: unbound
Version: 1.24.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi
unbound 1.24.2 contains a followup to CVE-2025-11411 (possible domain
hijacking attack), include YXDOMAIN and non-referral nodata answers
in the mitigation as well.
Cf.: https://github.com/NLnetLabs/unbound/releases/tag/release-1.24.2
| This security release has additional fixes for CVE-2025-11411.
|
| Promiscuous NS RRSets that complement DNS replies in the authority
| section can be used to trick resolvers to update their delegation
| information for the zone.
|
| The CVE is described here
| https://nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt
|
| Unbound 1.24.1 included a fix that scrubs unsolicited NS RRSets (and
| their respective address records) from replies mitigating the possible
| poison effect.
|
| Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS
| RRSets (and their respective address records) from YXDOMAIN and
| non-referral nodata replies as well, mitigating the possible poison
| effect.
|
| We would like to thank TaoFei Guo from Peking University, Yang Luo and
| JianJun Chen from Tsinghua University for discovering and responsibly
| disclosing the partial mitigation of CVE-2025-11411 in Unbound 1.24.1.
|
| Bug Fixes:
|
| Additional fix for CVE-2025-11411 (possible domain hijacking attack),
| to include YXDOMAIN and non-referral nodata answers in the mitigation
| as well, reported by TaoFei Guo from Peking University, Yang Luo and
| JianJun Chen from Tsinghua University.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: unbound
Source-Version: 1.24.2-1
Done: Michael Tokarev <[email protected]>
We believe that the bug you reported is fixed in the latest version of
unbound, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated unbound package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 26 Nov 2025 22:59:06 +0300
Source: unbound
Architecture: source
Version: 1.24.2-1
Distribution: unstable
Urgency: medium
Maintainer: unbound packagers <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 1121446
Changes:
unbound (1.24.2-1) unstable; urgency=medium
.
* new upstream security release:
Additional fix for CVE-2025-11411 (possible domain hijacking attack),
to include YXDOMAIN and non-referral nodata answers in the mitigation
as well, reported by TaoFei Guo from Peking University, Yang Luo
and JianJun Chen from Tsinghua University.
Closes: #1121446, CVE-2025-11411
* debian/upstream/signing-key.asc: merge two separate parts into one
(keeping the same two keys)
Checksums-Sha1:
c395181f40ec7906a83da45cb24a958aac6f23f6 3267 unbound_1.24.2-1.dsc
89220193962044660fb5ec375601b3faccd4bd5b 6905018 unbound_1.24.2.orig.tar.gz
f639d8d09df093c6a014841907f36296d560a764 862 unbound_1.24.2.orig.tar.gz.asc
cc9e491ae65173d823e3aaae280e4e62b7df8062 35820 unbound_1.24.2-1.debian.tar.xz
721e1d1a3bbd9649c949b9c15f4d2a66c6adebd2 6449 unbound_1.24.2-1_source.buildinfo
Checksums-Sha256:
fb416caafd91f080db635f83e414e22cdc46ea1baed89cab660ad3c2f657adaa 3267
unbound_1.24.2-1.dsc
44e7b53e008a6dcaec03032769a212b46ab5c23c105284aa05a4f3af78e59cdb 6905018
unbound_1.24.2.orig.tar.gz
b9bc1395242e1d22bf8a2bf4504a40b405a6a4fa527db27116b50da317111246 862
unbound_1.24.2.orig.tar.gz.asc
7b3027fa14199b844a36294c27bd3d68941f42b696658705bf97eba7e41cb687 35820
unbound_1.24.2-1.debian.tar.xz
092a14a36b5ec36e90d138b1b67bb351d152ff2be70d4e521b26f00862f9e776 6449
unbound_1.24.2-1_source.buildinfo
Files:
530ff3071396488454c4a924b99e8579 3267 net optional unbound_1.24.2-1.dsc
dfa7175de7a5cab0e8deb43a304795de 6905018 net optional
unbound_1.24.2.orig.tar.gz
a2babf1c2ee46015f65fe0c671920605 862 net optional
unbound_1.24.2.orig.tar.gz.asc
6cf73e6c49fc988bd3a8759a33529c59 35820 net optional
unbound_1.24.2-1.debian.tar.xz
5d5c023d977f3ef1f5c003c25357f9f2 6449 net optional
unbound_1.24.2-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
wsG7BAEBCgBvBYJpJ1yaCRCCqkokOx6UeEcUAAAAAAAeACBzYWx0QG5vdGF0aW9u
cy5zZXF1b2lhLXBncC5vcmeptCkKYZxaj5Fa77z0zgDzDbtHOmmnOLnwCPrDYfdy
BRYhBGSqKrUx1WkDNmv++YKqSiQ7HpR4AADfpQ/+KcplXSs2b53fSjMHg9lVBw/g
oc/tjOwrnc6bSxxJEp6z3GsGBPEV5sd0sQ4p1SKmQPSG7Ou1b/m0mTuz6vYSGpSX
Hj04KnaHvgEpOWU0WFXGGvXav0sf1IwVknvc21O9+Qp/5XxnbvDnh0ZAO4/O24P5
sre7pQKwZOaFnFZjpxD0Kn9HjjLTUgJvDDXgPnGANGtW0r8AuTkWGWNUFzlnG+vy
dDAo7lANtWOop2yscPkwUgwN/DR1Ii76HuLmcR7aIYT6n2Fb9dcL/QUzbKaqMm1a
lY/qw7zsr9B5h60h6odK6eS0krZvDfAY1LI1SzSYcfSmZSjXeuxXN8cY1A0Q1y3h
wNJF8Fb9zvE4Mk2N25/2d5gIuJMEkznxq4HxVY2XlJPNmMTktZ/2x+AYCE76fnHA
U6gVE+tgRnNa9mQE20CJVrpou2SrFel4rUAgIZTzFtDz4GDCKPL7YgTtTL4UYamJ
p5HPeDLBJPfC2SBCb0cS/aL9WghzDdsEA2O+92wP7SumbtF77Z1sWNP4zq1j3EvS
+4sZKKcL2kjnZZOMlh1iS3SF81YRrCx1heFb/LH+gkeRcRZkfEuDRIcBfJeAGyCw
SRoTrA3PLJCZ0PiLYgFKuoF4vFyszy9Oea9scxe18oGr6snoosOMS/pRVS7wgst3
nhaCAMBbOVxMatvefp4=
=O11y
-----END PGP SIGNATURE-----
pgpY3XOvCxGyb.pgp
Description: PGP signature
--- End Message ---
