Your message dated Fri, 05 Dec 2025 15:32:19 +0000
with message-id <[email protected]>
and subject line Bug#1121446: fixed in unbound 1.22.0-2+deb13u1
has caused the Debian Bug report #1121446,
regarding unbound: Followup to CVE-2025-11411
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1121446: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121446
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: unbound
Version: 1.24.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi

unbound 1.24.2 contains a followup to CVE-2025-11411 (possible domain
hijacking attack), to include YXDOMAIN and non-referral nodata answers
in the mitigation as well.

Cf.: https://github.com/NLnetLabs/unbound/releases/tag/release-1.24.2

| This security release has additional fixes for CVE-2025-11411.
| 
| Promiscuous NS RRSets that complement DNS replies in the authority
| section can be used to trick resolvers to update their delegation
| information for the zone.
| 
| The CVE is described here
| https://nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt
| 
| Unbound 1.24.1 included a fix that scrubs unsolicited NS RRSets (and
| their respective address records) from replies mitigating the possible
| poison effect.
| 
| Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS
| RRSets (and their respective address records) from YXDOMAIN and
| non-referral nodata replies as well, mitigating the possible poison
| effect.
| 
| We would like to thank TaoFei Guo from Peking University, Yang Luo and
| JianJun Chen from Tsinghua University for discovering and responsibly
| disclosing the partial mitigation of CVE-2025-11411 in Unbound 1.24.1.
| 
| Bug Fixes:
| 
|     Additional fix for CVE-2025-11411 (possible domain hijacking attack),
|     to include YXDOMAIN and non-referral nodata answers in the mitigation
|     as well, reported by TaoFei Guo from Peking University, Yang Luo and
|     JianJun Chen from Tsinghua University.

Regards,
Salvatore

--- End Message ---
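
The scrubbing policy the quoted release notes describe, as a simplified Python model added here for illustration (not Unbound's code and not part of the original message). The `Reply` structure, the referral heuristic and the sample records are assumptions, and positive answers are treated the same way as nodata and YXDOMAIN replies.

```python
from dataclasses import dataclass, field

@dataclass
class Reply:
    rcode: str                                      # "NOERROR", "YXDOMAIN", ...
    answer: list = field(default_factory=list)      # RRs as (owner, type, rdata)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)

def is_referral(reply):
    """Assumed heuristic: NOERROR, empty answer, NS but no SOA in authority."""
    types = {rr[1] for rr in reply.authority}
    return (reply.rcode == "NOERROR" and not reply.answer
            and "NS" in types and "SOA" not in types)

def scrub_unsolicited_ns(reply):
    """Return (clean_reply, removed_rrs); referrals pass through unchanged."""
    if is_referral(reply):
        return reply, []
    dropped_ns = [rr for rr in reply.authority if rr[1] == "NS"]
    # Address records count as "respective" when their owner is an NS target.
    targets = {rr[2].lower() for rr in dropped_ns}
    dropped_glue = [rr for rr in reply.additional
                    if rr[1] in ("A", "AAAA") and rr[0].lower() in targets]
    clean = Reply(
        reply.rcode,
        list(reply.answer),
        [rr for rr in reply.authority if rr[1] != "NS"],
        [rr for rr in reply.additional if rr not in dropped_glue],
    )
    return clean, dropped_ns + dropped_glue

# Constructed sample records; all names and addresses are placeholders.
SOA = ("example.com.", "SOA",
       "ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300")
EXTRA_NS = ("example.com.", "NS", "ns.injected.test.")
EXTRA_GLUE = ("ns.injected.test.", "A", "192.0.2.66")

nodata = Reply("NOERROR", [], [SOA, EXTRA_NS], [EXTRA_GLUE])
yxdomain = Reply("YXDOMAIN", [], [EXTRA_NS], [EXTRA_GLUE])
referral = Reply("NOERROR", [], [("example.com.", "NS", "ns1.example.com.")],
                 [("ns1.example.com.", "A", "192.0.2.1")])

if __name__ == "__main__":
    for name, r in [("nodata", nodata), ("yxdomain", yxdomain),
                    ("referral", referral)]:
        clean, removed = scrub_unsolicited_ns(r)
        print(name, "removed:", removed)
```
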
--- Begin Message ---
Source: unbound
Source-Version: 1.22.0-2+deb13u1
Done: Michael Tokarev <[email protected]>

We believe that the bug you reported is fixed in the latest version of
unbound, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated unbound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Wed, 26 Nov 2025 23:12:47 +0300
Source: unbound
Architecture: source
Version: 1.22.0-2+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: unbound packagers <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 1121446
Changes:
 unbound (1.22.0-2+deb13u1) trixie-security; urgency=high
 .
   [ Guilhem Moulin ]
   * Fix CVE-2025-11411: Cache poisoning vulnerability via NS RRSet injection
   * debian/salsa-ci.yml: Disable reprotest and lintian jobs, set RELEASE=trixie
 .
   [ Michael Tokarev ]
   * CVE-2025-11411-additional-nodata.patch -- additional fixes
     for CVE-2025-11411 (Closes: #1121446, CVE-2025-11411)
   * d/gbp.conf: set default branch to debian/trixie


--- End Message ---
