Your message dated Sun, 07 Dec 2025 17:17:31 +0000
with message-id <[email protected]>
and subject line Bug#1121446: fixed in unbound 1.17.1-2+deb12u4
has caused the Debian Bug report #1121446,
regarding unbound: Followup to CVE-2025-11411
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1121446: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121446
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: unbound
Version: 1.24.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi

unbound 1.24.2 contains a followup to CVE-2025-11411 (possible domain
hijacking attack), to include YXDOMAIN and non-referral nodata answers
in the mitigation as well.

Cf.: https://github.com/NLnetLabs/unbound/releases/tag/release-1.24.2

| This security release has additional fixes for CVE-2025-11411.
| 
| Promiscuous NS RRSets that complement DNS replies in the authority
| section can be used to trick resolvers to update their delegation
| information for the zone.
| 
| The CVE is described here
| https://nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt
| 
| Unbound 1.24.1 included a fix that scrubs unsolicited NS RRSets (and
| their respective address records) from replies mitigating the possible
| poison effect.
| 
| Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS
| RRSets (and their respective address records) from YXDOMAIN and
| non-referral nodata replies as well, mitigating the possible poison
| effect.
| 
| We would like to thank TaoFei Guo from Peking University, Yang Luo and
| JianJun Chen from Tsinghua University for discovering and responsibly
| disclosing the partial mitigation of CVE-2025-11411 in Unbound 1.24.1.
| 
| Bug Fixes:
| 
|     Additional fix for CVE-2025-11411 (possible domain hijacking attack),
|     to include YXDOMAIN and non-referral nodata answers in the mitigation
|     as well, reported by TaoFei Guo from Peking University, Yang Luo and
|     JianJun Chen from Tsinghua University.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: unbound
Source-Version: 1.17.1-2+deb12u4
Done: Michael Tokarev <[email protected]>

We believe that the bug you reported is fixed in the latest version of
unbound, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated unbound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 30 Nov 2025 13:33:55 +0300
Source: unbound
Architecture: source
Version: 1.17.1-2+deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: unbound packagers <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 1100870 1121446
Changes:
 unbound (1.17.1-2+deb12u4) bookworm; urgency=medium
 .
   * CVE-2024-33655.patch: remove unrelated change
     testdata/fwd_udptmout.tdir/fwd_udptmout.conf is not modified
     by the upstream commit in question (c3206f4568f6)
   * fix-823-Response-change-to-NODATA-for-some-ANY-queries.patch
     Fixes: https://github.com/NLnetLabs/unbound/issues/823
   * fix-not-following-cleared-RD-flags-amplification.patch
     fix potential amplification DDoS attacks
   * replace combined CVE-2023-50387_CVE-2023-50868_1.16.1-1.17.1.patch
     with 2 separate upstream commits, add patch descriptions, and add
     missing changes for testdata files:
      o CVE-2023-50387-DNSSEC-verification-complexity.patch
      o CVE-2023-50387_CVE-2023-50868_1.16.1-1.17.1.patch
   * 3 changes to fix CVE-2025-11411 (possible domain hijacking attack):
      o 1-iterator-iter_scrub.c-pass-module_env-parameter-to-s.patch
        (a change from "Add harden-unknown-additional option" upstream patch)
      o 2-possible-domain-hijacking-attack.patch
      o 3-additional-fix-for-possible-domain-hijacking.patch
     (Closes: #1121446)
   * fix-595-unbound-anchor-cannot-deal-with-full-disk.patch
     Fixes: https://github.com/NLnetLabs/unbound/issues/595
     (Closes: #1100870)
   * d/gbp.conf: set default branch to debian/bookworm

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
