Source: unbound
Version: 1.24.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi

unbound 1.24.2 contains a followup to CVE-2025-11411 (possible domain
hijacking attack), include YXDOMAIN and non-referral nodata answers in
the mitigation as well.

Cf.: https://github.com/NLnetLabs/unbound/releases/tag/release-1.24.2

| This security release has additional fixes for CVE-2025-11411.
|
| Promiscuous NS RRSets that complement DNS replies in the authority
| section can be used to trick resolvers to update their delegation
| information for the zone.
|
| The CVE is described here
| https://nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt
|
| Unbound 1.24.1 included a fix that scrubs unsolicited NS RRSets (and
| their respective address records) from replies mitigating the possible
| poison effect.
|
| Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS
| RRSets (and their respective address records) from YXDOMAIN and
| non-referral nodata replies as well, mitigating the possible poison
| effect.
|
| We would like to thank TaoFei Guo from Peking University, Yang Luo and
| JianJun Chen from Tsinghua University for discovering and responsibly
| disclosing the partial mitigation of CVE-2025-11411 in Unbound 1.24.1.
|
| Bug Fixes:
|
| Additional fix for CVE-2025-11411 (possible domain hijacking attack),
| to include YXDOMAIN and non-referral nodata answers in the mitigation
| as well, reported by TaoFei Guo from Peking University, Yang Luo and
| JianJun Chen from Tsinghua University.

Regards,
Salvatore
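
A simplified model of the scrubbing that the quoted release notes describe, added here as an illustration; it is not Unbound's code and not part of this report. The Reply type, the referral test and every sample record are assumptions constructed for the example.

```python
# Simplified model of the scrub described above; NOT Unbound's implementation.
from dataclasses import dataclass, field

NOERROR, YXDOMAIN = 0, 6  # DNS RCODE values

@dataclass
class Reply:  # records are (owner, type, rdata) tuples
    qname: str
    rcode: int
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)

def norm(name):
    return name.rstrip(".").lower()

def in_zone(name, zone):
    name, zone = norm(name), norm(zone)
    return zone == "" or name == zone or name.endswith("." + zone)

def is_referral(reply, zone):
    """Assumed test: NOERROR, empty answer, no SOA, and every NS owner is
    strictly below the queried zone and at or above the query name."""
    owners = {norm(o) for o, t, _ in reply.authority if t == "NS"}
    has_soa = any(t == "SOA" for _, t, _ in reply.authority)
    return (reply.rcode == NOERROR and not reply.answer and not has_soa
            and bool(owners)
            and all(in_zone(o, zone) and o != norm(zone)
                    and in_zone(reply.qname, o) for o in owners))

def scrub(reply, zone):
    """Remove NS RRsets and their address records from non-referral replies."""
    if is_referral(reply, zone):
        return reply
    targets = {norm(r) for _, t, r in reply.authority if t == "NS"}
    reply.authority = [rr for rr in reply.authority if rr[1] != "NS"]
    reply.additional = [rr for rr in reply.additional
                        if not (rr[1] in ("A", "AAAA") and norm(rr[0]) in targets)]
    return reply

# Constructed sample replies (documentation names and addresses only).
EXTRA_NS = [("example.com.", "NS", "ns.other.test.")]
GLUE = [("ns.other.test.", "A", "192.0.2.53")]
SOA = [("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 0 0 0 0")]
nodata = Reply("www.example.com.", NOERROR, authority=SOA + EXTRA_NS, additional=list(GLUE))
yxdomain = Reply("long.example.com.", YXDOMAIN, authority=list(EXTRA_NS), additional=list(GLUE))
referral = Reply("www.example.com.", NOERROR,
                 authority=[("example.com.", "NS", "ns1.example.com.")],
                 additional=[("ns1.example.com.", "A", "192.0.2.1")])
```

Calling scrub(nodata, "example.com.") and scrub(yxdomain, "example.com.") leaves no NS or glue records behind, while scrub(referral, "com.") returns the delegation untouched.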

