Control: found -1 1.19.1-1 1.17.1-2+deb12u4

If I may, I'm updating the bug metadata to indicate this is pertinent to more than just unstable so it doesn't get missed:

• CVE-2026-33278, considered critical, was introduced in 1.19.1 and affects Trixie.
• At least one high-severity issue (CVE-2026-42959) doesn't have a known lower bound on the vulnerable upstream version, and at least some of the issues should be presumed to affect Bookworm (1.17.1).

By the way, I think CVE-2026-32792 "Packet of death with DNSCrypt" doesn't affect Debian. That requires DNSCrypt support to be built into Unbound, which I don't believe we do, as upstream says that would require an explicit '--enable-dnscrypt' on the './configure' command-line and require a build dependency on libsodium, which the build log shows is not even checked for. If I can explicitly confirm this for all suites, I'd like to update the info at https://security-tracker.debian.org/tracker/CVE-2026-32792

I'm checking in on this to see if I can help (testing, looking stuff over, peeking at patches that don't apply cleanly, or otherwise). I know at least one other systems administrator that is concerned about CVE-2026-33278 (possible remote code execution) and XMPP servers can be at especially high risk—this because many servers use mutual TLS authentication and DANE to secure even inbound connections, and Unbound seems popular among this audience.

Thanks for your maintainership.

