Hi John,

FYI: the maintainer has already prepared updates for trixie-security, pending review.

On Mon, May 25, 2026 at 03:35:25AM +0000, John Scott wrote:
> Control: found -1 1.19.1-1 1.17.1-2+deb12u4
>
> If I may, I'm updating the bug metadata to indicate this is
> pertinent to more than just unstable so it doesn't get missed:
> • CVE-2026-33278, considered critical, was introduced in 1.19.1 and
>   affects Trixie.
> • At least one high-severity issue (CVE-2026-42959) doesn't have a
>   known lower bound on the vulnerable upstream version, and at least
>   some of the issues should be presumed to affect Bookworm (1.17.1).

Yes, we have not yet fully assessed for each release whether something
is not affected in an older version because the code was only
introduced later. But I believe your assessment for CVE-2026-33278 is
not correct, because yes, for upstream it might only have been
introduced later, but the Debian bookworm version needed to backport
the changes for CVE-2023-50868, and so contains the problematic code as
well, added with the patch
CVE-2023-50868-NSEC3-closest-encloser-proof-exhaust-CPU.patch. Michael,
do you agree?

> By the way, I think CVE-2026-32792 "Packet of death with DNSCrypt"
> doesn't affect Debian. That requires DNSCrypt support to be built
> into Unbound, which I don't believe we do, as upstream says that
> would require an explicit '--enable-dnscrypt' on the './configure'
> command-line and require a build dependency on libsodium, which the
> build log shows is not even checked for. If I can explicitly confirm
> this for all suites, I'd like to update the info at
> https://security-tracker.debian.org/tracker/CVE-2026-32792

I did have a look at this and yes, we apparently do not build with
DNSCrypt support enabled, so I have updated the tracker entry as per
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8655640544472357ce374da2087d6eaf282612a .
Thanks for spotting this.

> I'm checking in on this to see if I can help (testing, looking stuff
> over, peeking at patches that don't apply cleanly, or otherwise). I
> know at least one other systems administrator that is concerned
> about CVE-2026-33278 (possible remote code execution) and XMPP
> servers can be at especially high risk—this because many servers use
> mutual TLS authentication and DANE to secure even inbound
> connections, and Unbound seems popular among this audience.
>
> Thanks for your maintainership

Regards,
Salvatore
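The thread above settles whether the Debian Unbound package has DNSCrypt compiled in by reading the build log. A quicker check on an installed system is the configure line that `unbound -V` prints, which is what the following added example inspects. This script is not part of the bug thread or of the Unbound or Debian packaging code; the two sample outputs are constructed to imitate the `unbound -V` format, and their configure lines are assumptions, not the actual flags used by the Debian package.

```sh
#!/bin/sh
# Added example (not from the bug thread): decide whether an Unbound build
# was configured with DNSCrypt support by inspecting `unbound -V` output,
# which contains a "Configure line:" with the ./configure options used.
#
# has_dnscrypt: read `unbound -V`-style text on stdin and print "yes" if the
# configure line contains --enable-dnscrypt (and not --enable-dnscrypt=no),
# otherwise "no".
has_dnscrypt() {
    awk '
        /^Configure line:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "--enable-dnscrypt" || $i == "--enable-dnscrypt=yes") {
                    found = 1
                }
            }
        }
        END { print (found ? "yes" : "no") }
    '
}

# Constructed sample resembling a build without DNSCrypt (assumed flags,
# not the real Debian configure line).
SAMPLE_NO='Version 1.17.1

Configure line: --build=x86_64-linux-gnu --prefix=/usr --with-libevent --with-pythonmodule
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.13 30 Jan 2024
Linked modules: dns64 python respip validator iterator'

# Constructed sample resembling a build with DNSCrypt enabled explicitly.
SAMPLE_YES='Version 1.19.1

Configure line: --prefix=/usr --enable-dnscrypt --with-libevent
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.13 30 Jan 2024
Linked modules: dns64 respip validator iterator'

# check_installed: run the check against the real binary when one is present.
check_installed() {
    if command -v unbound >/dev/null 2>&1; then
        unbound -V | has_dnscrypt
    else
        echo "unbound not installed"
    fi
}

# Usage: the sample without the flag reports "no", the one with it "yes".
printf '%s\n' "$SAMPLE_NO" | has_dnscrypt
printf '%s\n' "$SAMPLE_YES" | has_dnscrypt
check_installed
```

Run it on each suite's binary (or on the output of `unbound -V` pasted from a build log) to confirm the "not affected" assessment per suite; the configure line is authoritative for the binary you actually ship, whereas a missing libsodium check in the build log is only indirect evidence.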

