On 25.05.2026 21:58, Salvatore Bonaccorso wrote:
> Hi John
>
> FYI: The maintainer prepared already updates for trixie-security pending
> review.

Yes, that's true, and that required quite some effort already.
I'm not sure what to do with the bookworm version though - this one
is significantly different from the current code, and most changes
will need to be carefully back-ported.

> On Mon, May 25, 2026 at 03:35:25AM +0000, John Scott wrote:
>> Control: found -1 1.19.1-1 1.17.1-2+deb12u4
>>
>> If I may, I'm updating the bug metadata to indicate this is
>> pertinent to more than just unstable so it doesn't get missed:
>>   • CVE-2026-33278, considered critical, was introduced in 1.19.1 and
>>   affects Trixie.
>>   • At least one high-severity issue (CVE-2026-42959) doesn't have a
>>   known lower bound on the vulnerable upstream version, and at least
>>   some of the issues should be presumed to affect Bookworm (1.17.1).

> Yes, we have not yet fully assessed for each release whether something is
> not affected in an older version because the code was only introduced
> later.
>
> But I believe your assessment for CVE-2026-33278 is not correct,
> because yes, for upstream it might only be introduced later, but the
> Debian bookworm version did need to backport the changes for
> CVE-2023-50868, and so contains the problematic code as well, added
> with patch
> CVE-2023-50868-NSEC3-closest-encloser-proof-exhaust-CPU.patch. Michael,
> do you agree?

I mentioned exactly that on IRC earlier today:

15:37 < mjt> jfyi, fwiw, - CVE-2026-42923 (unbound), "hash calculations
             introduced in 1.19.1" - these calculations has been back-ported to
             debian 1.17 version, as CVE-2023-50387-DNSSEC-verification-complexity.patch
             & CVE-2023-50868-NSEC3-closest-encloser-proof-exhaust-CPU.patch

So yes, I agree.

>> By the way, I think CVE-2026-32792 "Packet of death with DNSCrypt"
>> doesn't affect Debian. That requires DNSCrypt support to be built
>> into Unbound, which I don't believe we do, as upstream says that
>> would require an explicit '--enable-dnscrypt' on the './configure'
>> command line and require a build dependency on libsodium, which the
>> build log shows is not even checked for. If I can explicitly confirm
>> this for all suites, I'd like to update the info at
>> https://security-tracker.debian.org/tracker/CVE-2026-32792

> I did have a look at this and yes, we apparently do not build with
> DNSCrypt support enabled, so I have updated the tracker entry as
> per
> https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8655640544472357ce374da2087d6eaf282612a
> Thanks for spotting this.

This is true indeed, and I know it too; however, I've added the patch
in question to the package, just so we're complete, even if we don't
use this code in the default Debian build.

Thanks,

/mjt