Hi Michael,

On Mon, May 25, 2026 at 10:54:36PM +0300, Michael Tokarev wrote:
[...]
> > But I believe your assessment for CVE-2026-33278 is not correct,
> > because yes for upstream it might only be introduced later, but the
> > Debian bookworm version did need to backport the changes for
> > CVE-2023-50868, and so contains the problematic code as well, added
> > with patch
> > CVE-2023-50868-NSEC3-closest-encloser-proof-exhaust-CPU.patch, Michael
> > do you agree?
>
> I mentioned exactly that on IRC earlier today:
>
> 15:37 < mjt> jfyi, fwiw, - CVE-2026-42923 (unbound), "hash calculations
> introduced in 1.19.1" - these calculations have been back-ported to
> debian 1.17 version, as
> CVE-2023-50387-DNSSEC-verification-complexity.patch
> & CVE-2023-50868-NSEC3-closest-encloser-proof-exhaust-CPU.patch
>
> So yes, I agree.
>
> > > By the way, I think CVE-2026-32792 "Packet of death with DNSCrypt"
> > > doesn't affect Debian. That requires DNSCrypt support to be built
> > > into Unbound, which I don't believe we do, as upstream says that
> > > would require an explicit '--enable-dnscrypt' on the './configure'
> > > command-line and require a build dependency on libsodium, which the
> > > build log shows is not even checked for. If I can explicitly confirm
> > > this for all suites, I'd like to update the info at
> > > https://security-tracker.debian.org/tracker/CVE-2026-32792
> >
> > I did have a look at this and yes we apparently do not build with
> > DNSCrypt support enabled, so I have updated the tracker entry as
> > per
> > https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8655640544472357ce374da2087d6eaf282612a
> > . Thanks for spotting this.
>
> This is true indeed, and I know it too, however I've added the patch
> in question to the package, - just so we're complete, even if we don't
> use this code in default debian build.

Thanks for the confirmation.

Regards,
Salvatore

