During the month of November 2025 and on behalf of Freexian, I worked on the following:

unbound
-------

Uploaded 1.13.1-1+deb11u6 and issued DLA-4365-1.
https://lists.debian.org/msgid-search/[email protected]

 * CVE-2025-11411: Promiscuous NS RRSets that complement DNS replies in
   the authority section can be used to trick resolvers to update their
   delegation information for the zone, which could lead to domain
   hijacking.

Uploaded 1.9.0-2+deb10u7 (buster) and issued ELA-1567-1.
https://www.freexian.com/lts/extended/updates/ela-1567-1-unbound/

Uploaded unbound1.9=1.9.0-2+deb10u2~deb9u7 (stretch) and issued ELA-1568-1.
https://www.freexian.com/lts/extended/updates/ela-1568-1-unbound1.9/

Also, submitted debdiffs to the Security Team for review for a fix in
both bookworm and trixie.

It was later discovered that the fix from upstream version 1.24.1 was
incomplete and a follow-up fix was included in version 1.24.2, thereby
yielding new (E)LTS uploads and -2 [ED]LAs.

Uploaded 1.13.1-1+deb11u7 and issued DLA-4365-2.
https://lists.debian.org/msgid-search/[email protected]

Uploaded 1.9.0-2+deb10u8 (buster) and issued ELA-1567-2.
https://www.freexian.com/lts/extended/updates/ela-1567-2-unbound/

Uploaded unbound1.9=1.9.0-2+deb10u2~deb9u8 (stretch) and issued ELA-1568-2.
https://www.freexian.com/lts/extended/updates/ela-1568-2-unbound1.9/

expat
-----

Attempted to backport fixes for CVE-2025-59375 (and CVE-2013-0340), but
— in coordination with the security team — triaged the issue as too
intrusive for suites prior to trixie.

Thanks to the sponsors for financing the above, and to Freexian for
coordinating!

-- 
Guilhem.
