| AArch64 | |
| ppc64le | |
| s390x | |
| x86-64 | |
- Add security patch unbound-patch_combined-1.25.1_v3.diff:
* CVE-2026-33278, bsc#1265587: Possible remote code execution
during DNSSEC validation
* CVE-2026-42944, bsc#1265578: Heap overflow and crash with
multiple nsid, cookie, padding EDNS options
* CVE-2026-42959, bsc#1265586: Crash during DNSSEC validation of
malicious content
* CVE-2026-32792, bsc#1265583: Packet of death with DNSCrypt
* CVE-2026-40622, bsc#1265581: "Ghost domain name" variant
* CVE-2026-41292, bsc#1265580: Parsing a long list of incoming
EDNS options degrades performance
* CVE-2026-42534, bsc#1265585: Jostle logic bypass degrades
resolution performance
* CVE-2026-42923, bsc#1265589: Degradation of service with
unbounded NSEC3 hash calculations
* CVE-2026-42960, bsc#1265588: Possible cache poisoning attack
while following delegation
* CVE-2026-44390, bsc#1265584: Unbounded name compression in
certain cases causes degradation of service
* CVE-2026-44608, bsc#1265582: Use after free and crash in RPZ
code.
- Fix CVE-2025-11411 (possible domain hijacking attack). Since this minimal patch interferes with most of the unit tests, the '%check' section has been removed from the spec file. [CVE-2025-11411, bsc#1252525, unbound-1.20-CVE-2025-11411.patch]
- Fix CVE-2024-8508, unbounded name compression could lead to denial of service. [CVE-2024-8508, bsc#1231284, unbound-1.20-CVE-2024-8508.patch]
- Fix null pointer dereference issue in function ub_ctx_set_fwd. [CVE-2024-43167, bsc#1229068, unbound-1.20-CVE-2024-43167.patch]
- Update to 1.20.0
* A lot of bugfixes and added features.
For a complete list take a look at the changelog located at:
/usr/share/doc/packages/unbound/Changelog or
https://www.nlnetlabs.nl/projects/unbound/download/
Some Noteworthy Changes:
* Removed DLV. The DLV has been decommissioned since unbound
1.5.4, and users have been advised to stop using it since. The
use of dlv options displays a warning.
* Remove EDNS lame procedure, do not re-query without EDNS after
timeout.
* Add DNS over HTTPS
* libunbound has been upgraded to major version 8
Security Fixes:
* Fix CVE-2023-50387, DNSSEC verification complexity can be
exploited to exhaust CPU resources and stall DNS resolvers.
[bsc#1219823, CVE-2023-50387]
* Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust
CPU.
[bsc#1219826, CVE-2023-50868]
* Fix CVE-2022-30698, Novel "ghost domain names" attack by
introducing subdomain delegations.
[bsc#1202033, CVE-2022-30698]
* Fix CVE-2022-30699, Novel "ghost domain names" attack by
updating almost expired delegation information.
[bsc#1202031, CVE-2022-30699]
* Fix CVE-2022-3204, NRDelegation attack leads to uncontrolled
resource consumption (Non-Responsive Delegation Attack).
[bsc#1203643, CVE-2022-3204]
Packaging Changes:
* Use prefixes instead of sudo in unbound.service
* Remove no longer necessary BuildRequires: libfstrm-devel and
libprotobuf-c-devel
* Following patches removed because they are now obsolete:
unbound-1.6.8-amplifying-an-incoming-query.patch
patch_cve_2019-18934.patch
bsc1185382_CVE-2019-25031_f8875527.patch
bsc1185383.4_CVE-2019-25032.3_226298bb.patch
bsc1185385_CVE-2019-25034_a3545867.patch
bsc1185386.7_CVE-2019-25035.6_fa23ee8f.patch
bsc1185391.2_CVE-2019-25040.1_2d444a50.patch
bsc1185389.90_CVE-2019-25038.9_02080f6b.patch
bsc1185388_CVE-2019-25037_d2eb78e8.patch
bsc1185393_CVE-2019-25042_6c3a0b54.patch
bsc1179191_CVE-2020-28935_19f8f4d9.patch
[jsc#PED-8333]