| Package | unbound |
|---|---|
| Version | 1.9.0-2+deb10u6 (buster) |
| Related CVEs | CVE-2019-18934 CVE-2019-25031 CVE-2019-25032 CVE-2019-25033 CVE-2019-25034 CVE-2019-25035 CVE-2019-25036 CVE-2019-25037 CVE-2019-25038 CVE-2019-25039 CVE-2019-25040 CVE-2019-25041 CVE-2019-25042 CVE-2024-33655 CVE-2025-5994 |
- CVE-2025-5994: Resolvers supporting ECS need to segregate outgoing queries to accommodate different outgoing ECS information. This re-opens resolvers to a birthday-paradox attack (the "Rebirthday Attack") that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies. Unbound now includes a fix that disregards replies that came back without ECS when ECS was expected.
- CVE-2024-33655: The DNSBomb attack, via specially timed DNS queries and answers, can cause a denial of service on resolvers and spoofed targets. While Unbound itself is not vulnerable to the DoS, it can be used to take part in a pulsing DoS amplification attack. Configuration options have been added to help mitigate the impact by shrinking the DNSBomb window, so that the DoS impact originating from Unbound is significantly lower than it used to be:
  - `discard-timeout` (default value: 1900): after 1900 ms a reply to the client is dropped. Unbound still works on the query but refrains from replying, in order not to accumulate a huge number of “old” replies. Legitimate clients retry on timeouts.
  - `wait-limit` (default value: 1000): limits the number of client queries that require recursion (cache hits are not counted) per IP address. Recursive queries beyond the allowed limit are dropped. Use `wait-limit: 0` to disable all wait limits.
  - `wait-limit-netblock`: these have no default value, but allow fine-grained configuration of the limit for specific netblocks.
- CVE-2019-25031: Configuration injection in `create_unbound_ad_servers.sh` upon a successful man-in-the-middle attack against a cleartext HTTP session.
- CVE-2019-25032: Integer overflow in the regional allocator via `regional_alloc`.
- CVE-2019-25033: Integer overflow in the regional allocator via the `ALIGN_UP` macro.
- CVE-2019-25034: Integer overflow in `sldns_str2wire_dname_buf_origin()` leading to an out-of-bounds write.
- CVE-2019-25035: Out-of-bounds write in `sldns_bget_token_par()`.
- CVE-2019-25036: Assertion failure and denial of service in `synth_cname()`.
- CVE-2019-25037: Assertion failure and denial of service in `dname_pkt_copy()` via an invalid packet.
- CVE-2019-25038: Integer overflow in a size calculation in `dnscrypt/dnscrypt.c`.
- CVE-2019-25039: Integer overflow in a size calculation in `respip/respip.c`.
- CVE-2019-25040: Infinite loop via a compressed name in `dname_pkt_copy()`.
- CVE-2019-25041: Assertion failure via a compressed name in `dname_pkt_copy()`.
- CVE-2019-25042: Out-of-bounds write via a compressed name in `rdata_copy()`.
- CVE-2019-18934: Shell code injection vulnerability after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration. Debian binary packages are not built with `--enable-ipsecmod` and are therefore unaffected. Still, the fix is included in the source package for users building their own packages.
In addition, this version includes follow-up upstream fixes and improvements for CVE-2024-43167.
For Debian 10 buster, these problems have been fixed in version 1.9.0-2+deb10u6.
We recommend that you upgrade your unbound packages.
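The DNSBomb mitigation options described under CVE-2024-33655 above, written out as a `server:` section of unbound.conf. This is an added example, not configuration shipped by Debian or Unbound; the internal netblock and the raised limit given to it are assumptions.

```conf
server:
    # Replies that are more than 1900 ms old are dropped instead of being sent
    # late. Unbound still works on the query, it just does not send the stale
    # reply, so a pulse of delayed answers cannot build up.
    discard-timeout: 1900

    # At most 1000 outstanding recursive queries per client IP address; cache
    # hits are not counted. Recursive queries beyond the limit are dropped.
    wait-limit: 1000

    # An internal forwarding resolver (assumed address, constructed for this
    # example) legitimately fans out far more recursive queries than a stub
    # client, so its netblock gets its own, higher limit instead of the global one.
    wait-limit-netblock: 192.0.2.0/24 10000

    # Weak setting for comparison: "wait-limit: 0" disables every wait limit and
    # re-opens the DNSBomb window. Keep the default unless you have measured a need.
```

Validate the file with `unbound-checkconf` before reloading, since a malformed netblock line prevents the daemon from starting.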
Further information about Extended LTS security advisories can be found in the dedicated section of our website.