ELA-1504-1 unbound1.9 security update

multiple vulnerabilities

2025-08-24
Package unbound1.9
Version 1.9.0-2+deb10u2~deb9u6 (stretch)
Related CVEs CVE-2019-18934 CVE-2024-33655 CVE-2025-5994


CVE-2025-5994

Resolvers supporting ECS (EDNS Client Subnet) need to segregate outgoing queries to accommodate different outgoing ECS information. This reopens resolvers to a birthday paradox attack (the "Rebirthday Attack") that tries to match the DNS transaction ID of one of the many in-flight queries for the same name in order to cache a poisonous non-ECS reply.

Unbound now includes a fix that disregards replies that came back without ECS when ECS was expected.
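As an added illustration (not code from the advisory or from Unbound), the following toy model shows two things: why keeping many ECS-segregated queries for the same name in flight raises the chance that a forged reply with a random 16-bit transaction ID matches one of them, and the reply filter the advisory describes, which disregards a reply carrying no ECS option when the outgoing query sent one. The EDNS OPT RDATA bytes are constructed samples, the probability model ignores source-port randomisation, and the option walking is a minimal hand-written parser rather than Unbound's own code.

```python
"""
Added example for CVE-2025-5994 (not code from the advisory or from Unbound):
a toy model of the Rebirthday attack and of the "no ECS in reply when ECS
was expected" filter. All byte strings below are constructed samples.
"""
import struct

EDNS_OPTION_ECS = 8  # RFC 7871 client-subnet option code


def edns_options(opt_rdata):
    """Split OPT RR RDATA into a list of (option-code, option-data).

    Raises ValueError on a truncated option instead of silently
    accepting a malformed reply.
    """
    options = []
    off = 0
    while off < len(opt_rdata):
        if off + 4 > len(opt_rdata):
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack_from("!HH", opt_rdata, off)
        off += 4
        if off + length > len(opt_rdata):
            raise ValueError("truncated EDNS option data")
        options.append((code, opt_rdata[off:off + length]))
        off += length
    return options


def ecs_option(prefix_bytes, source_prefix_len, scope_prefix_len=0, family=1):
    """Build an ECS option (code 8); family 1 is IPv4, per RFC 7871."""
    data = struct.pack("!HBB", family, source_prefix_len, scope_prefix_len) + prefix_bytes
    return struct.pack("!HH", EDNS_OPTION_ECS, len(data)) + data


def accept_reply(query_opt_rdata, reply_opt_rdata):
    """The rule from the advisory: if the outgoing query carried ECS, a reply
    without an ECS option is disregarded. Replies to queries that never sent
    ECS are unaffected by this check.
    """
    query_sent_ecs = any(c == EDNS_OPTION_ECS for c, _ in edns_options(query_opt_rdata))
    if not query_sent_ecs:
        return True
    return any(c == EDNS_OPTION_ECS for c, _ in edns_options(reply_opt_rdata))


def spoof_success_probability(outstanding, spoofed_replies, id_space=65536):
    """Probability that at least one of `spoofed_replies` forged answers,
    each carrying a random 16-bit TXID, matches one of `outstanding`
    in-flight queries for the same name.

    Simplified model (assumption): the in-flight queries hold distinct
    TXIDs, and the attacker already knows the source port, name and type.
    """
    if outstanding >= id_space:
        return 1.0
    miss_per_reply = 1.0 - outstanding / id_space
    return 1.0 - miss_per_reply ** spoofed_replies


if __name__ == "__main__":
    query = ecs_option(bytes([192, 0, 2]), 24)            # 192.0.2.0/24 sent
    good_reply = ecs_option(bytes([192, 0, 2]), 24, 24)   # scope 24 echoed back
    print("ECS reply accepted:", accept_reply(query, good_reply))
    print("non-ECS reply accepted:", accept_reply(query, b""))
    for k in (1, 100, 1000):
        print(f"{k:>5} in flight, 100 forged replies -> "
              f"p = {spoof_success_probability(k, 100):.4f}")
```

With a single outstanding query the attacker's 100 forged packets succeed well under 1% of the time; with 1000 ECS-segregated queries for the same name in flight the same 100 packets succeed roughly 78% of the time, which is the birthday effect the advisory refers to. The filter above closes the cheap variant of the attack (forging a reply without ECS, which would be cached for every client subnet); it does not by itself cover an attacker who forges ECS-bearing replies, nor does the page describe what Unbound does next for authoritative servers that legitimately never return ECS.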

CVE-2024-33655

The DNSBomb attack, via specially timed DNS queries and answers, can cause a Denial of Service on resolvers and spoofed targets.

While Unbound itself is not vulnerable to this DoS, it can be used to take part in a pulsing DoS amplification attack against a spoofed target.

Configuration options have been added that shrink the DNSBomb window, so that the burst of replies Unbound can contribute to such an attack is significantly smaller than before:

discard-timeout (default value: 1900, in milliseconds)

A reply is dropped if the client's query is older than 1900 ms by the time it is answered. Unbound still works on the query but refrains from replying, so that it does not accumulate a large number of "old" replies that would all be released at once. Legitimate clients retry on timeouts.

wait-limit (default value: 1000)

Limits the number of client queries that require recursion (cache hits are not counted) that may be pending per client IP address. Recursive queries beyond the limit are dropped. Use `wait-limit: 0` to disable all wait limits.

wait-limit-netblock

This option has no default value. It sets a separate limit for a specific netblock, overriding wait-limit for clients in that range, so that trusted busy networks can be given more room and untrusted ones less.
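The following is an added example (not part of the advisory or of Unbound) of how an operator might audit these three options across a fleet: a minimal parser for the `server:` clause of an unbound.conf, followed by a check that reports settings which widen the DNSBomb window again. The two configurations embedded in it are constructed samples, one deliberately weak and one using the defaults from the advisory with per-netblock overrides; the parser does not follow `include:` directives, which is an assumption of the example.

```python
"""
Added example (not code from the ELA-1504-1 advisory or from Unbound): a
checker for the DNSBomb mitigation options discard-timeout, wait-limit and
wait-limit-netblock. The configs below are constructed samples.
"""
import ipaddress
import re

# Defaults as stated in the advisory text.
DEFAULT_DISCARD_TIMEOUT_MS = 1900
DEFAULT_WAIT_LIMIT = 1000

CLAUSE_RE = re.compile(r"^\s*([a-z-]+):\s*$")          # e.g. "server:"
OPTION_RE = re.compile(r"^\s*([a-z0-9-]+):\s*(.*?)\s*$")  # e.g. "wait-limit: 1000"

# Constructed sample: both mitigations switched off.
WEAK_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 192.0.2.0/24 allow
    discard-timeout: 0          # never drop late replies
    wait-limit: 0               # all wait limits off
"""

# Constructed sample: advisory defaults plus per-netblock overrides.
HARDENED_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 192.0.2.0/24 allow
    discard-timeout: 1900
    wait-limit: 1000
    # a trusted, busy internal range may hold more pending recursions
    wait-limit-netblock: 10.0.0.0/8 5000
    # an untrusted range gets a tighter budget
    wait-limit-netblock: 192.0.2.0/24 100
"""


def parse_unbound_conf(text):
    """Return {clause: [(key, value), ...]} for a minimal unbound.conf.

    Handles '#' comments and the 'clause:' / '    key: value' layout.
    Assumption of this example: include: directives are not followed.
    """
    clauses = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = CLAUSE_RE.match(line)
        if m:
            current = m.group(1)
            clauses.setdefault(current, [])
            continue
        m = OPTION_RE.match(line)
        if m and current is not None:
            clauses[current].append((m.group(1), m.group(2)))
    return clauses


def check_dnsbomb_mitigations(clauses):
    """Summarise the effective settings and list findings that weaken them."""
    findings = []
    scalars = {}
    netblock_limits = {}
    for key, value in clauses.get("server", []):
        if key == "wait-limit-netblock":
            parts = value.split()
            try:
                net = ipaddress.ip_network(parts[0], strict=False)
                netblock_limits[str(net)] = int(parts[1])
            except (IndexError, ValueError):
                findings.append(f"wait-limit-netblock: cannot parse '{value}' "
                                "(expected '<netblock> <number>')")
        else:
            scalars[key] = value  # last occurrence wins

    def as_int(key, default):
        try:
            return int(scalars.get(key, default))
        except ValueError:
            findings.append(f"{key}: non-numeric value '{scalars[key]}'")
            return default

    discard = as_int("discard-timeout", DEFAULT_DISCARD_TIMEOUT_MS)
    if discard == 0:
        findings.append("discard-timeout: 0 never drops late replies, so old "
                        "answers can pile up into one DNSBomb burst")
    elif discard > DEFAULT_DISCARD_TIMEOUT_MS:
        findings.append(f"discard-timeout: {discard} ms exceeds the 1900 ms "
                        "default and lengthens the burst window")

    wait = as_int("wait-limit", DEFAULT_WAIT_LIMIT)
    if wait == 0:
        findings.append("wait-limit: 0 disables the per-IP limit on pending "
                        "recursive queries")
    elif wait > DEFAULT_WAIT_LIMIT:
        findings.append(f"wait-limit: {wait} exceeds the default of 1000 "
                        "pending recursions per client IP")

    return {"discard_timeout_ms": discard, "wait_limit": wait,
            "netblock_limits": netblock_limits, "findings": findings}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        report = check_dnsbomb_mitigations(parse_unbound_conf(conf))
        print(name, report)
```

Run against the weak sample the checker reports both disabled mitigations; against the hardened one it reports nothing and lists the two netblock overrides. Netblock overrides larger than the global wait-limit are not flagged, since giving a trusted internal range more headroom is the intended use of the option.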

CVE-2019-18934

Shell command injection after receiving a specially crafted answer. This issue can only be triggered if Unbound was compiled with --enable-ipsecmod support, and ipsecmod is enabled and used in the configuration.

Debian binary packages are not built with --enable-ipsecmod and are therefore unaffected. The fix is nevertheless included in the source package for users who build their own packages.

In addition, this version includes follow-up upstream fixes and improvements for CVE-2024-43167.



For Debian 9 stretch, these problems have been fixed in version 1.9.0-2+deb10u2~deb9u6.

We recommend that you upgrade your unbound1.9 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.