Bug 291236 - dns/unbound: Update to version 1.24.2
Summary: dns/unbound: Update to version 1.24.2
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Many People
Assignee: Li-Wen Hsu
URL: https://www.nlnetlabs.nl/news/2025/No...
Keywords:
Depends on:
Blocks:
 
Reported: 2025-11-26 13:29 UTC by Jaap Akkerhuis
Modified: 2025-11-26 19:25 UTC
2 users

See Also:


Attachments
patch to update (1.09 KB, patch)
2025-11-26 13:29 UTC, Jaap Akkerhuis
jaap: maintainer-approval+
Description Jaap Akkerhuis 2025-11-26 13:29:09 UTC
Created attachment 265665
patch to update

This security release has additional fixes for CVE-2025-11411.

Promiscuous NS RRSets that complement DNS replies in the authority
section can be used to trick resolvers to update their delegation
information for the zone.

The CVE is described here
https://nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt

Unbound 1.24.1 included a fix that scrubs unsolicited NS RRSets (and
their respective address records) from replies, mitigating the possible
poison effect.

Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS
RRSets (and their respective address records) from YXDOMAIN and
non-referral nodata replies as well, mitigating the possible poison
effect.

We would like to thank TaoFei Guo from Peking University, Yang Luo and
JianJun Chen from Tsinghua University for discovering and responsibly
disclosing the partial mitigation of CVE-2025-11411 in Unbound 1.24.1.

Bug Fixes:
- Additional fix for CVE-2025-11411 (possible domain hijacking attack),
   to include YXDOMAIN and non-referral nodata answers in the mitigation
   as well, reported by TaoFei Guo from Peking University, Yang Luo and
   JianJun Chen from Tsinghua University.
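The scrubbing the release note describes can be modelled outside a resolver. The block below is an added illustration, not Unbound's code and not the attached patch: it classifies a reply as a referral or not and, for non-referral replies (answers with data, NXDOMAIN/YXDOMAIN, and nodata replies carrying a SOA), drops NS RRsets from the authority section together with the A/AAAA records in the additional section that would serve as their glue. It folds the 1.24.1 and 1.24.2 behaviour into one rule for clarity. The `Reply`/`RR` dataclasses are a hypothetical in-memory layout rather than DNS wire format, and every reply built by the `sample_*` functions is constructed sample data using documentation addresses.

```python
"""Scrub unsolicited NS RRsets from non-referral DNS replies.

Added example (not Unbound's implementation): a simplified model of the
mitigation described for CVE-2025-11411. NS RRsets found in the
authority section of a reply that is not a referral are dropped, along
with the A/AAAA records naming their targets. The message layout is a
hypothetical dict-like structure, not wire format; all sample replies
are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class RR:
    name: str    # owner name
    rtype: str   # "NS", "SOA", "A", "AAAA", ...
    rdata: str   # nameserver target, address, or SOA text


@dataclass
class Reply:
    qname: str
    qtype: str
    rcode: str                 # "NOERROR", "NXDOMAIN", "YXDOMAIN", ...
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def _norm(name: str) -> str:
    """Lower-case, fully qualified form for comparisons."""
    return name.lower().rstrip(".") + "."


def _at_or_below(qname: str, owner: str) -> bool:
    q, o = _norm(qname), _norm(owner)
    return q == o or q.endswith("." + o)


def is_referral(reply: Reply) -> bool:
    """A referral: NOERROR, empty answer, no SOA in authority, and an NS
    RRset whose owner is at or above the queried name. Everything else
    (data answers, NXDOMAIN/YXDOMAIN, nodata) is a non-referral, where
    NS records in the authority section were never solicited."""
    if reply.rcode != "NOERROR" or reply.answer:
        return False
    if any(rr.rtype == "SOA" for rr in reply.authority):
        return False
    return any(rr.rtype == "NS" and _at_or_below(reply.qname, rr.name)
               for rr in reply.authority)


def scrub_unsolicited_ns(reply: Reply) -> Tuple[Reply, int]:
    """Return (scrubbed_reply, number_of_records_removed).

    Referrals are returned unchanged. For any other reply, NS RRsets are
    removed from the authority section and A/AAAA records whose owner is
    one of the removed NS targets are removed from the additional section,
    so a rogue delegation cannot be cached from a reply that did not ask
    for one."""
    if is_referral(reply):
        return reply, 0
    dropped_ns = [rr for rr in reply.authority if rr.rtype == "NS"]
    if not dropped_ns:
        return reply, 0
    targets = {_norm(rr.rdata) for rr in dropped_ns}
    authority = [rr for rr in reply.authority if rr.rtype != "NS"]
    additional = [rr for rr in reply.additional
                  if not (rr.rtype in ("A", "AAAA") and _norm(rr.name) in targets)]
    removed = len(dropped_ns) + (len(reply.additional) - len(additional))
    cleaned = Reply(reply.qname, reply.qtype, reply.rcode,
                    list(reply.answer), authority, additional)
    return cleaned, removed


# Constructed sample replies (documentation names and addresses only).
def sample_nodata_reply() -> Reply:
    """Nodata answer (SOA present) carrying a promiscuous NS plus glue."""
    return Reply("www.example.com.", "AAAA", "NOERROR", [],
                 [RR("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 1 1 1 1"),
                  RR("example.com.", "NS", "ns.rogue.example.")],
                 [RR("ns.rogue.example.", "A", "192.0.2.1")])


def sample_yxdomain_reply() -> Reply:
    return Reply("www.example.com.", "A", "YXDOMAIN", [],
                 [RR("example.com.", "NS", "ns.rogue.example.")],
                 [RR("ns.rogue.example.", "AAAA", "2001:db8::1")])


def sample_referral_reply() -> Reply:
    """A legitimate referral: the NS RRset here is the answer."""
    return Reply("www.sub.example.com.", "A", "NOERROR", [],
                 [RR("sub.example.com.", "NS", "ns1.sub.example.com.")],
                 [RR("ns1.sub.example.com.", "A", "192.0.2.53")])


if __name__ == "__main__":
    for build in (sample_nodata_reply, sample_yxdomain_reply, sample_referral_reply):
        cleaned, n = scrub_unsolicited_ns(build())
        print(f"{build.__name__}: removed {n}, authority={cleaned.authority}")
```

The referral test is deliberately strict: a reply only counts as a referral when the NS owner is at or above the queried name and no SOA or answer data is present, so an NS RRset riding along with a nodata or YXDOMAIN reply is always treated as unsolicited and dropped, which is the case the 1.24.2 change adds.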
Comment 1 commit-hook freebsd_committer freebsd_triage 2025-11-26 14:23:03 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f4188ecfbeb4e406838684c46178a9b4fc32d4c2

commit f4188ecfbeb4e406838684c46178a9b4fc32d4c2
Author:     Jaap Akkerhuis <jaap@NLnetLabs.nl>
AuthorDate: 2025-11-26 13:12:58 +0000
Commit:     Li-Wen Hsu <lwhsu@FreeBSD.org>
CommitDate: 2025-11-26 14:22:08 +0000

    dns/unbound: Update to 1.24.2

    This security release has additional fixes for CVE-2025-11411.

    PR:             291236

 dns/unbound/Makefile | 2 +-
 dns/unbound/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 2 commit-hook freebsd_committer freebsd_triage 2025-11-26 14:24:04 UTC
A commit in branch 2025Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ff79a1fe954c7d50a40f6a795222273dc4d39cfe

commit ff79a1fe954c7d50a40f6a795222273dc4d39cfe
Author:     Jaap Akkerhuis <jaap@NLnetLabs.nl>
AuthorDate: 2025-11-26 13:12:58 +0000
Commit:     Li-Wen Hsu <lwhsu@FreeBSD.org>
CommitDate: 2025-11-26 14:22:57 +0000

    dns/unbound: Update to 1.24.2

    This security release has additional fixes for CVE-2025-11411.

    PR:             291236
    (cherry picked from commit f4188ecfbeb4e406838684c46178a9b4fc32d4c2)

 dns/unbound/Makefile | 2 +-
 dns/unbound/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 3 R. Christian McDonald freebsd_committer freebsd_triage 2025-11-26 19:25:46 UTC
thank you for pushing this through so quickly :)