Package "libunbound-dev"

  unbound (1.19.2-1ubuntu3.8) noble-security; urgency=medium

  * SECURITY UPDATE: Packet of death with DNSCrypt (feasibility very low)
    - debian/patches/CVE-2026-32792: validate len in dnscrypt/dnscrypt.c.
    - CVE-2026-32792
  * SECURITY UPDATE: Possible remote code execution during DNSSEC validation
    - debian/patches/CVE-2026-33278.patch: save rrsets alloc by gen_dns_msg
      in services/cache/dns.c, testdata/*, validator/val_nsec3.c.
    - CVE-2026-33278
  * SECURITY UPDATE: "Ghost domain name" variant
    - debian/patches/CVE-2026-40622.patch: never let an NS overwrite extend
      lifetime past the entry it replaces in services/cache/rrset.c.
    - CVE-2026-40622
  * SECURITY UPDATE: Parsing a long list of incoming EDNS options degrades
    performance
    - debian/patches/CVE-2026-41292.patch: limit parsed edns options in
      util/data/msgparse.c.
    - CVE-2026-41292
  * SECURITY UPDATE: Jostle logic bypass degrades resolution performance
    - debian/patches/CVE-2026-42534.patch: properly handle jostle aging in
      services/mesh.c, services/mesh.h.
    - CVE-2026-42534
  * SECURITY UPDATE: Degradation of service with unbounded NSEC3 hash
    calculations
    - debian/patches/CVE-2026-42923.patch: limit salt length in
      validator/val_neg.c, validator/val_nsec3.c, validator/val_nsec3.h.
    - CVE-2026-42923
  * SECURITY UPDATE: Heap overflow and crash with multiple nsid, cookie,
    padding EDNS options
    - debian/patches/CVE-2026-42944.patch: use proper data sizes in
      testcode/unitmain.c, util/data/msgencode.c, util/data/msgencode.h,
      util/data/msgparse.c.
    - CVE-2026-42944
  * SECURITY UPDATE: Crash during DNSSEC validation of malicious content
    - debian/patches/CVE-2026-42959.patch: fix calculations in
      validator/val_utils.c.
    - CVE-2026-42959
  * SECURITY UPDATE: Possible cache poisoning attack while following
    delegation
    - debian/patches/CVE-2026-42960.patch: only mark glue as allowed for
      type NS in the authority section in iterator/iter_scrub.c.
    - CVE-2026-42960
  * SECURITY UPDATE: Unbounded name compression in certain cases causes
    degradation of service
    - debian/patches/CVE-2026-44390.patch: fix counting in
      util/data/msgencode.c.
    - CVE-2026-44390
  * SECURITY UPDATE: Use after free and crash in RPZ code
    - debian/patches/CVE-2026-44608.patch: fix UaF in services/rpz.c.
    - CVE-2026-44608

 -- Marc Deslauriers <email address hidden> Mon, 18 May 2026 19:42:21 -0400

  unbound (1.19.2-1ubuntu3.7) noble-security; urgency=medium

  * SECURITY REGRESSION: Incomplete fix for CVE-2025-11411.
    - debian/patches/CVE-2025-11411-fix1.patch: Add mitigations for YXDOMAIN in
      iterator/iter_scrub.c. Add tests in testdata/iter_scrub_promiscuous.rpl
      and testdata/ratelimit.tdir/ratelimit.testns.
    - CVE-2025-11411

 -- Hlib Korzhynskyy <email address hidden> Mon, 01 Dec 2025 14:03:30 -0330

  unbound (1.19.2-1ubuntu3.6) noble-security; urgency=medium

  * SECURITY UPDATE: promiscuous NS RRSets domain hijack issue
    - debian/patches/CVE-2025-11411.patch: fix possible domain hijacking
      attack and add new iter-scrub-promiscuous configuration option.
    - CVE-2025-11411

 -- Marc Deslauriers <email address hidden> Fri, 31 Oct 2025 09:21:18 -0400

  unbound (1.19.2-1ubuntu3.5) noble-security; urgency=medium

  * SECURITY UPDATE: Rebirthday Attack cache poisoning issue
    - debian/patches/CVE-2025-5994.patch: Fix issue in
      edns-subnet/subnetmod.c, edns-subnet/subnetmod.h.
    - CVE-2025-5994

 -- Marc Deslauriers <email address hidden> Fri, 18 Jul 2025 13:32:04 -0400

  unbound (1.19.2-1ubuntu3.4) noble; urgency=medium

  * debian/patches/lp-2087526-1-fix-memory-exhaust-in-local-zones.patch:
    fix error: "memory exhausted" when defining more than 9994
    local_zones. (LP: #2087526).

 -- John Chittum <email address hidden> Thu, 06 Feb 2025 14:41:07 -0500