UbuntuUpdates.org

Package "libunbound8"

Name: libunbound8

Description:

library implementing DNS resolution and validation
Latest version: 1.22.0-2ubuntu2.3
Release: questing (25.10)
Level: security
Repository: main
Head package: unbound
Homepage: https://www.unbound.net/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "libunbound8"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "libunbound8" in Questing

Repository Area Version
base main 1.22.0-2ubuntu2
updates main 1.22.0-2ubuntu2.3

Changelog

Version: 1.22.0-2ubuntu2.3 2026-05-20 13:07:40 UTC

  unbound (1.22.0-2ubuntu2.3) questing-security; urgency=medium

  * SECURITY UPDATE: Packet of death with DNSCrypt (feasibility very low)
    - debian/patches/CVE-2026-32792: validate len in dnscrypt/dnscrypt.c.
    - CVE-2026-32792
  * SECURITY UPDATE: Possible remote code execution during DNSSEC validation
    - debian/patches/CVE-2026-33278.patch: save rrsets alloc by gen_dns_msg
      in services/cache/dns.c, testdata/*, validator/val_nsec3.c.
    - CVE-2026-33278
  * SECURITY UPDATE: "Ghost domain name" variant
    - debian/patches/CVE-2026-40622.patch: never let an NS overwrite extend
      lifetime past the entry it replaces in services/cache/rrset.c.
    - CVE-2026-40622
  * SECURITY UPDATE: Parsing a long list of incoming EDNS options degrades
    performance
    - debian/patches/CVE-2026-41292.patch: limit parsed edns options in
      util/data/msgparse.c.
    - CVE-2026-41292
  * SECURITY UPDATE: Jostle logic bypass degrades resolution performance
    - debian/patches/CVE-2026-42534.patch: properly handle jostle aging in
      services/mesh.c, services/mesh.h.
    - CVE-2026-42534
  * SECURITY UPDATE: Degradation of service with unbounded NSEC3 hash
    calculations
    - debian/patches/CVE-2026-42923.patch: limit salt length in
      validator/val_neg.c, validator/val_nsec3.c, validator/val_nsec3.h.
    - CVE-2026-42923
  * SECURITY UPDATE: Heap overflow and crash with multiple nsid, cookie,
    padding EDNS options
    - debian/patches/CVE-2026-42944.patch: use proper data sizes in
      testcode/unitmain.c, util/data/msgencode.c, util/data/msgencode.h,
      util/data/msgparse.c.
    - CVE-2026-42944
  * SECURITY UPDATE: Crash during DNSSEC validation of malicious content
    - debian/patches/CVE-2026-42959.patch: fix calculations in
      validator/val_utils.c.
    - CVE-2026-42959
  * SECURITY UPDATE: Possible cache poisoning attack while following
    delegation
    - debian/patches/CVE-2026-42960.patch: only mark glue as allowed for
      type NS in the authority section in iterator/iter_scrub.c.
    - CVE-2026-42960
  * SECURITY UPDATE: Unbounded name compression in certain cases causes
    degradation of service
    - debian/patches/CVE-2026-44390.patch: fix counting in
      util/data/msgencode.c.
    - CVE-2026-44390
  * SECURITY UPDATE: Use after free and crash in RPZ code
    - debian/patches/CVE-2026-44608.patch: fix UaF in services/rpz.c.
    - CVE-2026-44608

 -- Marc Deslauriers <email address hidden> Mon, 18 May 2026 19:38:17 -0400
Source diff to previous version
CVE-2026-32792 Packet of death with DNSCrypt (feasibility very low
CVE-2026-33278 Possible arbitrary code execution during DNSSEC validation
CVE-2026-40622 "Ghost domain name" variant
CVE-2026-41292 Parsing a long list of incoming EDNS options degrades performance
CVE-2026-42534 Jostle logic bypass degrades resolution performance
CVE-2026-42923 Degradation of service with unbounded NSEC3 hash calculations
CVE-2026-42944 Heap overflow and crash with multiple nsid, cookie, padding EDNS options
CVE-2026-42959 Crash during DNSSEC validation of malicious content
CVE-2026-42960 Possible cache poisoning attack while following delegation
CVE-2026-44390 Unbounded name compression in certain cases causes degradation of service
CVE-2026-44608 Use after free and crash in RPZ code (special requirements apply)

Version: 1.22.0-2ubuntu2.2 2025-12-02 17:09:02 UTC

  unbound (1.22.0-2ubuntu2.2) questing-security; urgency=medium

  * SECURITY REGRESSION: Incomplete fix for CVE-2025-11411.
    - debian/patches/CVE-2025-11411-fix1.patch: Add mitigations for YXDOMAIN in
      iterator/iter_scrub.c. Add tests in testdata/iter_scrub_promiscuous.rpl
      and testdata/ratelimit.tdir/ratelimit.testns.
    - CVE-2025-11411

 -- Hlib Korzhynskyy <email address hidden> Thu, 27 Nov 2025 17:51:39 -0330
Source diff to previous version
CVE-2025-11411 NLnet Labs Unbound up to and including version 1.24.0 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive

Version: 1.22.0-2ubuntu2.1 2025-11-04 19:07:11 UTC

  unbound (1.22.0-2ubuntu2.1) questing-security; urgency=medium

  * SECURITY UPDATE: promiscuous NS RRSets domain hijack issue
    - debian/patches/CVE-2025-11411.patch: fix possible domain hijacking
      attack and add new iter-scrub-promiscuous configuration option.
    - CVE-2025-11411

 -- Marc Deslauriers <email address hidden> Fri, 31 Oct 2025 08:47:51 -0400
CVE-2025-11411 NLnet Labs Unbound up to and including version 1.24.0 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive


About   -   Send Feedback to @ubuntu_updates