[SECURITY] [DLA 4280-1] unbound security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4280-1] unbound security update
From: Guilhem Moulin <guilhem@debian.org>
Date: Sun, 24 Aug 2025 21:42:10 +0200
Message-id: <[🔎] aKtrEjhOdTCKSMe_@debian.org>
Mail-followup-to: debian-lts-announce@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4280-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
August 24, 2025                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : unbound
Version        : 1.13.1-1+deb11u5
CVE ID         : CVE-2024-33655 CVE-2025-5994
Debian Bug     : 1109427

Vulnerabilities were found in unbound, a validating, recursive, and
caching DNS resolver, which may lead to Denial of Service or cache
poisoning.

CVE-2024-33655

    The DNSBomb attack, via specially timed DNS queries and answers, can
    cause a Denial of Service on resolvers and spoofed targets.

    While Unbound itself is not vulnerable for DoS, it can be used to
    take part in a pulsing DoS amplification attack.

    Configuration options have been added to help mitigate the impact by
    trying to shrink the DNSBomb window so that the impact of the DoS
    from Unbound is significantly lower than it used to be:

      * discard-timeout: 1900
        After 1900 ms a reply to the client will be dropped.  Unbound
        would still work on the query but refrain from replying in order
        to not accumulate a huge number of "old" replies.  Legitimate
        clients retry on timeouts.

      * wait-limit: 1000
        Limits the amount of client queries that require recursion
        (cache-hits are not counted) per IP address.  More recursive
        queries than the allowed limit are dropped.
        wait-limit: 0 disables all wait limits.

      * wait-limit-netblock
        These do not have a default value but they can fine grain
        configuration for specific netblocks.

CVE-2025-5994

    Resolvers supporting ECS need to segregate outgoing queries to
    accommodate for different outgoing ECS information.  This re-opens
    up resolvers to a birthday paradox attack (Rebirthday Attack) that
    tries to match the DNS transaction ID in order to cache non-ECS
    poisonous replies.

    Unbound now includes a fix that disregards replies that came back
    without ECS when ECS was expected.

This update also includes follow-up upstream fixes and improvements for
CVE-2024-43167 and CVE-2024-43168.

For Debian 11 bullseye, these problems have been fixed in version
1.13.1-1+deb11u5.

We recommend that you upgrade your unbound packages.

For the detailed security status of unbound please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/unbound

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: [SECURITY] [DLA 4279-1] thunderbird security update
Next by Date: [SECURITY] [DLA 4281-1] iperf3 security update
Previous by thread: [SECURITY] [DLA 4279-1] thunderbird security update
Next by thread: [SECURITY] [DLA 4281-1] iperf3 security update
Index(es):
- Date
- Thread