-------------------------------------------------------------------------
Debian LTS Advisory DLA-4365-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Guilhem Moulin
November 05, 2025                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : unbound
Version        : 1.13.1-1+deb11u6
CVE ID         : CVE-2025-11411

Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan discovered that
unbound, a validating, recursive, and caching DNS resolver, was
vulnerable to cache poisoning via NS RRSet injection, which could lead
to domain hijack.

Promiscuous NS RRSets that complement DNS replies in the authority
section can be used to trick resolvers into updating their delegation
information for the zone. Usually these RRSets are used to update the
resolver's knowledge of the zone's name servers. A malicious actor who
is able to attach such records to a reply (e.g., via a spoofed packet
or a fragmentation attack) can poison Unbound's cache for the
delegation point.

The fix scrubs unsolicited NS RRSets (and their respective address
records) from replies, thereby mitigating the possible poison effect.
The protection can be turned off by setting the new configuration
option "iter-scrub-promiscuous" to "no", see unbound.conf(5).

For Debian 11 bullseye, this problem has been fixed in version
1.13.1-1+deb11u6.

We recommend that you upgrade your unbound packages.

For the detailed security status of unbound please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/unbound

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
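The paragraph above describes the mitigation only in prose. The following added example, written for this page and not taken from Unbound's source, models the scrubbing step on a small in-memory representation of a DNS reply: NS RRSets in the authority section of a reply that is not a referral are treated as unsolicited and dropped together with the address records that back them, while a genuine referral (no answer, no SOA, only NS records plus glue) is left intact. The record names, addresses and the `scrub` flag (standing in for the "iter-scrub-promiscuous" option) are constructed for illustration; Unbound's real iterator applies more detailed conditions than this model.

```python
"""Simplified model of scrubbing unsolicited ("promiscuous") NS RRSets
from a DNS reply, in the spirit of the unbound fix for CVE-2025-11411.
Illustrative code written for this page; not Unbound's own scrubber."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    """One resource record; owner names are lower-case and fully qualified."""
    name: str
    rtype: str   # "A", "AAAA", "NS", "SOA", ...
    rdata: str


@dataclass
class Reply:
    """The sections of a DNS reply as an iterative resolver sees them."""
    qname: str
    qtype: str
    rcode: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def is_referral(reply: Reply) -> bool:
    """A referral has no answer and no SOA; its NS records *are* the
    delegation the resolver asked for, so they must not be scrubbed."""
    return (reply.rcode == "NOERROR"
            and not reply.answer
            and any(rr.rtype == "NS" for rr in reply.authority)
            and not any(rr.rtype == "SOA" for rr in reply.authority))


def scrub_promiscuous_ns(reply: Reply, scrub: bool = True):
    """Return (scrubbed_reply, removed_records).

    `scrub=False` models setting iter-scrub-promiscuous to "no": the
    reply is passed through unchanged (assumed mapping, for illustration).
    """
    if not scrub or is_referral(reply):
        return reply, []
    # Any NS RRSet in the authority section of a non-referral reply was
    # not requested by the query, so it is treated as promiscuous.
    dropped_ns = [rr for rr in reply.authority if rr.rtype == "NS"]
    if not dropped_ns:
        return reply, []
    # Address records in the additional section that only exist to back
    # the dropped NS targets are dropped as well, so they cannot be cached.
    dropped_targets = {rr.rdata for rr in dropped_ns}
    kept_additional, dropped_glue = [], []
    for rr in reply.additional:
        if rr.rtype in ("A", "AAAA") and rr.name in dropped_targets:
            dropped_glue.append(rr)
        else:
            kept_additional.append(rr)
    scrubbed = Reply(reply.qname, reply.qtype, reply.rcode,
                     list(reply.answer),
                     [rr for rr in reply.authority if rr.rtype != "NS"],
                     kept_additional)
    return scrubbed, dropped_ns + dropped_glue


def sample_answer_with_injected_ns() -> Reply:
    """Constructed: a positive answer for www.example.test whose authority
    section carries an unsolicited NS RRSet for the zone plus glue."""
    return Reply(
        "www.example.test.", "A", "NOERROR",
        answer=[RR("www.example.test.", "A", "192.0.2.10")],
        authority=[RR("example.test.", "NS", "ns1.injected.test."),
                   RR("example.test.", "NS", "ns2.injected.test.")],
        additional=[RR("ns1.injected.test.", "A", "203.0.113.5"),
                    RR("ns2.injected.test.", "AAAA", "2001:db8::5")])


def sample_referral() -> Reply:
    """Constructed: a legitimate referral from the parent zone's servers."""
    return Reply(
        "www.example.test.", "A", "NOERROR",
        authority=[RR("example.test.", "NS", "ns1.example.test.")],
        additional=[RR("ns1.example.test.", "A", "192.0.2.53")])


if __name__ == "__main__":
    for label, reply in (("answer", sample_answer_with_injected_ns()),
                         ("referral", sample_referral())):
        kept, removed = scrub_promiscuous_ns(reply)
        print(f"{label}: kept authority={len(kept.authority)} "
              f"additional={len(kept.additional)} removed={len(removed)}")
```

Running the module scrubs both NS records and both glue addresses from the constructed answer while leaving the referral untouched; passing `scrub=False` returns the poisoned reply as is, which is the trade-off the "iter-scrub-promiscuous" option exposes.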