During the month of November 2025 and on behalf of Freexian, I worked on the
following:
unbound
-------
Uploaded 1.13.1-1+deb11u6 and issued DLA-4365-1.
https://lists.debian.org/msgid-search/?m=aQvX925m1EMHq-YQ@debian.org
* CVE-2025-11411: Promiscuous NS RRSets that complement DNS replies in
the authority section can be used to trick resolvers to update their
delegation information for the zone, which could lead to domain
hijacking.
Uploaded 1.9.0-2+deb10u7 (buster) and issued ELA-1567-1.
https://www.freexian.com/lts/extended/updates/ela-1567-1-unbound/
Uploaded unbound1.9=1.9.0-2+deb10u2~deb9u7 (stretch) and issued ELA-1568-1.
https://www.freexian.com/lts/extended/updates/ela-1568-1-unbound1.9/
Also, submitted debdiffs to the Security Team for review for a fix in both
bookworm and trixie.
It was later discovered that the fix from upstream version 1.24.1 was
incomplete and a follow-up fix was included in version 1.24.2, thereby
yielding new (E)LTS uploads and -2 [ED]LAs.
Uploaded 1.13.1-1+deb11u7 and issued DLA-4365-2.
https://lists.debian.org/msgid-search/?m=aSzNtCYsTMlbr-xx@debian.org
Uploaded 1.9.0-2+deb10u8 (buster) and issued ELA-1567-2.
https://www.freexian.com/lts/extended/updates/ela-1567-2-unbound/
Uploaded unbound1.9=1.9.0-2+deb10u2~deb9u8 (stretch) and issued ELA-1568-2.
https://www.freexian.com/lts/extended/updates/ela-1568-2-unbound1.9/
expat
-----
Attempted to backport fixes for CVE-2025-59375 (and CVE-2013-0340), but
— in coordination with the security team — triaged the issue as too
intrusive for suites prior to trixie.
Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
--
Guilhem.