[Bug 291236] dns/unbound: Update to version 1.24.2
Date: Wed, 26 Nov 2025 13:29:09 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291236
Bug ID: 291236
Summary: dns/unbound: Update to version 1.24.2
Product: Ports & Packages
Version: Latest
Hardware: Any
URL: https://www.nlnetlabs.nl/news/2025/Nov/26/unbound-1.24.2-released/
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: ports-bugs@FreeBSD.org
Reporter: jaap@NLnetLabs.nl
Attachment #265665 Flags: maintainer-approval+
Created attachment 265665
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=265665&action=edit
patch to update
This security release has additional fixes for CVE-2025-11411.
Promiscuous NS RRSets that complement DNS replies in the authority
section can be used to trick resolvers into updating their delegation
information for the zone.
The CVE is described here:
https://nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt
Unbound 1.24.1 included a fix that scrubs unsolicited NS RRSets (and
their respective address records) from replies, mitigating the possible
poison effect.
Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS
RRSets (and their respective address records) from YXDOMAIN and
non-referral nodata replies as well, mitigating the possible poison
effect.
We would like to thank TaoFei Guo from Peking University, Yang Luo and
JianJun Chen from Tsinghua University for discovering and responsibly
disclosing the partial mitigation of CVE-2025-11411 in Unbound 1.24.1.
Bug Fixes:
- Additional fix for CVE-2025-11411 (possible domain hijacking attack),
to include YXDOMAIN and non-referral nodata answers in the mitigation
as well, reported by TaoFei Guo from Peking University, Yang Luo and
JianJun Chen from Tsinghua University.
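Added example, not part of the original report and not Unbound's code: a simplified Python model of the scrubbing the announcement describes for 1.24.2, dropping NS RRSets and their address records from YXDOMAIN and non-referral nodata replies while leaving real referrals intact. The Reply type, the classification rules (SOA present means nodata, NS without SOA means referral) and the sample replies are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Reply:
    rcode: str                                       # "NOERROR", "YXDOMAIN", ...
    answer: list = field(default_factory=list)       # records are (owner, rtype, rdata)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)

def classify(reply):
    """Coarse reply type; assumption: AA bit and zone cuts are not modelled."""
    if reply.rcode == "YXDOMAIN":
        return "yxdomain"
    if reply.rcode == "NOERROR" and not reply.answer:
        types = {rtype for _, rtype, _ in reply.authority}
        if "NS" in types and "SOA" not in types:
            return "referral"        # a referral legitimately carries NS
        return "nodata"
    return "other"                   # other reply types are outside this model

def scrub_unsolicited_ns(reply):
    """Return (cleaned_reply, removed_records) for yxdomain/nodata replies."""
    if classify(reply) not in ("yxdomain", "nodata"):
        return reply, []
    ns = [r for r in reply.authority if r[1] == "NS"]
    targets = {rdata.lower().rstrip(".") for _, _, rdata in ns}
    # Address records in the additional section that belong to the dropped NS names
    glue = [r for r in reply.additional
            if r[1] in ("A", "AAAA") and r[0].lower().rstrip(".") in targets]
    cleaned = Reply(reply.rcode, list(reply.answer),
                    [r for r in reply.authority if r not in ns],
                    [r for r in reply.additional if r not in glue])
    return cleaned, ns + glue

# Constructed sample replies (documentation names and addresses only)
NODATA = Reply("NOERROR", [],
    [("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 600 86400 300"),
     ("example.com.", "NS", "ns.other.example.")],
    [("ns.other.example.", "A", "192.0.2.53")])
REFERRAL = Reply("NOERROR", [], [("example.com.", "NS", "ns1.example.com.")],
    [("ns1.example.com.", "A", "198.51.100.53")])
YXDOMAIN = Reply("YXDOMAIN", [], [("example.com.", "NS", "ns.other.example.")], [])

if __name__ == "__main__":
    for name, reply in (("nodata", NODATA), ("referral", REFERRAL), ("yxdomain", YXDOMAIN)):
        cleaned, removed = scrub_unsolicited_ns(reply)
        print(name, "->", classify(reply), "removed:", removed)
```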