-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 24 Aug 2025 18:37:35 +0200
Source: unbound
Binary: libunbound-dev libunbound8 libunbound8-dbgsym python3-unbound python3-unbound-dbgsym unbound unbound-anchor unbound-anchor-dbgsym unbound-dbgsym unbound-host unbound-host-dbgsym
Architecture: amd64
Version: 1.17.1-2+deb12u3
Distribution: bookworm-security
Urgency: high
Maintainer: amd64 / i386 Build Daemon (x86-ubc-02) <buildd_amd64-x86-ubc-02@buildd.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Description:
 libunbound-dev - static library, header files, and docs for libunbound
 libunbound8 - library implementing DNS resolution and validation
 python3-unbound - library implementing DNS resolution and validation (Python3 bindi
 unbound    - validating, recursive, caching DNS resolver
 unbound-anchor - utility to securely fetch the root DNS trust anchor
 unbound-host - reimplementation of the 'host' command
Closes: 1078647 1083282 1109427
Changes:
 unbound (1.17.1-2+deb12u3) bookworm-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2024-8508: Denial of service vulnerability when processing
     malicious upstreams responses with very large RRsets. (Closes: #1083282)
   * Fix CVE-2024-33655: The DNSBomb attack, via specially timed DNS queries
     and answers, can cause a Denial of Service on resolvers and spoofed
     targets.  Unbound itself is not vulnerable for DoS, but it can be used to
     take part in a pulsing DoS amplification attack.
   * Fix CVE-2025-5994: Resolvers supporting ECS need to segregate outgoing
     queries to accommodate for different outgoing ECS information.  This
     re-opens up resolvers to a birthday paradox attack (Rebirthday Attack)
     that tries to match the DNS transaction ID in order to cache non-ECS
     poisonous replies. (Closes: #1109427)
   * Fix CVE-2024-43167: NULL pointer dereference flaw was found in the
     ub_ctx_set_fwd(). (Closes: #1078647)
   * Fix CVE-2024-43168: Heap-buffer overflow in the cfg_mark_ports().
   * Add upstream patch to update IP addresses for b.root-servers.net in root
     hints.
Checksums-Sha1:
 dbe5f984e1fbcff0fe53a493f70b0e4695caf263 636156 libunbound-dev_1.17.1-2+deb12u3_amd64.deb
 0755597f20672b41cc7e9d0ad090d91121679fd9 1253588 libunbound8-dbgsym_1.17.1-2+deb12u3_amd64.deb
 b5e17a12caa58ff6f1ea921173992062b054040e 552580 libunbound8_1.17.1-2+deb12u3_amd64.deb
 a18e1d087115085fe4eb94a8f0bb73a3f479abf3 170548 python3-unbound-dbgsym_1.17.1-2+deb12u3_amd64.deb
 d62a0b861fd112b55a2fa72e190dfbaadc44ef4a 202988 python3-unbound_1.17.1-2+deb12u3_amd64.deb
 6976a72a2ae565aebc82f23fe7bf51aa2be4fb39 60288 unbound-anchor-dbgsym_1.17.1-2+deb12u3_amd64.deb
 d8b1013b043a3aa9593daac0e346f555ded110a7 179780 unbound-anchor_1.17.1-2+deb12u3_amd64.deb
 39432bdfb036792075a9e271e082a910528cd674 5036260 unbound-dbgsym_1.17.1-2+deb12u3_amd64.deb
 256122c80aa2a3475f2dedf1db4c0fe222e33d15 132232 unbound-host-dbgsym_1.17.1-2+deb12u3_amd64.deb
 f4d8fda3345219dea581662c1de8958e5fee4587 201064 unbound-host_1.17.1-2+deb12u3_amd64.deb
 cf35d4f258e7aef3b9013446256818eb3f5b2eb8 10901 unbound_1.17.1-2+deb12u3_amd64-buildd.buildinfo
 c6b78e2b587d5cc363fe9ebda904aef80d0695c6 950488 unbound_1.17.1-2+deb12u3_amd64.deb
Checksums-Sha256:
 6c26a37597130ab848c33ff15cb5b416d98fa2d3f258881dfb173b283654b950 636156 libunbound-dev_1.17.1-2+deb12u3_amd64.deb
 929540a186a751baa73f165fb01820b7427628790c04bbe32ee59dc78331dfc8 1253588 libunbound8-dbgsym_1.17.1-2+deb12u3_amd64.deb
 a32741907946a75865a25821074240d297b0b25122acab6bdcf1b87bc7cfa918 552580 libunbound8_1.17.1-2+deb12u3_amd64.deb
 d3f0f4daaf56823a84385e0d5a3e11c1a3584afc026abf837450176d7feaa922 170548 python3-unbound-dbgsym_1.17.1-2+deb12u3_amd64.deb
 4e609c9140e07841407e3f033d682b514c42d1913bf8cae9312229925e9baf80 202988 python3-unbound_1.17.1-2+deb12u3_amd64.deb
 1232e4bb36b5c8612279ea178d8332d1b1a9e4d8059d8b2bd026e4b4bd3d6d81 60288 unbound-anchor-dbgsym_1.17.1-2+deb12u3_amd64.deb
 557d319afd12160c3ea97b0ed647867737fcd324e194a8fc2a58b590efa2ea24 179780 unbound-anchor_1.17.1-2+deb12u3_amd64.deb
 1344e4c59ac08d5442ebe706195e1dd9504200ad72824d6ea636073bfa3b4c70 5036260 unbound-dbgsym_1.17.1-2+deb12u3_amd64.deb
 9ebcb8940ae3dea2d69336b3afa5d56cc406efb12826473f7e53aefba1cc6c21 132232 unbound-host-dbgsym_1.17.1-2+deb12u3_amd64.deb
 91b48b4167f696929a878da3cf55feb3508711fa8039087451eeae4731fb5601 201064 unbound-host_1.17.1-2+deb12u3_amd64.deb
 efae349d3defee539e90eaca4c15ec670b30e8b274ec61855577b5c736c2110b 10901 unbound_1.17.1-2+deb12u3_amd64-buildd.buildinfo
 628f8f0e6b169bf70f0c71fab8c7547fa64e6c466f2579c1d020cdd003de0f8e 950488 unbound_1.17.1-2+deb12u3_amd64.deb
Files:
 45b9384f8fc4901a7d588457e45f92ca 636156 libdevel optional libunbound-dev_1.17.1-2+deb12u3_amd64.deb
 cc4710683b3403b2c78663031f018074 1253588 debug optional libunbound8-dbgsym_1.17.1-2+deb12u3_amd64.deb
 aa7cd27c1ca83a4324a3404c2571bed7 552580 libs optional libunbound8_1.17.1-2+deb12u3_amd64.deb
 ca80628097e8e4216561b50e620f4b92 170548 debug optional python3-unbound-dbgsym_1.17.1-2+deb12u3_amd64.deb
 d582d4457f27fe014ee930ae2fecd896 202988 python optional python3-unbound_1.17.1-2+deb12u3_amd64.deb
 0cf3bbca0b79be34516eaf1ef72c8782 60288 debug optional unbound-anchor-dbgsym_1.17.1-2+deb12u3_amd64.deb
 60163272af8b6651f191190df79da2e4 179780 net optional unbound-anchor_1.17.1-2+deb12u3_amd64.deb
 caf3de25874ac059394de70421d26b03 5036260 debug optional unbound-dbgsym_1.17.1-2+deb12u3_amd64.deb
 53ae18408fcd12a564e96a840515a4b3 132232 debug optional unbound-host-dbgsym_1.17.1-2+deb12u3_amd64.deb
 5e72f601682bbdd42347ef3fb5bbc6da 201064 net optional unbound-host_1.17.1-2+deb12u3_amd64.deb
 2bdc0c92d5846cb24dc065972ca5562e 10901 net optional unbound_1.17.1-2+deb12u3_amd64-buildd.buildinfo
 fd027ffc4ecad0cf74a5cb3f2dad934f 950488 net optional unbound_1.17.1-2+deb12u3_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEc5vuvf2HND40bnI+8IREj/cRiTMFAmis330ACgkQ8IREj/cR
iTPUlw/7Blse7UFDfYegZ5T0b1wrDR7t9wseSbs7VPY/2mzXa+ifUoDKLH9p0wu7
V3T2wSvE1VGaiCONqDbzpRSSgQkHJr82VGNhVRX4Y0RfoYBoFOr9X7yPhoX5r6Xb
DNDO8FWtdUxrCsu5EQUbkyz2/iohULG2/AIb+R+Xh+UX2J77w71EEOpsiTg4BMLj
mn7PUA+2Gsn+mPpMOnt7cFaB590WRe5Ktdvq68NSRIebtIj+ISs5SsXxzzr0g3Ln
oVrx7kGh6ToZO5QKm8P27ky1xuJODK3lQTfVq/aUY0JJPzkS4Di7s4c5AGzeJyZN
HtZdiXVRO+ce0Y+pD+h/JzYzJmieGTssPnprkdxPPQbpxyoRilixWOuAvHW8gW3N
Ei6pHIHDCm6mHChLI5u/Oivp/aGMBCn+ViX+HvzU1gvV8poPC/NUGnYCi+qVQnsk
8JeBWNitACutM/v/6U5JORHTf/zqorh5FjPK0yIFpt2fw2myQLZboreyFUcul3BF
vKDBrBXcPafktnLWT/UEiLwXvgLa7oE19b0uVf8PFYx8sT1u56PNKguHp8D6vAyW
E+3DvX0j0h6cWoLVRQbpVv7zSwO3MfApJjazrZmcwAWzwwY4ZYJ/89i17AyddSAa
GevutMABOTaOt3prbXLFKGt5gsMxiVdWBCHAbB65qf3rW5WDkVo=
=68uG
-----END PGP SIGNATURE-----