[DLA 4281-1] iperf3 security update
[DLA 4280-1] unbound security update
[SECURITY] [DLA 4281-1] iperf3 security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4281-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
August 24, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : iperf3
Version : 3.9-1+deb11u3
CVE ID : CVE-2025-54349 CVE-2025-54350
Debian Bug : 1110376
Two vulnerabilities have been fixed in the IP bandwidth measuring tool iperf3.
CVE-2025-54349
heap buffer overflow
CVE-2025-54350
reachable assert
For Debian 11 bullseye, these problems have been fixed in version
3.9-1+deb11u3.
We recommend that you upgrade your iperf3 packages.
For the detailed security status of iperf3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/iperf3
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4280-1] unbound security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4280-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
August 24, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : unbound
Version : 1.13.1-1+deb11u5
CVE ID : CVE-2024-33655 CVE-2025-5994
Debian Bug : 1109427
Vulnerabilities were found in unbound, a validating, recursive, and
caching DNS resolver, which may lead to Denial of Service or cache
poisoning.
CVE-2024-33655
The DNSBomb attack, via specially timed DNS queries and answers, can
cause a Denial of Service on resolvers and spoofed targets.
While Unbound itself is not vulnerable for DoS, it can be used to
take part in a pulsing DoS amplification attack.
Configuration options have been added to help mitigate the impact by
trying to shrink the DNSBomb window so that the impact of the DoS
from Unbound is significantly lower than it used to be:
* discard-timeout: 1900
After 1900 ms a reply to the client will be dropped. Unbound
would still work on the query but refrain from replying in order
to not accumulate a huge number of "old" replies. Legitimate
clients retry on timeouts.
* wait-limit: 1000
Limits the amount of client queries that require recursion
(cache-hits are not counted) per IP address. More recursive
queries than the allowed limit are dropped.
wait-limit: 0 disables all wait limits.
* wait-limit-netblock
These do not have a default value but they can fine grain
configuration for specific netblocks.
CVE-2025-5994
Resolvers supporting ECS need to segregate outgoing queries to
accommodate for different outgoing ECS information. This re-opens
up resolvers to a birthday paradox attack (Rebirthday Attack) that
tries to match the DNS transaction ID in order to cache non-ECS
poisonous replies.
Unbound now includes a fix that disregards replies that came back
without ECS when ECS was expected.
This update also includes follow-up upstream fixes and improvements for
CVE-2024-43167 and CVE-2024-43168.
For Debian 11 bullseye, these problems have been fixed in version
1.13.1-1+deb11u5.
We recommend that you upgrade your unbound packages.
For the detailed security status of unbound please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/unbound
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
