
A security update has been released for the unbound package in Debian 11 GNU/Linux (Bullseye) LTS. The vulnerability, discovered by researchers Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin Duan, allows for cache poisoning via NS RRSet injection, which could lead to domain hijacking. The fix removes unsolicited NS RRSets from DNS replies, mitigating the potential effect of a malicious actor poisoning Unbound's cache.

[DLA 4365-1] unbound security update






-------------------------------------------------------------------------
Debian LTS Advisory DLA-4365-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
November 05, 2025                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : unbound
Version : 1.13.1-1+deb11u6
CVE ID : CVE-2025-11411

Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan discovered that
unbound, a validating, recursive, and caching DNS resolver, was
vulnerable to cache poisoning via NS RRSet injection, which could lead
to domain hijack.

Promiscuous NS RRSets that complement DNS replies in the authority
section can be used to trick resolvers into updating their delegation
information for the zone. Usually these RRSets are used to update the
resolver's knowledge of the zone's name servers. A malicious actor who
is able to attach such records in a reply (i.e., spoofed packet,
fragmentation attack) can poison Unbound's cache for the delegation
point.

The fix scrubs unsolicited NS RRSets (and their respective address
records) from replies, thereby mitigating the possible poison effect.
The protection can be turned off by setting the new configuration option
"iter-scrub-promiscuous" to "no", see unbound.conf(5).

For Debian 11 bullseye, this problem has been fixed in version
1.13.1-1+deb11u6.

We recommend that you upgrade your unbound packages.

For the detailed security status of unbound please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/unbound

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
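
The following script is an added example, not part of the advisory: it checks that a host runs the fixed unbound package and that no configuration file switches the new protection off with "iter-scrub-promiscuous: no". The function names and the configuration paths (Debian's default /etc/unbound layout) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the advisory. FIXED_VERSION is the version the
# advisory names for Debian 11 bullseye.
FIXED_VERSION='1.13.1-1+deb11u6'

# Print (file:line:text) every uncommented line in the given files that sets
# iter-scrub-promiscuous to "no". Returns 0 if at least one such line exists.
# Missing files are skipped silently; /dev/null forces file name prefixes.
scrub_disabled_in() {
    hits=$(grep -nsE \
        '^[[:space:]]*iter-scrub-promiscuous:[[:space:]]*"?no"?[[:space:]]*(#.*)?$' \
        "$@" /dev/null) || true
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Return 0 if the given Debian package version is at or above the fix.
version_is_fixed() {
    dpkg --compare-versions "$1" ge "$FIXED_VERSION"
}

# Live check for a Debian 11 host. The paths are assumed to be the default
# Debian locations; adjust them if the resolver is started with another file.
check_host() {
    installed=$(dpkg-query -W -f='${Version}' unbound 2>/dev/null) || {
        echo "unbound is not installed"; return 2; }
    if ! version_is_fixed "$installed"; then
        echo "NOT FIXED: unbound $installed is older than $FIXED_VERSION"
        return 1
    fi
    echo "OK: unbound $installed includes the fix"
    if scrub_disabled_in /etc/unbound/unbound.conf \
                         /etc/unbound/unbound.conf.d/*.conf; then
        echo "WARNING: the lines above turn the NS RRSet scrubbing off"
        return 1
    fi
    echo "OK: iter-scrub-promiscuous is not set to no"
}

# Run the live check only when asked to, e.g.: sh check-unbound.sh --host
if [ "${1:-}" = "--host" ]; then
    check_host
fi
```

The scan only reads the files it is given and does not follow include: directives, so pass any additional included files explicitly.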