Debian

Security updates have been released for both Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS to address a vulnerability in the Unbound DNS resolver. The vulnerability, known as CVE-2025-11411, allows attackers to poison the cache and hijack domains through NS RRSet injection. The fix for both updates scrubs unsolicited NS RRSets from DNS replies, preventing potential cache poisoning attacks. To disable this protection, users can set the "iter-scrub-promiscuous" configuration option in unbound.conf(5) to "no."

ELA-1568-1 unbound1.9 security update
ELA-1567-1 unbound security update

ELA-1568-1 unbound1.9 security update

Package : unbound1.9
Version : 1.9.0-2+deb10u2~deb9u7 (stretch)

Related CVEs :
CVE-2025-11411

Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan discovered that
unbound, a validating, recursive, and caching DNS resolver, was
vulnerable to cache poisoning via NS RRSet injection, which could lead
to domain hijack.

Promiscuous NS RRSets that complement DNS replies in the authority
section can be used to trick resolvers into updating their delegation
information for the zone. Usually these RRSets are used to update the
resolver’s knowledge of the zone’s name servers. A malicious actor who
is able to attach such records to a reply (e.g., via a spoofed packet or
a fragmentation attack) can poison Unbound’s cache for the delegation
point.

The fix scrubs unsolicited NS RRSets (and their respective address
records) from replies, thereby mitigating the possible poisoning effect.
The protection can be turned off by setting the new configuration option
“iter-scrub-promiscuous” to “no”; see unbound.conf(5).

ELA-1567-1 unbound security update

Package : unbound
Version : 1.9.0-2+deb10u7 (buster)

Related CVEs :
CVE-2025-11411

Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan discovered that
unbound, a validating, recursive, and caching DNS resolver, was
vulnerable to cache poisoning via NS RRSet injection, which could lead
to domain hijack.

Promiscuous NS RRSets that complement DNS replies in the authority
section can be used to trick resolvers into updating their delegation
information for the zone. Usually these RRSets are used to update the
resolver’s knowledge of the zone’s name servers. A malicious actor who
is able to attach such records to a reply (e.g., via a spoofed packet or
a fragmentation attack) can poison Unbound’s cache for the delegation
point.

The fix scrubs unsolicited NS RRSets (and their respective address
records) from replies, thereby mitigating the possible poisoning effect.
The protection can be turned off by setting the new configuration option
“iter-scrub-promiscuous” to “no”; see unbound.conf(5).
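As an added illustration of the scrub that both advisories describe (this is not Unbound's own code), the Python below models a reply as a dict with the query name/type and three sections of (owner, type, rdata) tuples; the keep/drop policy it applies is a simplified assumption: an NS RRSet in the authority section survives only as part of a referral or when NS was what the query asked for, and glue that served only a dropped RRSet goes with it.

```python
def _in_bailiwick(owner: str, qname: str) -> bool:
    """True when owner is qname or a parent of it (case-insensitive suffix test)."""
    owner, qname = owner.rstrip(".").lower(), qname.rstrip(".").lower()
    return owner == qname or qname.endswith("." + owner)


def scrub_promiscuous_ns(reply: dict, scrub: bool = True) -> dict:
    """Return a copy of reply with unsolicited NS RRSets removed.

    Policy modelled here (an illustration, not Unbound's own logic):
    an NS RRSet in the authority section is kept only if the reply is a
    referral (empty answer section, owner at or above qname) or the query
    itself was for NS at that owner. A/AAAA glue in the additional section
    that only serves a dropped NS RRSet is dropped with it. scrub=False
    corresponds to iter-scrub-promiscuous: no.
    """
    if not scrub:
        return reply
    qname, qtype = reply["qname"], reply["qtype"]
    referral = not reply["answer"]
    kept_auth, kept_targets, dropped_targets = [], set(), set()
    for owner, rtype, rdata in reply["authority"]:
        if rtype != "NS":
            kept_auth.append((owner, rtype, rdata))  # SOA etc. untouched
            continue
        solicited = (qtype == "NS" and owner.lower() == qname.lower()) or (
            referral and _in_bailiwick(owner, qname))
        if solicited:
            kept_auth.append((owner, rtype, rdata))
            kept_targets.add(rdata.lower())
        else:
            dropped_targets.add(rdata.lower())
    orphaned = dropped_targets - kept_targets
    kept_add = [rr for rr in reply["additional"]
                if not (rr[1] in ("A", "AAAA") and rr[0].lower() in orphaned)]
    return {**reply, "authority": kept_auth, "additional": kept_add}


# Constructed sample: a positive answer for www.example.test/A carrying an
# unsolicited NS RRSet for example.test in the authority section plus glue.
SAMPLE_REPLY = {
    "qname": "www.example.test.", "qtype": "A",
    "answer": [("www.example.test.", "A", "192.0.2.10")],
    "authority": [("example.test.", "NS", "ns.rogue.test.")],
    "additional": [("ns.rogue.test.", "A", "203.0.113.5")],
}

if __name__ == "__main__":
    print(scrub_promiscuous_ns(SAMPLE_REPLY))
```

On the constructed positive answer the NS RRSet and its glue are removed, while a genuine referral (empty answer section, in-bailiwick NS owner) passes through unchanged.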
