Format: 1.8
Date: Sun, 24 Aug 2025 18:37:35 +0200
Source: unbound
Binary: libunbound-dev libunbound8 libunbound8-dbgsym python3-unbound python3-unbound-dbgsym unbound unbound-anchor unbound-anchor-dbgsym unbound-dbgsym unbound-host unbound-host-dbgsym
Architecture: i386
Version: 1.17.1-2+deb12u3
Distribution: bookworm-security
Urgency: high
Maintainer: all / amd64 / i386 Build Daemon (x86-conova-02)
Changed-By: Guilhem Moulin
Description:
 libunbound-dev - static library, header files, and docs for libunbound
 libunbound8 - library implementing DNS resolution and validation
 python3-unbound - library implementing DNS resolution and validation (Python3 bindi
 unbound - validating, recursive, caching DNS resolver
 unbound-anchor - utility to securely fetch the root DNS trust anchor
 unbound-host - reimplementation of the 'host' command
Closes: 1078647 1083282 1109427
Changes:
 unbound (1.17.1-2+deb12u3) bookworm-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2024-8508: Denial of service vulnerability when processing
     malicious upstreams responses with very large RRsets.
     (Closes: #1083282)
   * Fix CVE-2024-33655: The DNSBomb attack, via specially timed DNS queries
     and answers, can cause a Denial of Service on resolvers and spoofed
     targets. Unbound itself is not vulnerable for DoS, but it can be used to
     take part in a pulsing DoS amplification attack.
   * Fix CVE-2025-5994: Resolvers supporting ECS need to segregate outgoing
     queries to accommodate for different outgoing ECS information. This
     re-opens up resolvers to a birthday paradox attack (Rebirthday Attack)
     that tries to match the DNS transaction ID in order to cache non-ECS
     poisonous replies. (Closes: #1109427)
   * Fix CVE-2024-43167: NULL pointer dereference flaw was found in the
     ub_ctx_set_fwd(). (Closes: #1078647)
   * Fix CVE-2024-43168: Heap-buffer overflow in the cfg_mark_ports().
   * Add upstream patch to update IP addresses for b.root-servers.net in root
     hints.