unbound - Debian Package Tracker

general

source: unbound (main)
version: 1.13.1-1
maintainer: unbound packagers (DMD)
uploaders: Robert Edmonds [DMD]
arch: any
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 1.6.0-3+deb9u2
stable: 1.9.0-2+deb10u2
stable-sec: 1.9.0-2+deb10u2
stable-bpo: 1.13.1-1~bpo10+1
testing: 1.13.1-1
unstable: 1.13.1-1

versioned links

1.6.0-3+deb9u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.9.0-2+deb10u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.13.1-1~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.13.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libunbound-dev
libunbound8
python3-unbound
unbound (22 bugs: 0, 18, 4, 0)
unbound-anchor (2 bugs: 0, 1, 1, 0)
unbound-host (3 bugs: 0, 1, 2, 0)

action needed

13 security issues in buster high

There are 13 open security issues in buster.

12 important issues:

CVE-2019-25031: Unbound before 1.9.5 allows configuration injection in create_unbound_ad_servers.sh upon a successful man-in-the-middle attack against a cleartext HTTP session.
CVE-2019-25032: Unbound before 1.9.5 allows an integer overflow in the regional allocator via regional_alloc.
CVE-2019-25033: Unbound before 1.9.5 allows an integer overflow in the regional allocator via the ALIGN_UP macro.
CVE-2019-25034: Unbound before 1.9.5 allows an integer overflow in sldns_str2wire_dname_buf_origin, leading to an out-of-bounds write.
CVE-2019-25035: Unbound before 1.9.5 allows an out-of-bounds write in sldns_bget_token_par.
CVE-2019-25036: Unbound before 1.9.5 allows an assertion failure and denial of service in synth_cname.
CVE-2019-25037: Unbound before 1.9.5 allows an assertion failure and denial of service in dname_pkt_copy via an invalid packet.
CVE-2019-25038: Unbound before 1.9.5 allows an integer overflow in a size calculation in dnscrypt/dnscrypt.c.
CVE-2019-25039: Unbound before 1.9.5 allows an integer overflow in a size calculation in respip/respip.c.
CVE-2019-25040: Unbound before 1.9.5 allows an infinite loop via a compressed name in dname_pkt_copy.
CVE-2019-25041: Unbound before 1.9.5 allows an assertion failure via a compressed name in dname_pkt_copy.
CVE-2019-25042: Unbound before 1.9.5 allows an out-of-bounds write via a compressed name in rdata_copy.

1 issue left for the package maintainer to handle:

CVE-2020-28935: (needs triaging) NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that would allow for a local symlink attack. When writing the PID file, Unbound and NSD create the file if it is not there, or open an existing file for writing. In case the file was already present, they would follow symlinks if the file happened to be a symlink instead of a regular file. An additional chown of the file would then take place after it was written, making the user Unbound/NSD is supposed to run as the new owner of the file. If an attacker has local access to the user Unbound/NSD runs as, she could create a symlink in place of the PID file pointing to a file that she would like to erase. If then Unbound/NSD is killed and the PID file is not cleared, upon restarting with root privileges, Unbound/NSD will rewrite any file pointed at by the symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound/NSD is running on. It requires an attacker having access to the limited permission user Unbound/NSD runs as and point through the symlink to a critical file on the system.

You can find information about how to handle this issue in the security team's documentation.

Created: 2021-02-19 Last update: 2021-05-06 19:30

4 bugs tagged patch in the BTS normal

The BTS contains patches fixing 4 bugs (5 if counting merged bugs), consider including or untagging them.

Created: 2020-10-19 Last update: 2021-06-12 18:33

lintian reports 4 warnings normal

Lintian reports 4 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-04-11 Last update: 2021-04-11 10:20

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.1 instead of 4.5.0).

Created: 2020-11-17 Last update: 2021-02-10 07:36

testing migrations

This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2021-02-27] Accepted unbound 1.13.1-1~bpo10+1 (source) into buster-backports (Robert Edmonds)
[2021-02-20] unbound 1.13.1-1 MIGRATED to testing (Debian testing watch)
[2021-02-09] Accepted unbound 1.13.1-1 (source) into unstable (Robert Edmonds)
[2020-12-29] unbound 1.13.0-1 MIGRATED to testing (Debian testing watch)
[2020-12-24] Accepted unbound 1.13.0-1 (source) into unstable (Robert Edmonds)
[2020-10-24] Accepted unbound 1.12.0-1~bpo10+1 (source amd64) into buster-backports (Robert Edmonds)
[2020-10-24] unbound 1.12.0-1 MIGRATED to testing (Debian testing watch)
[2020-10-19] Accepted unbound 1.12.0-1 (source) into unstable (Robert Edmonds)
[2020-08-15] Accepted unbound 1.11.0-1~bpo10+1 (source amd64) into buster-backports (Robert Edmonds)
[2020-08-15] unbound 1.11.0-1 MIGRATED to testing (Debian testing watch)
[2020-08-10] Accepted unbound 1.11.0-1 (source) into unstable (Robert Edmonds)
[2020-06-15] Accepted unbound 1.10.1-1~bpo10+1 (source amd64) into buster-backports, buster-backports (Debian FTP Masters) (signed by: Robert Edmonds)
[2020-05-30] Accepted unbound 1.9.0-2+deb10u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Robert Edmonds)
[2020-05-26] Accepted unbound 1.9.0-2+deb10u2 (source) into stable->embargoed, stable (Debian FTP Masters) (signed by: Robert Edmonds)
[2020-05-22] unbound 1.10.1-1 MIGRATED to testing (Debian testing watch)
[2020-05-19] Accepted unbound 1.10.1-1 (source) into unstable (Robert Edmonds)
[2020-04-24] unbound 1.10.0-1 MIGRATED to testing (Debian testing watch)
[2020-04-18] Accepted unbound 1.10.0-1 (source) into unstable (Robert Edmonds)
[2020-02-07] unbound 1.9.6-2 MIGRATED to testing (Debian testing watch)
[2020-02-01] Accepted unbound 1.9.6-2 (source) into unstable (Robert Edmonds)
[2020-02-01] unbound 1.9.6-1 MIGRATED to testing (Debian testing watch)
[2020-01-27] Accepted unbound 1.9.6-1 (source) into unstable (Robert Edmonds)
[2019-10-31] unbound 1.9.4-2 MIGRATED to testing (Debian testing watch)
[2019-10-26] Accepted unbound 1.9.4-2 (source) into unstable (Robert Edmonds)
[2019-10-19] Accepted unbound 1.9.0-2+deb10u1 (source) into proposed-updates->stable-new, proposed-updates (Robert Edmonds)
[2019-10-16] Accepted unbound 1.9.0-2+deb10u1 (source) into stable->embargoed, stable (Robert Edmonds)
[2019-10-06] unbound 1.9.4-1 MIGRATED to testing (Debian testing watch)
[2019-10-04] Accepted unbound 1.9.4-1 (source) into unstable (Robert Edmonds)
[2019-09-07] unbound 1.9.3-1 MIGRATED to testing (Debian testing watch)
[2019-08-27] Accepted unbound 1.9.3-1 (source amd64) into unstable (Robert Edmonds)

bugs [bug history graph]

all: 27 28
RC: 0
I&N: 20 21
M&W: 7
F&P: 0
patch: 4 5

links

homepage
lintian (0, 4)
buildd: logs, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.13.1-1
8 bugs