Format: 1.8
Date: Sun, 24 Aug 2025 18:37:35 +0200
Source: unbound
Architecture: source
Version: 1.17.1-2+deb12u3
Distribution: bookworm-security
Urgency: high
Maintainer: unbound packagers
Changed-By: Guilhem Moulin
Closes: 1078647 1083282 1109427
Changes:
 unbound (1.17.1-2+deb12u3) bookworm-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2024-8508: Denial of service vulnerability when processing
     malicious upstream responses with very large RRsets.
     (Closes: #1083282)
   * Fix CVE-2024-33655: The DNSBomb attack, via specially timed DNS queries
     and answers, can cause a Denial of Service on resolvers and spoofed
     targets. Unbound itself is not vulnerable to DoS, but it can be used to
     take part in a pulsing DoS amplification attack.
   * Fix CVE-2025-5994: Resolvers supporting ECS need to segregate outgoing
     queries to accommodate for different outgoing ECS information. This
     re-opens up resolvers to a birthday paradox attack (Rebirthday Attack)
     that tries to match the DNS transaction ID in order to cache non-ECS
     poisonous replies. (Closes: #1109427)
   * Fix CVE-2024-43167: A NULL pointer dereference flaw was found in
     ub_ctx_set_fwd(). (Closes: #1078647)
   * Fix CVE-2024-43168: Heap-buffer overflow in cfg_mark_ports().
   * Add upstream patch to update IP addresses for b.root-servers.net in
     root hints.