From patchwork Thu May 21 13:29:50 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Matthias Fischer
X-Patchwork-Id: 9849
From: Matthias Fischer
To: development@lists.ipfire.org
Cc: Matthias Fischer
Subject: [PATCH] unbound: Update to 1.25.1
Date: Thu, 21 May 2026 15:29:50 +0200
Message-ID: <20260521132952.2649946-1-matthias.fischer@ipfire.org>
Precedence: list

For details see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-25-1

"Bug Fixes

Fix CVE-2026-33278, Possible remote code execution during DNSSEC validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew Griffiths from 'calif.io' for the report.
Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan Zhang from Palo Alto Networks, for the report.
Fix CVE-2026-42534, Jostle logic bypass degrades resolution performance. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42960, Possible cache poisoning attack while following delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and JianJun Chen, Tsinghua University, for the report.
Fix CVE-2026-44390, Unbounded name compression in certain cases causes degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to Qifan Zhang, Palo Alto Networks, for the report."

Signed-off-by: Matthias Fischer --- config/rootfiles/common/unbound | 2 +- lfs/unbound | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound index 4ab2ee5b4..2fdf58b08 100644 --- a/config/rootfiles/common/unbound +++ b/config/rootfiles/common/unbound @@ -11,7 +11,7 @@ etc/unbound/unbound.conf #usr/lib/libunbound.la #usr/lib/libunbound.so usr/lib/libunbound.so.8 -usr/lib/libunbound.so.8.1.36 +usr/lib/libunbound.so.8.1.37 #usr/lib/pkgconfig/libunbound.pc usr/sbin/unbound usr/sbin/unbound-anchor diff --git a/lfs/unbound b/lfs/unbound index b0691e864..086025e4b 100644 --- a/lfs/unbound +++ b/lfs/unbound @@ -24,7 +24,7 @@ include Config -VER = 1.25.0 +VER = 1.25.1 THISAPP = unbound-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 4c22e198c2257c251505f6845c42e67481edce2c5e8dc0c475584ef6b8e85907c322f32bd7ecfcb06243ba36fb3d91c63d8c1edd67dca66d374c6a242206e548 +$(DL_FILE)_BLAKE2 = da9818a14a540bf2d674f504a38da711cfead20af2c6f987aab74094b441ef31586f28608432d2369b2223b3287290f450218466654c71626e33df74da557f18 install : $(TARGET) @@ -109,7 +109,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -mkdir -pv /var/lib/unbound install -v -m 644 $(DIR_SRC)/config/unbound/root.key \ /var/lib/unbound/root.key - chown -Rv unbound:unbound /var/lib/unbound + chown -Rv nobody.nobody /var/lib/unbound # Ship ICANN's certificates to validate DNS trust anchors install -v -m 644 $(DIR_SRC)/config/unbound/icannbundle.pem \ @@ -117,7 +117,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Install the cache directory -mkdir -pv /var/cache/unbound - chown unbound:unbound /var/cache/unbound + chown nobody:nobody /var/cache/unbound @rm -rf $(DIR_APP) @$(POSTBUILD)
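
Review bot: In the `@@ -40,7 +40,7 @@` hunk of lfs/unbound, the new `$(DL_FILE)_BLAKE2` value is the only integrity anchor the build has for the 1.25.1 tarball, and neither the patch nor the commit message says how the tarball was authenticated before that hash was computed. For a release that fixes eleven CVEs, consider stating in the commit message that the download was checked against the upstream release signature or published checksum, so a reviewer can reproduce the value independently.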
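
Review bot: The `@@ -109,7 +109,7 @@` hunk of lfs/unbound changes the owner of /var/lib/unbound from `unbound:unbound` to `nobody.nobody`, which is unrelated to a version bump and is not mentioned in the commit message, so it may be unintended. The directory holds root.key, the DNSSEC trust anchor installed just above, and handing it to the shared `nobody` account means any other process running as `nobody` could modify it. Suggest dropping this line from the patch and keeping `chown -Rv unbound:unbound /var/lib/unbound`; if the change is intended, it belongs in a separate commit with a rationale, and should use the `:` separator rather than the legacy `.` form so it matches the rest of the file.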
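
Review bot: In the `@@ -117,7 +117,7 @@` hunk, `chown nobody:nobody /var/cache/unbound` is outside the stated scope of the update, and nothing visible in this patch changes the account the daemon runs as, so a resolver still running as `unbound` would no longer own its cache directory. Keep `chown unbound:unbound /var/cache/unbound` unless the run-as user is changed in the same series.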