unbound-1.24.2-2.el9
エラータID: AXSA:2026-1052:06
The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.
Security Fix(es):
* unbound: DNSBomb vulnerability (CVE-2024-33655)
* unbound: Unbound domain hijacking via promiscuous records (CVE-2025-11411)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the MIRACLE LINUX 9 Release Notes linked from the References section.
CVE-2024-33655
The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the "DNSBomb" issue.
CVE-2025-11411
NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect. Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS RRSets (and their respective address records) from YXDOMAIN and non-referral nodata replies, further mitigating the possible poison effect.
Update packages.
The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the "DNSBomb" issue.
NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect. Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS RRSets (and their respective address records) from YXDOMAIN and non-referral nodata replies, further mitigating the possible poison effect.
N/A
SRPMS
- unbound-1.24.2-2.el9.src.rpm
MD5: 11a6e5b373bbf6276d46717f81e9dd7c
SHA-256: 32296491d006ed100be506a179cb3ead7501cd5c002ed0834998ce980e6b6252
Size: 6.66 MB
Asianux Server 9 for x86_64
- python3-unbound-1.24.2-2.el9.x86_64.rpm
MD5: 162bccd1b235601775c1bd3120464895
SHA-256: 3f5e520f7eeee38c5ace048566bdf0fb7dc3a8b2a72433ad3ac250a1375e494a
Size: 109.14 kB - unbound-1.24.2-2.el9.x86_64.rpm
MD5: fc102736e59bb9f2743b38a21b870db4
SHA-256: 227c20322f42f45cee1e42e54fcbee08b3afe2b6fe83d213182fe3cbd47c58b3
Size: 1.05 MB - unbound-devel-1.24.2-2.el9.i686.rpm
MD5: 488ed8c539d305e6abb3ef4f53f542b1
SHA-256: 54197970f9bf1491be2ac1fb81f368b74c7d8c82f16d78a551482342940341ad
Size: 39.34 kB - unbound-devel-1.24.2-2.el9.x86_64.rpm
MD5: a505d5aa2b3ec9c39e222286418142f6
SHA-256: 6003193f75cd42c6c9fdd118bfd1ba0955c87d406a6ade04d70a5082d245cb18
Size: 39.36 kB - unbound-dracut-1.24.2-2.el9.x86_64.rpm
MD5: 28fdf363d016c073ca8abc7eb8fd4632
SHA-256: 8c0123c32ba2ff1a9bcb16527eff47060e948f4148aa1491c62034338389e80f
Size: 10.20 kB - unbound-libs-1.24.2-2.el9.i686.rpm
MD5: 680bb3a6b24333ea534469e9ccf6944c
SHA-256: 707d6e03d0aff6dca79c86738e944f36fca796467fb3818181d0950c0c91b726
Size: 603.93 kB - unbound-libs-1.24.2-2.el9.x86_64.rpm
MD5: 1271f1520eaf8fb7ad6929a274235113
SHA-256: abbe5fc214b21fccf9a8e8de088b8e2fd2fc11a7caae3fb5f622ef88aa606ea5
Size: 578.62 kB