New unbound for Debian available [1.10.1]


Link: https://packages.debian.org/sid/unbound

Bug Fixes:

  • CVE-2020-12662 Unbound can be tricked into amplifying an incoming
    query into a large number of queries directed to a target.
  • CVE-2020-12663 Malformed answers from upstream name servers can be
    used to make Unbound unresponsive.

Link: https://github.com/NLnetLabs/unbound/releases/tag/release-1.10.1

Thanks mibere and I saw that closed topic. I wanted to share that the package is now available directly for Debian and so no compiling is needed.

This was a really fast release in Debian.

It is only available in Sid though - which is classified as unstable.
Bullseye is in testing (and is the next one after Buster) and has version 1.10.0 within its packages.
Buster (the current release) has version 1.9.0

In a few days it will most likely also be available in Bullseye. If you sort out the dependencies you can install it also. In my case it is running on Jessie, which took a lot of work over several updates in time.

Update:
Unbound is now also in Bullseye (testing).

The stable version of Unbound in Debian also had its security patch:

https://tracker.debian.org/pkg/unbound


There is now a backport version of Unbound 1.10.1-1 available for Debian Buster :clapping: and so whoever is running Debian Buster on their devices can now use the most recent version of Unbound.

https://packages.debian.org/buster-backports/unbound

Changelog:

unbound (1.10.1-1~bpo10+1) buster-backports; urgency=medium

  • Rebuild for buster-backports.

-- Robert Edmonds <edmonds@debian.org> Sat, 13 Jun 2020 19:55:11 -0400

unbound (1.10.1-1) unstable; urgency=high

  • New upstream version 1.10.1
    • Fix CVE-2020-12662: Unbound can be tricked into amplifying an incoming
      query into a large number of queries directed to a target.
    • Fix CVE-2020-12663: Malformed answers from upstream name servers can be
      used to make Unbound unresponsive.

-- Robert Edmonds <edmonds@debian.org> Tue, 19 May 2020 11:36:53 -0400

unbound (1.10.0-1) unstable; urgency=medium

[ Robert Edmonds ]

  • New upstream version 1.10.0
  • Drop debian/patches/0002-Allow-use-of-libbsd-functions-with-configure-
    option-.patch (applied upstream)

[ Stuart Prescott ]

  • Drop Python 2 module package (Closes: #938752)

-- Robert Edmonds <edmonds@debian.org> Sat, 18 Apr 2020 19:29:50 -0400

unbound (1.9.6-2) unstable; urgency=medium

  • debian/unbound.maintscript: Remove obsolete conffile
    /etc/unbound/unbound.conf.d/qname-minimisation.conf (Closes: #950406)

-- Robert Edmonds <edmonds@debian.org> Sat, 01 Feb 2020 14:44:39 -0500

unbound (1.9.6-1) unstable; urgency=medium

[ Robert Edmonds ]

  • New upstream version 1.9.6 (Closes: #948036)
    • Fixes 'unbound crashes with "Assertion nread >= 0 failed in
      evmap_io_del_"' (Closes: #930699)
    • Fixes "unbound: Fails to answer TCP queries due to broken idle-timeout"
      (Closes: #946421)
  • debian/source/options: Remove 'single-debian-patch' option
  • debian/unbound.service: Change ExecReload to send SIGHUP rather than
    using unbound-control (Closes: #923314)
  • Enable remote-control by default (Closes: #923314)
  • Allow use of libbsd functions with configure option --with-libbsd
  • Remove "qname-minimisation: yes" config file setting, since this is
    now the default (Closes: #915056)
  • debian/package-helper: No longer invoke unbound-anchor for root trust
    anchor update (Closes: #910675)
  • debian/control: Bump Standards-Version to 4.5.0 (no changes)
  • debian/control: Remove build dependencies on autotools-dev, dh-
    autoreconf
  • debian/libunbound8.symbols: Add "* Build-Depends-Package: libunbound-
    dev"
  • Rename debian/NEWS.Debian -> debian/NEWS

[ Matthew Palmer ]

  • Fix insecure use of start-stop-daemon --pidfile (Closes: #941573)

[ Simon Deziel ]

  • Install Apparmor profile prior to service startup (Closes: #919511)

[ Debian Janitor ]

  • Trim trailing whitespace.
  • Drop use of autotools-dev debhelper.
  • Bump debhelper from old 9 to 10.
  • Set field Upstream-Name in debian/copyright.

-- Robert Edmonds <edmonds@debian.org> Sun, 26 Jan 2020 22:45:45 -0500

unbound (1.9.4-2) unstable; urgency=medium

  • Cherry-pick upstream commit ec021e0d, "fix build with nettle-3.5"
    (Closes: #941041)

-- Robert Edmonds <edmonds@debian.org> Sat, 26 Oct 2019 08:00:58 -0400

unbound (1.9.4-1) unstable; urgency=high

  • New upstream version 1.9.4
    • Fix CVE-2019-16866: uninitialized memory access when parsing specially
      crafted NOTIFY query.

-- Robert Edmonds <edmonds@debian.org> Fri, 04 Oct 2019 00:43:19 -0400

unbound (1.9.3-1) unstable; urgency=medium

  • New upstream version 1.9.3

-- Robert Edmonds <edmonds@debian.org> Tue, 27 Aug 2019 14:24:11 -0400

unbound (1.9.3~rc1-1) experimental; urgency=medium

  • New upstream version 1.9.3~rc1
  • debian/control: Bump Standards-Version to 4.4.0 (no changes)

And Unbound 1.11.0 is now available.

https://nlnetlabs.nl/projects/unbound/download/


It would be nice if a version were released for Raspberry.

You mean in the Operating System you use?
That is not up to the developers here or to the Unbound developers to decide...
People at Raspberry Pi OS make that call (and are typically quite slow in implementing new versions of Unbound it seems)


It is still based on Debian and it is already known that there is a new version. The maintainer (Edmonds) has to find time to push it to Debian.

Last time it was even back-ported to Buster. :slight_smile:

Unbound was released for the Debian SID version. It will take a little time to be also backported to Buster:

unbound (1.11.0-1) unstable; urgency=medium

[ Simon Deziel ]

  • systemd: don't create a PID file
  • debian/package-helper: mount --bind systemd notify socket into chroot
    (Closes: #867187)

[ Robert Edmonds ]

  • New upstream version 1.11.0
    • Merge PR #241 by Robert Edmonds: contrib/libunbound.pc.in: Do not use
      "Requires:". (Closes: #958331)
    • Introduce "include-toplevel:" configuration option.
    • Adds its own implementation of Frame Streams for dnstap support.
  • debian/control: Remove build dependency on libfstrm-dev
  • debian/unbound.conf: Use "include-toplevel:" instead of "include:"
    (Closes: #950754)
  • debian/NEWS: Add entry for 1.11.0-1 regarding the change of
    /etc/unbound/unbound.conf to using the "include-toplevel:" directive
  • debian/patches/: Refresh patches

-- Robert Sun, 09 Aug 2020 20:57:15 -0400

And how can I install or update to Unbound 1.11.0 ?

Which version of Debian do you use Buster, Bullseye or SID?

They are released in stages and the next one will be Bullseye and then there will be a back-ported version to Buster.

Debian

They have now also implemented it in Bullseye, and the Buster back-port is accepted for testing.

Have a look here to see the current status:

https://packages.debian.org/buster-backports/unbound

And Unbound 1.11.1 has been backported to Buster and so is available to all Raspberry devices that are on Debian 10 (Buster).

Fingers crossed it's not too long before they move it to the Stable release.

As already stated it is backported to stable/Buster/10 and I think this will make it available:

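# Add the buster-backports repository as an APT source
echo "deb http://ftp.de.debian.org/debian buster-backports main" | sudo tee /etc/apt/sources.list.d/buster-backports.list
sudo apt update
# Backports are not selected by default, so name the target release
sudo apt install -t buster-backports unbound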

I am still on Jessie/8 so I can't test it.
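
After an install from backports as in the post above, a check like the following confirms that the package is built from upstream 1.10.1 or later, the release that fixed CVE-2020-12662 and CVE-2020-12663. This is an added example, not part of the original posts; the function names are illustrative and the version ordering assumes GNU `sort -V`.

```shell
#!/bin/sh
# Added example (not from the thread): does an unbound package version
# contain upstream 1.10.1, the release that fixed CVE-2020-12662 and
# CVE-2020-12663? Function names are illustrative.

FIXED_UPSTREAM="1.10.1"

# "1.10.1-1~bpo10+1" -> "1.10.1": drop an epoch ("1:") and the Debian revision.
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%-*}"
}

# True when $1 >= $2, using GNU sort's version ordering.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# True when the package version is built from upstream 1.10.1 or later.
has_upstream_fix() {
    version_ge "$(upstream_version "$1")" "$FIXED_UPSTREAM"
}

# Report on the locally installed package.
check_installed() {
    ver=$(dpkg-query -W -f='${Version}' unbound 2>/dev/null) || ver=""
    if [ -z "$ver" ]; then
        echo "unbound is not installed"; return 2
    fi
    if has_upstream_fix "$ver"; then
        echo "unbound $ver: built from upstream >= $FIXED_UPSTREAM"
    else
        # Stable security updates patch an older upstream version in place,
        # so an old number alone does not prove the fix is missing.
        echo "unbound $ver: older upstream; check tracker.debian.org/pkg/unbound"
        return 1
    fi
}

# Run the live check only when asked: sh check.sh --installed
if [ "${1:-}" = "--installed" ]; then
    check_installed
fi
```
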

Unbound 1.12.0-1 is now available for Buster (Debian 10) as a backport and the release notes can be found here: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-12-0

On the Debian site:
https://packages.debian.org/buster-backports/unbound