New unbound for Debian available [1.10.1]

Nothing to do with Pi-hole; just a place to talk about other stuff.

Link: https://packages.debian.org/sid/unbound

Bug Fixes:

  • CVE-2020-12662 Unbound can be tricked into amplifying an incoming
    query into a large number of queries directed to a target.
  • CVE-2020-12663 Malformed answers from upstream name servers can be
    used to make Unbound unresponsive.

Link: https://github.com/NLnetLabs/unbound/releases/tag/release-1.10.1

Thanks mibere and I saw that closed topic. I wanted to share that the package is now available directly for Debian and so no compiling is needed.

This was a really fast release in Debian.

It is only available in Sid though - which is classified as unstable.
Bullseye is in testing (and is the next one after Buster) and has version 1.10.0 within its packages.
Buster (the current release) has version 1.9.0

In a few days it will most likely also be available in Bullseye. If you sort out the dependencies you can install it as well. In my case it is running on Jessie, which took a lot of work across several updates over time.

Update:
Unbound is now also in Bullseye (testing).

The stable version of Unbound in Debian also had its security patch:

https://tracker.debian.org/pkg/unbound

1 Like

There is now a backport version of Unbound 1.10.1-1 available for Debian Buster :clapping: and so anyone who is running Debian Buster on their devices can now use the most recent version of Unbound.

https://packages.debian.org/buster-backports/unbound

Changelog:

unbound (1.10.1-1~bpo10+1) buster-backports; urgency=medium

  • Rebuild for buster-backports.

-- Robert Edmonds <edmonds@debian.org> Sat, 13 Jun 2020 19:55:11 -0400

unbound (1.10.1-1) unstable; urgency=high

  • New upstream version 1.10.1
    • Fix CVE-2020-12662: Unbound can be tricked into amplifying an incoming
      query into a large number of queries directed to a target.
    • Fix CVE-2020-12663: Malformed answers from upstream name servers can be
      used to make Unbound unresponsive.

-- Robert Edmonds <edmonds@debian.org> Tue, 19 May 2020 11:36:53 -0400

unbound (1.10.0-1) unstable; urgency=medium

[ Robert Edmonds ]

  • New upstream version 1.10.0
  • Drop debian/patches/0002-Allow-use-of-libbsd-functions-with-configure-
    option-.patch (applied upstream)

[ Stuart Prescott ]

  • Drop Python 2 module package (Closes: #938752)

-- Robert Edmonds <edmonds@debian.org> Sat, 18 Apr 2020 19:29:50 -0400

unbound (1.9.6-2) unstable; urgency=medium

  • debian/unbound.maintscript: Remove obsolete conffile
    /etc/unbound/unbound.conf.d/qname-minimisation.conf (Closes: #950406)

-- Robert Edmonds <edmonds@debian.org> Sat, 01 Feb 2020 14:44:39 -0500

unbound (1.9.6-1) unstable; urgency=medium

[ Robert Edmonds ]

  • New upstream version 1.9.6 (Closes: #948036)
    • Fixes 'unbound crashes with "Assertion nread >= 0 failed in
      evmap_io_del_"' (Closes: #930699)
    • Fixes "unbound: Fails to answer TCP queries due to broken idle-timeout"
      (Closes: #946421)
  • debian/source/options: Remove 'single-debian-patch' option
  • debian/unbound.service: Change ExecReload to send SIGHUP rather than
    using unbound-control (Closes: #923314)
  • Enable remote-control by default (Closes: #923314)
  • Allow use of libbsd functions with configure option --with-libbsd
  • Remove "qname-minimisation: yes" config file setting, since this is
    now the default (Closes: #915056)
  • debian/package-helper: No longer invoke unbound-anchor for root trust
    anchor update (Closes: #910675)
  • debian/control: Bump Standards-Version to 4.5.0 (no changes)
  • debian/control: Remove build dependencies on autotools-dev, dh-
    autoreconf
  • debian/libunbound8.symbols: Add "* Build-Depends-Package: libunbound-
    dev"
  • Rename debian/NEWS.Debian -> debian/NEWS

[ Matthew Palmer ]

  • Fix insecure use of start-stop-daemon --pidfile (Closes: #941573)

[ Simon Deziel ]

  • Install Apparmor profile prior to service startup (Closes: #919511)

[ Debian Janitor ]

  • Trim trailing whitespace.
  • Drop use of autotools-dev debhelper.
  • Bump debhelper from old 9 to 10.
  • Set field Upstream-Name in debian/copyright.

-- Robert Edmonds <edmonds@debian.org> Sun, 26 Jan 2020 22:45:45 -0500

unbound (1.9.4-2) unstable; urgency=medium

  • Cherry-pick upstream commit ec021e0d, "fix build with nettle-3.5"
    (Closes: #941041)

-- Robert Edmonds <edmonds@debian.org> Sat, 26 Oct 2019 08:00:58 -0400

unbound (1.9.4-1) unstable; urgency=high

  • New upstream version 1.9.4
    • Fix CVE-2019-16866: uninitialized memory access when parsing specially
      crafted NOTIFY query.

-- Robert Edmonds <edmonds@debian.org> Fri, 04 Oct 2019 00:43:19 -0400

unbound (1.9.3-1) unstable; urgency=medium

  • New upstream version 1.9.3

-- Robert Edmonds <edmonds@debian.org> Tue, 27 Aug 2019 14:24:11 -0400

unbound (1.9.3~rc1-1) experimental; urgency=medium

  • New upstream version 1.9.3~rc1
  • debian/control: Bump Standards-Version to 4.4.0 (no changes)

1 Like

And Unbound 1.11.0 is now available.

https://nlnetlabs.nl/projects/unbound/download/

1 Like

It would be nice if a version is released in Raspberry.

You mean in the Operating System you use?
That is not up to the developers here or to the Unbound developers to decide...
People at Raspberry Pi OS make that call (and are typically quite slow in implementing new versions of Unbound it seems)

1 Like

It is still based on Debian and it is already known that there is a new version. The maintainer (Edmonds) has to find time to push it to Debian.

Last time it was even back-ported to Buster. :slight_smile: