Unbound 1.9.4 with fix for CVE-2019-16866 is out

This release is a fix for vulnerability CVE-2019-16866 that causes a failure when a specially crafted query is received.

Full release notes


Thanks for posting this.

Any idea how to UPDATE Unbound? I did the original install with “sudo apt install Unbound” … but it doesn’t look like it ever updates on its own with the usual “sudo apt update”. Currently still on 1.9.0-2.

My output of apt-cache policy:

  Installed: 1.9.0-2
  Candidate: 1.9.0-2
  Version table:
 *** 1.9.0-2 500
        500 http://raspbian.raspberrypi.org/raspbian buster/main armhf Packages
        100 /var/lib/dpkg/status

Currently you will probably have to build it.


As it is a security fix, I guess a patched version will be available via package managers like apt-get in the next few days.

You can follow the Debian Buster package site of Unbound.


Ok cool, I’ll give it a week or so to be added to the Raspberry Pi Debian repository, otherwise I’ll try to learn how to make/compile it myself. Thanks for the info!

You can install unstable/testing packages in Debian if you want; it just takes some extra config with apt pinning etc.

1.94 is accepted in Debian unstable (Sid) and so is already patched.

https://packages.debian.org/sid/unbound

Really pleased that the maintainer of Unbound for Debian is active again, and also that fast. :smiley:

And now Debian version 1.94-2 is available in Bullseye and Sid, and 1.9.0-2+deb10u1 is available in Buster.

SID/Bullseye: https://packages.debian.org/sid/unbound
Buster: https://packages.debian.org/buster/unbound
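As an added example (not code from anyone in this thread), a small shell check that reads `apt-cache policy unbound` output and compares the installed version with the Debian versions listed above as carrying the fix. The sample policy output is constructed from the numbers quoted earlier in the thread, and version ordering uses GNU `sort -V` as an approximation of dpkg's comparison.

```shell
#!/bin/sh
# Added example: does the installed Debian/Raspbian unbound package carry the
# CVE-2019-16866 fix? Fixed versions named in this thread:
#   buster: 1.9.0-2+deb10u1      bullseye/sid: 1.9.4-2

# Extract the "Installed:" version from `apt-cache policy unbound` output ($1).
installed_version() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Installed:[[:space:]]*//p' | head -n 1
}

# Succeed if version $1 sorts strictly below version $2 (GNU sort -V ordering).
# For authoritative Debian ordering use `dpkg --compare-versions "$1" lt "$2"`.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print "fixed", "vulnerable", "not-installed" or "unknown-suite" for the
# given suite name ($1) and apt-cache policy output ($2).
unbound_status() {
    suite="$1"; policy="$2"
    case "$suite" in
        buster)       fixed="1.9.0-2+deb10u1" ;;
        bullseye|sid) fixed="1.9.4-2" ;;
        *)            echo "unknown-suite"; return 2 ;;
    esac
    inst="$(installed_version "$policy")"
    if [ -z "$inst" ] || [ "$inst" = "(none)" ]; then
        echo "not-installed"; return 2
    fi
    if version_lt "$inst" "$fixed"; then
        echo "vulnerable"; return 1
    fi
    echo "fixed"
}

# Constructed sample mirroring the apt-cache policy output quoted in the thread.
SAMPLE_POLICY='unbound:
  Installed: 1.9.0-2
  Candidate: 1.9.0-2
  Version table:
 *** 1.9.0-2 500
        500 http://raspbian.raspberrypi.org/raspbian buster/main armhf Packages
        100 /var/lib/dpkg/status'

# Live use on a Debian/Raspbian host:
#   unbound_status buster "$(apt-cache policy unbound)"
```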

Patched bug subject line: “Bug#941041: fixed in unbound 1.9.4-2” has caused the Debian Bug report #941041, regarding “unbound: FTBFS with nettle 3.5.1, accesses ECC curves directly”, to be marked as done.