Unbound 1.9.4 with fix for CVE-2019-16866 is out

This release is a fix for vulnerability CVE-2019-16866 that causes a failure when a specially crafted query is received.

Full release notes

2 Likes

Thanks for posting this.

Any idea how to UPDATE Unbound? I did the original install with “sudo apt install Unbound”, but it doesn’t look like it ever updates on its own with the usual “sudo apt update”. Currently still on 1.9.0-2.

My output of apt-cache policy:

  Installed: 1.9.0-2
  Candidate: 1.9.0-2
  Version table:
 *** 1.9.0-2 500
        500 http://raspbian.raspberrypi.org/raspbian buster/main armhf Packages
        100 /var/lib/dpkg/status

Currently you will probably have to build it.

1 Like

As it is a security fix, I guess a patched version will be available via package managers like apt-get in the next few days.

You can follow the Debian Buster package site of Unbound.

1 Like

Ok cool, I’ll give it a week or so to be added to the Raspberry Pi Debian repository, otherwise I’ll try to learn how to make/compile it myself. Thanks for the info!

You can install unstable/testing-packages in Debian if you want, just some extra config with apt pinning etc.

1.9.4 is accepted in unstable (Sid) of Debian and so already patched.

https://packages.debian.org/sid/unbound

Really pleased that the maintainer of Unbound for Debian is active again and also that fast. :smiley: