Unbound 1.9.4 with fix for CVE-2019-16866 is out

This release is a fix for vulnerability CVE-2019-16866 that causes a failure when a specially crafted query is received.

Full release notes


Thanks for posting this.

Any idea how to UPDATE Unbound? I did the original install with “sudo apt install Unbound” … but it doesn’t look like it ever updates on its own with the usual “sudo apt update”. Currently still on 1.9.0-2.

My output of apt-cache policy:

Installed: 1.9.0-2
Candidate: 1.9.0-2
Version table:
*** 1.9.0-2 500
500 http://raspbian.raspberrypi.org/raspbian buster/main armhf Packages
100 /var/lib/dpkg/status

Currently you will probably have to build it.


As it is a security fix, I guess a patched version will be available via package managers like apt-get in the next few days.

You can follow the Debian Buster package site of Unbound.


Ok cool, I’ll give it a week or so to be added to the Raspberry Pi Debian repository, otherwise I’ll try to learn how to make/compile it myself. Thanks for the info!

You can install unstable/testing-packages in Debian if you want, just some extra config with apt pinning etc.

1.94 is accepted in unstable (Sid) of Debian and so already patched.


Really pleased that the maintainer of Unbound for Debian is active again, and that fast too. :smiley:

And now Debian version 1.94-2 is available in Bullseye and Sid, and 1.9.0-2+deb10u1 is available in Buster.

SID/Bullseye: https://packages.debian.org/sid/unbound
Buster: https://packages.debian.org/buster/unbound

Patched bug: the subject line "Bug#941041: fixed in unbound 1.9.4-2" has caused the Debian Bug report #941041, regarding "unbound: FTBFS with nettle 3.5.1, accesses ECC curves directly", to be marked as done.