This release is a fix for vulnerability CVE-2019-16866 that causes a failure when a specially crafted query is received.
Thanks for posting this.
Any idea how to UPDATE Unbound? I did the original install with “sudo apt install Unbound” … but it doesn’t look like it ever updates on its own with the usual “sudo apt update”. Currently still on 1.9.0-2.
My output of apt-cache policy:
*** 1.9.0-2 500
500 http://raspbian.raspberrypi.org/raspbian buster/main armhf Packages
Currently you will probably have to build it.
As it is a security fix, I guess a patched version will be available via package managers like apt-get in the next few days.
You can follow the Debian Buster package site of Unbound.
Ok cool, I’ll give it a week or so to be added to the Raspberry Pi Debian repository, otherwise I’ll try to learn how to make/compile it myself. Thanks for the info!
You can install unstable/testing-packages in Debian if you want, just some extra config with apt pinning etc.
1.94 is accepted in unstable (Sid) of Debian and so already patched.
Really pleased that the maintainer of Unbound for Debian is active again and also that fast.
And now Debian version 1.94-2 is available in Bullseye and Sid, and 1.9.0-2+deb10u1 is available in Buster.
Patched bug subject line "Bug#941041: fixed in unbound 1.9.4-2" has caused the Debian Bug report #941041, regarding "unbound: FTBFS with nettle 3.5.1, accesses ECC curves directly", to be marked as done.