Unbound 1.9.4 with fix for CVE-2019-16866 is out

This release is a fix for vulnerability CVE-2019-16866 that causes a failure when a specially crafted query is received.

Full release notes


Thanks for posting this.

Any idea how to UPDATE Unbound? I did the original install with "sudo apt install Unbound"... but it doesn't look like it ever updates on its own with the usual "sudo apt update". Currently still on 1.9.0-2.

My output of apt-cache policy:

  Installed: 1.9.0-2
  Candidate: 1.9.0-2
  Version table:
 *** 1.9.0-2 500
        500 http://raspbian.raspberrypi.org/raspbian buster/main armhf Packages
        100 /var/lib/dpkg/status

Currently you will probably have to build it.


As it is a security fix, I guess a patched version will be available via package managers like apt-get in the next few days.

You can follow the Debian Buster package site of Unbound.


Ok cool, I'll give it a week or so to be added to the Raspberry Pi Debian repository, otherwise I'll try to learn how to make/compile it myself. Thanks for the info!

You can install unstable/testing-packages in Debian if you want, just some extra config with apt pinning etc.