Mailing List Archive

From:: obsd@mulh.net
Subject:: Unbound security advisories 2026
To:: tech@openbsd.org
Date:: Fri, 19 Jun 2026 18:50:07 -0400

Download raw body.

Thread

2026-06-19 22:50 obsd@mulh.net:
Unbound security advisories 2026
- 2026-06-20 09:19 Stuart Henderson:
  Unbound security advisories 2026

https://nlnetlabs.nl/projects/unbound/security-advisories/
CVE-2026-(32792,33278,40622,41292,42534,42923,42944,42959,42960,44390,44608)

There are 11 CVEs listed as being fixed in unbound 1.25.1.
ALL of these also affects versions before 1.25.0 including 1.24.2 in 7.9-release.

There are links to each CVE patch and a combined minimal version patch.
https://nlnetlabs.nl/downloads/unbound/patch_combined-1.25.1_v3.diff
SHA1: 1894e34a364630536d1c61ffbb154259ca6fa0df

For OpenBSD it looks like the CVE-2026-40622 patch needs to be patched.
-		if(ns && !TTL_IS_EXPIRED(cached->ttl, timenow) &&
+		if(ns && cached->ttl >= timenow &&

Should an errata patch be released to update unbound in 7.9?

2026-06-19 22:50 obsd@mulh.net:
Unbound security advisories 2026
- 2026-06-20 09:19 Stuart Henderson:
  Unbound security advisories 2026