From: Stuart Henderson <stu@spacehopper.org>
Subject: Re: Unbound security advisories 2026
To: obsd@mulh.net
Cc: tech@openbsd.org
Date: Sat, 20 Jun 2026 10:19:50 +0100

On 2026/06/19 18:50, obsd@mulh.net wrote:
> https://nlnetlabs.nl/projects/unbound/security-advisories/
> CVE-2026-(32792,33278,40622,41292,42534,42923,42944,42959,42960,44390,44608)
> 
> There are 11 CVEs listed as being fixed in unbound 1.25.1.
> ALL of these also affect versions before 1.25.0, including 1.24.2 in 7.9-release.
> 
> There are links to each CVE patch and a combined minimal version patch.
> https://nlnetlabs.nl/downloads/unbound/patch_combined-1.25.1_v3.diff
> SHA1: 1894e34a364630536d1c61ffbb154259ca6fa0df
> 
> For OpenBSD it looks like the CVE-2026-40622 patch needs to be patched.
> -		if(ns && !TTL_IS_EXPIRED(cached->ttl, timenow) &&
> +		if(ns && cached->ttl >= timenow &&
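Review bot: the substitute `cached->ttl >= timenow` is only equivalent to `!TTL_IS_EXPIRED(cached->ttl, timenow)` if the macro treats `ttl == timenow` as not yet expired; the fragment shows neither the macro's definition nor the file and `@@` context, so the boundary case and the affected file should be stated so the OpenBSD adaptation can be checked against the upstream 1.25.1 change.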
> 
> Should an errata patch be released to update unbound in 7.9?

When discussed (this was slightly too late for the last errata window),
we were generally happier with updating the whole thing rather than
cherry-picking.

There have been quite a few other commits to unbound upstream in the
last week or so, including some buffer overflows, and a regression
fix for rpz notifies (problem introduced between 1.24.2 and 1.25.1),
so at this point I think it would probably make more sense to wait for a
further release.