From: Stuart Henderson
Subject: Re: Unbound security advisories 2026
To: obsd@mulh.net
Cc: tech@openbsd.org
Date: Sat, 20 Jun 2026 10:19:50 +0100

On 2026/06/19 18:50, obsd@mulh.net wrote:
> https://nlnetlabs.nl/projects/unbound/security-advisories/
> CVE-2026-(32792,33278,40622,41292,42534,42923,42944,42959,42960,44390,44608)
>
> There are 11 CVEs listed as being fixed in unbound 1.25.1.
> ALL of these also affect versions before 1.25.0, including 1.24.2 in 7.9-release.
>
> There are links to each CVE patch and a combined minimal version patch.
> https://nlnetlabs.nl/downloads/unbound/patch_combined-1.25.1_v3.diff
> SHA1: 1894e34a364630536d1c61ffbb154259ca6fa0df
>
> For OpenBSD it looks like the CVE-2026-40622 patch needs to be patched.
> - if(ns && !TTL_IS_EXPIRED(cached->ttl, timenow) &&
> + if(ns && cached->ttl >= timenow &&
>
> Should an errata patch be released to update unbound in 7.9?

When discussed (this was slightly too late for the last errata window), we were generally happier with updating the whole thing rather than cherry-picking.

There have been quite a few other commits to unbound upstream in the last week or so, including some buffer overflows, and a regression fix for rpz notifies (problem introduced between 1.24.2 and 1.25.1), so at this point I think it would probably make more sense to wait for a further release.
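Review bot: the proposed substitution of `cached->ttl >= timenow` for `!TTL_IS_EXPIRED(cached->ttl, timenow)` in the quoted CVE-2026-40622 hunk is only equivalent if the macro treats `ttl == timenow` as not yet expired; check the macro's definition in the 1.25.1 tree before carrying the hand-edited condition into a 1.24.2 errata patch, since an off-by-one at the boundary would change what the fix considers a valid cached record. Both lines also end in `&&`, so the rest of the condition is in context lines not shown here; confirm that the remainder matches the 1.24.2 source as well rather than reviewing the one-line rewrite in isolation.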