From: obsd@mulh.net
Subject: Re: Unbound security advisories 2026
To: tech@openbsd.org
Date: Sat, 20 Jun 2026 09:14:28 -0400

On 2026-06-20 9:19:50: Stuart Henderson wrote:
> When discussed (this was slightly too late for the last errata window),
> we were generally happier with updating the whole thing rather than
> cherrypicking.
>
> There have been quite a few other commits to unbound upstream in the
> last week or so, including some buffer overflows, and a regression
> fix for rpz notifies (problem introduced between 1.24.2 and 1.25.1)
> so at this point I think it would probably make more sense to wait for a
> further release.

Ok.

I figured 7.9-release came with 1.24.2 and so would always be 1.24.2
and get security patches as needed.  (I'm not complaining)

Seeing the long list of published CVEs on NLnetLabs website from May 20th had me concerned,
especially CVE-2026-33278 Possible arbitrary code execution during DNSSEC validation
affecting versions 1.19.1 and up, marked critical.

Now I see, only one critical, two high, and the remaining eight medium.
Not so bad, I can wait until 8.0-release to get the vulnerability fixes.