Source: unbound
Version: 1.22.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.13.1-1+deb11u4
Control: found -1 1.13.1-1+deb11u2
Control: found -1 1.13.1-1

Hi,

The following vulnerability was published for unbound.

CVE-2025-5994[0]:
| A multi-vendor cache poisoning vulnerability named 'Rebirthday
| Attack' has been discovered in caching resolvers that support EDNS
| Client Subnet (ECS). Unbound is also vulnerable when compiled with
| ECS support, i.e., '--enable-subnet', AND configured to send ECS
| information along with queries to upstream name servers, i.e., at
| least one of the 'send-client-subnet', 'client-subnet-zone' or
| 'client-subnet-always-forward' options is used. Resolvers supporting
| ECS need to segregate outgoing queries to accommodate for different
| outgoing ECS information. This re-opens up resolvers to a birthday
| paradox attack (Rebirthday Attack) that tries to match the DNS
| transaction ID in order to cache non-ECS poisonous replies.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-5994
    https://www.cve.org/CVERecord?id=CVE-2025-5994
[1] https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
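Added example (not part of the bug report or of Unbound itself): a small checker that applies the exposure condition quoted above to an Unbound build and configuration, i.e. built with '--enable-subnet' AND at least one of 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' set. It assumes the build flags come from the "Configure line:" in `unbound -V` output and the config is plain `key: value` unbound.conf text; both sample inputs are constructed.

```python
"""Check whether an Unbound build/config meets the CVE-2025-5994 exposure
condition: built with --enable-subnet AND at least one ECS-sending option."""

# The three options named in the advisory that make Unbound send ECS upstream.
ECS_SEND_OPTIONS = {"send-client-subnet", "client-subnet-zone",
                    "client-subnet-always-forward"}

def parse_unbound_conf(text):
    """Return {option: [values]} for 'key: value' lines; comments, blank
    lines and clause headers such as 'server:' (no value) are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        key, sep, value = line.partition(":")    # first ':' separates key/value
        key, value = key.strip(), value.strip()
        if not sep or not value:
            continue
        opts.setdefault(key, []).append(value.strip('"'))
    return opts

def built_with_subnet(version_output):
    """True if the configure line from 'unbound -V' contains --enable-subnet."""
    return "--enable-subnet" in version_output.split()

def assess_exposure(version_output, conf_text):
    """Combine both conditions; 'exposed' is True only when both hold."""
    opts = parse_unbound_conf(conf_text)
    used = sorted(k for k in ECS_SEND_OPTIONS if k in opts)
    subnet_build = built_with_subnet(version_output)
    return {"subnet_build": subnet_build,
            "ecs_send_options": used,
            "exposed": subnet_build and bool(used)}

# Constructed sample inputs (hypothetical host, not taken from the report).
SAMPLE_VERSION = "Version 1.22.0\n\nConfigure line: --enable-subnet --with-libevent\n"
SAMPLE_CONF = """
server:
    interface: 127.0.0.1
    module-config: "subnetcache validator iterator"
    send-client-subnet: 192.0.2.0/24   # forwards ECS to upstream servers
    client-subnet-always-forward: yes
"""
NO_ECS_CONF = "server:\n    interface: 127.0.0.1\n    module-config: \"validator iterator\"\n"

if __name__ == "__main__":
    print(assess_exposure(SAMPLE_VERSION, SAMPLE_CONF))   # exposed: True
    print(assess_exposure(SAMPLE_VERSION, NO_ECS_CONF))   # exposed: False
```

A result of `exposed: True` only means the stated condition is met; the fix is the updated package, not editing the config.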

