[PATCH] unbound: Update to 1.25.1

[PATCH] unbound: Update to 1.25.1

[Matthias Fischer]

For details see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-25-1

"Bug Fixes

    Fix CVE-2026-33278, Possible remote code execution during DNSSEC
    validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
    Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie,
    padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for
    the report.
    Fix CVE-2026-42959, Crash during DNSSEC validation of malicious
    content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
    Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew
    Griffiths from 'calif.io' for the report.
    Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang,
    Palo Alto Networks, for the report.
    Fix CVE-2026-41292, Parsing a long list of incoming EDNS options
    degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan
    Zhang from Palo Alto Networks, for the report.
    Fix CVE-2026-42534, Jostle logic bypass degrades resolution
    performance. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
    Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash
    calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the
    report.
    Fix CVE-2026-42960, Possible cache poisoning attack while following
    delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and
    JianJun Chen, Tsinghua University, for the report.
    Fix CVE-2026-44390, Unbounded name compression in certain cases causes
    degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for
    the report.
    Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to
    Qifan Zhang, Palo Alto Networks, for the report."

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
 config/rootfiles/common/unbound | 2 +-
 lfs/unbound                     | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound
index 4ab2ee5b4..2fdf58b08 100644
--- a/config/rootfiles/common/unbound
+++ b/config/rootfiles/common/unbound
@@ -11,7 +11,7 @@ etc/unbound/unbound.conf
 #usr/lib/libunbound.la
 #usr/lib/libunbound.so
 usr/lib/libunbound.so.8
-usr/lib/libunbound.so.8.1.36
+usr/lib/libunbound.so.8.1.37
 #usr/lib/pkgconfig/libunbound.pc
 usr/sbin/unbound
 usr/sbin/unbound-anchor
diff --git a/lfs/unbound b/lfs/unbound
index b0691e864..086025e4b 100644
--- a/lfs/unbound
+++ b/lfs/unbound
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 1.25.0
+VER        = 1.25.1
 
 THISAPP    = unbound-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 4c22e198c2257c251505f6845c42e67481edce2c5e8dc0c475584ef6b8e85907c322f32bd7ecfcb06243ba36fb3d91c63d8c1edd67dca66d374c6a242206e548
+$(DL_FILE)_BLAKE2 = da9818a14a540bf2d674f504a38da711cfead20af2c6f987aab74094b441ef31586f28608432d2369b2223b3287290f450218466654c71626e33df74da557f18
 
 install : $(TARGET)
 
@@ -109,7 +109,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	-mkdir -pv /var/lib/unbound
 	install -v -m 644 $(DIR_SRC)/config/unbound/root.key \
 		/var/lib/unbound/root.key
-	chown -Rv unbound:unbound /var/lib/unbound
+	chown -Rv nobody.nobody /var/lib/unbound
 
 	# Ship ICANN's certificates to validate DNS trust anchors
 	install -v -m 644 $(DIR_SRC)/config/unbound/icannbundle.pem \
@@ -117,7 +117,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 
 	# Install the cache directory
 	-mkdir -pv /var/cache/unbound
-	chown unbound:unbound /var/cache/unbound
+	chown nobody:nobody /var/cache/unbound
 
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)
-- 
2.53.0

Re: [PATCH] unbound: Update to 1.25.1

[Matthias Fischer]

On 21.05.2026 15:29, Matthias Fischer wrote:
> For details see:
> https://nlnetlabs.nl/projects/unbound/download/#unbound-1-25-1
> ...

Sorry for the noise - I tested the new unbound-version with Core 201 and
forgot to update the new ownerships!

I'm going to sit in my deepest corner and feel ashamed...

> -	chown -Rv unbound:unbound /var/lib/unbound
> +	chown -Rv nobody.nobody /var/lib/unbound
>  
>  	# Ship ICANN's certificates to validate DNS trust anchors
>  	install -v -m 644 $(DIR_SRC)/config/unbound/icannbundle.pem \
> @@ -117,7 +117,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  
>  	# Install the cache directory
>  	-mkdir -pv /var/cache/unbound
> -	chown unbound:unbound /var/cache/unbound
> +	chown nobody:nobody /var/cache/unbound
>  ...

Re: [PATCH] unbound: Update to 1.25.1

[Michael Tremer]

Hello,

Not a problem at all. I merged it too quickly too. I just wanted to have this in the release as everything in that release looked so scary...

> On 21 May 2026, at 14:58, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
> 
> On 21.05.2026 15:29, Matthias Fischer wrote:
>> For details see:
>> https://nlnetlabs.nl/projects/unbound/download/#unbound-1-25-1
>> ...
> 
> Sorry for the noise - I tested the new unbound-version with Core 201 and
> forgot to update the new ownerships!
> 
> I'm going to sit in my deepest corner and feel ashamed...
> 
>> - chown -Rv unbound:unbound /var/lib/unbound
>> + chown -Rv nobody.nobody /var/lib/unbound
>> 
>> # Ship ICANN's certificates to validate DNS trust anchors
>> install -v -m 644 $(DIR_SRC)/config/unbound/icannbundle.pem \
>> @@ -117,7 +117,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> 
>> # Install the cache directory
>> -mkdir -pv /var/cache/unbound
>> - chown unbound:unbound /var/cache/unbound
>> + chown nobody:nobody /var/cache/unbound
>> ...
>