diff --git a/unbound-1.17.1-CVE-2026-42959.patch b/unbound-1.17.1-CVE-2026-42959.patch
new file mode 100644
index 0000000000000000000000000000000000000000..681a9dfd3c23738a273f20cf6991a978582908d1
--- /dev/null
+++ b/unbound-1.17.1-CVE-2026-42959.patch
@@ -0,0 +1,30 @@
+From 94d5babaee22a016e376bdcfee2b9bb40360367c Mon Sep 17 00:00:00 2001
+From: "W.C.A. Wijngaards"
+Date: Wed, 20 May 2026 10:14:32 +0200
+Subject: [PATCH] - Fix CVE-2026-42959, Crash during DNSSEC validation of
+ malicious content. Thanks to Qifan Zhang, Palo Alto Networks, for the
+ report.
+
+Adapted-by: PkgAgent/deepseek-v4 (modified to adapt to opencloudos-stream)
+
+---
+ validator/val_utils.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/validator/val_utils.c b/validator/val_utils.c
+index e2319ee..92c52c2 100644
+--- a/validator/val_utils.c
++++ b/validator/val_utils.c
+@@ -936,10 +936,10 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
+ if(query_dname_compare(name,
+ orig->rrsets[i]->rk.dname) == 0)
+ chase->rrsets[chase->an_numrrsets
+- +orig->ns_numrrsets+chase->ar_numrrsets++]
++ +chase->ns_numrrsets+chase->ar_numrrsets++]
+ = orig->rrsets[i];
+ } else if(rrset_has_signer(orig->rrsets[i], name, len)) {
+- chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+
++ chase->rrsets[chase->an_numrrsets+chase->ns_numrrsets+
+ chase->ar_numrrsets++] = orig->rrsets[i];
+ }
+ }
diff --git a/unbound-1.17.1-CVE-2026-42960.patch b/unbound-1.17.1-CVE-2026-42960.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cbfffe4a28463919e84bed3896d95456ed276ebe
--- /dev/null
+++ b/unbound-1.17.1-CVE-2026-42960.patch
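Review bot: The corrected index in the two changed lines of val_fill_reply still assumes chase->rrsets was allocated with room for orig's full rrset count; if that array is sized from chase's own section counts, `chase->ar_numrrsets++` can keep stepping past its end, so the allocation — outside this hunk, along with the rest of the function — should be checked against it. The fix itself is sound as far as the hunk shows: the additional-section slot must be offset by the NS rrsets chase actually kept, and chase can hold fewer of them than orig. A one-line why-comment above the first changed index would stop a future backporter from "correcting" it back to orig, e.g. `/* offset by chase's own NS count: chase may carry fewer NS rrsets than orig */`. The `Adapted-by` trailer states the upstream commit was modified for opencloudos-stream but not what changed; noting the difference from upstream 94d5babaee2 (or that there is none) would make the backport auditable.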
@@ -0,0 +1,32 @@
+From 8ae4b4545dccaaabd30b597b0dcb0d9640c8cc39 Mon Sep 17 00:00:00 2001
+From: "W.C.A. Wijngaards"
+Date: Wed, 20 May 2026 10:20:45 +0200
+Subject: [PATCH] - Fix CVE-2026-42960, Possible cache poisoning attack while
+ following delegation. Thanks to TaoFei Guo from Peking University, Yang Luo
+ and JianJun Chen, Tsinghua University, for the report.
+
+Adapted-by: PkgAgent/deepseek-v4 (modified to adapt to opencloudos-stream)
+
+---
+ iterator/iter_scrub.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
+index f093c1b..7c88272 100644
+--- a/iterator/iter_scrub.c
++++ b/iterator/iter_scrub.c
+@@ -566,7 +566,13 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
+ rrset->rrset_all_next = NULL;
+ return 1;
+ }
+- mark_additional_rrset(pkt, msg, rrset);
++ /* Only mark glue as allowed for type NS in the authority
++ * section. Other RR types do not get glue for them, it
++ * is allowed from the answer section, but not authority
++ * so that a message can not have address records cached
++ * as a side effect to the query. */
++ if(rrset->type==LDNS_RR_TYPE_NS)
++ mark_additional_rrset(pkt, msg, rrset);
+ prev = rrset;
+ rrset = rrset->rrset_all_next;
+ }
diff --git a/unbound.spec b/unbound.spec
index c610a45fb29a1de3a2936ae6a01a1276d2f11962..0cd4e72d7f034c2853f5f083c31f2b4b590c4e1b 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -3,7 +3,7 @@ Summary: Validating, recursive, caching DNS resolver
 Name: unbound
 Version: 1.17.1
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: BSD
 URL: https://nlnetlabs.nl/projects/unbound/
 Source0: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}.tar.gz
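Review bot: The new guard `if(rrset->type==LDNS_RR_TYPE_NS)` in scrub_normalize leaves non-NS authority rrsets unmarked, which only closes the cache-poisoning path if a later scrub pass actually strips additional records that were never marked; that pass is outside this hunk, so it should be confirmed rather than taken from the comment. The comparison also presumes `rrset->type` is held in host byte order, which nothing in the hunk shows — if msg_parse keeps it in wire order the test never matches and the patch silently becomes a no-op, so a quick check of the field's definition is worthwhile. The condition is also written without the spacing the project uses elsewhere (the sibling patch writes `== 0`), so `if(rrset->type == LDNS_RR_TYPE_NS)` would match. The enclosing loop of scrub_normalize starts and ends outside the hunk.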
@@ -28,6 +28,8 @@ Patch0002: fix-CVE-2024-8508.patch
 Patch0003: CVE-2024-43167.patch
 Patch0004: CVE-2024-43168.patch
 Patch0005: fix-CVE-2025-5994.patch
+Patch0006: unbound-1.17.1-CVE-2026-42959.patch
+Patch0007: unbound-1.17.1-CVE-2026-42960.patch
 Patch3001: backport-pre-CVE-2024-33655-extended_error_encode-for-extended-errors.patch
 Patch3002: backport-pre-CVE-2024-33655-Downstream-DNS-Cookies-a-la-RFC7873-and-RFC9018.patch
@@ -247,6 +249,10 @@ fi
 %changelog
+* Mon Jun 01 2026 PkgAgent Robot - 1.17.1-13
+- [Type] security
+- [DESC] Fix CVE-2026-42959, CVE-2026-42960
+
 * Tue Jul 29 2025 Xin Cheng - 1.17.1-12
 - [Type] security
 - [DESC] fix CVE-2025-5994
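Review bot: The two added Patch0006/Patch0007 lines only declare the backports; whether they are applied depends on the %prep section, which is outside this hunk. If the spec applies patches with explicit `%patch` lines rather than `%autosetup -p1`, matching apply entries for 6 and 7 are needed, otherwise the package builds from unfixed 1.17.1 sources while the changelog claims both CVEs are fixed. A build-time check that the prepared val_utils.c and iter_scrub.c contain the patched lines would catch that regardless of which %prep style is used.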