For details see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-25-1
"Bug Fixes
Fix CVE-2026-33278, Possible remote code execution during DNSSEC
validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie,
padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for
the report.
Fix CVE-2026-42959, Crash during DNSSEC validation of malicious
content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew
Griffiths from 'calif.io' for the report.
Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang,
Palo Alto Networks, for the report.
Fix CVE-2026-41292, Parsing a long list of incoming EDNS options
degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan
Zhang from Palo Alto Networks, for the report.
Fix CVE-2026-42534, Jostle logic bypass degrades resolution
performance. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash
calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the
report.
Fix CVE-2026-42960, Possible cache poisoning attack while following
delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and
JianJun Chen, Tsinghua University, for the report.
Fix CVE-2026-44390, Unbounded name compression in certain cases causes
degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for
the report.
Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to
Qifan Zhang, Palo Alto Networks, for the report."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
#usr/lib/libunbound.la
#usr/lib/libunbound.so
usr/lib/libunbound.so.8
-usr/lib/libunbound.so.8.1.36
+usr/lib/libunbound.so.8.1.37
#usr/lib/pkgconfig/libunbound.pc
usr/sbin/unbound
usr/sbin/unbound-anchor
include Config
-VER = 1.25.0
+VER = 1.25.1
THISAPP = unbound-$(VER)
DL_FILE = $(THISAPP).tar.gz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 4c22e198c2257c251505f6845c42e67481edce2c5e8dc0c475584ef6b8e85907c322f32bd7ecfcb06243ba36fb3d91c63d8c1edd67dca66d374c6a242206e548
+$(DL_FILE)_BLAKE2 = da9818a14a540bf2d674f504a38da711cfead20af2c6f987aab74094b441ef31586f28608432d2369b2223b3287290f450218466654c71626e33df74da557f18
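Review bot: The new `$(DL_FILE)_BLAKE2` value on the `+` line is the only integrity check visible for the 1.25.1 tarball, and the commit message does not say how the tarball was authenticated before that digest was computed. Since this release fixes a possible remote code execution, state in the message that the download was checked against upstream's published signature or checksum, so the pinned digest can be traced back to the upstream release.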
install : $(TARGET)
-mkdir -pv /var/lib/unbound
install -v -m 644 $(DIR_SRC)/config/unbound/root.key \
/var/lib/unbound/root.key
- chown -Rv unbound:unbound /var/lib/unbound
+ chown -Rv nobody.nobody /var/lib/unbound
# Ship ICANN's certificates to validate DNS trust anchors
install -v -m 644 $(DIR_SRC)/config/unbound/icannbundle.pem \
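Review bot: The `+ chown -Rv nobody.nobody /var/lib/unbound` line is an ownership change that the commit message, which only describes the 1.25.1 update, never mentions. Because the chown is recursive, it also hands the `root.key` trust anchor installed just above it to the generic `nobody` account instead of the dedicated `unbound` user. Keep `unbound:unbound` here, or move the change to its own commit with a stated reason. If it stays, write the owner as `nobody:nobody`, as the other chown line in this patch does, rather than with the `.` separator.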
# Install the cache directory
-mkdir -pv /var/cache/unbound
- chown unbound:unbound /var/cache/unbound
+ chown nobody:nobody /var/cache/unbound
@rm -rf $(DIR_APP)
@$(POSTBUILD)
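Review bot: The `+ chown nobody:nobody /var/cache/unbound` line changes the cache directory's owner without updating anything else visible in this patch. If the daemon is still configured to run as `unbound`, it loses write access to this directory, so confirm which user the shipped configuration sets before merging. If the switch to `nobody` is intended, it belongs in a separate commit from the version bump so that it can be reviewed and reverted independently of the security update.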