From: W.C.A. Wijngaards Date: Wed, 20 May 2026 08:20:45 +0000 (+0200) Subject: - Fix CVE-2026-42960, Possible cache poisoning attack while following X-Git-Tag: release-1.25.1~3 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=8ae4b4545dccaaabd30b597b0dcb0d9640c8cc39;p=thirdparty%2Funbound.git - Fix CVE-2026-42960, Possible cache poisoning attack while following delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and JianJun Chen, Tsinghua University, for the report. --- diff --git a/doc/Changelog b/doc/Changelog index 4822075f9..eb59a1a73 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -19,6 +19,9 @@ - Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the report. + - Fix CVE-2026-42960, Possible cache poisoning attack while following + delegation. Thanks to TaoFei Guo from Peking University, Yang Luo + and JianJun Chen, Tsinghua University, for the report. 23 April 2026: Wouter - Merge #1441: Fix buffer overrun in diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c index 37c4150cd..74a258640 100644 --- a/iterator/iter_scrub.c +++ b/iterator/iter_scrub.c @@ -777,7 +777,13 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, rrset->rrset_all_next = NULL; return 1; } - mark_additional_rrset(pkt, msg, rrset); + /* Only mark glue as allowed for type NS in the authority + * section. Other RR types do not get glue for them, it + * is allowed from the answer section, but not authority + * so that a message can not have address records cached + * as a side effect to the query. */ + if(rrset->type==LDNS_RR_TYPE_NS) + mark_additional_rrset(pkt, msg, rrset); prev = rrset; rrset = rrset->rrset_all_next; }