github NLnetLabs/unbound release-1.23.1
Unbound 1.23.1


This security release fixes the Rebirthday Attack CVE-2025-5994.

The vulnerability re-opens resolvers to a birthday paradox attack when
EDNS Client Subnet (ECS) servers respond with non-ECS answers. It only
affects Unbound when compiled with --enable-subnet and when subnetmod is
enabled with config options that send ECS information to upstream servers.
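
One way to check a host against those conditions, as an added example that is not part of the release notes or NLnet Labs' code. It assumes `unbound -V` prints the version and configure line, that the subnet module appears as `subnetcache` in `module-config`, and that the ECS-sending options are the unbound.conf settings `send-client-subnet`, `client-subnet-zone` and `client-subnet-always-forward`; the sample inputs are constructed.

```python
import re

FIXED = (1, 23, 1)  # the release on this page; distro backports are not detected
# Assumption: these unbound.conf options are what make subnetmod send ECS upstream.
ECS_SEND_OPTS = {"send-client-subnet", "client-subnet-zone", "client-subnet-always-forward"}

def parse_build(version_output):
    """Return (version tuple or None, built with --enable-subnet) from `unbound -V` text."""
    m = re.search(r"Version (\d+)\.(\d+)\.(\d+)", version_output)
    version = tuple(map(int, m.groups())) if m else None
    return version, "--enable-subnet" in version_output

def parse_conf(conf_text):
    """Return (subnetcache in module-config, sorted ECS-sending options in use).
    include: files are not followed; run this over each included file as well."""
    loaded, senders = False, set()
    for raw in conf_text.splitlines():
        key, sep, value = raw.split("#", 1)[0].partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not sep or not value:
            continue  # section headers such as "server:" and blank lines
        if key == "module-config":
            loaded = "subnetcache" in value.split()  # a later line overrides an earlier one here
        elif key in ECS_SEND_OPTS and value != "no":
            senders.add(key)
    return loaded, sorted(senders)

def assess(version_output, conf_text):
    """Combine build and config checks into one verdict for this CVE's preconditions."""
    version, built = parse_build(version_output)
    loaded, senders = parse_conf(conf_text)
    met = built and loaded and bool(senders)
    return {"version": version, "preconditions_met": met, "ecs_options": senders,
            "needs_upgrade": met and (version is None or version < FIXED)}

# Constructed sample inputs (not taken from a real host).
SAMPLE_V = "Version 1.23.0\n\nConfigure line: --enable-subnet --with-libevent\n"
SAMPLE_CONF = """
server:
    module-config: "subnetcache validator iterator"
    send-client-subnet: 192.0.2.53   # constructed upstream address
    client-subnet-always-forward: no
"""

if __name__ == "__main__":
    print(assess(SAMPLE_V, SAMPLE_CONF))
```

Feed it the real output of `unbound -V` and the contents of the active configuration file. A build that reports an older version but carries a vendor backport will still be flagged.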

The CVE is described here:
https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt

We would like to thank Xiang Li (AOSP Lab, Nankai University) for
discovering and responsibly disclosing the vulnerability.

Bug Fixes:

  • Fix Rebirthday Attack CVE-2025-5994, reported by Xiang Li from
    AOSP Lab, Nankai University.
