This security release has additional fixes for CVE-2025-11411.
Promiscuous NS RRSets that complement DNS replies in the authority
section can be used to trick resolvers into updating their delegation
information for the zone.

The CVE is described here:
https://nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt

Unbound 1.24.1 included a fix that scrubs unsolicited NS RRSets (and
their respective address records) from replies, mitigating the possible
poison effect.

Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS
RRSets (and their respective address records) from YXDOMAIN and
non-referral nodata replies as well, mitigating the possible poison
effect.

We would like to thank TaoFei Guo from Peking University, Yang Luo and
JianJun Chen from Tsinghua University for discovering and responsibly
disclosing the partial mitigation of CVE-2025-11411 in Unbound 1.24.1.

Bug Fixes:
- Additional fix for CVE-2025-11411 (possible domain hijacking attack),
to include YXDOMAIN and non-referral nodata answers in the mitigation
as well, reported by TaoFei Guo from Peking University, Yang Luo and
JianJun Chen from Tsinghua University.
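
The scrubbing described above for YXDOMAIN and non-referral nodata replies, as a simplified model added here for illustration; it is not Unbound's code. The Reply structure, the function names and the rule used to tell a referral from a nodata reply (NS without SOA in the authority section) are assumptions, and the sample replies are constructed.

```python
from dataclasses import dataclass, field

NOERROR, YXDOMAIN = 0, 6  # DNS RCODE values

@dataclass
class Reply:
    rcode: int
    answer: list = field(default_factory=list)      # RRs as (owner, type, rdata)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)

def classify(r):
    """Assumed, simplified classification; not Unbound's actual logic."""
    if r.rcode == YXDOMAIN:
        return "yxdomain"
    if r.rcode == NOERROR and not r.answer:
        types = {t for _, t, _ in r.authority}
        # Assumption: NS without SOA in the authority section means referral.
        return "referral" if "NS" in types and "SOA" not in types else "nodata"
    return "other"

def scrub(r):
    """Drop NS RRSets and their address records from YXDOMAIN/nodata replies."""
    kind = classify(r)
    if kind not in ("yxdomain", "nodata"):
        return kind, r  # referrals legitimately carry NS records; left alone
    targets = {rd.lower() for _, t, rd in r.authority if t == "NS"}
    authority = [rr for rr in r.authority if rr[1] != "NS"]
    additional = [rr for rr in r.additional
                  if not (rr[1] in ("A", "AAAA") and rr[0].lower() in targets)]
    return kind, Reply(r.rcode, r.answer, authority, additional)

# Constructed sample replies (documentation names and addresses).
SOA = ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300")
NS = ("example.com.", "NS", "ns.other.example.")
GLUE = ("ns.other.example.", "A", "192.0.2.53")

nodata = Reply(NOERROR, [], [SOA, NS], [GLUE])
yxdomain = Reply(YXDOMAIN, [("example.com.", "DNAME", "example.net.")], [NS], [GLUE])
referral = Reply(NOERROR, [], [("sub.example.com.", "NS", "ns.sub.example.com.")],
                 [("ns.sub.example.com.", "A", "192.0.2.1")])

if __name__ == "__main__":
    for name, reply in [("nodata", nodata), ("yxdomain", yxdomain), ("referral", referral)]:
        kind, cleaned = scrub(reply)
        print(name, kind, cleaned.authority, cleaned.additional)
```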