rpm package
opensuse/unbound&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/unbound&distro=openSUSE%20Tumbleweed
Vulnerabilities (17)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-11411 | Med | — | | < 1.24.1-1.1 | 1.24.1-1.1 | Oct 22, 2025 | NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually t |
| CVE-2025-5994 | Hig | — | | < 1.23.1-1.1 | 1.23.1-1.1 | Jul 16, 2025 | A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along |
| CVE-2024-8508 | | — | | < 1.21.1-1.1 | 1.21.1-1.1 | Oct 3, 2024 | NLnet Labs Unbound up to and including version 1.21.0 contains a vulnerability when handling replies with very large RRsets that it needs to perform name compression for. Malicious upstreams responses with very large RRsets can cause Unbound to spend a considerable time applying |
| CVE-2024-43167 | Low | 2.8 | | < 1.21.0-1.1 | 1.21.0-1.1 | Aug 12, 2024 | DISPUTE NOTE: this issue does not pose a security risk as it (according to analysis by the original software developer, NLnet Labs) falls within the expected functionality and security controls of the application. Red Hat has made a claim that there is a security risk within Red |
| CVE-2024-33655 | Hig | 7.5 | | < 1.20.0-1.1 | 1.20.0-1.1 | Jun 6, 2024 | The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in |
| CVE-2024-1931 | | — | | < 1.19.2-1.1 | 1.19.2-1.1 | Mar 7, 2024 | NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 contain a vulnerability that can cause denial of service by a certain code path that can lead to an infinite loop. Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher tha |
| CVE-2023-50868 | | — | | < 1.19.1-1.1 | 1.19.1-1.1 | Feb 14, 2024 | The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 51 |
| CVE-2023-50387 | | — | | < 1.19.1-1.1 | 1.19.1-1.1 | Feb 14, 2024 | Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with man |
| CVE-2022-3204 | | — | | < 1.16.3-1.1 | 1.16.3-1.1 | Sep 26, 2022 | A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non responsive nameservers. The attack starts by quer |
| CVE-2022-30698 | | — | | < 1.16.2-1.1 | 1.16.2-1.1 | Aug 1, 2022 | NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation in |
| CVE-2020-28935 | | — | | < 1.13.2-1.2 | 1.13.2-1.2 | Dec 7, 2020 | NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that would allow for a local symlink attack. When writing the PID file, Unbound and NSD create the file if it is not there, or open an exis |
| CVE-2020-12662 | | — | | < 1.13.2-1.2 | 1.13.2-1.2 | May 19, 2020 | Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records. |
| CVE-2020-12663 | | — | | < 1.13.2-1.2 | 1.13.2-1.2 | May 19, 2020 | Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers. |
| CVE-2019-18934 | | — | | < 1.13.2-1.2 | 1.13.2-1.2 | Nov 19, 2019 | Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in t |
| CVE-2019-16866 | | — | | < 1.13.2-1.2 | 1.13.2-1.2 | Oct 3, 2019 | Unbound before 1.9.4 accesses uninitialized memory, which allows remote attackers to trigger a crash via a crafted NOTIFY query. The source IP address of the query must match an access-control rule. |
| CVE-2017-15105 | | — | | < 1.13.2-1.2 | 1.13.2-1.2 | Jan 23, 2018 | A flaw was found in the way unbound before 1.6.8 validated wildcard-synthesized NSEC records. An improperly validated wildcard NSEC record could be used to prove the non-existence (NXDOMAIN answer) of an existing wildcard record, or trick unbound into accepting a NODATA proof. |
| CVE-2014-8602 | | — | | < 1.5.10-1.1 | 1.5.10-1.1 | Dec 11, 2014 | iterator.c in NLnet Labs Unbound before 1.5.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a large or infinite number of referrals. |