Unbound 1.23.1 released
Wouter Wijngaards
wouter at nlnetlabs.nl
Wed Jul 16 09:17:38 UTC 2025
Hi,
Unbound 1.23.1 is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.23.1.tar.gz
sha256 6a6b117c799d8de3868643397e0fd71591f6d42f4473f598bdb22609ff362590
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.23.1.tar.gz.asc
This security release fixes the Rebirthday Attack CVE-2025-5994.
This re-opens up resolvers to a birthday paradox, for EDNS client subnet
servers that respond with non-ECS answers. It only affects Unbound when
compiled with --enable-subnet, and subnetmod is enabled with config
options that send ECS information to upstream servers.
The CVE is described here
https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt
We would like to thank Xiang Li (AOSP Lab, Nankai University) for
discovering and responsibly disclosing the vulnerability.
Bug Fixes:
- Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from
AOSP Lab Nankai University.
Best regards, Wouter
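
A local triage check for the conditions named above (a release before 1.23.1, a build with --enable-subnet, the subnet module enabled, and options that send ECS upstream), as an added example that is not part of the original message and is not NLnet Labs code. The module name subnetcache and the option names send-client-subnet, client-subnet-zone and client-subnet-always-forward are taken from unbound.conf(5), not from the announcement; the function names are hypothetical and the sample inputs are constructed, modelled on `unbound -V` output.

```shell
# Added example: does this resolver match the conditions in the announcement?
# Limits: "include:" files are not followed; expects "key: value" lines.

# version_before_fix FILE: FILE holds saved `unbound -V` output.
# With no "Version" line the second awk sees no input and exits 0 (needs review).
version_before_fix() {
    awk '$1 == "Version" { print $2; exit }' "$1" |
        awk -F. '{ exit !(($1 * 1000000 + $2 * 1000 + $3) < 1023001) }'
}

built_with_subnet() { grep -q -e '--enable-subnet' "$1"; }

conf_values() {  # conf_values FILE KEY: print KEY's values, comments stripped
    sed 's/#.*//' "$1" |
        awk -v k="$2:" '$1 == k { $1 = ""; gsub(/"/, ""); sub(/^ +/, ""); print }'
}

subnet_module_enabled() {  # last module-config line wins
    case " $(conf_values "$1" module-config | tail -n 1) " in
        *" subnetcache "*) return 0 ;;
    esac
    return 1
}

sends_ecs() {  # any option that causes ECS data to go to upstream servers
    [ -n "$(conf_values "$1" send-client-subnet)" ] && return 0
    [ -n "$(conf_values "$1" client-subnet-zone)" ] && return 0
    [ "$(conf_values "$1" client-subnet-always-forward | tail -n 1)" = yes ]
}

ecs_exposed() {  # ecs_exposed VERSION_FILE CONF_FILE
    version_before_fix "$1" && built_with_subnet "$1" &&
        subnet_module_enabled "$2" && sends_ecs "$2"
}

# Constructed sample inputs (not captured from a real host).
tmp=$(mktemp -d)
printf 'Version 1.23.0\n\nConfigure line: --enable-subnet --with-libevent\n' > "$tmp/old.txt"
printf 'Version 1.23.1\n\nConfigure line: --enable-subnet --with-libevent\n' > "$tmp/new.txt"
cat > "$tmp/ecs.conf" <<'EOF'
server:
    module-config: "subnetcache validator iterator"
    send-client-subnet: 192.0.2.0/24   # constructed upstream range
EOF
printf 'server:\n    module-config: "validator iterator"\n' > "$tmp/plain.conf"

if ecs_exposed "$tmp/old.txt" "$tmp/ecs.conf"; then
    echo "1.23.0 with ECS forwarding: matches the affected conditions, upgrade"
fi
```

On a real host, save `unbound -V` output to a file and pass it with the path to unbound.conf as the two arguments of ecs_exposed.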