Bug 34785 - unbound security issue CVE-2025-11411 only partially fixed in previous version
Summary: unbound security issue CVE-2025-11411 only partially fixed in previous version
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-12-01 09:16 CET by Nicolas Salguero
Modified: 2025-12-05 00:30 CET (History)

See Also:
Source RPM: unbound-1.24.1-1.mga9.src.rpm
CVE: CVE-2025-11411
Status comment:


Attachments

Description Nicolas Salguero 2025-12-01 09:16:09 CET
Reference: https://www.openwall.com/lists/oss-security/2025/11/26/4
Nicolas Salguero 2025-12-01 09:17:22 CET

Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 1.24.2
CVE: (none) => CVE-2025-11411
Source RPM: (none) => unbound-1.24.1-1.mga10.src.rpm, unbound-1.24.1-1.mga9.src.rpm

Comment 1 Nicolas Salguero 2025-12-01 10:59:22 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Possible domain hijacking via promiscuous records in the authority section. (CVE-2025-11411)

References:
https://www.openwall.com/lists/oss-security/2025/11/26/4
========================

Updated packages in core/updates_testing:
========================
lib(64)unbound-devel-1.24.2-1.mga9
lib(64)unbound8-1.24.2-1.mga9
python3-unbound-1.24.2-1.mga9
unbound-1.24.2-1.mga9

from SRPM:
unbound-1.24.2-1.mga9.src.rpm

Status comment: Fixed upstream in 1.24.2 => (none)
Source RPM: unbound-1.24.1-1.mga10.src.rpm, unbound-1.24.1-1.mga9.src.rpm => unbound-1.24.1-1.mga9.src.rpm
Version: Cauldron => 9
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
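As an added illustration of the class of issue named in the advisory (records in the authority section that lie outside the answering zone's authority), the check below applies the classic bailiwick rule: an authority-section record is kept only if its owner name is at or below the zone the queried server was delegated for. This is not unbound's code and says nothing about the exact upstream fix; the record type and the sample response are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """Minimal resource record: owner name, type, rdata (constructed type)."""
    name: str
    rtype: str
    rdata: str


def _labels(name: str) -> list[str]:
    """Split a domain name into lower-cased labels; the root "." gives []."""
    n = name.rstrip(".").lower()
    return n.split(".") if n else []


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner equals zone or is a subdomain of it (label-wise suffix)."""
    o, z = _labels(owner), _labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def filter_authority(authority: list[RR], zone: str) -> tuple[list[RR], list[RR]]:
    """Split authority records into (kept, dropped) by the bailiwick rule.

    `zone` is the zone the responding server was queried as authoritative for
    (the delegation we followed to reach it). Anything not under that zone is
    discarded rather than cached or followed, even if it looks like a referral.
    """
    kept, dropped = [], []
    for rr in authority:
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped


# Constructed sample: a referral from the "com." servers for www.example.com.
# Two NS records are in bailiwick; the third names a zone the com servers are
# not authoritative for and must not be accepted from this response.
SAMPLE_AUTHORITY = [
    RR("example.com.", "NS", "ns1.example.com."),
    RR("example.com.", "NS", "ns2.example.com."),
    RR("other.net.", "NS", "ns.other.net."),
]

if __name__ == "__main__":
    kept, dropped = filter_authority(SAMPLE_AUTHORITY, "com.")
    print("kept:   ", [(r.name, r.rdata) for r in kept])
    print("dropped:", [(r.name, r.rdata) for r in dropped])
```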

Nicolas Salguero 2025-12-01 11:00:03 CET

Assignee: bugsquad => qa-bugs

katnatek 2025-12-01 20:33:04 CET

Keywords: (none) => advisory

Comment 2 katnatek 2025-12-03 20:52:29 CET
RH x86_64


installing lib64unbound8-1.24.2-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ###################################################################################################
      1/1: lib64unbound8         ###################################################################################################
      1/1: removing lib64unbound8-1.24.1-1.mga9.x86_64
                                 ###################################################################################################

LC_ALL=C urpmi unbound python3-unbound 


installing unbound-1.24.2-1.mga9.x86_64.rpm python3-unbound-1.24.2-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ###################################################################################################
      1/2: python3-unbound       ###################################################################################################
      2/2: unbound               ###################################################################################################
----------------------------------------------------------------------
More information on package unbound-1.24.2-1.mga9.x86_64
In case you install the dnscrypt-proxy package,
uncomment the indicated forward-zone block in /etc/unbound/unbound.conf
and set "do-not-query-localhost: no"

----------------------------------------------------------------------

gnutls-cli jgrey.phoenix

Provides information on the certificate I use in my webpages

gnutls-serv
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done

Opening http://localhost:5556/ in a new tab produces

* Accepted connection from IPv4 127.0.0.1 port 49044 on Wed Dec  3 13:47:49 202
|<0x309e3db0>| Received record packet of unknown type 71
Error in handshake: An unexpected TLS packet was received.

* Accepted connection from IPv4 127.0.0.1 port 49054 on Wed Dec  3 13:47:49 202
|<0x309e3db0>| Received record packet of unknown type 71
Error in handshake: An unexpected TLS packet was received.

Same results as in https://bugs.mageia.org/show_bug.cgi?id=34760#c3

Reference bug#32841 comment#6
systemctl start unbound
systemctl status unbound
● unbound.service - Unbound DNS Resolver
     Loaded: loaded (/usr/lib/systemd/system/unbound.service; disabled; preset: disabled)
     Active: active (running) since Wed 2025-12-03 13:49:45 CST; 18s ago
   Main PID: 102142 (unbound)
      Tasks: 1 (limit: 6826)
     Memory: 6.9M
        CPU: 58ms
     CGroup: /system.slice/unbound.service
             └─102142 /usr/sbin/unbound -c /etc/unbound/unbound.conf

dic 03 13:49:45 jgrey.phoenix systemd[1]: Started unbound.service.
dic 03 13:49:45 jgrey.phoenix unbound[102142]: [102142:0] notice: init module 0: validator
dic 03 13:49:45 jgrey.phoenix unbound[102142]: [102142:0] notice: init module 1: iterator
dic 03 13:49:45 jgrey.phoenix unbound[102142]: [102142:0] info: start of service (unbound 1.24.2).

I still see the same information after running dig mageia.org as in https://bugs.mageia.org/show_bug.cgi?id=34700#c10

Looks good to me, but it still looks like I have not configured the service well.
katnatek 2025-12-03 22:56:19 CET

Whiteboard: (none) => MGA9-64-OK

Comment 3 Thomas Andrews 2025-12-04 16:58:48 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 4 Mageia Robot 2025-12-05 00:30:15 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0318.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

