|
| 1 | +From cd5846215e0e1760123a13a33c3447419d3fb799 Mon Sep 17 00:00:00 2001 |
| 2 | +From: Azure Linux Security Servicing Account |
| 3 | + |
| 4 | +Date: Fri, 24 Oct 2025 06:16:16 +0000 |
| 5 | +Subject: [PATCH] Fix for CVE-2025-11411 |
| 6 | + |
| 7 | +Signed-off-by: Azure Linux Security Servicing Account < [email protected]> |
| 8 | +Upstream-reference: https://nlnetlabs.nl/downloads/unbound/patch_CVE-2025-11411.diff |
| 9 | +--- |
| 10 | + iterator/iter_scrub.c | 16 ++++++++++++++++ |
| 11 | + 1 file changed, 16 insertions(+) |
| 12 | + |
| 13 | +diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c |
| 14 | +index 5f2e303..47dc40a 100644 |
| 15 | +--- a/iterator/iter_scrub.c |
| 16 | ++++ b/iterator/iter_scrub.c |
| 17 | +@@ -570,6 +570,22 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, |
| 18 | + "RRset:", pkt, msg, prev, &rrset); |
| 19 | + continue; |
| 20 | + } |
| 21 | ++ /* If the NS set is a promiscuous NS set, scrub that |
| 22 | ++ * to remove potential for poisonous contents that |
| 23 | ++ * affects other names in the same zone. Remove |
| 24 | ++ * promiscuous NS sets in positive answers, that |
| 25 | ++ * thus have records in the answer section. Nodata |
| 26 | ++ * and nxdomain promiscuous NS sets have been removed |
| 27 | ++ * already. Since the NS rrset is scrubbed, its |
| 28 | ++ * address records are also not marked to be allowed |
| 29 | ++ * and are removed later. */ |
| 30 | ++ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR && |
| 31 | ++ msg->an_rrsets != 0 && |
| 32 | ++ 1 /* env->cfg->iter_scrub_promiscuous */) { |
| 33 | ++ remove_rrset("normalize: removing promiscuous " |
| 34 | ++ "RRset:", pkt, msg, prev, &rrset); |
| 35 | ++ continue; |
| 36 | ++ } |
| 37 | + if(nsset == NULL) { |
| 38 | + nsset = rrset; |
| 39 | + } else { |
| 40 | +-- |
| 41 | +2.45.4 |
| 42 | + |
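Review bot: The third term of the added condition (patch line 32) is the literal `1`, with `env->cfg->iter_scrub_promiscuous` left inside a comment, so in this backport any NS rrset reaching this point in a NOERROR reply with answer records is removed unconditionally and cannot be switched off. That is the safe direction for CVE-2025-11411, but the constant reads like a leftover stub. A line above the `if` such as `/* backport: always enabled; the config toggle named below is not available in this version */` would record the intent; the reason is presumably that this tree has no such config field, which should be confirmed. The diffstat lists only iter_scrub.c, so nothing in this patch exercises the new branch. A regression case with a positive answer carrying an authority NS set would pin the behaviour. scrub_normalize starts and ends outside the hunk, so the conditions that lead to this check are not visible here.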