From f0b2350b3d4bb8ad94f4253e45df38734b8a4061 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Fri, 24 Oct 2025 06:22:01 +0000
Subject: [PATCH] Patch unbound for CVE-2025-11411

---
 SPECS/unbound/CVE-2025-11411.patch | 42 ++++++++++++++++++++++++++++++
 SPECS/unbound/unbound.spec | 6 ++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/unbound/CVE-2025-11411.patch

diff --git a/SPECS/unbound/CVE-2025-11411.patch b/SPECS/unbound/CVE-2025-11411.patch
new file mode 100644
index 00000000000..e06a2c97f22
--- /dev/null
+++ b/SPECS/unbound/CVE-2025-11411.patch
@@ -0,0 +1,42 @@
+From 49964b5384d34d45ae88c16161426881cf49134a Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+
+Date: Fri, 24 Oct 2025 06:21:51 +0000
+Subject: [PATCH] Fix for CVE-2025-11411
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://nlnetlabs.nl/downloads/unbound/patch_CVE-2025-11411.diff
+---
+ iterator/iter_scrub.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
+index 5f2e303..47dc40a 100644
+--- a/iterator/iter_scrub.c
++++ b/iterator/iter_scrub.c
+@@ -570,6 +570,22 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
+ "RRset:", pkt, msg, prev, &rrset);
+ continue;
+ }
++ /* If the NS set is a promiscuous NS set, scrub that
++ * to remove potential for poisonous contents that
++ * affects other names in the same zone. Remove
++ * promiscuous NS sets in positive answers, that
++ * thus have records in the answer section. Nodata
++ * and nxdomain promiscuous NS sets have been removed
++ * already. Since the NS rrset is scrubbed, its
++ * address records are also not marked to be allowed
++ * and are removed later. */
++ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR &&
++ msg->an_rrsets != 0 &&
++ 1 /* env->cfg->iter_scrub_promiscuous */) {
++ remove_rrset("normalize: removing promiscuous "
++ "RRset:", pkt, msg, prev, &rrset);
++ continue;
++ }
+ if(nsset == NULL) {
+ nsset = rrset;
+ } else {
+--
+2.45.4
+
diff --git a/SPECS/unbound/unbound.spec b/SPECS/unbound/unbound.spec
index 6a4da1f8def..ae1548b0255 100644
--- a/SPECS/unbound/unbound.spec
+++ b/SPECS/unbound/unbound.spec
@@ -1,7 +1,7 @@
 Summary: unbound dns server
 Name: unbound
 Version: 1.19.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: BSD
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
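Review bot: The third operand of the new `if` in iter_scrub.c is the literal `1` with `env->cfg->iter_scrub_promiscuous` left in a comment, so in this backport the removal of promiscuous NS sets from positive answers is unconditional and cannot be switched off, and neither the patch description, the spec changelog nor the code records that this differs from the gated form the commented-out operand hints at. Spelling that out in place, e.g. `1 /* unconditional in this backport: no config option for iter_scrub_promiscuous here */) {`, keeps a later rebase from reintroducing the field read against a config struct that presumably lacks it; confirm against the Upstream-reference diff that an always-on scrub is what the backport intends. The branch calls `remove_rrset` on the whole NS rrset and `continue`s past the `nsset` bookkeeping below it, so a positive answer carrying such an NS set loses it entirely — a changelog line stating that would help operators reading the 1.19.1-5 entry. The `if` that classifies the NS rrset and the rest of `scrub_normalize` lie outside the hunk.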
@@ -13,6 +13,7 @@ Patch0: CVE-2024-43168.patch
 Patch1: CVE-2024-33655.patch
 Patch2: CVE-2024-8508.patch
 Patch3: CVE-2024-43167.patch
+Patch4: CVE-2025-11411.patch
 BuildRequires: expat-devel
 BuildRequires: libevent-devel
 BuildRequires: python3-devel
@@ -100,6 +101,9 @@ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
 %{_mandir}/*
 %changelog
+* Fri Oct 24 2025 Azure Linux Security Servicing Account - 1.19.1-5
+- Patch for CVE-2025-11411
+
 * Tue Oct 08 2024 Sam Meluch - 1.19.1-4
 - Add patches for CVE-2024-8508 and CVE-2024-43167