From 11440f496432f2b30f26efe60ea963e10e90b2ce Mon Sep 17 00:00:00 2001 From: Fedor Vorobev Date: Tue, 23 Jun 2026 17:49:03 +0200 Subject: [PATCH] Fix CVE-2026-40622 and CVE-2026-44390 More information can be found in the upstream's security advisories: https://nlnetlabs.nl/downloads/unbound/CVE-2026-40622.txt https://nlnetlabs.nl/downloads/unbound/CVE-2026-44390.txt Resolves-Vulnerability: CVE-2026-40622 Resolves: RHEL-184832 Resolves-Vulnerability: CVE-2026-44390 Resolves: RHEL-186680 --- unbound-1.25.1-CVE-2026-40622.patch | 36 +++++++++++++++++++++++++++++ unbound-1.25.1-CVE-2026-44390.patch | 20 ++++++++++++++++ unbound.spec | 12 +++++++++- 3 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 unbound-1.25.1-CVE-2026-40622.patch create mode 100644 unbound-1.25.1-CVE-2026-44390.patch diff --git a/unbound-1.25.1-CVE-2026-40622.patch b/unbound-1.25.1-CVE-2026-40622.patch new file mode 100644 index 0000000..a780b9f --- /dev/null +++ b/unbound-1.25.1-CVE-2026-40622.patch @@ -0,0 +1,36 @@ +diff --git a/unbound-1.16.2/services/cache/rrset.c b/unbound-1.16.2/services/cache/rrset.c +index 4e3d08b..b2c357f 100644 +--- a/unbound-1.16.2/services/cache/rrset.c ++++ b/unbound-1.16.2/services/cache/rrset.c +@@ -143,6 +143,16 @@ need_to_update_rrset(void* nd, void* cd, time_t timenow, int equal, int ns) + if(equal && cached->ttl >= timenow && + cached->security == sec_status_bogus) + return 0; ++ /* ghost-domain: never let an NS overwrite extend lifetime ++ * past the entry it replaces, regardless of trust. */ ++ if(ns && !TTL_IS_EXPIRED(cached->ttl, timenow) && ++ newd->ttl > cached->ttl) { ++ size_t i; ++ newd->ttl = cached->ttl; ++ for(i=0; i<(newd->count+newd->rrsig_count); i++) ++ if(newd->rr_ttl[i] > newd->ttl) ++ newd->rr_ttl[i] = newd->ttl; ++ } + return 1; + } + /* o item in cache has expired */ +diff --git a/unbound-1.16.2/util/data/msgparse.h b/unbound-1.16.2/util/data/msgparse.h +index 0c458e6..f1319ff 100644 +--- a/unbound-1.16.2/util/data/msgparse.h ++++ b/unbound-1.16.2/util/data/msgparse.h +@@ -92,6 +92,10 @@ extern time_t SERVE_EXPIRED_REPLY_TTL; + /** If we serve the original TTL or decrementing TTLs */ + extern int SERVE_ORIGINAL_TTL; + ++/** Check if TTL is expired. 0 TTL is considered expired. ++ * Used mainly to identify parts of the code that do this comparison. */ ++#define TTL_IS_EXPIRED(ttl, now) ((ttl) <= (now)) ++ + /** + * Data stored in scratch pad memory during parsing. + * Stores the data that will enter into the msgreply and packet result. diff --git a/unbound-1.25.1-CVE-2026-44390.patch b/unbound-1.25.1-CVE-2026-44390.patch new file mode 100644 index 0000000..58b914e --- /dev/null +++ b/unbound-1.25.1-CVE-2026-44390.patch @@ -0,0 +1,20 @@ +diff --git a/unbound-1.16.2/util/data/msgencode.c b/unbound-1.16.2/util/data/msgencode.c +index f9e95e6..f60b359 100644 +--- a/unbound-1.16.2/util/data/msgencode.c ++++ b/unbound-1.16.2/util/data/msgencode.c +@@ -352,7 +352,6 @@ compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs, + (p = compress_tree_lookup(tree, dname, labs, &insertpt))) { + if(!write_compressed_dname(pkt, dname, labs, p)) + return RETVAL_TRUNC; +- (*compress_count)++; + } else { + if(!dname_buffer_write(pkt, dname)) + return RETVAL_TRUNC; +@@ -360,6 +359,7 @@ compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs, + if(*compress_count < MAX_COMPRESSION_PER_MESSAGE && + !compress_tree_store(dname, labs, pos, region, p, insertpt)) + return RETVAL_OUTMEM; ++ (*compress_count)++; + return RETVAL_OK; + } + diff --git a/unbound.spec b/unbound.spec index ae305c6..ab188a4 100644 --- a/unbound.spec +++ b/unbound.spec @@ -34,7 +34,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.16.2 -Release: 5.11%{?extra_version:.%{extra_version}}%{?dist} +Release: 5.12%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://www.unbound.net/ Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz @@ -82,6 +82,10 @@ Patch7: unbound-1.20-unbound-anchor-key-38696.patch Patch8: unbound-1.25.1-CVE-2026-42944.patch # https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42959.diff Patch9: unbound-1.25.1-CVE-2026-42959.patch +# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-40622.diff +Patch10: unbound-1.25.1-CVE-2026-40622.patch +# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-44390.diff +Patch11: unbound-1.25.1-CVE-2026-44390.patch BuildRequires: gdb @@ -191,6 +195,8 @@ pushd %{pkgname} %patch7 -p2 -b .dnssec-ta-2024 %patch8 -p2 -b .CVE-2026-42944 %patch9 -p2 -b .CVE-2026-42959 +%patch10 -p2 -b .CVE-2026-40622 +%patch11 -p2 -b .CVE-2026-44390 # copy common doc files - after here, since it may be patched cp -pr doc pythonmod libunbound ../ @@ -457,6 +463,10 @@ popd %verify(not md5 size mtime) %{_sharedstatedir}/%{name}/root.key %changelog +* Tue Jun 23 2026 Fedor Vorobev - 1.16.2-5.12 +- Fix CVE-2026-40622 (RHEL-184832) +- Fix CVE-2026-44390 (RHEL-186680) + * Mon May 25 2026 Fedor Vorobev - 1.16.2-5.11 - Fix CVE-2026-42944 (RHEL‑177909) - Fix CVE-2026-42959 (RHEL-177809)