14 changed files with 8 additions and 4981 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
 SOURCES/icannbundle.pem
 SOURCES/unbound-1.16.2.tar.gz
--- a/.unbound.metadata
+++ b/.unbound.metadata
@ -1 +1,2 @@
 9a2f73302a13f38dbf7cb3c5e34eb1665d2f156f SOURCES/icannbundle.pem
 9aea0e923b9d6779b5bc360094e24a4017e2bb25 SOURCES/unbound-1.16.2.tar.gz
--- a/SOURCES/icannbundle.pem
+++ b/SOURCES/icannbundle.pem
@ -1,21 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
 TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
 BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX
 DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O
 IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB
 MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb
 cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S
 G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg
 ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2
 paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7
 MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29
 iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B
 Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3
 DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH
 6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD
 2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h
 15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF
 0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg
 j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk
 -----END CERTIFICATE-----
--- a/SOURCES/remote-control.conf
+++ b/SOURCES/remote-control.conf
@ -1,9 +0,0 @@
 # Remote control config section update.
 # Previous defaults allowed any process to change settings, CVE-2024-1488
 remote-control:
    # set to an absolute path to use a unix local name pipe, certificates
    # are not used for that, so key and cert files need not be present.
    control-interface: "/run/unbound/control"
    # For local sockets this option is ignored, and TLS is not used.
    control-use-cert: "yes"
--- a/SOURCES/root.anchor
+++ b/SOURCES/root.anchor
@ -1,2 +1 @@
 .	172800	IN	DNSKEY	257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b}
 .       172800  IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
--- a/SOURCES/root.key
+++ b/SOURCES/root.key
@ -1,6 +1,5 @@
 ; // The root key in bind format. This can be read by most tools, including
 ; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
 trusted-keys {
 "." 257 3 8 "AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc="; // key id = 38696
 "." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
 };
--- a/SOURCES/unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch
+++ b/SOURCES/unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch
--- a/SOURCES/unbound-1.20-unbound-anchor-key-38696.patch
+++ b/SOURCES/unbound-1.20-unbound-anchor-key-38696.patch
@ -1,29 +0,0 @@
 From acc84268e4156fb9a8dd36eafaf04d064ee5895a Mon Sep 17 00:00:00 2001
 From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
 Date: Thu, 25 Jul 2024 11:42:22 +0200
 Subject: [PATCH] - Add root key 38696 from 2024 for DNSSEC validation. It is
 added to the default root keys in unbound-anchor. The content can be
 inspected with `unbound-anchor -l`.
 ---
 unbound-1.20.0/smallapp/unbound-anchor.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/unbound-1.20.0/smallapp/unbound-anchor.c b/unbound-1.20.0/smallapp/unbound-anchor.c
 index 137b2e9..8738cf2 100644
 --- a/unbound-1.20.0/smallapp/unbound-anchor.c
 +++ b/unbound-1.20.0/smallapp/unbound-anchor.c
@@ -183,7 +183,9 @@ static const char DS_TRUST_ANCHOR[] =
 	/* The anchors must start on a new line with ". IN DS and end with \n"[;]
 	 * because the makedist script greps on the source here */
 	/* anchor 20326 is from 2017 */
 -". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n";
 +". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n"
 +	/* anchor 38696 is from 2024 */
 +". IN DS 38696 8 2 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16\n";
 /** verbosity for this application */
 static int verb = 0;
 -- 
 2.53.0
--- a/SOURCES/unbound-1.21-CVE-2024-8508.patch
+++ b/SOURCES/unbound-1.21-CVE-2024-8508.patch
@ -1,249 +0,0 @@
 From 34de24d58bb5aa6fe3551512fc17cac08f65d93e Mon Sep 17 00:00:00 2001
 From: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
 Date: Thu, 3 Oct 2024 14:46:57 +0200
 Subject: [PATCH] - Fix CVE-2024-8508, unbounded name compression could lead to
 denial of service.
 ---
 unbound-1.16.2/util/data/msgencode.c | 77 +++++++++++++++++-----------
 1 file changed, 46 insertions(+), 31 deletions(-)
 diff --git a/unbound-1.16.2/util/data/msgencode.c b/unbound-1.16.2/util/data/msgencode.c
 index fe21cfb..f9e95e6 100644
 --- a/unbound-1.16.2/util/data/msgencode.c
 +++ b/unbound-1.16.2/util/data/msgencode.c
@@ -62,6 +62,10 @@
 #define RETVAL_TRUNC	-4
 /** return code that means all is peachy keen. Equal to DNS rcode NOERROR */
 #define RETVAL_OK	0
 +/** Max compressions we are willing to perform; more than that will result
 + *  in semi-compressed messages, or truncated even on TCP for huge messages, to
 + *  avoid locking the CPU for long */
 +#define MAX_COMPRESSION_PER_MESSAGE 120
 /**
  * Data structure to help domain name compression in outgoing messages.
@@ -284,15 +288,17 @@ write_compressed_dname(sldns_buffer* pkt, uint8_t* dname, int labs,
 /** compress owner name of RR, return RETVAL_OUTMEM RETVAL_TRUNC */
 static int
 -compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt, 
 -	struct regional* region, struct compress_tree_node** tree, 
 -	size_t owner_pos, uint16_t* owner_ptr, int owner_labs)
 +compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 +	struct regional* region, struct compress_tree_node** tree,
 +	size_t owner_pos, uint16_t* owner_ptr, int owner_labs,
 +	size_t* compress_count)
 {
 	struct compress_tree_node* p;
 	struct compress_tree_node** insertpt = NULL;
 	if(!*owner_ptr) {
 		/* compress first time dname */
 -		if((p = compress_tree_lookup(tree, key->rk.dname, 
 +		if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
 +			(p = compress_tree_lookup(tree, key->rk.dname,
 			owner_labs, &insertpt))) {
 			if(p->labs == owner_labs) 
 				/* avoid ptr chains, since some software is
@@ -301,6 +307,7 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 			if(!write_compressed_dname(pkt, key->rk.dname, 
 				owner_labs, p))
 				return RETVAL_TRUNC;
 +			(*compress_count)++;
 			/* check if typeclass+4 ttl + rdatalen is available */
 			if(sldns_buffer_remaining(pkt) < 4+4+2)
 				return RETVAL_TRUNC;
@@ -313,7 +320,8 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 			if(owner_pos <= PTR_MAX_OFFSET)
 				*owner_ptr = htons(PTR_CREATE(owner_pos));
 		}
 -		if(!compress_tree_store(key->rk.dname, owner_labs, 
 +		if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
 +			!compress_tree_store(key->rk.dname, owner_labs,
 			owner_pos, region, p, insertpt))
 			return RETVAL_OUTMEM;
 	} else {
@@ -333,20 +341,24 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 /** compress any domain name to the packet, return RETVAL_* */
 static int
 -compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs, 
 -	struct regional* region, struct compress_tree_node** tree)
 +compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
 +	struct regional* region, struct compress_tree_node** tree,
 +	size_t* compress_count)
 {
 	struct compress_tree_node* p;
 	struct compress_tree_node** insertpt = NULL;
 	size_t pos = sldns_buffer_position(pkt);
 -	if((p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
 +	if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
 +		(p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
 		if(!write_compressed_dname(pkt, dname, labs, p))
 			return RETVAL_TRUNC;
 +		(*compress_count)++;
 	} else {
 		if(!dname_buffer_write(pkt, dname))
 			return RETVAL_TRUNC;
 	}
 -	if(!compress_tree_store(dname, labs, pos, region, p, insertpt))
 +	if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
 +		!compress_tree_store(dname, labs, pos, region, p, insertpt))
 		return RETVAL_OUTMEM;
 	return RETVAL_OK;
 }
@@ -364,9 +376,9 @@ type_rdata_compressable(struct ub_packed_rrset_key* key)
 /** compress domain names in rdata, return RETVAL_* */
 static int
 -compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen, 
 -	struct regional* region, struct compress_tree_node** tree, 
 -	const sldns_rr_descriptor* desc)
 +compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
 +	struct regional* region, struct compress_tree_node** tree,
 +	const sldns_rr_descriptor* desc, size_t* compress_count)
 {
 	int labs, r, rdf = 0;
 	size_t dname_len, len, pos = sldns_buffer_position(pkt);
@@ -380,8 +392,8 @@ compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
 		switch(desc->_wireformat[rdf]) {
 		case LDNS_RDF_TYPE_DNAME:
 			labs = dname_count_size_labels(rdata, &dname_len);
 -			if((r=compress_any_dname(rdata, pkt, labs, region, 
 -				tree)) != RETVAL_OK)
 +			if((r=compress_any_dname(rdata, pkt, labs, region,
 +				tree, compress_count)) != RETVAL_OK)
 				return r;
 			rdata += dname_len;
 			todolen -= dname_len;
@@ -449,7 +461,8 @@ static int
 packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt, 
 	uint16_t* num_rrs, time_t timenow, struct regional* region,
 	int do_data, int do_sig, struct compress_tree_node** tree,
 -	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset)
 +	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset,
 +	size_t* compress_count)
 {
 	size_t i, j, owner_pos;
 	int r, owner_labs;
@@ -477,9 +490,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 		for(i=0; i<data->count; i++) {
 			/* rrset roundrobin */
 			j = (i + rr_offset) % data->count;
 -			if((r=compress_owner(key, pkt, region, tree, 
 -				owner_pos, &owner_ptr, owner_labs))
 -				!= RETVAL_OK)
 +			if((r=compress_owner(key, pkt, region, tree,
 +				owner_pos, &owner_ptr, owner_labs,
 +				compress_count)) != RETVAL_OK)
 				return r;
 			sldns_buffer_write(pkt, &key->rk.type, 2);
 			sldns_buffer_write(pkt, &key->rk.rrset_class, 2);
@@ -489,8 +502,8 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 			else	sldns_buffer_write_u32(pkt, data->rr_ttl[j]-adjust);
 			if(c) {
 				if((r=compress_rdata(pkt, data->rr_data[j],
 -					data->rr_len[j], region, tree, c))
 -					!= RETVAL_OK)
 +					data->rr_len[j], region, tree, c,
 +					compress_count)) != RETVAL_OK)
 					return r;
 			} else {
 				if(sldns_buffer_remaining(pkt) < data->rr_len[j])
@@ -510,9 +523,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 					return RETVAL_TRUNC;
 				sldns_buffer_write(pkt, &owner_ptr, 2);
 			} else {
 -				if((r=compress_any_dname(key->rk.dname, 
 -					pkt, owner_labs, region, tree))
 -					!= RETVAL_OK)
 +				if((r=compress_any_dname(key->rk.dname,
 +					pkt, owner_labs, region, tree,
 +					compress_count)) != RETVAL_OK)
 					return r;
 				if(sldns_buffer_remaining(pkt) < 
 					4+4+data->rr_len[i])
@@ -544,7 +557,8 @@ static int
 insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
 	sldns_buffer* pkt, size_t rrsets_before, time_t timenow, 
 	struct regional* region, struct compress_tree_node** tree,
 -	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset)
 +	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset,
 +	size_t* compress_count)
 {
 	int r;
 	size_t i, setstart;
@@ -560,7 +574,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
 			setstart = sldns_buffer_position(pkt);
 			if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i], 
 				pkt, num_rrs, timenow, region, 1, 1, tree,
 -				s, qtype, dnssec, rr_offset))
 +				s, qtype, dnssec, rr_offset, compress_count))
 				!= RETVAL_OK) {
 				/* Bad, but if due to size must set TC bit */
 				/* trim off the rrset neatly. */
@@ -573,7 +587,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
 			setstart = sldns_buffer_position(pkt);
 			if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i], 
 				pkt, num_rrs, timenow, region, 1, 0, tree,
 -				s, qtype, dnssec, rr_offset))
 +				s, qtype, dnssec, rr_offset, compress_count))
 				!= RETVAL_OK) {
 				sldns_buffer_set_position(pkt, setstart);
 				return r;
@@ -584,7 +598,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
 			setstart = sldns_buffer_position(pkt);
 			if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i], 
 				pkt, num_rrs, timenow, region, 0, 1, tree,
 -				s, qtype, dnssec, rr_offset))
 +				s, qtype, dnssec, rr_offset, compress_count))
 				!= RETVAL_OK) {
 				sldns_buffer_set_position(pkt, setstart);
 				return r;
@@ -677,6 +691,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
 	struct compress_tree_node* tree = 0;
 	int r;
 	size_t rr_offset;
 +	size_t compress_count=0;
 	sldns_buffer_clear(buffer);
 	if(udpsize < sldns_buffer_limit(buffer))
@@ -723,7 +738,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
 		arep.rrsets = &qinfo->local_alias->rrset;
 		if((r=insert_section(&arep, 1, &ancount, buffer, 0,
 			timezero, region, &tree, LDNS_SECTION_ANSWER,
 -			qinfo->qtype, dnssec, rr_offset)) != RETVAL_OK) {
 +			qinfo->qtype, dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
 			if(r == RETVAL_TRUNC) {
 				/* create truncated message */
 				sldns_buffer_write_u16_at(buffer, 6, ancount);
@@ -738,7 +753,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
 	/* insert answer section */
 	if((r=insert_section(rep, rep->an_numrrsets, &ancount, buffer,
 		0, timenow, region, &tree, LDNS_SECTION_ANSWER, qinfo->qtype,
 -		dnssec, rr_offset)) != RETVAL_OK) {
 +		dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
 		if(r == RETVAL_TRUNC) {
 			/* create truncated message */
 			sldns_buffer_write_u16_at(buffer, 6, ancount);
@@ -756,7 +771,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
 		if((r=insert_section(rep, rep->ns_numrrsets, &nscount, buffer,
 			rep->an_numrrsets, timenow, region, &tree,
 			LDNS_SECTION_AUTHORITY, qinfo->qtype,
 -			dnssec, rr_offset)) != RETVAL_OK) {
 +			dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
 			if(r == RETVAL_TRUNC) {
 				/* create truncated message */
 				sldns_buffer_write_u16_at(buffer, 8, nscount);
@@ -773,7 +788,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
 			if((r=insert_section(rep, rep->ar_numrrsets, &arcount, buffer,
 				rep->an_numrrsets + rep->ns_numrrsets, timenow, region,
 				&tree, LDNS_SECTION_ADDITIONAL, qinfo->qtype,
 -				dnssec, rr_offset)) != RETVAL_OK) {
 +				dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
 				if(r == RETVAL_TRUNC) {
 					/* no need to set TC bit, this is the additional */
 					sldns_buffer_write_u16_at(buffer, 10, arcount);
 -- 
 2.47.0
--- a/SOURCES/unbound-1.23.1-CVE-2025-5994.patch
+++ b/SOURCES/unbound-1.23.1-CVE-2025-5994.patch
--- a/SOURCES/unbound-1.25.1-CVE-2026-42944.patch
+++ b/SOURCES/unbound-1.25.1-CVE-2026-42944.patch
@ -1,34 +0,0 @@
 diff --git a/unbound-1.16.2/util/data/msgparse.c b/unbound-1.16.2/util/data/msgparse.c
 index 5bb69d6..7a51441 100644
 --- a/unbound-1.16.2/util/data/msgparse.c
 +++ b/unbound-1.16.2/util/data/msgparse.c
@@ -957,6 +957,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
 	struct edns_data* edns, struct config_file* cfg, struct comm_point* c,
 	struct regional* region)
 {
 +	int nsid_seen = 0, padding_seen = 0;
 	/* To respond with a Keepalive option, the client connection must have
 	 * received one message with a TCP Keepalive EDNS option, and that
 	 * option must have 0 length data. Subsequent messages sent on that
@@ -987,8 +988,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
 		/* handle parse time edns options here */
 		switch(opt_code) {
 		case LDNS_EDNS_NSID:
 -			if (!cfg || !cfg->nsid)
 +			if (!cfg || !cfg->nsid || nsid_seen)
 				break;
 +			nsid_seen = 1;
 			if(!edns_opt_list_append(&edns->opt_list_out,
 						LDNS_EDNS_NSID, cfg->nsid_len,
 						cfg->nsid, region)) {
@@ -1030,8 +1032,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
 		case LDNS_EDNS_PADDING:
 			if(!cfg || !cfg->pad_responses ||
 -					!c || c->type != comm_tcp ||!c->ssl)
 +					!c || c->type != comm_tcp ||!c->ssl || padding_seen)
 				break;
 +			padding_seen = 1;
 			if(!edns_opt_list_append(&edns->opt_list_out,
 						LDNS_EDNS_PADDING,
 						0, NULL, region)) {
--- a/SOURCES/unbound-1.25.1-CVE-2026-42959.patch
+++ b/SOURCES/unbound-1.25.1-CVE-2026-42959.patch
@ -1,17 +0,0 @@
 diff --git a/unbound-1.24.2/validator/val_utils.c b/unbound-1.24.2/validator/val_utils.c
 index 549264d..4495695 100644
 --- a/unbound-1.24.2/validator/val_utils.c
 +++ b/unbound-1.24.2/validator/val_utils.c
@@ -1066,10 +1066,10 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
 			if(query_dname_compare(name, 
 				orig->rrsets[i]->rk.dname) == 0)
 			    chase->rrsets[chase->an_numrrsets
 -				+orig->ns_numrrsets+chase->ar_numrrsets++] 
 +				+chase->ns_numrrsets+chase->ar_numrrsets++]
 				= orig->rrsets[i];
 		} else if(rrset_has_signer(orig->rrsets[i], name, len)) {
 -			chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+
 +			chase->rrsets[chase->an_numrrsets+chase->ns_numrrsets+
 				chase->ar_numrrsets++] = orig->rrsets[i];
 		}
 	}
--- a/SOURCES/unbound.conf
+++ b/SOURCES/unbound.conf
@ -989,7 +989,6 @@ remote-control:
 	# Set to no and use an absolute path as control-interface to use
 	# a unix local named pipe for unbound-control.
 	# For local sockets this option is ignored, and TLS is not used.
 	# control-use-cert: yes
 	# what interfaces are listened to for remote control.
@ -998,11 +997,14 @@ remote-control:
 	# are not used for that, so key and cert files need not be present.
 	# control-interface: 127.0.0.1
 	# control-interface: ::1
 	# moved to /etc/unbound/conf.d/remote-control.conf
 	# port number for remote control operations.
 	# control-port: 8953
 	# for localhost, you can disable use of TLS by setting this to "no"
 	# For local sockets this option is ignored, and TLS is not used.
 	control-use-cert: "no"
 	# Unbound server key file.
 	server-key-file: "/etc/unbound/unbound_server.key"
--- a/SPECS/unbound.spec
+++ b/SPECS/unbound.spec
@ -34,7 +34,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.16.2
-Release: 5.11%{?extra_version:.%{extra_version}}%{?dist}
+Release: 5%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://www.unbound.net/
 Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@ -55,7 +55,6 @@ Source15: unbound-anchor.timer
 Source16: unbound-munin.README
 Source17: unbound-anchor.service
 Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
 Source21: remote-control.conf
 # Reverts ABI change done in version 1.8.0 (bz#2027735)
 # Makes possible backward binary compatibility with a new features
@ -63,26 +62,6 @@ Patch1:   unbound-1.15-soversion2-compat.patch
 Patch2:   unbound-1.15-source-compat.patch
 # https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554
 Patch3:   unbound-1.16-CVE-2022-3204.patch
 # https://nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff
 Patch4: unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch
 # https://github.com/NLnetLabs/unbound/commit/b7c61d7cc256d6a174e6179622c7fa968272c259
 Patch5: unbound-1.21-CVE-2024-8508.patch
 # The patch for CVE-2025-5994 requires certain changes fixing bugs in subnet module
 # that is why we have to backport these commits. They have their respective tests
 # backported with them.
 # https://github.com/NLnetLabs/unbound/commit/0f08cc6d5577ad4747749c55229e16df8711ee32
 # https://github.com/NLnetLabs/unbound/commit/6d0812b56731af130e8bc7e1572388934beb9b3b
 # https://github.com/NLnetLabs/unbound/commit/be626f7c5330dc414a582a04b537ea79d5c452fb
 # https://github.com/NLnetLabs/unbound/commit/5bf82f246481098a6473f296b21fc1229d276c0f
 # https://github.com/NLnetLabs/unbound/commit/a1150078f29e14b36c8e4d9d05a263a5e6abbc5b
 Patch6: unbound-1.23.1-CVE-2025-5994.patch
 # https://github.com/NLnetLabs/unbound/commit/f094f4ea3c943c5b5b2b6fa8bee0e7a8f3cfdc51
 Patch7: unbound-1.20-unbound-anchor-key-38696.patch
 # https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42944.diff
 Patch8: unbound-1.25.1-CVE-2026-42944.patch
 # https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42959.diff
 Patch9: unbound-1.25.1-CVE-2026-42959.patch
 BuildRequires: gdb
 BuildRequires: gcc, make
@ -185,12 +164,7 @@ pushd %{pkgname}
 %patch1 -p2 -b .solib2-compat
 %patch2 -p1 -b .srccompat
 %patch3 -p2 -b .CVE-2022-3204
-%patch4 -p2 -b .CVE-2023-50387-CVE-2023-50868
+
 %patch5 -p2 -b .CVE-2024-8508
 %patch6 -p2 -b .CVE-2025-5994
 %patch7 -p2 -b .dnssec-ta-2024
 %patch8 -p2 -b .CVE-2026-42944
 %patch9 -p2 -b .CVE-2026-42959
 # copy common doc files - after here, since it may be patched
 cp -pr doc pythonmod libunbound ../
@ -309,7 +283,6 @@ mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
 install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
 install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
@ -457,36 +430,6 @@ popd
 %verify(not md5 size mtime) %{_sharedstatedir}/%{name}/root.key
 %changelog
 * Mon May 25 2026 Fedor Vorobev <fvorobev@redhat.com> - 1.16.2-5.11
 - Fix CVE-2026-42944 (RHEL‑177909)
 - Fix CVE-2026-42959 (RHEL-177809)
 * Tue Nov 11 2025 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.10
 - Add new root key 38696 (RHEL-131172)
 - Update unbound-anchor built-in dnssec key
 * Thu Jul 24 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-5.9
 - Fix RebirthDay Attack (CVE-2025-5994)
 - Resolves: RHEL-104123
 * Tue Nov 12 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.8
 - Prevent unbounded name compression (CVE-2024-8508)
 * Tue May 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.7
 - Rebuild to propagate to CentOS Stream (RHEL-25500)
 * Mon Mar 11 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.6
 - Ensure group access correction reaches also updated configs (CVE-2024-1488)
 * Wed Feb 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.3
 - Ensure only unbound group can change configuration (CVE-2024-1488)
 * Fri Feb 16 2024 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-5.1
 - Fix KeyTrap - Extreme CPU consumption in DNSSEC validator CVE-2023-50387
 - Fix Preparing an NSEC3 closest encloser proof can exhaust CPU resources CVE-2023-50868
 - Resolves: RHEL-25428
 - Resolves: RHEL-25423
 * Sat Oct 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-5
 - Stop creating wrong devel manual pages (#2135322)
`@ -1 +1,2 @@`
		`SOURCES/icannbundle.pem`
	`SOURCES/unbound-1.16.2.tar.gz`	`SOURCES/unbound-1.16.2.tar.gz`
`@ -1 +1,2 @@`
		`9a2f73302a13f38dbf7cb3c5e34eb1665d2f156f SOURCES/icannbundle.pem`
	`9aea0e923b9d6779b5bc360094e24a4017e2bb25 SOURCES/unbound-1.16.2.tar.gz`	`9aea0e923b9d6779b5bc360094e24a4017e2bb25 SOURCES/unbound-1.16.2.tar.gz`
`@ -1,2 +1 @@`
	`. 172800 IN DNSKEY 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b}`
	`. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}`	`. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}`