.gitignore

@@ -1 +1,3 @@
-SOURCES/unbound-1.16.2.tar.gz
+/unbound-1.7.3.tar.gz
+/unbound-1.16.0.tar.gz
+/unbound-1.16.2.tar.gz

.unbound.metadata

@@ -1 +0,0 @@
-9aea0e923b9d6779b5bc360094e24a4017e2bb25 SOURCES/unbound-1.16.2.tar.gz

SOURCES/unbound-1.25.1-CVE-2026-42944.patch

@@ -1,34 +0,0 @@
-diff --git a/unbound-1.16.2/util/data/msgparse.c b/unbound-1.16.2/util/data/msgparse.c
-index 5bb69d6..7a51441 100644
---- a/unbound-1.16.2/util/data/msgparse.c
-+++ b/unbound-1.16.2/util/data/msgparse.c
-@@ -957,6 +957,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
- 	struct edns_data* edns, struct config_file* cfg, struct comm_point* c,
- 	struct regional* region)
- {
-+	int nsid_seen = 0, padding_seen = 0;
- 	/* To respond with a Keepalive option, the client connection must have
- 	 * received one message with a TCP Keepalive EDNS option, and that
- 	 * option must have 0 length data. Subsequent messages sent on that
-@@ -987,8 +988,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
- 		/* handle parse time edns options here */
- 		switch(opt_code) {
- 		case LDNS_EDNS_NSID:
--			if (!cfg || !cfg->nsid)
-+			if (!cfg || !cfg->nsid || nsid_seen)
- 				break;
-+			nsid_seen = 1;
- 			if(!edns_opt_list_append(&edns->opt_list_out,
- 						LDNS_EDNS_NSID, cfg->nsid_len,
- 						cfg->nsid, region)) {
-@@ -1030,8 +1032,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
- 
- 		case LDNS_EDNS_PADDING:
- 			if(!cfg || !cfg->pad_responses ||
--					!c || c->type != comm_tcp ||!c->ssl)
-+					!c || c->type != comm_tcp ||!c->ssl || padding_seen)
- 				break;
-+			padding_seen = 1;
- 			if(!edns_opt_list_append(&edns->opt_list_out,
- 						LDNS_EDNS_PADDING,
- 						0, NULL, region)) {

SOURCES/unbound-1.25.1-CVE-2026-42959.patch

@@ -1,17 +0,0 @@
-diff --git a/unbound-1.24.2/validator/val_utils.c b/unbound-1.24.2/validator/val_utils.c
-index 549264d..4495695 100644
---- a/unbound-1.24.2/validator/val_utils.c
-+++ b/unbound-1.24.2/validator/val_utils.c
-@@ -1066,10 +1066,10 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
- 			if(query_dname_compare(name, 
- 				orig->rrsets[i]->rk.dname) == 0)
- 			    chase->rrsets[chase->an_numrrsets
--				+orig->ns_numrrsets+chase->ar_numrrsets++] 
-+				+chase->ns_numrrsets+chase->ar_numrrsets++]
- 				= orig->rrsets[i];
- 		} else if(rrset_has_signer(orig->rrsets[i], name, len)) {
--			chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+
-+			chase->rrsets[chase->an_numrrsets+chase->ns_numrrsets+
- 				chase->ar_numrrsets++] = orig->rrsets[i];
- 		}
- 	}

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

sources

@@ -0,0 +1 @@
+SHA512 (unbound-1.16.2.tar.gz) = 0ea65ea63265be677441bd2a28df12098ec5e86c3372240c2874f9bd13752b8b818da81ae6076cf02cbeba3d36e397698a4c2b50570be1a6a8e47f57a0251572

unbound.spec

@@ -34,7 +34,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.16.2
-Release: 5.11%{?extra_version:.%{extra_version}}%{?dist}
+Release: 5.10%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://www.unbound.net/
 Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@@ -78,11 +78,6 @@ Patch5: unbound-1.21-CVE-2024-8508.patch
 Patch6: unbound-1.23.1-CVE-2025-5994.patch
 # https://github.com/NLnetLabs/unbound/commit/f094f4ea3c943c5b5b2b6fa8bee0e7a8f3cfdc51
 Patch7: unbound-1.20-unbound-anchor-key-38696.patch
-# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42944.diff
-Patch8: unbound-1.25.1-CVE-2026-42944.patch
-# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42959.diff
-Patch9: unbound-1.25.1-CVE-2026-42959.patch
-
 
 BuildRequires: gdb
 BuildRequires: gcc, make
@@ -189,8 +184,7 @@ pushd %{pkgname}
 %patch5 -p2 -b .CVE-2024-8508
 %patch6 -p2 -b .CVE-2025-5994
 %patch7 -p2 -b .dnssec-ta-2024
-%patch8 -p2 -b .CVE-2026-42944
-%patch9 -p2 -b .CVE-2026-42959
+
 
 # copy common doc files - after here, since it may be patched
 cp -pr doc pythonmod libunbound ../
@@ -457,10 +451,6 @@ popd
 %verify(not md5 size mtime) %{_sharedstatedir}/%{name}/root.key
 
 %changelog
-* Mon May 25 2026 Fedor Vorobev <fvorobev@redhat.com> - 1.16.2-5.11
-- Fix CVE-2026-42944 (RHEL‑177909)
-- Fix CVE-2026-42959 (RHEL-177809)
-
 * Tue Nov 11 2025 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.10
 - Add new root key 38696 (RHEL-131172)
 - Update unbound-anchor built-in dnssec key