CVE-2011-4869

Name	CVE-2011-4869
Description	validator/val_nsec3.c in Unbound before 1.4.13p2 does not properly perform proof processing for NSEC3-signed zones, which allows remote DNS servers to cause a denial of service (daemon crash) via a malformed response that lacks expected NSEC3 records, a different vulnerability than CVE-2011-4528.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-2370-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
unbound (PTS)	jessie, jessie (lts)	1.4.22-3+deb8u4	fixed
	stretch	1.6.0-3+deb9u2	fixed
	buster, buster (lts)	1.9.0-2+deb10u5	fixed
	buster (security)	1.9.0-2+deb10u4	fixed
	bullseye	1.13.1-1+deb11u2	fixed
	bullseye (security)	1.13.1-1+deb11u4	fixed
	bookworm (security), bookworm	1.17.1-2+deb12u2	fixed
	sid, trixie	1.22.0-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
unbound	source	lenny	1.4.6-1~lenny2		DSA-2370-1
unbound	source	squeeze	1.4.6-1+squeeze2		DSA-2370-1
unbound	source	(unstable)	1.4.14-1	medium