NIXPKGS-2026-1690

GitHub issue published 3 weeks, 3 days ago

Permalink CVE-2026-33278

9.1 CRITICAL

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Attack Requirement (AT): None (N)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Vulnerable System Impact Confidentiality (VC): High (H)
• Vulnerable System Impact Integrity (VI): High (H)
• Vulnerable System Impact Availability (VA): High (H)
• Subsequent System Impact Confidentiality (SC): High (H)
• Subsequent System Impact Integrity (SI): High (H)
• Subsequent System Impact Availability (SA): High (H)
• Exploit Maturity (E): Unreported (U)
• Provider Urgency (U): Red (Red)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Attack Requirement (MAT): None (N)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Vulnerable System Impact Confidentiality (MVC): High (H)
• Modified Vulnerable System Impact Integrity (MVI): High (H)
• Modified Vulnerable System Impact Availability (MVA): High (H)
• Modified Subsequent System Impact Confidentiality (MSC): High (H)
• Modified Subsequent System Impact Integrity (MSI): High (H)
• Modified Subsequent System Impact Availability (MSA): High (H)
• Safety (S): Not Defined (X)
• Automatable (AU): Not Defined (X)
• Recovery (R): Not Defined (X)
• Value Density (V): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)

updated 3 weeks, 3 days ago by @LeSuisse Activity log

• Created suggestion 3 weeks, 3 days ago
• @LeSuisse ignored
  16 packages

  • luaPackages.luaunbound
  • lua51Packages.luaunbound
  • lua52Packages.luaunbound
  • lua53Packages.luaunbound
  • lua54Packages.luaunbound
  • lua55Packages.luaunbound
  • luajitPackages.luaunbound
  • prometheus-unbound-exporter
  • python312Packages.pyunbound
  • python313Packages.pyunbound
  • python314Packages.pyunbound
  • unbound-with-systemd
  • haskellPackages.unbound-generics-unify
  • haskellPackages.unbound-kind-generics
  • haskellPackages.unbounded-delays
  • haskellPackages.unbound-generics
  3 weeks, 3 days ago
• @LeSuisse ignored maintainer @Scrumplex 3 weeks, 3 days ago maintainer.ignore
• @LeSuisse restored package unbound-with-systemd 3 weeks, 3 days ago
• @LeSuisse accepted 3 weeks, 3 days ago
• @LeSuisse published on GitHub 3 weeks, 3 days ago

Possible arbitrary code execution during DNSSEC validation

• https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-33278.txt vendor-advisory

---

Unbound

• <1.25.1

NIXPKGS-2026-1689

GitHub issue published 3 weeks, 3 days ago

Permalink CVE-2026-47783

8.1 HIGH

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): High (H)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Scope (S): Unchanged (U)
• Confidentiality (C): High (H)
• Integrity (I): High (H)
• Availability (A): High (H)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): High (H)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): High (H)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): High (H)
• Modified Availability (MA): High (H)

updated 3 weeks, 3 days ago by @LeSuisse Activity log

• Created suggestion 3 weeks, 3 days ago
• @LeSuisse ignored
  20 packages

  • libmemcached
  • memcachedTestHook
  • memcached-exporter
  • phpExtensions.memcached
  • php82Extensions.memcached
  • php83Extensions.memcached
  • php84Extensions.memcached
  • php85Extensions.memcached
  • perlPackages.CacheMemcached
  • perl5Packages.CacheMemcached
  • perl538Packages.CacheMemcached
  • perl540Packages.CacheMemcached
  • perlPackages.CacheMemcachedFast
  • perl5Packages.CacheMemcachedFast
  • perl538Packages.CacheMemcachedFast
  • perl540Packages.CacheMemcachedFast
  • python312Packages.python-memcached
  • python313Packages.python-memcached
  • python314Packages.python-memcached
  • chickenPackages_5.chickenEggs.memcached
  3 weeks, 3 days ago
• @LeSuisse ignored maintainer @coreyoconnor 3 weeks, 3 days ago maintainer.ignore
• @LeSuisse accepted 3 weeks, 3 days ago
• @LeSuisse published on GitHub 3 weeks, 3 days ago

In memcached before 1.6.42, username data for SASL password database …

• https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f1211…
• https://github.com/memcached/memcached/compare/1.6.41...1.6.42
• https://github.com/memcached/memcached/wiki/ReleaseNotes1642

---

memcached

• <1.6.42

NIXPKGS-2026-1688

GitHub issue published 3 weeks, 3 days ago

Permalink CVE-2026-41054

7.8 HIGH

• CVSS version (CVSS): 3.1
• Attack Vector (AV): Local (L)
• Attack Complexity (AC): Low (L)
• Privileges Required (PR): Low (L)
• User Interaction (UI): None (N)
• Scope (S): Unchanged (U)
• Confidentiality (C): High (H)
• Integrity (I): High (H)
• Availability (A): High (H)
• Modified Attack Vector (MAV): Local (L)
• Modified Attack Complexity (MAC): Low (L)
• Modified Privileges Required (MPR): Low (L)
• Modified User Interaction (MUI): None (N)
• Modified Confidentiality (MC): High (H)
• Modified Scope (MS): Unchanged (U)
• Modified Integrity (MI): High (H)
• Modified Availability (MA): High (H)

updated 3 weeks, 3 days ago by @LeSuisse Activity log

• Created suggestion 3 weeks, 3 days ago
• @LeSuisse accepted 3 weeks, 3 days ago
• @LeSuisse published on GitHub 3 weeks, 3 days ago

Missing exit out of permission check in haveged could lead to root exploit

• https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-41054
• http://www.openwall.com/lists/oss-security/2026/05/19/3
• http://www.openwall.com/lists/oss-security/2026/05/19/4
• http://www.openwall.com/lists/oss-security/2026/05/19/5
• http://www.openwall.com/lists/oss-security/2026/05/20/1

---

haveged

• <1.9.14-150400.3.11.1
• <1.9.14-150600.11.6.1

libhavege2

• <1.9.14-150400.3.11.1
• <1.9.14-150600.11.6.1

haveged-devel

• <1.9.14-150400.3.11.1
• <1.9.14-150600.11.6.1

NIXPKGS-2026-1687

GitHub issue published 3 weeks, 3 days ago

Permalink CVE-2026-32792

4.6 MEDIUM

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Attack Requirement (AT): Present (P)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Vulnerable System Impact Confidentiality (VC): None (N)
• Vulnerable System Impact Integrity (VI): None (N)
• Vulnerable System Impact Availability (VA): High (H)
• Subsequent System Impact Confidentiality (SC): None (N)
• Subsequent System Impact Integrity (SI): None (N)
• Subsequent System Impact Availability (SA): None (N)
• Exploit Maturity (E): Unreported (U)
• Provider Urgency (U): Green (Green)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Attack Requirement (MAT): Present (P)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Vulnerable System Impact Confidentiality (MVC): None (N)
• Modified Vulnerable System Impact Integrity (MVI): None (N)
• Modified Vulnerable System Impact Availability (MVA): High (H)
• Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
• Modified Subsequent System Impact Integrity (MSI): Negligible (N)
• Modified Subsequent System Impact Availability (MSA): Negligible (N)
• Safety (S): Not Defined (X)
• Automatable (AU): Not Defined (X)
• Recovery (R): Not Defined (X)
• Value Density (V): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)

updated 3 weeks, 3 days ago by @LeSuisse Activity log

• Created suggestion 3 weeks, 3 days ago
• @LeSuisse ignored
  16 packages

  • luaPackages.luaunbound
  • lua51Packages.luaunbound
  • lua52Packages.luaunbound
  • lua53Packages.luaunbound
  • lua54Packages.luaunbound
  • lua55Packages.luaunbound
  • luajitPackages.luaunbound
  • prometheus-unbound-exporter
  • python312Packages.pyunbound
  • python313Packages.pyunbound
  • python314Packages.pyunbound
  • haskellPackages.unbound-generics
  • unbound-with-systemd
  • haskellPackages.unbounded-delays
  • haskellPackages.unbound-kind-generics
  • haskellPackages.unbound-generics-unify
  3 weeks, 3 days ago
• @LeSuisse restored package unbound-with-systemd 3 weeks, 3 days ago
• @LeSuisse accepted 3 weeks, 3 days ago
• @LeSuisse ignored maintainer @Scrumplex 3 weeks, 3 days ago maintainer.ignore
• @LeSuisse published on GitHub 3 weeks, 3 days ago

Packet of death with DNSCrypt

• https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-32792.txt vendor-advisory

---

Unbound

• <1.25.1

NIXPKGS-2026-1686

GitHub issue published 3 weeks, 3 days ago

Permalink CVE-2026-44608

4.6 MEDIUM

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): High (H)
• Attack Requirement (AT): Present (P)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Vulnerable System Impact Confidentiality (VC): None (N)
• Vulnerable System Impact Integrity (VI): None (N)
• Vulnerable System Impact Availability (VA): High (H)
• Subsequent System Impact Confidentiality (SC): None (N)
• Subsequent System Impact Integrity (SI): None (N)
• Subsequent System Impact Availability (SA): None (N)
• Exploit Maturity (E): Unreported (U)
• Provider Urgency (U): Amber (Amber)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): High (H)
• Modified Attack Requirement (MAT): Present (P)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Vulnerable System Impact Confidentiality (MVC): None (N)
• Modified Vulnerable System Impact Integrity (MVI): None (N)
• Modified Vulnerable System Impact Availability (MVA): High (H)
• Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
• Modified Subsequent System Impact Integrity (MSI): Negligible (N)
• Modified Subsequent System Impact Availability (MSA): Negligible (N)
• Safety (S): Not Defined (X)
• Automatable (AU): Not Defined (X)
• Recovery (R): Not Defined (X)
• Value Density (V): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)

updated 3 weeks, 3 days ago by @LeSuisse Activity log

• Created suggestion 3 weeks, 3 days ago
• @LeSuisse ignored
  15 packages

  • luaPackages.luaunbound
  • lua51Packages.luaunbound
  • lua52Packages.luaunbound
  • lua53Packages.luaunbound
  • lua54Packages.luaunbound
  • lua55Packages.luaunbound
  • luajitPackages.luaunbound
  • prometheus-unbound-exporter
  • python312Packages.pyunbound
  • python313Packages.pyunbound
  • python314Packages.pyunbound
  • haskellPackages.unbound-generics
  • haskellPackages.unbounded-delays
  • haskellPackages.unbound-kind-generics
  • haskellPackages.unbound-generics-unify
  3 weeks, 3 days ago
• @LeSuisse ignored maintainer @Scrumplex 3 weeks, 3 days ago maintainer.ignore
• @LeSuisse accepted 3 weeks, 3 days ago
• @LeSuisse published on GitHub 3 weeks, 3 days ago

Use after free and crash under special conditions in RPZ code

• https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-44608.txt vendor-advisory

---

Unbound

• <1.25.1

NIXPKGS-2026-1685

GitHub issue published 3 weeks, 3 days ago

Permalink CVE-2026-40622

6.6 MEDIUM

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Attack Requirement (AT): None (N)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Vulnerable System Impact Confidentiality (VC): None (N)
• Vulnerable System Impact Integrity (VI): High (H)
• Vulnerable System Impact Availability (VA): None (N)
• Subsequent System Impact Confidentiality (SC): None (N)
• Subsequent System Impact Integrity (SI): None (N)
• Subsequent System Impact Availability (SA): None (N)
• Exploit Maturity (E): Unreported (U)
• Provider Urgency (U): Amber (Amber)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Attack Requirement (MAT): None (N)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Vulnerable System Impact Confidentiality (MVC): None (N)
• Modified Vulnerable System Impact Integrity (MVI): High (H)
• Modified Vulnerable System Impact Availability (MVA): None (N)
• Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
• Modified Subsequent System Impact Integrity (MSI): Negligible (N)
• Modified Subsequent System Impact Availability (MSA): Negligible (N)
• Safety (S): Not Defined (X)
• Automatable (AU): Not Defined (X)
• Recovery (R): Not Defined (X)
• Value Density (V): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)

updated 3 weeks, 3 days ago by @LeSuisse Activity log

• Created suggestion 3 weeks, 3 days ago
• @LeSuisse ignored
  15 packages

  • luaPackages.luaunbound
  • lua51Packages.luaunbound
  • lua52Packages.luaunbound
  • lua53Packages.luaunbound
  • lua54Packages.luaunbound
  • lua55Packages.luaunbound
  • luajitPackages.luaunbound
  • prometheus-unbound-exporter
  • python312Packages.pyunbound
  • python313Packages.pyunbound
  • python314Packages.pyunbound
  • haskellPackages.unbound-generics
  • haskellPackages.unbounded-delays
  • haskellPackages.unbound-kind-generics
  • haskellPackages.unbound-generics-unify
  3 weeks, 3 days ago
• @LeSuisse ignored maintainer @Scrumplex 3 weeks, 3 days ago maintainer.ignore
• @LeSuisse accepted 3 weeks, 3 days ago
• @LeSuisse published on GitHub 3 weeks, 3 days ago

Another 'ghost domain names' attack variant

• https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-40622.txt vendor-advisory

---

Unbound

• <1.25.1

NIXPKGS-2026-1684

GitHub issue published 3 weeks, 3 days ago

Permalink CVE-2026-41292

6.6 MEDIUM

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Attack Requirement (AT): None (N)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Vulnerable System Impact Confidentiality (VC): None (N)
• Vulnerable System Impact Integrity (VI): None (N)
• Vulnerable System Impact Availability (VA): High (H)
• Subsequent System Impact Confidentiality (SC): None (N)
• Subsequent System Impact Integrity (SI): None (N)
• Subsequent System Impact Availability (SA): None (N)
• Exploit Maturity (E): Unreported (U)
• Provider Urgency (U): Red (Red)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Attack Requirement (MAT): None (N)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Vulnerable System Impact Confidentiality (MVC): None (N)
• Modified Vulnerable System Impact Integrity (MVI): None (N)
• Modified Vulnerable System Impact Availability (MVA): High (H)
• Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
• Modified Subsequent System Impact Integrity (MSI): Negligible (N)
• Modified Subsequent System Impact Availability (MSA): Negligible (N)
• Safety (S): Not Defined (X)
• Automatable (AU): Not Defined (X)
• Recovery (R): Not Defined (X)
• Value Density (V): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)

updated 3 weeks, 3 days ago by @LeSuisse Activity log

• Created suggestion 3 weeks, 3 days ago
• @LeSuisse ignored
  16 packages

  • luaPackages.luaunbound
  • lua51Packages.luaunbound
  • lua52Packages.luaunbound
  • lua53Packages.luaunbound
  • lua54Packages.luaunbound
  • lua55Packages.luaunbound
  • luajitPackages.luaunbound
  • prometheus-unbound-exporter
  • python312Packages.pyunbound
  • python313Packages.pyunbound
  • unbound-with-systemd
  • haskellPackages.unbound-generics
  • haskellPackages.unbound-generics-unify
  • haskellPackages.unbound-kind-generics
  • haskellPackages.unbounded-delays
  • python314Packages.pyunbound
  3 weeks, 3 days ago
• @LeSuisse restored package unbound-with-systemd 3 weeks, 3 days ago
• @LeSuisse ignored maintainer @Scrumplex 3 weeks, 3 days ago maintainer.ignore
• @LeSuisse accepted 3 weeks, 3 days ago
• @LeSuisse published on GitHub 3 weeks, 3 days ago

Long list of incoming EDNS options degrades performance

• https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-41292.txt vendor-advisory

---

Unbound

• <1.25.1

NIXPKGS-2026-1683

GitHub issue published 3 weeks, 3 days ago

Permalink CVE-2026-42923

6.9 MEDIUM

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Attack Requirement (AT): None (N)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Vulnerable System Impact Confidentiality (VC): None (N)
• Vulnerable System Impact Integrity (VI): None (N)
• Vulnerable System Impact Availability (VA): Low (L)
• Subsequent System Impact Confidentiality (SC): None (N)
• Subsequent System Impact Integrity (SI): None (N)
• Subsequent System Impact Availability (SA): None (N)
• Provider Urgency (U): Amber (Amber)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Attack Requirement (MAT): None (N)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Vulnerable System Impact Confidentiality (MVC): None (N)
• Modified Vulnerable System Impact Integrity (MVI): None (N)
• Modified Vulnerable System Impact Availability (MVA): Low (L)
• Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
• Modified Subsequent System Impact Integrity (MSI): Negligible (N)
• Modified Subsequent System Impact Availability (MSA): Negligible (N)
• Safety (S): Not Defined (X)
• Automatable (AU): Not Defined (X)
• Recovery (R): Not Defined (X)
• Value Density (V): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)
• Exploit Maturity (E): Not Defined (X)

updated 3 weeks, 3 days ago by @LeSuisse Activity log

• Created suggestion 3 weeks, 3 days ago
• @LeSuisse ignored
  15 packages

  • luaPackages.luaunbound
  • lua51Packages.luaunbound
  • lua52Packages.luaunbound
  • lua53Packages.luaunbound
  • lua54Packages.luaunbound
  • lua55Packages.luaunbound
  • luajitPackages.luaunbound
  • prometheus-unbound-exporter
  • python312Packages.pyunbound
  • python313Packages.pyunbound
  • python314Packages.pyunbound
  • haskellPackages.unbound-generics
  • haskellPackages.unbounded-delays
  • haskellPackages.unbound-kind-generics
  • haskellPackages.unbound-generics-unify
  3 weeks, 3 days ago
• @LeSuisse ignored maintainer @Scrumplex 3 weeks, 3 days ago maintainer.ignore
• @LeSuisse accepted 3 weeks, 3 days ago
• @LeSuisse published on GitHub 3 weeks, 3 days ago

Degradation of service with unbounded NSEC3 hash calculations

• https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42923.txt vendor-advisory

---

Unbound

• <1.25.1

NIXPKGS-2026-1682

GitHub issue published 3 weeks, 3 days ago

Permalink CVE-2026-42534

6.9 MEDIUM

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Network (N)
• Attack Complexity (AC): Low (L)
• Attack Requirement (AT): None (N)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Vulnerable System Impact Confidentiality (VC): None (N)
• Vulnerable System Impact Integrity (VI): None (N)
• Vulnerable System Impact Availability (VA): Low (L)
• Subsequent System Impact Confidentiality (SC): None (N)
• Subsequent System Impact Integrity (SI): None (N)
• Subsequent System Impact Availability (SA): None (N)
• Provider Urgency (U): Amber (Amber)
• Modified Attack Vector (MAV): Network (N)
• Modified Attack Complexity (MAC): Low (L)
• Modified Attack Requirement (MAT): None (N)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Vulnerable System Impact Confidentiality (MVC): None (N)
• Modified Vulnerable System Impact Integrity (MVI): None (N)
• Modified Vulnerable System Impact Availability (MVA): Low (L)
• Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
• Modified Subsequent System Impact Integrity (MSI): Negligible (N)
• Modified Subsequent System Impact Availability (MSA): Negligible (N)
• Safety (S): Not Defined (X)
• Automatable (AU): Not Defined (X)
• Recovery (R): Not Defined (X)
• Value Density (V): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)
• Exploit Maturity (E): Not Defined (X)

updated 3 weeks, 3 days ago by @LeSuisse Activity log

• Created suggestion 3 weeks, 3 days ago
• @LeSuisse ignored
  16 packages

  • luaPackages.luaunbound
  • lua51Packages.luaunbound
  • lua52Packages.luaunbound
  • lua53Packages.luaunbound
  • lua54Packages.luaunbound
  • lua55Packages.luaunbound
  • luajitPackages.luaunbound
  • prometheus-unbound-exporter
  • python312Packages.pyunbound
  • python313Packages.pyunbound
  • unbound-with-systemd
  • python314Packages.pyunbound
  • haskellPackages.unbound-generics
  • haskellPackages.unbounded-delays
  • haskellPackages.unbound-kind-generics
  • haskellPackages.unbound-generics-unify
  3 weeks, 3 days ago
• @LeSuisse restored package unbound-with-systemd 3 weeks, 3 days ago
• @LeSuisse ignored maintainer @Scrumplex 3 weeks, 3 days ago maintainer.ignore
• @LeSuisse accepted 3 weeks, 3 days ago
• @LeSuisse published on GitHub 3 weeks, 3 days ago

Jostle logic bypass degrades resolution performance

• https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42534.txt vendor-advisory

---

Unbound

• <1.25.1

NIXPKGS-2026-1681

GitHub issue published 3 weeks, 3 days ago

Permalink CVE-2026-42960

5.7 MEDIUM

• CVSS version (CVSS): 4.0
• Attack Vector (AV): Adjacent (A)
• Attack Complexity (AC): Low (L)
• Attack Requirement (AT): Present (P)
• Privileges Required (PR): None (N)
• User Interaction (UI): None (N)
• Vulnerable System Impact Confidentiality (VC): None (N)
• Vulnerable System Impact Integrity (VI): High (H)
• Vulnerable System Impact Availability (VA): None (N)
• Subsequent System Impact Confidentiality (SC): None (N)
• Subsequent System Impact Integrity (SI): High (H)
• Subsequent System Impact Availability (SA): High (H)
• Exploit Maturity (E): POC (P)
• Provider Urgency (U): Amber (Amber)
• Modified Attack Vector (MAV): Adjacent (A)
• Modified Attack Complexity (MAC): Low (L)
• Modified Attack Requirement (MAT): Present (P)
• Modified Privileges Required (MPR): None (N)
• Modified User Interaction (MUI): None (N)
• Modified Vulnerable System Impact Confidentiality (MVC): None (N)
• Modified Vulnerable System Impact Integrity (MVI): High (H)
• Modified Vulnerable System Impact Availability (MVA): None (N)
• Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
• Modified Subsequent System Impact Integrity (MSI): High (H)
• Modified Subsequent System Impact Availability (MSA): High (H)
• Safety (S): Not Defined (X)
• Automatable (AU): Not Defined (X)
• Recovery (R): Not Defined (X)
• Value Density (V): Not Defined (X)
• Vulnerability Response Effort (RE): Not Defined (X)
• Confidentiality Req. (CR): Not Defined (X)
• Integrity Req. (IR): Not Defined (X)
• Availability Req. (AR): Not Defined (X)

updated 3 weeks, 3 days ago by @LeSuisse Activity log

• Created suggestion 3 weeks, 3 days ago
• @LeSuisse ignored
  15 packages

  • luaPackages.luaunbound
  • lua51Packages.luaunbound
  • lua52Packages.luaunbound
  • lua53Packages.luaunbound
  • lua54Packages.luaunbound
  • lua55Packages.luaunbound
  • luajitPackages.luaunbound
  • prometheus-unbound-exporter
  • python312Packages.pyunbound
  • python313Packages.pyunbound
  • python314Packages.pyunbound
  • haskellPackages.unbound-generics
  • haskellPackages.unbounded-delays
  • haskellPackages.unbound-kind-generics
  • haskellPackages.unbound-generics-unify
  3 weeks, 3 days ago
• @LeSuisse ignored maintainer @Scrumplex 3 weeks, 3 days ago maintainer.ignore
• @LeSuisse accepted 3 weeks, 3 days ago
• @LeSuisse published on GitHub 3 weeks, 3 days ago

Possible cache poisoning via promiscuous records for the authority section

• https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42960.txt vendor-advisory

---

Unbound

• <1.25.1