DNS Security Patches of 2024-02-13 - solution for Debian 11 bullseye

BIND 9 Security Release and Multi-Vendor Vulnerability Handling, CVE-2023-50387 and CVE-2023-50868 contains a detailed description and also a link to the corresponding Unbound 1.19.1 Release Announcement.

The problem: Debian 11.* bullseye (should be updated to 11.9 ASAP with the standard update + upgrade procedure) does not have appropriate versions of BIND & Unbound and probably will never get these.

Solution for BIND: use the ISC Debian .deb repository instead of Debian Main; it has bind 9.18.24 for bullseye.

Solution for Unbound: while the main repo is stuck with unbound 1.13.1, and the backports repo has 1.18.smth, the “testing” repo (supposedly, for the 12/13 branches) already has the unbound 1.9.1-1 source package available. Following this manual for building your private, local, unofficial backports, I’ve just built a set of .deb packages on one of my Debian 11.9 servers, with all the Debian custom patches included (because I took the Debian “testing” sources, so the patches are already there). Build OK with no errors, now testing it.

Hope it helps! Regards, Andreas

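An added check (example code, not from Andreas's post) for a bullseye admin who has taken either route above: it compares the installed bind9 and unbound package versions against the versions the post names (BIND 9.18.24 from the ISC repo, Unbound 1.19.1), stripping the Debian epoch and revision before comparing. The package names bind9 and unbound, and the use of dpkg-query and GNU sort -V, are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Minimum upstream versions taken from the post (BIND 9.18.24, Unbound 1.19.1);
# Debian package names (bind9, unbound) are assumed.
BIND_MIN="9.18.24"
UNBOUND_MIN="1.19.1"

# upstream_version VER: strip the Debian epoch ("1:") and the Debian
# revision ("-1+deb11u1") from a dpkg version string.
upstream_version() {
    v=${1#*:}                  # drop epoch, if present
    printf '%s\n' "${v%%-*}"   # drop Debian revision, if present
}

# version_ge A B: succeed when upstream version A >= B (GNU sort -V order).
version_ge() {
    printf '%s\n%s\n' "$2" "$1" | sort -V -C
}

# installed_version PKG: dpkg version of PKG if it is actually installed
# (not merely left in config-files state); prints nothing otherwise.
installed_version() {
    st=$(dpkg-query -W -f='${db:Status-Status} ${Version}' "$1" 2>/dev/null) || return 0
    case $st in
        installed\ *) printf '%s\n' "${st#installed }" ;;
    esac
}

# check_pkg PKG MIN: report whether PKG meets MIN; return 1 when it does not.
check_pkg() {
    raw=$(installed_version "$1")
    if [ -z "$raw" ]; then
        echo "$1: not installed"
        return 0
    fi
    up=$(upstream_version "$raw")
    if version_ge "$up" "$2"; then
        echo "$1 $raw: OK (upstream $up >= $2)"
        return 0
    fi
    echo "$1 $raw: upstream $up is below $2 (pre-2024-02-13 code)"
    return 1
}

status=0
check_pkg bind9 "$BIND_MIN" || status=1
check_pkg unbound "$UNBOUND_MIN" || status=1
```

Run it on the server after the repository switch or the local backport install; a non-zero `status` means at least one resolver package is still below the version the post recommends.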

Thanks for sharing, I also use Debian 11.