Main Vulnerability Database SB2025072110

SB2025072110 - Fedora 42 update for unbound

Published: July 21, 2025

Security Bulletin ID SB2025072110

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Acceptance of Extraneous Untrusted Data With Trusted Data (CVE-ID: CVE-2025-5994)

The vulnerability allows a remote attacker to perform cache poisoning attacks.

The vulnerability exists due to a logic error in the EDNS Client Subnet (ECS) implementation. A remote attacker can perform cache poisoning attacks against Unbound servers with ECS support, a.k.a. Rebirthday Attack.

Successful exploitation of the vulnerability requires that the server is compiled with '--enable-subnet' and configured to send ECS information to upstream name servers with at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-2025-350a4ec835