Iperf3 and Unbound updates for Debian 11 LTS

The Debian project has issued two critical security advisories for Debian GNU/Linux 11 (Bullseye) Long Term Support (LTS) to address vulnerabilities affecting the iperf3 bandwidth measuring tool and the unbound DNS resolver.

The iperf3 advisory (DLA-4281-1) resolves two significant vulnerabilities: a heap buffer overflow and a reachable assert, both of which could be exploited by attackers. The new fixed version for iperf3 is 3.9-1+deb11u3. Users are strongly advised to upgrade their iperf3 packages to enhance security.

In the unbound advisory (DLA-4280-1), two vulnerabilities have been identified that could lead to denial of service (DoS) or cache poisoning. Specifically, the first vulnerability (CVE-2024-33655) relates to the DNSBomb attack, which can cause DoS through specially timed DNS queries. While unbound itself is not directly vulnerable to DoS, it may participate in amplification attacks. To counter this, configuration options have been added to reduce the impact of these attacks, including parameters that manage query timeouts and limits on recursive queries from individual IP addresses. The second vulnerability (CVE-2025-5994) involves the potential for a birthday paradox attack impacting resolvers that support EDNS Client Subnet (ECS). Unbound has been updated to disregard irrelevant replies to mitigate this risk. The updated version for unbound is 1.13.1-1+deb11u5.

In conclusion, both updates are vital for maintaining the security integrity of Debian 11 Bullseye. Users should promptly apply these updates to safeguard their systems against potential exploitation. For further details on these advisories, including how to apply the updates, users can refer to the respective security tracker pages and Debian's LTS wiki.

Moreover, ongoing vigilance and regular updates are essential for maintaining robust security, especially as new vulnerabilities continue to emerge. Users should stay informed about the latest security patches and best practices for their Debian systems.

The Debian project has released two security advisories for Debian GNU/Linux 11 (Bullseye) LTS to address vulnerabilities in the iperf3 bandwidth measuring tool and the unbound DNS resolver. The iperf3 advisory (DLA-4281-1) fixes two issues, including a heap buffer overflow and a reachable assert, which can be exploited by attackers. The unbound advisory (DLA-4280-1) addresses two vulnerabilities that may lead to denial of service or cache poisoning and includes configuration options to mitigate the impact of these issues.

[DLA 4281-1] iperf3 security update
[DLA 4280-1] unbound security update
