unbound (1.9.0-2+deb10u7) buster-security; urgency=high

  * Non-maintainer upload by the ELTS Team.
  * Fix CVE-2025-11411: Cache poisoning vulnerability via NS RRSet injection.
  * Improve autopkgtests:
    + Drop unnecessary restrictions for the `make check` test.
    + Improve longcheck autopkgtest.

 -- Guilhem Moulin <guilhem@debian.org>  Thu, 06 Nov 2025 17:01:04 +0100

unbound (1.9.0-2+deb10u6) buster-security; urgency=high

  * Non-maintainer upload by the ELTS Team.
  * Fix CVE-2024-33655: The DNSBomb attack, via specially timed DNS queries
    and answers, can cause a Denial of Service on resolvers and spoofed
    targets.  Unbound itself is not vulnerable to DoS, but it can be used to
    take part in a pulsing DoS amplification attack.
  * Fix CVE-2025-5994: Resolvers supporting ECS need to segregate outgoing
    queries to accommodate for different outgoing ECS information.  This
    re-opens up resolvers to a birthday paradox attack (Rebirthday Attack)
    that tries to match the DNS transaction ID in order to cache non-ECS
    poisonous replies. (Closes: #1109427)
  * Apply code fix for CVE-2019-18934: Shell code execution after receiving a
    specially crafted answer.  This issue can only be triggered if unbound was
    compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and
    used in the configuration.  Note: Debian binary packages are not built
    with `--enable-ipsecmod`, and are therefore unaffected.
  * Fix CVE-2019-25031: Configuration injection in
    create_unbound_ad_servers.sh upon a successful man-in-the-middle attack
    against a cleartext HTTP session.
  * Fix CVE-2019-25032: Integer overflow in the regional allocator via
    regional_alloc.
  * Fix CVE-2019-25033: Integer overflow in the regional allocator via the
    ALIGN_UP macro.
  * Fix CVE-2019-25034: Integer overflow in sldns_str2wire_dname_buf_origin,
    leading to an out-of-bounds write.
  * Fix CVE-2019-25035: Out-of-bounds write in sldns_bget_token_par.
  * Fix CVE-2019-25036: Assertion failure and denial of service in
    synth_cname.
  * Fix CVE-2019-25037: Assertion failure and denial of service in
    dname_pkt_copy via an invalid packet.
  * Fix CVE-2019-25038: Integer overflow in a size calculation in
    dnscrypt/dnscrypt.c.
  * Fix CVE-2019-25039: Integer overflow in a size calculation in
    respip/respip.c.
  * Fix CVE-2019-25040: Infinite loop via a compressed name in dname_pkt_copy.
  * Fix CVE-2019-25041: Assertion failure via a compressed name in
    dname_pkt_copy.
  * Fix CVE-2019-25042: Out-of-bounds write via a compressed name in
    rdata_copy.
  * Backport upstream's follow-up changes for CVE-2024-43167.
  * DEP-8: Add `Depends: dnscrypt-proxy, netcat-openbsd, xxd` to avoid
    skipping tests.

 -- Guilhem Moulin <guilhem@debian.org>  Sun, 24 Aug 2025 04:08:38 +0200

unbound (1.9.0-2+deb10u5) buster-security; urgency=medium

  * Non-maintainer upload by the Debian LTS Team.
  * Fix CVE-2024-43168:
    A heap-buffer-overflow flaw was found in the cfg_mark_ports function within
    Unbound's config_file.c, which can lead to memory corruption. This issue
    could allow an attacker with local access to provide specially crafted
    input, potentially causing the application to crash or allowing arbitrary
    code execution. This could result in a denial of service or unauthorized
    actions on the system.
  * Fix CVE-2024-43167:
    A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in
    Unbound. This issue could allow an attacker who can invoke specific
    sequences of API calls to cause a segmentation fault. When certain API
    functions such as ub_ctx_set_fwd and ub_ctx_resolvconf are called in a
    particular order, the program attempts to read from a NULL pointer,
    leading to a crash. This issue can result in a denial of service by causing
    the application to terminate unexpectedly.
  * Fix CVE-2024-8508:
    When handling replies with very large RRsets that unbound needs to perform
    name compression for, it can spend a considerable time applying name
    compression to downstream replies, potentially leading to degraded
    performance and eventually denial of service in well orchestrated attacks.
  * d/patches/update-root-hints.patch: Update addresses for b.root-servers.net.

 -- Daniel Leidert <dleidert@debian.org>  Thu, 14 Nov 2024 20:07:09 +0100

unbound (1.9.0-2+deb10u4) buster-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2023-50387 and CVE-2023-50868:
    Two vulnerabilities were discovered in unbound, a validating, recursive,
    caching DNS resolver. Specially crafted DNSSEC answers could lead unbound
    down a very CPU intensive and time costly DNSSEC (CVE-2023-50387) or NSEC3
    hash (CVE-2023-50868) validation path, resulting in denial of service.

 -- Markus Koschany <apo@debian.org>  Wed, 21 Feb 2024 12:00:23 +0100

unbound (1.9.0-2+deb10u3) buster-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2022-3204:
    A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation
    Attack) has been discovered in various DNS resolving software. The
    NRDelegation Attack works by having a malicious delegation with a
    considerable number of non-responsive nameservers. The attack starts by
    querying a resolver for a record that relies on those unresponsive
    nameservers. The attack can cause a resolver to spend a lot of
    time/resources resolving records under a malicious delegation point where a
    considerable number of unresponsive NS records reside. It can trigger high
    CPU usage in some resolver implementations that continually look in the
    cache for resolved NS records in that delegation. This can lead to degraded
    performance and eventually denial of service in orchestrated attacks.
    Unbound does not suffer from high CPU usage, but resources are still needed
    for resolving the malicious delegation. Unbound will keep trying to resolve
    the record until hard limits are reached. Based on the nature of the attack
    and the replies, different limits could be reached. From now on Unbound
    introduces fixes for better performance when under load, by cutting
    opportunistic queries for nameserver discovery and DNSKEY prefetching and
    limiting the number of times a delegation point can issue a cache lookup
    for missing records.
  * Fix CVE-2022-30698 and CVE-2022-30699:
    NLnet Labs Unbound is vulnerable to a novel type of the "ghost domain
    names" attack. The vulnerability works by targeting an Unbound instance.
    Unbound is queried for a rogue domain name when the cached delegation
    information is about to expire. The rogue nameserver delays the response so
    that the cached delegation information is expired. Upon receiving the
    delayed answer containing the delegation information, Unbound overwrites
    the now expired entries. This action can be repeated when the delegation
    information is about to expire, making the rogue delegation information
    ever-updating. From now on Unbound stores the start time for a query and
    uses that to decide if the cached delegation information can be
    overwritten.
  * Fix CVE-2020-28935:
    Unbound contains a local vulnerability that would allow for a local symlink
    attack. When writing the PID file Unbound creates the file if it is not
    there, or opens an existing file for writing. In case the file was already
    present, it would follow symlinks if the file happened to be a symlink
    instead of a regular file.

 -- Markus Koschany <apo@debian.org>  Wed, 29 Mar 2023 10:11:30 +0200

unbound (1.9.0-2+deb10u2) buster-security; urgency=high

  * Apply NLnet Labs patch for CVE-2020-12662, CVE-2020-12663

 -- Robert Edmonds <edmonds@debian.org>  Mon, 25 May 2020 16:23:43 -0400

unbound (1.9.0-2+deb10u1) buster-security; urgency=high

  * Apply NLnet Labs patch for CVE-2019-16866 (Closes: #941692)

 -- Robert Edmonds <edmonds@debian.org>  Sat, 12 Oct 2019 20:40:17 -0400

unbound (1.9.0-2) unstable; urgency=medium

  [ Simon Deziel ]
  * Disable chroot'ing (Closes: #921538)

 -- Robert Edmonds <edmonds@debian.org>  Sat, 09 Feb 2019 21:10:52 -0500

unbound (1.9.0-1) unstable; urgency=medium

  * New upstream version 1.9.0
  * Team upload
  * Include dpkg/default.mk instead of only buildflags.mk
  * Update d/watch to reflect new download location and add signature check

 -- Ondřej Surý <ondrej@debian.org>  Tue, 05 Feb 2019 09:49:04 +0000

unbound (1.8.1-1) unstable; urgency=medium

  * New upstream version 1.8.1

 -- Robert Edmonds <edmonds@debian.org>  Thu, 08 Nov 2018 16:50:36 -0500

unbound (1.8.0-1) unstable; urgency=medium

  * New upstream version 1.8.0
  * debian/: libunbound2.symbols → libunbound8.symbols
  * debian/rules: libunbound2 → libunbound8
  * debian/control: libunbound2 → libunbound8
  * daemon/daemon.c: Fix systemd service manager state change notification

 -- Robert Edmonds <edmonds@debian.org>  Sat, 15 Sep 2018 16:21:11 -0400

unbound (1.7.3-1) unstable; urgency=medium

  * New upstream version 1.7.3
    - Don't count CNAME response types received during qname minimisation as
      query restart. (Closes: #900800)

 -- Robert Edmonds <edmonds@debian.org>  Thu, 21 Jun 2018 12:45:09 -0400

unbound (1.7.2-1) unstable; urgency=medium

  [ Robert Edmonds ]
  * New upstream version 1.7.2
  * debian/control: Update Maintainer field (Closes: #899758)

  [ Vincent Bernat ]
  * daemon/daemon.c: Fix reload hangs with systemd (Closes: #892914)

 -- Robert Edmonds <edmonds@debian.org>  Wed, 20 Jun 2018 17:30:34 -0400

unbound (1.7.1-1) unstable; urgency=medium

  [ Robert Edmonds ]
  * debian/control: Update Vcs-* links to use salsa.debian.org URLs
  * New upstream version 1.7.1

  [ Simon Deziel ]
  * debian/apparmor-profile: Add capabilities to chown/chmod Unix control
    socket (Closes: #891705)
  * debian/apparmor-profile: Allow reading /var/lib/sss/mc/initgroups
  * debian/apparmor-profile: Permit unbound to notify readiness to systemd
    (Closes: #867186)
  * debian/apparmor-profile: Let unbound r/w anywhere under
    /var/lib/unbound (Closes: #882731)
  * debian/apparmor-profile: Use attach_disconnected

 -- Robert Edmonds <edmonds@debian.org>  Wed, 23 May 2018 15:41:54 -0400

unbound (1.6.7-1) unstable; urgency=medium

  * New upstream version 1.6.7

 -- Robert Edmonds <edmonds@debian.org>  Sun, 15 Oct 2017 17:46:46 -0400

unbound (1.6.6-1) unstable; urgency=medium

  * New upstream version 1.6.6
  * debian/control: Drop obsolete build-depends on dh-systemd
  * debian/control: Bump Standards-Version to 4.1.1 (no changes)

 -- Robert Edmonds <edmonds@debian.org>  Sat, 07 Oct 2017 00:40:08 -0400

unbound (1.6.5-1) unstable; urgency=high

  [ Robert Edmonds ]
  * New upstream version 1.6.5
    - Fix install of trust anchor when two anchors are present, makes both
      valid. Checks hash of DS but not signature of new key. This fixes
      installs between sep11 and oct11 2017.
  * debian/rules: Enable EDNS Client Subnet in daemon

  [ Simon Deziel ]
  * debian/unbound.service: Set PIDFile= (Closes: #867192)

  [ Antony Antony ]
  * debian/rules: Enable libevent for libunbound2 API (Closes: #871675)

 -- Robert Edmonds <edmonds@debian.org>  Tue, 22 Aug 2017 22:50:56 -0400

unbound (1.6.4-1) unstable; urgency=medium

  [ Robert Edmonds ]
  * New upstream version 1.6.4
    - Fixes 'malformed packet DoS when "use-caps-for-id" enabled'
      (Closes: #864730)
  * debian/copyright: Use https form of the copyright-format URL
  * debian/copyright: Bump NLnet Labs copyright years through 2017
  * debian/control: Bump Standards-Version to 4.0.0
  * debian/: Enable systemd support
  * debian/unbound.service: Use Type=notify process start-up type
    (Closes: #866804)
  * debian/: Enable experimental pluggable event base libunbound API
    (Closes: #859584)
  * debian/control: Add Depends on lsb-base to satisfy lintian's
    "init.d-script-needs-depends-on-lsb-base"

  [ Steve Langasek ]
  * debian/control: Build-Depend on python '-dev' packages, not '-all-dev'
    (Closes: #864334, #866770)

  [ Steven Chamberlain ]
  * Allow use of libbsd functions with configure option --with-libbsd
  * debian/: Configure with --with-libbsd (Closes: #853751)

 -- Robert Edmonds <edmonds@debian.org>  Mon, 03 Jul 2017 16:30:17 -0400

unbound (1.6.0-3) unstable; urgency=medium

  * Cherry-pick upstream commit svn r4000, "Include root trust anchor id
    20326 in unbound-anchor". (Closes: #855484)

 -- Robert Edmonds <edmonds@debian.org>  Sun, 19 Feb 2017 20:04:34 -0500

unbound (1.6.0-2) unstable; urgency=high

  [ Helmut Grohne ]
  * Only use fake_dsa when HAVE_SSL is defined (Closes: #848339)

 -- Robert Edmonds <edmonds@debian.org>  Sun, 18 Dec 2016 15:00:12 -0500

unbound (1.6.0-1) unstable; urgency=medium

  [ Robert Edmonds ]
  * New upstream version 1.6.0

  [ Helmut Grohne ]
  * Add pkg.unbound.libonly build profile. (Closes: #847130)

 -- Robert Edmonds <edmonds@debian.org>  Thu, 15 Dec 2016 15:26:15 -0500

unbound (1.5.10-3) unstable; urgency=medium

  [ Helmut Grohne ]
  * Fix FTCBFS: (Closes: #845941)
    + Convert python Build-Depends to cross-friendly ones.
    + Let dh_auto_configure pass --host to ./configure.

 -- Robert Edmonds <edmonds@debian.org>  Sun, 27 Nov 2016 14:41:30 -0500

unbound (1.5.10-2) unstable; urgency=medium

  * debian/unbound.install: Install usr/sbin/unbound-checkconf
    (Closes: #842797)

 -- Robert Edmonds <edmonds@debian.org>  Tue, 01 Nov 2016 16:37:52 -0400

unbound (1.5.10-1) unstable; urgency=medium

  * New upstream version 1.5.10
    - Fixes FTBFS with OpenSSL 1.1.0 (Closes: #828584)
  * debian/: Build libunbound against nettle (Closes: #828699)
  * debian/: Support Python 3 (Closes: #835972)
  * debian/rules: Install libunbound.pc into the libunbound-dev package
  * debian/copyright: Update

 -- Robert Edmonds <edmonds@debian.org>  Tue, 04 Oct 2016 03:43:45 -0400

unbound (1.5.9-3) unstable; urgency=medium

  [ Nicolas Braud-Santoni ]
  * debian/: Ship AppArmor profile (Closes: #518002)
  * debian/control: Use HTTPS for Vcs-Git link
  * debian/unbound.service: Add documentation to the systemd unit file
  * debian/control: Bump Standards-Version to 3.9.8 (no changes)

 -- Robert Edmonds <edmonds@debian.org>  Sat, 06 Aug 2016 14:51:52 -0400

unbound (1.5.9-2) unstable; urgency=low

  * debian/unbound.init: Call start-stop-daemon with --retry for 'stop'
    action (based on patch from Julien Cristau)
  * debian/: Add unbound.service, unbound-resolvconf.service
    (Closes: #826241) (Thanks to Michael Biebl)
  * debian/rules: Configure with --with-rootkey-file=/var/lib/unbound/root.key

 -- Robert Edmonds <edmonds@debian.org>  Sun, 24 Jul 2016 19:48:56 -0400

unbound (1.5.9-1) unstable; urgency=medium

  * Imported Upstream version 1.5.9
    - Updated L-Root IPv6 address (Closes: #818292)
  * debian/unbound.init: Add "pidfile" magic comment (Closes: #807132)
  * debian/libunbound2.symbols: Add new symbol 'ub_ctx_create_ub_event'
  * Enable DNS query name minimisation by default

 -- Robert Edmonds <edmonds@debian.org>  Fri, 10 Jun 2016 23:01:15 -0400

unbound (1.5.8-1) unstable; urgency=medium

  * Imported Upstream version 1.5.8
  * debian/libunbound2.symbols: Add new symbol 'ub_ctx_set_stub'
  * debian/unbound.postinst: Clean up permissions on the resolvconf
    forwarder hook on upgrades (Closes: #816425)

 -- Robert Edmonds <edmonds@debian.org>  Sun, 06 Mar 2016 22:52:28 -0500

unbound (1.5.7-2) unstable; urgency=medium

  * debian/control: Add dh-python to Build-Depends
  * debian/: Install contrib/update-anchor.sh, contrib/unbound_munin_
    (Closes: #573329)
  * Makefile.in: Pass PYTHON_CPPFLAGS to swig instead of CPPFLAGS (Closes:
    #809055)
  * debian/: Run "wrap-and-sort -sabt"
  * debian/resolvconf: No longer use RESOLVCONF_FORWARDERS from
    /etc/default/unbound
  * debian/unbound.postinst: Remove unbound-anchor invocation
  * debian/package-helper: Add helper script for init scripts and
    resolvconf
  * debian/unbound.init: Rewrite to use package-helper script
  * debian/unbound.default: Remove
  * debian/unbound.maintscript: Remove conffile /etc/default/unbound
  * debian/resolvconf-package: Add resolvconf packaging-event hook script
    (Closes: #777228)
  * debian/control: unbound: Depend on dns-root-data, for root trust
    anchor updates (Closes: #760461)
  * debian/rules: Disable the resolvconf update.d hook by default
  * debian/gbp.conf: Remove [dch] id-length
  * debian/NEWS.Debian: Add NEWS entry for 1.5.7-2
  * debian/unbound.postinst: Always chown /var/lib/unbound (Closes:
    #763901)
  * debian/package-helper: Invoke unbound-anchor as user/group unbound
  * debian/: unbound.doc -> unbound.docs; Actually install upstream docs
  * debian/unbound.docs: Install doc/README.DNS64
  * debian/unbound.docs: Install debian/NEWS.Debian
  * debian/package-helper: Clean old chroot files (Closes: #790392) (Patch
    from Simon Deziel)

 -- Robert Edmonds <edmonds@debian.org>  Sun, 21 Feb 2016 16:22:23 -0500

unbound (1.5.7-1) unstable; urgency=medium

  * [3cf7971b] debian/control: Vcs-Browser should point to cgit
    (Closes: #804437)
  * [66955294] Imported Upstream version 1.5.7

 -- Robert Edmonds <edmonds@debian.org>  Sat, 12 Dec 2015 14:48:03 -0500

unbound (1.5.6-1) unstable; urgency=medium

  * [0d5117d5] Imported Upstream version 1.5.4
  * [8327e145] Imported Upstream version 1.5.5
  * [eb2adc8c] Imported Upstream version 1.5.6
    - Closes: #796934, #803042.
  * [5a973651] debian/control: Update Maintainer, Uploaders for pkg-dns
  * [543459fa] debian/control: Update Vcs-Browser, Vcs-Git
  * [b69e513f] debian/: Run "wrap-and-sort -sbt"
  * [730f3622] debian/gbp.conf: Add [dch] section
  * [6b383656] debian/: Enable dnstap support

 -- Robert Edmonds <edmonds@debian.org>  Sun, 08 Nov 2015 01:26:27 -0500

unbound (1.5.3-1) experimental; urgency=medium

  * New upstream release.

 -- Robert Edmonds <edmonds@debian.org>  Sat, 14 Mar 2015 14:16:27 -0400

unbound (1.5.2-1) experimental; urgency=medium

  * New upstream release.
  * Migrate pidfile from /var/run to /run; closes: #773247.
  * Fix unbound-checkconf to recognize "python" in module-config;
    closes: #777193.

 -- Robert Edmonds <edmonds@debian.org>  Sat, 28 Feb 2015 21:04:03 -0500

unbound (1.5.1-1) experimental; urgency=medium

  * New upstream release.
    - Fix CVE-2014-8602: denial of service by making resolver chase
      endless series of delegations.

 -- Robert Edmonds <edmonds@debian.org>  Mon, 08 Dec 2014 15:08:30 -0500

unbound (1.5.0~rc1-1) experimental; urgency=medium

  * New upstream release.
  * Upload to experimental.

 -- Robert Edmonds <edmonds@debian.org>  Tue, 11 Nov 2014 19:18:44 -0500

unbound (1.4.22-2) unstable; urgency=medium

  * Drop unneeded Build-Dependency on doxygen.
  * Drop unneeded Build-Dependency on automake. (Unbound does not use
    automake.)
  * Use dh_autotools-dev_updateconfig to update the config.{guess,sub} files
    at build time; closes: #746313.

 -- Robert S. Edmonds <edmonds@debian.org>  Mon, 18 Aug 2014 16:20:28 -0400

unbound (1.4.22-1) unstable; urgency=medium

  * New upstream release.
  * Drop Build-Dependency on libldns-dev. Unbound no longer relies on
    libldns.

 -- Robert S. Edmonds <edmonds@debian.org>  Wed, 12 Mar 2014 13:21:58 -0400

unbound (1.4.21-1) unstable; urgency=low

  * New upstream release.
  * Don't compress the example config file in /usr/share/doc/unbound;
    closes: #722708.
  * Fully enable hardening options; closes: #709837.
    (Patch from Simon Deziel.)
  * Add support for .d style configuration in /etc/unbound/unbound.conf.d;
    closes: #656549.
  * Move auto-trust-anchor-file configuration for the root into the new
    /etc/unbound/unbound.conf.d directory.

 -- Robert S. Edmonds <edmonds@debian.org>  Thu, 19 Sep 2013 21:45:39 -0400

unbound (1.4.20-1) unstable; urgency=low

  * New upstream release.
    - Updates IPv4 address hint for D.ROOT-SERVERS.NET; closes: #697351.
  * Correct exit code for "/etc/init.d/unbound status"; closes: #685052.
    (Patch from micah anderson.)
  * Finish dh_python2 conversion; closes: #697575.
    (Patch from Micah Gersten.)
  * Check for multiarch Python headers; closes: #697576.
    (Patch from Micah Gersten.)
  * Automatically set up the chroot directory if enabled; closes: #579622.
    (Patch from Simon Deziel.)

 -- Robert S. Edmonds <edmonds@debian.org>  Sat, 13 Apr 2013 15:34:47 -0400

unbound (1.4.19-1) unstable; urgency=low

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Fri, 14 Dec 2012 21:33:42 -0500

unbound (1.4.18-1) unstable; urgency=low

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 05 Aug 2012 21:54:05 -0400

unbound (1.4.17-2) unstable; urgency=low

  * Build-depend on libldns-dev (>= 1.6.13~) for ECDSA support.

 -- Robert S. Edmonds <edmonds@debian.org>  Mon, 28 May 2012 14:19:57 -0400

unbound (1.4.17-1) unstable; urgency=low

  * New upstream release; closes: #674434.
  * Implement 'status' command in init script; closes: #666388.
  * Fix build system bug that negated fully hardening the build;
    closes: #658021. (Patch from Simon Ruderich.)
  * Disable ECDSA support (for now) as this requires a newer ldns than is in
    the archive.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 27 May 2012 16:41:41 -0400

unbound (1.4.16-2) unstable; urgency=low

  * Enable hardened build flags; closes: #658021.

 -- Robert S. Edmonds <edmonds@debian.org>  Sat, 21 Apr 2012 15:35:16 -0400

unbound (1.4.16-1) unstable; urgency=low

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 05 Feb 2012 20:02:24 -0500

unbound (1.4.14-2) unstable; urgency=high

  * Work around gcc bugs by disabling link time optimization on build
    architectures that are not i386/amd64.

 -- Robert S. Edmonds <edmonds@debian.org>  Wed, 21 Dec 2011 15:52:17 -0500

unbound (1.4.14-1) unstable; urgency=high

  * New upstream release.
    - CVE-2011-4528.
  * Call dh_python2 in debian/rules; closes: #652294.

 -- Robert S. Edmonds <edmonds@debian.org>  Mon, 19 Dec 2011 11:00:46 -0500

unbound (1.4.13-2) unstable; urgency=low

  * Reduce the run-time dependencies of libunbound and the unbound-*
    utilities.

 -- Robert S. Edmonds <edmonds@debian.org>  Sat, 29 Oct 2011 16:16:19 -0400

unbound (1.4.13-1) unstable; urgency=low

  * New upstream release.
  * Only install forwarders learned from resolvconf into unbound if
    RESOLVCONF_FORWARDERS is enabled in /etc/default/unbound; closes: #637198.
  * Split unbound-anchor utility into separate binary package.
  * Support multi-arch.
  * Fix FTBFS with dpkg-dev 1.16.1.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 23 Oct 2011 16:55:45 -0400

unbound (1.4.12-1) unstable; urgency=medium

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Mon, 18 Jul 2011 15:56:42 -0400

unbound (1.4.11-1) unstable; urgency=low

  * New upstream release.
  * Fix FTBFS with default python >> 2.6; closes: #625520.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 03 Jul 2011 16:32:49 -0400

unbound (1.4.10-1) unstable; urgency=low

  * New upstream release:
    - CVE-2011-1922.

 -- Robert S. Edmonds <edmonds@debian.org>  Wed, 25 May 2011 15:48:34 -0700

unbound (1.4.9-2) unstable; urgency=low

  * Build-depend on libldns-dev (>= 1.6.9-2~) for GOST support.
  * Configure without --disable-gost.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 03 Apr 2011 14:31:40 -0400

unbound (1.4.9-1) unstable; urgency=low

  * New upstream release.
  * Convert packaging to git.
  * Configure with --with-pythonmodule.
  * Configure with --with-pyunbound.
  * Build new python-unbound package; closes: #542094.
  * Automatically create and remove remote control key material on package
    configuration and package purge.
  * Set default remote control port to 53953 to avoid conflicting with the
    bind9 package's default use of port 953 for rndc.
  * Securely fetch or update the root trust anchor at postinst and before
    starting the unbound daemon if ROOT_TRUST_ANCHOR_UPDATE is set in
    /etc/default/unbound; closes: #594911.
  * If unbound is listening on a loopback address, provide this address as
    a nameserver to resolvconf if RESOLVCONF is enabled in
    /etc/default/unbound; closes: #562031.
  * Configure resolvconf discovered nameservers as forwarders if
    RESOLVCONF_FORWARDERS is enabled in /etc/default/unbound; closes: #567879.
  * Don't exit from the init script with an error if UNBOUND_ENABLE is not
    true; default UNBOUND_ENABLE to true if the default file is missing
    entirely; closes: #618815.
  * Support /etc/init.d/unbound reload; closes: #620256.

 -- Robert S. Edmonds <edmonds@debian.org>  Sat, 02 Apr 2011 22:52:16 -0400

unbound (1.4.8-2) unstable; urgency=low

  * Add build-dependency on libexpat1-dev; closes: #612261.
  * Install unbound-anchor utility in unbound package.

 -- Robert S. Edmonds <edmonds@debian.org>  Mon, 07 Feb 2011 16:06:00 -0500

unbound (1.4.8-1) unstable; urgency=low

  * New upstream release; closes: #611527.
  * Add /etc/insserv.conf.d/unbound file declaring unbound to be a name
    daemon; closes: #596488, #600118.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 06 Feb 2011 23:33:04 -0500

unbound (1.4.6-1) unstable; urgency=low

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 15 Aug 2010 18:26:43 -0400

unbound (1.4.5-1) unstable; urgency=low

  * New upstream release.
  * Add dependency on openssl to the unbound binary package; closes: #585808.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 20 Jun 2010 16:50:42 -0400

unbound (1.4.4-1) unstable; urgency=low

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Thu, 22 Apr 2010 15:24:06 -0400

unbound (1.4.3-1) unstable; urgency=low

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Thu, 11 Mar 2010 15:55:33 -0500

unbound (1.4.2-1) unstable; urgency=low

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Tue, 09 Mar 2010 14:13:31 -0500

unbound (1.4.1-2) unstable; urgency=low

  * Invoke dh_installinit with --restart-after-upgrade; closes: #563033.

 -- Robert S. Edmonds <edmonds@debian.org>  Tue, 29 Dec 2009 21:54:26 -0500

unbound (1.4.1-1) unstable; urgency=low

  * New upstream release.
  * Document copyright status of util/configparser.c, util/configparser.h;
    closes: #552066.
  * Enable libev support; closes: #552424.

 -- Robert S. Edmonds <edmonds@debian.org>  Sat, 26 Dec 2009 17:19:10 -0500

unbound (1.4.0-1) unstable; urgency=low

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Fri, 04 Dec 2009 20:32:52 -0800

unbound (1.3.4-1) unstable; urgency=low

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Wed, 07 Oct 2009 12:59:21 -0400

unbound (1.3.3-1) unstable; urgency=low

  * New upstream release.
  * Drop .la file from libunbound-dev; closes: #541640.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 23 Aug 2009 13:25:53 -0400

unbound (1.3.2-1) unstable; urgency=low

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Mon, 13 Jul 2009 05:50:47 -0400

unbound (1.3.0-1) unstable; urgency=low

  * New upstream release; closes: #533613.
  * Move pid file to /var/run; closes: #533611.
  * Use "unbound-checkconf -o pidfile" in init script to determine pid file
    location (thanks Michael Tokarev).

 -- Robert S. Edmonds <edmonds@debian.org>  Mon, 29 Jun 2009 01:10:00 -0400

unbound (1.2.1-2) unstable; urgency=low

  * Closes: #527753, #509535.

 -- Robert S. Edmonds <edmonds@debian.org>  Sat, 09 May 2009 16:46:32 -0400

unbound (1.2.1-1) unstable; urgency=low

  * New upstream release.
  * Remove init script chroot setup.

 -- Robert S. Edmonds <edmonds@debian.org>  Sat, 28 Feb 2009 19:46:09 -0500

unbound (1.0.2-1.2) unstable; urgency=low

  * Enable unbound by default (Closes: #508884)
  * Call dh_installinit with --error-handler=true (Closes: #500176)

 -- Ondřej Surý <ondrej@debian.org>  Tue, 16 Dec 2008 11:54:15 +0100

unbound (1.0.2-1.1) unstable; urgency=low

  [ Hideki Yamane (Debian-JP) ]
  * debian/{unbound.init,unbound.default}
    + do not start by default, to avoid install problems caused by other name
      servers blocking port 53
  * debian/unbound.prerm
    + fix lintian "unbound: maintainer-script-hides-init-failure prerm:5" error

  [ Ondřej Surý ]
  * Non-maintainer upload.
  * Minor tweaks to patched init.d file to make it work.

 -- Ondřej Surý <ondrej@debian.org>  Mon, 15 Dec 2008 19:54:44 +0100

unbound (1.0.2-1) unstable; urgency=low

  * New upstream release;
    + stricter filtering of DNS messages to combat cache poisoning

 -- Robert S. Edmonds <edmonds@debian.org>  Mon, 25 Aug 2008 01:03:59 -0400

unbound (1.0.1-2) unstable; urgency=low

  * unbound tries too hard to chroot(); ship a default config that doesn't
    fail to start on new installs; closes: #492243.

 -- Robert S. Edmonds <edmonds@debian.org>  Sat, 02 Aug 2008 17:46:24 -0400

unbound (1.0.1-1) unstable; urgency=low

  * New upstream release.
  * Drop 'return' from init script; closes: #488650.

 -- Robert S. Edmonds <edmonds@debian.org>  Wed, 16 Jul 2008 12:38:55 -0400

unbound (1.0.0-3) unstable; urgency=low

  * Lintian clean; closes: #485438.
  * Don't chroot by default; note manual syslog configuration in
    README.Debian; closes: #486303.
  * Update to policy 3.8.0.0.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 15 Jun 2008 17:25:04 -0400

unbound (1.0.0-2) unstable; urgency=low

  * Fix Build-Deps.
  * Split unbound-host into a separate package.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 25 May 2008 16:12:21 -0400

unbound (1.0.0-1) unstable; urgency=low

  * Initial release; closes: #482277.

 -- Robert S. Edmonds <edmonds@debian.org>  Wed, 21 May 2008 14:13:28 -0400

