unbound (1.13.1-1+deb11u5) bullseye-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * Fix CVE-2024-33655: The DNSBomb attack, via specially timed DNS queries
    and answers, can cause a Denial of Service on resolvers and spoofed
    targets.  Unbound itself is not vulnerable for DoS, but it can be used to
    take part in a pulsing DoS amplification attack.
  * Fix CVE-2025-5994: Resolvers supporting ECS need to segregate outgoing
    queries to accommodate for different outgoing ECS information.  This
    re-opens up resolvers to a birthday paradox attack (Rebirthday Attack)
    that tries to match the DNS transaction ID in order to cache non-ECS
    poisonous replies. (Closes: #1109427)
  * Backport upstream's follow-up changes for CVE-2024-43168 and
    CVE-2024-43167.
  * DEP-8: Add `Depends: netcat-openbsd, xxd` to avoid skipping tests.

 -- Guilhem Moulin <guilhem@debian.org>  Sat, 23 Aug 2025 19:22:47 +0200

unbound (1.13.1-1+deb11u4) bullseye-security; urgency=medium

  * Non-maintainer upload by the Debian LTS Team.
  * d/patches/CVE-2024-8508.patch: Fix CVE-2024-8508.
    When handling replies with very large RRsets that unbound needs to perform
    name compression for, it can spend a considerable time applying name
    compression to downstream replies, potentially leading to degraded
    performance and eventually denial of service in well orchestrated attacks
    (closes: #1083282).
  * d/patches/update-root-hints.patch: Update addresses for b.root-servers.net.
  * d/patches/allow-small-keys-in-tests.patch: Allow small key sizes for tests.
  * d/patches/disable-remote-control-in-tests-with-two-instances.patch: Disable
    the remote control port in tests which require two instances to avoid the
    binding conflict.

 -- Daniel Leidert <dleidert@debian.org>  Thu, 14 Nov 2024 17:21:36 +0100

unbound (1.13.1-1+deb11u3) bullseye-security; urgency=medium

  * Non-maintainer upload by the Debian LTS Team.
  * Fix CVE-2024-43168:
    A heap-buffer-overflow flaw was found in the cfg_mark_ports function within
    Unbound's config_file.c, which can lead to memory corruption. This issue
    could allow an attacker with local access to provide specially crafted
    input, potentially causing the application to crash or allowing arbitrary
    code execution. This could result in a denial of service or unauthorized
  * Fix: CVE-2024-43167:
    A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in
    Unbound. This issue could allow an attacker who can invoke specific
    sequences of API calls to cause a segmentation fault. When certain API
    functions such as ub_ctx_set_fwd and ub_ctx_resolvconf are called in a
    particular order, the program attempts to read from a NULL pointer,
    leading to a crash. This issue can result in a denial of service by causing

 -- Daniel Leidert <dleidert@debian.org>  Sun, 29 Sep 2024 02:28:35 +0200

unbound (1.13.1-1+deb11u2) bullseye-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Address DNSSEC protocol vulnerabilities (Closes: #1063845)
    - Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to
      exhaust CPU resources and stall DNS resolvers.
    - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.

 -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 13 Feb 2024 21:15:34 +0100

unbound (1.13.1-1+deb11u1) bullseye; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix the following security vulnerabilities.
    CVE-2022-3204:
    A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation
    Attack) has been discovered in various DNS resolving software. The
    NRDelegation Attack works by having a malicious delegation with a
    considerable number of non responsive nameservers. The attack starts by
    querying a resolver for a record that relies on those unresponsive
    nameservers. The attack can cause a resolver to spend a lot of
    time/resources resolving records under a malicious delegation point where a
    considerable number of unresponsive NS records reside. It can trigger high
    CPU usage in some resolver implementations that continually look in the
    cache for resolved NS records in that delegation. This can lead to degraded
    performance and eventually denial of service in orchestrated attacks.
    Unbound does not suffer from high CPU usage, but resources are still needed
    for resolving the malicious delegation. Unbound will keep trying to resolve
    the record until hard limits are reached. Based on the nature of the attack
    and the replies, different limits could be reached. From now on Unbound
    introduces fixes for better performance when under load, by cutting
    opportunistic queries for nameserver discovery and DNSKEY prefetching and
    limiting the number of times a delegation point can issue a cache lookup
    for missing records.
  * CVE-2022-30698 and CVE-2022-30699: (Closes: #1016493)
    Unbound is vulnerable to a novel type of the "ghost domain names" attack.
    The vulnerability works by targeting an Unbound instance.  Unbound is
    queried for a rogue domain name when the cached delegation information is
    about to expire. The rogue nameserver delays the response so that the
    cached delegation information is expired. Upon receiving the delayed answer
    containing the delegation information, Unbound overwrites the now expired
    entries. This action can be repeated when the delegation information is
    about to expire making the rogue delegation information ever-updating. From
    now on Unbound stores the start time for a query and uses that to decide if
    the cached delegation information can be overwritten.

 -- Markus Koschany <apo@debian.org>  Wed, 05 Apr 2023 23:06:47 +0200

unbound (1.13.1-1) unstable; urgency=medium

  * New upstream version 1.13.1
  * debian/gbp.conf: [import-orig] upstream-signatures = True
  * Drop debian/patches/0002-Fix-358-Squelch-udp-connect-no-route-to-host-
    errors-.patch (included in 1.13.1 release)
  * debian/copyright: 2021

 -- Robert Edmonds <edmonds@debian.org>  Tue, 09 Feb 2021 17:53:57 -0500

unbound (1.13.0-1) unstable; urgency=medium

  * New upstream version 1.13.0
    - Fix CVE-2020-28935: PID file vulnerability (Closes: #977165)
  * debian/patches/0002-Fix-358-Squelch-udp-connect-no-route-to-host-
    errors-.patch: Cherry-pick upstream commit
    5906811ff19f005110b2edbda5aa144ad5fa05b1 to suppress UDP connect()
    errors on low verbosity

 -- Robert Edmonds <edmonds@debian.org>  Wed, 23 Dec 2020 19:34:24 -0500

unbound (1.12.0-1) unstable; urgency=medium

  * New upstream version 1.12.0

 -- Robert Edmonds <edmonds@debian.org>  Mon, 19 Oct 2020 00:35:38 -0400

unbound (1.11.0-1) unstable; urgency=medium

  [ Simon Deziel ]
  * systemd: don't create a PID file
  * debian/package-helper: mount --bind systemd notify socket into chroot
    (Closes: #867187)

  [ Robert Edmonds ]
  * New upstream version 1.11.0
    - Merge PR #241 by Robert Edmonds: contrib/libunbound.pc.in: Do not use
      "Requires:". (Closes: #958331)
    - Introduce "include-toplevel:" configuration option.
    - Adds its own implementation of Frame Streams for dnstap support.
  * debian/control: Remove build dependency on libfstrm-dev
  * debian/unbound.conf: Use "include-toplevel:" instead of "include:"
    (Closes: #950754)
  * debian/NEWS: Add entry for 1.11.0-1 regarding the change of
    /etc/unbound/unbound.conf to using the "include-toplevel:" directive
  * debian/patches/: Refresh patches

 -- Robert Edmonds <edmonds@debian.org>  Sun, 09 Aug 2020 20:57:15 -0400

unbound (1.10.1-1) unstable; urgency=high

  * New upstream version 1.10.1
    - Fix CVE-2020-12662: Unbound can be tricked into amplifying an incoming
      query into a large number of queries directed to a target.
    - Fix CVE-2020-12663: Malformed answers from upstream name servers can be
      used to make Unbound unresponsive.

 -- Robert Edmonds <edmonds@debian.org>  Tue, 19 May 2020 11:36:53 -0400

unbound (1.10.0-1) unstable; urgency=medium

  [ Robert Edmonds ]
  * New upstream version 1.10.0
  * Drop debian/patches/0002-Allow-use-of-libbsd-functions-with-configure-
    option-.patch (applied upstream)

  [ Stuart Prescott ]
  * Drop Python 2 module package (Closes: #938752)

 -- Robert Edmonds <edmonds@debian.org>  Sat, 18 Apr 2020 19:29:50 -0400

unbound (1.9.6-2) unstable; urgency=medium

  * debian/unbound.maintscript: Remove obsolete conffile
    /etc/unbound/unbound.conf.d/qname-minimisation.conf (Closes: #950406)

 -- Robert Edmonds <edmonds@debian.org>  Sat, 01 Feb 2020 14:44:39 -0500

unbound (1.9.6-1) unstable; urgency=medium

  [ Robert Edmonds ]
  * New upstream version 1.9.6 (Closes: #948036)
    - Fixes 'unbound crashes with "Assertion nread >= 0 failed in
      evmap_io_del_"' (Closes: #930699)
    - Fixes "unbound: Fails to answer TCP queries due to broken idle-timeout"
      (Closes: #946421)
  * debian/source/options: Remove 'single-debian-patch' option
  * debian/unbound.service: Change ExecReload to send SIGHUP rather than
    using unbound-control (Closes: #923314)
  * Enable remote-control by default (Closes: #923314)
  * Allow use of libbsd functions with configure option --with-libbsd
  * Remove "qname-minimisation: yes" config file setting, since this is
    now the default (Closes: #915056)
  * debian/package-helper: No longer invoke unbound-anchor for root trust
    anchor update (Closes: #910675)
  * debian/control: Bump Standards-Version to 4.5.0 (no changes)
  * debian/control: Remove build dependencies on autotools-dev, dh-
    autoreconf
  * debian/libunbound8.symbols: Add "* Build-Depends-Package: libunbound-
    dev"
  * Rename debian/NEWS.Debian -> debian/NEWS

  [ Matthew Palmer ]
  * Fix insecure use of start-stop-daemon --pidfile (Closes: #941573)

  [ Simon Deziel ]
  * Install Apparmor profile prior to service startup (Closes: #919511)

  [ Debian Janitor ]
  * Trim trailing whitespace.
  * Drop use of autotools-dev debhelper.
  * Bump debhelper from old 9 to 10.
  * Set field Upstream-Name in debian/copyright.

 -- Robert Edmonds <edmonds@debian.org>  Sun, 26 Jan 2020 22:45:45 -0500

unbound (1.9.4-2) unstable; urgency=medium

  * Cherry-pick upstream commit ec021e0d, "fix build with nettle-3.5"
    (Closes: #941041)

 -- Robert Edmonds <edmonds@debian.org>  Sat, 26 Oct 2019 08:00:58 -0400

unbound (1.9.4-1) unstable; urgency=high

  * New upstream version 1.9.4
    - Fix CVE-2019-16866: uninitialized memory access when parsing specially
      crafted NOTIFY query.

 -- Robert Edmonds <edmonds@debian.org>  Fri, 04 Oct 2019 00:43:19 -0400

unbound (1.9.3-1) unstable; urgency=medium

  * New upstream version 1.9.3

 -- Robert Edmonds <edmonds@debian.org>  Tue, 27 Aug 2019 14:24:11 -0400

unbound (1.9.3~rc1-1) experimental; urgency=medium

  * New upstream version 1.9.3~rc1
  * debian/control: Bump Standards-Version to 4.4.0 (no changes)

 -- Robert Edmonds <edmonds@debian.org>  Sat, 17 Aug 2019 18:01:56 -0400

unbound (1.9.0-2) unstable; urgency=medium

  [ Simon Deziel ]
  * Disable chroot'ing (Closes: #921538)

 -- Robert Edmonds <edmonds@debian.org>  Sat, 09 Feb 2019 21:10:52 -0500

unbound (1.9.0-1) unstable; urgency=medium

  * New upstream version 1.9.0
  * Team upload
  * Include dpkg/default.mk instead of only buildflags.mk
  * Update d/watch to reflect new download location and add signature check

 -- Ondřej Surý <ondrej@debian.org>  Tue, 05 Feb 2019 09:49:04 +0000

unbound (1.8.1-1) unstable; urgency=medium

  * New upstream version 1.8.1

 -- Robert Edmonds <edmonds@debian.org>  Thu, 08 Nov 2018 16:50:36 -0500

unbound (1.8.0-1) unstable; urgency=medium

  * New upstream version 1.8.0
  * debian/: libunbound2.symbols → libunbound8.symbols
  * debian/rules: libunbound2 → libunbound8
  * debian/control: libunbound2 → libunbound8
  * daemon/daemon.c: Fix systemd service manager state change notification

 -- Robert Edmonds <edmonds@debian.org>  Sat, 15 Sep 2018 16:21:11 -0400

unbound (1.7.3-1) unstable; urgency=medium

  * New upstream version 1.7.3
    - Don't count CNAME response types received during qname minimisation as
      query restart. (Closes: #900800)

 -- Robert Edmonds <edmonds@debian.org>  Thu, 21 Jun 2018 12:45:09 -0400

unbound (1.7.2-1) unstable; urgency=medium

  [ Robert Edmonds ]
  * New upstream version 1.7.2
  * debian/control: Update Maintainer field (Closes: #899758)

  [ Vincent Bernat ]
  * daemon/daemon.c: Fix reload hangs with systemd (Closes: #892914)

 -- Robert Edmonds <edmonds@debian.org>  Wed, 20 Jun 2018 17:30:34 -0400

unbound (1.7.1-1) unstable; urgency=medium

  [ Robert Edmonds ]
  * debian/control: Update Vcs-* links to use salsa.debian.org URLs
  * New upstream version 1.7.1

  [ Simon Deziel ]
  * debian/apparmor-profile: Add capabilities to chown/chmod Unix control
    socket (Closes: #891705)
  * debian/apparmor-profile: Allow reading /var/lib/sss/mc/initgroups
  * debian/apparmor-profile: Permit unbound to notify readiness to systemd
    (Closes: #867186)
  * debian/apparmor-profile: Let unbound r/w anywhere under
    /var/lib/unbound (Closes: #882731)
  * debian/apparmor-profile: Use attach_disconnected

 -- Robert Edmonds <edmonds@debian.org>  Wed, 23 May 2018 15:41:54 -0400

unbound (1.6.7-1) unstable; urgency=medium

  * New upstream version 1.6.7

 -- Robert Edmonds <edmonds@debian.org>  Sun, 15 Oct 2017 17:46:46 -0400

unbound (1.6.6-1) unstable; urgency=medium

  * New upstream version 1.6.6
  * debian/control: Drop obsolete build-depends on dh-systemd
  * debian/control: Bump Standards-Version to 4.1.1 (no changes)

 -- Robert Edmonds <edmonds@debian.org>  Sat, 07 Oct 2017 00:40:08 -0400

unbound (1.6.5-1) unstable; urgency=high

  [ Robert Edmonds ]
  * New upstream version 1.6.5
    - Fix install of trust anchor when two anchors are present, makes both
      valid. Checks hash of DS but not signature of new key. This fixes
      installs between sep11 and oct11 2017.
  * debian/rules: Enable EDNS Client Subnet in daemon

  [ Simon Deziel ]
  * debian/unbound.service: Set PIDFile= (Closes: #867192)

  [ Antony Antony ]
  * debian/rules: Enable libevent for libunbound2 API (Closes: #871675)

 -- Robert Edmonds <edmonds@debian.org>  Tue, 22 Aug 2017 22:50:56 -0400

unbound (1.6.4-1) unstable; urgency=medium

  [ Robert Edmonds ]
  * New upstream version 1.6.4
    - Fixes 'malformed packet DoS when "use-caps-for-id" enabled'
      (Closes: #864730)
  * debian/copyright: Use https form of the copyright-format URL
  * debian/copyright: Bump NLnet Labs copyright years through 2017
  * debian/control: Bump Standards-Version to 4.0.0
  * debian/: Enable systemd support
  * debian/unbound.service: Use Type=notify process start-up type
    (Closes: #866804)
  * debian/: Enable experimental pluggable event base libunbound API
    (Closes: #859584)
  * debian/control: Add Depends on lsb-base to satisfy lintian's
    "init.d-script-needs-depends-on-lsb-base"

  [ Steve Langasek ]
  * debian/control: Build-Depend on python '-dev' packages, not '-all-dev'
    (Closes: #864334, #866770)

  [ Steven Chamberlain ]
  * Allow use of libbsd functions with configure option --with-libbsd
  * debian/: Configure with --with-libbsd (Closes: #853751)

 -- Robert Edmonds <edmonds@debian.org>  Mon, 03 Jul 2017 16:30:17 -0400

unbound (1.6.0-3) unstable; urgency=medium

  * Cherry-pick upstream commit svn r4000, "Include root trust anchor id
    20326 in unbound-anchor". (Closes: #855484)

 -- Robert Edmonds <edmonds@debian.org>  Sun, 19 Feb 2017 20:04:34 -0500

unbound (1.6.0-2) unstable; urgency=high

  [ Helmut Grohne ]
  * Only use fake_dsa when HAVE_SSL is defined (Closes: #848339)

 -- Robert Edmonds <edmonds@debian.org>  Sun, 18 Dec 2016 15:00:12 -0500

unbound (1.6.0-1) unstable; urgency=medium

  [ Robert Edmonds ]
  * New upstream version 1.6.0

  [ Helmut Grohne ]
  * Add pkg.unbound.libonly build profile. (Closes: #847130)

 -- Robert Edmonds <edmonds@debian.org>  Thu, 15 Dec 2016 15:26:15 -0500

unbound (1.5.10-3) unstable; urgency=medium

  [ Helmut Grohne ]
  * Fix FTCBFS: (Closes: #845941)
    + Convert python Build-Depends to cross-friendly ones.
    + Let dh_auto_configure pass --host to ./configure.

 -- Robert Edmonds <edmonds@debian.org>  Sun, 27 Nov 2016 14:41:30 -0500

unbound (1.5.10-2) unstable; urgency=medium

  * debian/unbound.install: Install usr/sbin/unbound-checkconf
    (Closes: #842797)

 -- Robert Edmonds <edmonds@debian.org>  Tue, 01 Nov 2016 16:37:52 -0400

unbound (1.5.10-1) unstable; urgency=medium

  * New upstream version 1.5.10
    - Fixes FTBFS with OpenSSL 1.1.0 (Closes: #828584)
  * debian/: Build libunbound against nettle (Closes: #828699)
  * debian/: Support Python 3 (Closes: #835972)
  * debian/rules: Install libunbound.pc into the libunbound-dev package
  * debian/copyright: Update

 -- Robert Edmonds <edmonds@debian.org>  Tue, 04 Oct 2016 03:43:45 -0400

unbound (1.5.9-3) unstable; urgency=medium

  [ Nicolas Braud-Santoni ]
  * debian/: Ship AppArmor profile (Closes: #518002)
  * debian/control: Use HTTPS for Vcs-Git link
  * debian/unbound.service: Add documentation to the systemd unit file
  * debian/control: Bump Standards-Version to 3.9.8 (no changes)

 -- Robert Edmonds <edmonds@debian.org>  Sat, 06 Aug 2016 14:51:52 -0400

unbound (1.5.9-2) unstable; urgency=low

  * debian/unbound.init: Call start-stop-daemon with --retry for 'stop'
    action (based on patch from Julien Cristau)
  * debian/: Add unbound.service, unbound-resolvconf.service
    (Closes: #826241) (Thanks to Michael Biebl)
  * debian/rules: Configure with --with-rootkey-file=/var/lib/unbound/root.key

 -- Robert Edmonds <edmonds@debian.org>  Sun, 24 Jul 2016 19:48:56 -0400

unbound (1.5.9-1) unstable; urgency=medium

  * Imported Upstream version 1.5.9
    - Updated L-Root IPv6 address (Closes: #818292)
  * debian/unbound.init: Add "pidfile" magic comment (Closes: #807132)
  * debian/libunbound2.symbols: Add new symbol 'ub_ctx_create_ub_event'
  * Enable DNS query name minimisation by default

 -- Robert Edmonds <edmonds@debian.org>  Fri, 10 Jun 2016 23:01:15 -0400

unbound (1.5.8-1) unstable; urgency=medium

  * Imported Upstream version 1.5.8
  * debian/libunbound2.symbols: Add new symbol 'ub_ctx_set_stub'
  * debian/unbound.postinst: Clean up permissions on the resolvconf
    forwarder hook on upgrades (Closes: #816425)

 -- Robert Edmonds <edmonds@debian.org>  Sun, 06 Mar 2016 22:52:28 -0500

unbound (1.5.7-2) unstable; urgency=medium

  * debian/control: Add dh-python to Build-Depends
  * debian/: Install contrib/update-anchor.sh, contrib/unbound_munin_
    (Closes: #573329)
  * Makefile.in: Pass PYTHON_CPPFLAGS to swig instead of CPPFLAGS (Closes:
    #809055)
  * debian/: Run "wrap-and-sort -sabt"
  * debian/resolvconf: No longer use RESOLVCONF_FORWARDERS from
    /etc/default/unbound
  * debian/unbound.postinst: Remove unbound-anchor invocation
  * debian/package-helper: Add helper script for init scripts and
    resolvconf
  * debian/unbound.init: Rewrite to use package-helper script
  * debian/unbound.default: Remove
  * debian/unbound.maintscript: Remove conffile /etc/default/unbound
  * debian/resolvconf-package: Add resolvconf packaging-event hook script
    (Closes: #777228)
  * debian/control: unbound: Depend on dns-root-data, for root trust
    anchor updates (Closes: #760461)
  * debian/rules: Disable the resolvconf update.d hook by default
  * debian/gbp.conf: Remove [dch] id-length
  * debian/NEWS.Debian: Add NEWS entry for 1.5.7-2
  * debian/unbound.postinst: Always chown /var/lib/unbound (Closes:
    #763901)
  * debian/package-helper: Invoke unbound-anchor as user/group unbound
  * debian/: unbound.doc -> unbound.docs; Actually install upstream docs
  * debian/unbound.docs: Install doc/README.DNS64
  * debian/unbound.docs: Install debian/NEWS.Debian
  * debian/package-helper: Clean old chroot files (Closes: #790392) (Patch
    from Simon Deziel)

 -- Robert Edmonds <edmonds@debian.org>  Sun, 21 Feb 2016 16:22:23 -0500

unbound (1.5.7-1) unstable; urgency=medium

  * [3cf7971b] debian/control: Vcs-Browser should point to cgit
    (Closes: #804437)
  * [66955294] Imported Upstream version 1.5.7

 -- Robert Edmonds <edmonds@debian.org>  Sat, 12 Dec 2015 14:48:03 -0500

unbound (1.5.6-1) unstable; urgency=medium

  * [0d5117d5] Imported Upstream version 1.5.4
  * [8327e145] Imported Upstream version 1.5.5
  * [eb2adc8c] Imported Upstream version 1.5.6
    - Closes: #796934, #803042.
  * [5a973651] debian/control: Update Maintainer, Uploaders for pkg-dns
  * [543459fa] debian/control: Update Vcs-Browser, Vcs-Git
  * [b69e513f] debian/: Run "wrap-and-sort -sbt"
  * [730f3622] debian/gbp.conf: Add [dch] section
  * [6b383656] debian/: Enable dnstap support

 -- Robert Edmonds <edmonds@debian.org>  Sun, 08 Nov 2015 01:26:27 -0500

unbound (1.5.3-1) experimental; urgency=medium

  * New upstream release.

 -- Robert Edmonds <edmonds@debian.org>  Sat, 14 Mar 2015 14:16:27 -0400

unbound (1.5.2-1) experimental; urgency=medium

  * New upstream release.
  * Migrate pidfile from /var/run to /run; closes: #773247.
  * Fix unbound-checkconf to recognize "python" in module-config;
    closes: #777193.

 -- Robert Edmonds <edmonds@debian.org>  Sat, 28 Feb 2015 21:04:03 -0500

unbound (1.5.1-1) experimental; urgency=medium

  * New upstream release.
    - Fix CVE-2014-8602: denial of service by making resolver chase
      endless series of delegations.

 -- Robert Edmonds <edmonds@debian.org>  Mon, 08 Dec 2014 15:08:30 -0500

unbound (1.5.0~rc1-1) experimental; urgency=medium

  * New upstream release.
  * Upload to experimental.

 -- Robert Edmonds <edmonds@debian.org>  Tue, 11 Nov 2014 19:18:44 -0500

unbound (1.4.22-2) unstable; urgency=medium

  * Drop unneeded Build-Dependency on doxygen.
  * Drop unneeded Build-Dependency on automake. (Unbound does not use
    automake.)
  * Use dh_autotools-dev_updateconfig to update the config.{guess,sub} files
    at build time; closes: #746313.

 -- Robert S. Edmonds <edmonds@debian.org>  Mon, 18 Aug 2014 16:20:28 -0400

unbound (1.4.22-1) unstable; urgency=medium

  * New upstream release.
  * Drop Build-Dependency on libldns-dev. Unbound no longer relies on
    libldns.

 -- Robert S. Edmonds <edmonds@debian.org>  Wed, 12 Mar 2014 13:21:58 -0400

unbound (1.4.21-1) unstable; urgency=low

  * New upstream release.
  * Don't compress the example config file in /usr/share/doc/unbound;
    closes: #722708.
  * Fully enable hardening options; closes: #709837.
    (Patch from Simon Deziel.)
  * Add support for .d style configuration in /etc/unbound/unbound.conf.d;
    closes: #656549.
  * Move auto-trust-anchor-file configuration for the root into the new
    /etc/unbound/unbound.conf.d directory.

 -- Robert S. Edmonds <edmonds@debian.org>  Thu, 19 Sep 2013 21:45:39 -0400

unbound (1.4.20-1) unstable; urgency=low

  * New upstream release.
    - Updates IPv4 address hint for D.ROOT-SERVERS.NET; closes: #697351.
  * Correct exit code for "/etc/init.d/unbound status"; closes: #685052.
    (Patch from micah anderson.)
  * Finish dh_python2 conversion; closes: #697575.
    (Patch from Micah Gersten.)
  * Check for multiarch Python headers; closes: #697576.
    (Patch from Micah Gersten.)
  * Automatically set up the chroot directory if enabled; closes: #579622.
    (Patch from Simon Deziel.)

 -- Robert S. Edmonds <edmonds@debian.org>  Sat, 13 Apr 2013 15:34:47 -0400

unbound (1.4.19-1) unstable; urgency=low

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Fri, 14 Dec 2012 21:33:42 -0500

unbound (1.4.18-1) unstable; urgency=low

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 05 Aug 2012 21:54:05 -0400

unbound (1.4.17-2) unstable; urgency=low

  * Build-depend on libldns-dev (>= 1.6.13~) for ECDSA support.

 -- Robert S. Edmonds <edmonds@debian.org>  Mon, 28 May 2012 14:19:57 -0400

unbound (1.4.17-1) unstable; urgency=low

  * New upstream release; closes: #674434.
  * Implement 'status' command in init script; closes: #666388.
  * Fix build system bug that negated fully hardening the build;
    closes: #658021. (Patch from Simon Ruderich.)
  * Disable ECDSA support (for now) as this requires a newer ldns than is in
    the archive.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 27 May 2012 16:41:41 -0400

unbound (1.4.16-2) unstable; urgency=low

  * Enable hardened build flags; closes: #658021.

 -- Robert S. Edmonds <edmonds@debian.org>  Sat, 21 Apr 2012 15:35:16 -0400

unbound (1.4.16-1) unstable; urgency=low

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 05 Feb 2012 20:02:24 -0500

unbound (1.4.14-2) unstable; urgency=high

  * Work around gcc bugs by disabling link time optimization on build
    architectures that are not i386/amd64.

 -- Robert S. Edmonds <edmonds@debian.org>  Wed, 21 Dec 2011 15:52:17 -0500

unbound (1.4.14-1) unstable; urgency=high

   * New upstream release.
     - CVE-2011-4528.
   * Call dh_python2 in debian/rules; closes: #652294.

 -- Robert S. Edmonds <edmonds@debian.org>  Mon, 19 Dec 2011 11:00:46 -0500

unbound (1.4.13-2) unstable; urgency=low

  * Reduce the run-time dependencies of libunbound and the unbound-*
    utilities.

 -- Robert S. Edmonds <edmonds@debian.org>  Sat, 29 Oct 2011 16:16:19 -0400

unbound (1.4.13-1) unstable; urgency=low

  * New upstream release.
  * Only install forwarders learned from resolvconf into unbound if
    RESOLVCONF_FORWARDERS is enabled in /etc/default/unbound; closes: #637198.
  * Split unbound-anchor utility into separate binary package.
  * Support multi-arch.
  * Fix FTBFS with dpkg-dev 1.16.1.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 23 Oct 2011 16:55:45 -0400

unbound (1.4.12-1) unstable; urgency=medium

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Mon, 18 Jul 2011 15:56:42 -0400

unbound (1.4.11-1) unstable; urgency=low

  * New upstream release.
  * Fix FTBFS with default python >> 2.6; closes: #625520.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 03 Jul 2011 16:32:49 -0400

unbound (1.4.10-1) unstable; urgency=low

  * New upstream release:
    - CVE-2011-1922.

 -- Robert S. Edmonds <edmonds@debian.org>  Wed, 25 May 2011 15:48:34 -0700

unbound (1.4.9-2) unstable; urgency=low

  * Build-depend on libldns-dev (>= 1.6.9-2~) for GOST support.
  * Configure without --disable-gost.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 03 Apr 2011 14:31:40 -0400

unbound (1.4.9-1) unstable; urgency=low

  * New upstream release.
  * Convert packaging to git.
  * Configure with --with-pythonmodule.
  * Configure with --with-pyunbound.
  * Build new python-unbound package; closes: #542094.
  * Automatically create and remove remote control key material on package
    configuration and package purge.
  * Set default remote control port to 53953 to avoid conflicting with the
    bind9 package's default use of port 953 for rndc.
  * Securely fetch or update the root trust anchor at postinst and before
    starting the unbound daemon if ROOT_TRUST_ANCHOR_UPDATE is set in
    /etc/default/unbound; closes: #594911.
  * If unbound is listening on a loopback address, provide this address as
    a nameserver to resolvconf if RESOLVCONF is enabled in
    /etc/default/unbound; closes: #562031.
  * Configure resolvconf discovered nameservers as forwarders if
    RESOLVCONF_FORWARDERS is enabled in /etc/default/unbound; closes: #567879.
  * Don't exit from the init script with an error if UNBOUND_ENABLE is not
    true; default UNBOUND_ENABLE to true if the default file is missing
    entirely; closes: #618815.
  * Support /etc/init.d/unbound reload; closes: #620256.

 -- Robert S. Edmonds <edmonds@debian.org>  Sat, 02 Apr 2011 22:52:16 -0400

unbound (1.4.8-2) unstable; urgency=low

  * Add build-dependency on libexpat1-dev; closes: #612261.
  * Install unbound-anchor utility in unbound package.

 -- Robert S. Edmonds <edmonds@debian.org>  Mon, 07 Feb 2011 16:06:00 -0500

unbound (1.4.8-1) unstable; urgency=low

  * New upstream release; closes: #611527.
  * Add /etc/insserv.conf.d/unbound file declaring unbound to be a name
    daemon; closes: #596488, #600118.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 06 Feb 2011 23:33:04 -0500

unbound (1.4.6-1) unstable; urgency=low

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 15 Aug 2010 18:26:43 -0400

unbound (1.4.5-1) unstable; urgency=low

  * New upstream release.
  * Add dependency on openssl to the unbound binary package; closes: #585808.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 20 Jun 2010 16:50:42 -0400

unbound (1.4.4-1) unstable; urgency=low

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Thu, 22 Apr 2010 15:24:06 -0400

unbound (1.4.3-1) unstable; urgency=low

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Thu, 11 Mar 2010 15:55:33 -0500

unbound (1.4.2-1) unstable; urgency=low

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Tue, 09 Mar 2010 14:13:31 -0500

unbound (1.4.1-2) unstable; urgency=low

  * Invoke dh_installinit with --restart-after-upgrade; closes: #563033.

 -- Robert S. Edmonds <edmonds@debian.org>  Tue, 29 Dec 2009 21:54:26 -0500

unbound (1.4.1-1) unstable; urgency=low

  * New upstream release.
  * Document copyright status of util/configparser.c, util/configparser.h;
    closes: #552066.
  * Enable libev support; closes: #552424.

 -- Robert S. Edmonds <edmonds@debian.org>  Sat, 26 Dec 2009 17:19:10 -0500

unbound (1.4.0-1) unstable; urgency=low

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Fri, 04 Dec 2009 20:32:52 -0800

unbound (1.3.4-1) unstable; urgency=low

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Wed, 07 Oct 2009 12:59:21 -0400

unbound (1.3.3-1) unstable; urgency=low

  * New upstream release.
  * Drop .la file from libunbound-dev; closes: #541640.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 23 Aug 2009 13:25:53 -0400

unbound (1.3.2-1) unstable; urgency=low

  * New upstream release.

 -- Robert S. Edmonds <edmonds@debian.org>  Mon, 13 Jul 2009 05:50:47 -0400

unbound (1.3.0-1) unstable; urgency=low

  * New upstream release; closes: #533613.
  * Move pid file to /var/run; closes: #533611.
  * Use "unbound-checkconf -o pidfile" in init script to determine pid file
    location (thanks Michael Tokarev).

 -- Robert S. Edmonds <edmonds@debian.org>  Mon, 29 Jun 2009 01:10:00 -0400

unbound (1.2.1-2) unstable; urgency=low

  * Closes: #527753, #509535.

 -- Robert S. Edmonds <edmonds@debian.org>  Sat, 09 May 2009 16:46:32 -0400

unbound (1.2.1-1) unstable; urgency=low

  * New upstream release.
  * Remove init script chroot setup.

 -- Robert S. Edmonds <edmonds@debian.org>  Sat, 28 Feb 2009 19:46:09 -0500

unbound (1.0.2-1.2) unstable; urgency=low

  * Enable unbound by default (Closes: #508884)
  * Call dh_installinit with --error-handler=true (Closes: #500176)

 -- Ondřej Surý <ondrej@debian.org>  Tue, 16 Dec 2008 11:54:15 +0100

unbound (1.0.2-1.1) unstable; urgency=low

  [ Hideki Yamane (Debian-JP) ]
  * debian/{unbound.init,unbound.default}
    + set not start by default, to avoid that port 53 blocking by other name
      servers will cause install problems
  * debian/unbound.prerm
    + fix lintian "unbound: maintainer-script-hides-init-failure prerm:5" error

  [ Ondřej Surý ]
  * Non-maintainer upload.
  * Minor tweaks to patched init.d file to make it work.

 -- Ondřej Surý <ondrej@debian.org>  Mon, 15 Dec 2008 19:54:44 +0100

unbound (1.0.2-1) unstable; urgency=low

  * New upstream release;
    + stricter filtering of DNS messages to combat cache poisoning

 -- Robert S. Edmonds <edmonds@debian.org>  Mon, 25 Aug 2008 01:03:59 -0400

unbound (1.0.1-2) unstable; urgency=low

  * unbound tries too hard to chroot(); ship a default config that doesn't
    fail to start on new installs; closes: #492243.

 -- Robert S. Edmonds <edmonds@debian.org>  Sat, 02 Aug 2008 17:46:24 -0400

unbound (1.0.1-1) unstable; urgency=low

  * New upstream release.
  * Drop 'return' from init script; closes: #488650.

 -- Robert S. Edmonds <edmonds@debian.org>  Wed, 16 Jul 2008 12:38:55 -0400

unbound (1.0.0-3) unstable; urgency=low

  * Lintian clean; closes: #485438.
  * Don't chroot by default; note manual syslog configuration in
    README.Debian; closes: #486303.
  * Update to policy 3.8.0.0.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 15 Jun 2008 17:25:04 -0400

unbound (1.0.0-2) unstable; urgency=low

  * Fix Build-Deps.
  * Split unbound-host into a separate package.

 -- Robert S. Edmonds <edmonds@debian.org>  Sun, 25 May 2008 16:12:21 -0400

unbound (1.0.0-1) unstable; urgency=low

  * Initial release; closes: #482277.

 -- Robert S. Edmonds <edmonds@debian.org>  Wed, 21 May 2008 14:13:28 -0400
