File unbound-1.20-CVE-2025-11411.patch of Package unbound.41604
commit f849f83f2183641d3c75c4bba69546f21d54ff87
Author: Jorik Cronenberg <jorik.cronenberg@suse.com>
Date: Wed Nov 12 15:12:51 2025 +0100
[1.20] [CVE-2025-11411]
diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
index 48867e50c..5beaa0484 100644
--- a/iterator/iter_scrub.c
+++ b/iterator/iter_scrub.c
@@ -571,6 +571,22 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
"RRset:", pkt, msg, prev, &rrset);
continue;
}
+ /* If the NS set is a promiscuous NS set, scrub that
+ * to remove potential for poisonous contents that
+ * affects other names in the same zone. Remove
+ * promiscuous NS sets in positive answers, that
+ * thus have records in the answer section. Nodata
+ * and nxdomain promiscuous NS sets have been removed
+ * already. Since the NS rrset is scrubbed, its
+ * address records are also not marked to be allowed
+ * and are removed later. */
+ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR &&
+ msg->an_rrsets != 0 &&
+ 1 /* env->cfg->iter_scrub_promiscuous */) {
+ remove_rrset("normalize: removing promiscuous "
+ "RRset:", pkt, msg, prev, &rrset);
+ continue;
+ }
if(nsset == NULL) {
nsset = rrset;
} else {
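Review bot: The third operand of the new condition, `1 /* env->cfg->iter_scrub_promiscuous */`, hard-codes the promiscuous-NS scrub as always-on and leaves the real gate as a commented-out expression, so a reader cannot tell whether the 1.20 backport deliberately dropped the configuration knob or simply never wired it in. If `env` (or an equivalent config handle) is reachable from this version of scrub_normalize, the literal should be replaced by the actual `iter_scrub_promiscuous` check so operators can disable the behaviour as upstream intends; if it is not, the dead expression should go and the decision be stated, e.g. `/* backport: promiscuous NS scrub is unconditional here; upstream gates it on cfg->iter_scrub_promiscuous */`. The NOERROR-and-non-empty-answer test itself matches the comment above it, and the removal presumably applies only to NS RRsets given that the following lines assign nsset, but that cannot be confirmed from the hunk. scrub_normalize begins and ends outside this hunk.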