There is an updated pull request by prspkt against master on the void-packages repository

https://github.com/prspkt/void-packages unbound
https://github.com/void-linux/void-packages/pull/15026

unbound: update to 1.9.4.
Fixes [CVE-2019-16866](https://nlnetlabs.nl/projects/unbound/security-advisories/#vulnerability-in-parsing-notify-queries)

A patch file from https://github.com/void-linux/void-packages/pull/15026.patch is attached