Change log for bind9 package in Ubuntu
Published in jammy-proposed
bind9 (1:9.18.24-0ubuntu0.22.04.1) jammy; urgency=medium * New upstream version 9.18.24 (LP: #2040459) - Updates: + Mark use of AES as the DNS COOKIE algorithm as deprecated. + Mark resolver-nonbackoff-tries and resolver-retry-interval statements as deprecated. + Update IP addresses for B.ROOT-SERVERS.NET to 170.247.170.2 and 2801:1b8:10::b. + Mark dnssec-must-be-secure option as deprecated. + Honor nsupdate -v option for SOA queries by sending both the UPDATE request and the initial query over TCP. + Reduce memory consumption through dedicated jemalloc memory arenas. - Bug fixes: + Fix accidental truncation to 32 bit of statistics channel counters. + Do not schedule unsigned versions of inline-signed zones containing DNSSEC records for resigning. + Take local authoritative data into account when looking up stale data from the cache. + Fix assertion failure when lock-file used at the same time as named -X. + Fix lockfile removal issue when starting named 3+ times. + Fix validation of If-Modified-Since header in statistics channel for its length. + Add Content-Length header bounds check to avoid integer overflow. + Fix memory leaks from OpenSSL error stack. + Fix SERVFAIL responses after introduction of krb5-subdomain-self-rhs and ms-subdomain-self-rhs UPDATE policies. + Fix accidental disable of stale-refresh-time feature on rndc flush. + Fix possible DNS message corruption from partial writes in TLS DNS. - See https://bind9.readthedocs.io/en/v9.18.24/notes.html for additional information. * Remove CVE patches fixed upstream: - CVE-2023-3341.patch - CVE-2023-4236.patch [ Fixed in 9.18.19 ] - 0001-CVE-2023-4408.patch - 0002-CVE-2023-5517.patch - 0003-CVE-2023-5679.patch - 0004-CVE-2023-50387-CVE-2023-50868.patch [ Fixed in 9.18.24 ] * d/p/always-use-standard-library-stdatomic.patch: Maintain use of the standard library stdatomic.h. -- Lena Voytek <email address hidden> Thu, 11 Apr 2024 14:11:18 -0700
Published in mantic-proposed
bind9 (1:9.18.24-0ubuntu0.23.10.1) mantic; urgency=medium * New upstream version 9.18.24 (LP: #2040459) - Updates: + Mark use of AES as the DNS COOKIE algorithm as deprecated. + Mark resolver-nonbackoff-tries and resolver-retry-interval statements as deprecated. + Update IP addresses for B.ROOT-SERVERS.NET to 170.247.170.2 and 2801:1b8:10::b. + Mark dnssec-must-be-secure option as deprecated. + Honor nsupdate -v option for SOA queries by sending both the UPDATE request and the initial query over TCP. + Reduce memory consumption through dedicated jemalloc memory arenas. - Bug fixes: + Fix accidental truncation to 32 bit of statistics channel counters. + Do not schedule unsigned versions of inline-signed zones containing DNSSEC records for resigning. + Take local authoritative data into account when looking up stale data from the cache. + Fix assertion failure when lock-file used at the same time as named -X. + Fix lockfile removal issue when starting named 3+ times. + Fix validation of If-Modified-Since header in statistics channel for its length. + Add Content-Length header bounds check to avoid integer overflow. + Fix memory leaks from OpenSSL error stack. + Fix SERVFAIL responses after introduction of krb5-subdomain-self-rhs and ms-subdomain-self-rhs UPDATE policies. + Fix accidental disable of stale-refresh-time feature on rndc flush. + Fix possible DNS message corruption from partial writes in TLS DNS. - See https://bind9.readthedocs.io/en/v9.18.24/notes.html for additional information. * Remove CVE patches fixed upstream: - CVE-2023-3341.patch - CVE-2023-4236.patch [ Fixed in 9.18.19 ] - 0001-CVE-2023-4408.patch - 0002-CVE-2023-5517.patch - 0003-CVE-2023-5679.patch - 0004-CVE-2023-50387-CVE-2023-50868.patch [ Fixed in 9.18.24 ] * d/p/always-use-standard-library-stdatomic.patch: Maintain use of the standard library stdatomic.h. -- Lena Voytek <email address hidden> Tue, 09 Apr 2024 14:28:37 -0700
Published in oracular-release
Published in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
bind9 (1:9.18.24-0ubuntu5) noble; urgency=high * No change rebuild against libssl3t64, libuv1t64. -- Julian Andres Klode <email address hidden> Mon, 08 Apr 2024 16:37:41 +0200
bind9 (1:9.18.24-0ubuntu4) noble; urgency=medium * No-change rebuild for CVE-2024-3094 -- Steve Langasek <email address hidden> Sun, 31 Mar 2024 00:04:23 +0000
bind9 (1:9.18.24-0ubuntu3) noble; urgency=medium * bind9-libs: Hard-code libuv1t64 instead of libuv1. -- Matthias Klose <email address hidden> Wed, 06 Mar 2024 12:35:21 +0100
Superseded in noble-proposed
bind9 (1:9.18.24-0ubuntu2) noble; urgency=medium * No-change rebuild against libssl3t64 -- Steve Langasek <email address hidden> Mon, 04 Mar 2024 17:27:42 +0000
bind9 (1:9.18.24-0ubuntu1) noble; urgency=medium * Updated to 9.18.21 to fix security issues. - Security Fixes: + Validating DNS messages containing a lot of DNSSEC signatures could cause excessive CPU load, leading to a denial-of-service condition. This has been fixed. (CVE-2023-50387) + Preparing an NSEC3 closest encloser proof could cause excessive CPU load, leading to a denial-of-service condition. This has been fixed. (CVE-2023-50868) + Parsing DNS messages with many different names could cause excessive CPU load. This has been fixed. (CVE-2023-4408) + Specific queries could cause named to crash with an assertion failure when nxdomain-redirect was enabled. This has been fixed. (CVE-2023-5517) + A bad interaction between DNS64 and serve-stale could cause named to crash with an assertion failure, when both of these features were enabled. This has been fixed. (CVE-2023-5679) + Under certain circumstances, the DNS-over-TLS client code incorrectly attempted to process more than one DNS message at a time, which could cause named to crash with an assertion failure. This has been fixed. - Bug Fixes: + The counters exported via the statistics channel were changed back to 64-bit signed values; they were being inadvertently truncated to unsigned 32-bit values since BIND 9.15.0. - See https://bind9.readthedocs.io/en/v9.18.24/notes.html for additional information -- Marc Deslauriers <email address hidden> Wed, 14 Feb 2024 14:31:05 -0500
bind9 (1:9.16.48-0ubuntu0.20.04.1) focal-security; urgency=medium * Updated to 9.16.48 to fix multiple security issues. - Please see the following for a list of changes, including possibly incompatible ones: https://downloads.isc.org/isc/bind9/9.16.48/doc/arm/html/notes.html - CVE-2023-4408 - CVE-2023-5517 - CVE-2023-6516 - CVE-2023-50387 - CVE-2023-50868 * Packaging changes required for 9.16.48: - Dropped patches no longer required with 9.16.48: + CVE-*.patch + fix-rebinding-protection.patch, + 0003-Print-diagnostics-on-dns_name_issubdomain-failure-in.patch + lp-1909950-fix-race-between-deactivating-handle-async-callback.patch + lp1997375-segfault-isc-nm-tcp-send.patch - Synced other patches with Debian's 1:9.16.48-1 package - debian/*.install, debian/*.links: updated with new files in 9.16.48. - debian/rules, debian/not-installed: don't delete old -dev files, just don't install them. - debian/control, debian/rules: switch packages required to build documentation. -- Marc Deslauriers <email address hidden> Wed, 14 Feb 2024 07:49:14 -0500
bind9 (1:9.18.18-0ubuntu0.22.04.2) jammy-security; urgency=medium * SECURITY UPDATE: Multiple security issues - debian/patches/0001-CVE-2023-4408.patch: Parsing large DNS messages may cause excessive CPU load. - debian/patches/0002-CVE-2023-5517.patch: Querying RFC 1918 reverse zones may cause an assertion failure when nxdomain-redirect is enabled. - debian/patches/0003-CVE-2023-5679.patch: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution. - debian/patches/0004-CVE-2023-50387-CVE-2023-50868.patch: Extreme CPU consumption in DNSSEC validator and Preparing an NSEC3 closest encloser proof can exhaust CPU resources. - CVE-2023-4408 - CVE-2023-5517 - CVE-2023-5679 - CVE-2023-50387 - CVE-2023-50868 -- Marc Deslauriers <email address hidden> Mon, 12 Feb 2024 14:29:56 -0500
bind9 (1:9.18.18-0ubuntu2.1) mantic-security; urgency=medium * SECURITY UPDATE: Multiple security issues - debian/patches/0001-CVE-2023-4408.patch: Parsing large DNS messages may cause excessive CPU load. - debian/patches/0002-CVE-2023-5517.patch: Querying RFC 1918 reverse zones may cause an assertion failure when nxdomain-redirect is enabled. - debian/patches/0003-CVE-2023-5679.patch: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution. - debian/patches/0004-CVE-2023-50387-CVE-2023-50868.patch: Extreme CPU consumption in DNSSEC validator and Preparing an NSEC3 closest encloser proof can exhaust CPU resources. - CVE-2023-4408 - CVE-2023-5517 - CVE-2023-5679 - CVE-2023-50387 - CVE-2023-50868 -- Marc Deslauriers <email address hidden> Mon, 12 Feb 2024 14:29:56 -0500
bind9 (1:9.18.21-0ubuntu1) noble; urgency=medium * New upstream release 9.18.21 (LP: #2040359) - Updates: + Update IP addresses for B.ROOT-SERVERS.NET to 170.247.170.2 and 2801:1b8:10::b. + Honor nsupdate -v option when server command specified by sending both the UPDATE request and the initial query over TCP. + Mark cookie-algorithm aes as deprecated, use SipHash-2-4, instead. + Mark resolver-nonbackoff-tries and resolver-retry-interval as deprecated. + Mark dnssec-must-be-secure as deprecated. - Bug Fixes: + Do not schedule unsigned versions of inline-signed zones containing DNSSEC records for resigning. + Take local authoritative data into account when looking up stale cache data. + Fix use of named -X and lock-file at the same time. + Fix improper lock-file removal. + Fix bound checking in Content-Length header in the statistics channel. + Fix memory leaks from not clearing the OpenSSL error stack. + Fix SERVFAIL responses from introduction of krb5-subdomain-self-rhs and ms-subdomain-self-rhs update policies. + Fix stale-refresh-time feature being disabled by cache flush. + Fix DNS message corruption from partial writes. - See https://bind9.readthedocs.io/en/v9.18.21/notes.html for additional information * d/p/CVE-2023-3341.patch, d/p/CVE-2023-4236.patch: Remove - fixed by upstream in version 9.18.19 * d/p/always-use-standard-library-stdatomic.patch: Maintain use of the standard library stdatomic.h -- Lena Voytek <email address hidden> Thu, 25 Jan 2024 08:37:15 -0700
bind9 (1:9.18.18-0ubuntu0.22.04.1) jammy; urgency=medium * New upstream release 9.18.18 (LP: #2028413) - Updates: + Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection. + Mark dialup and heartbeat-interval options as deprecated. + Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally. + Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named. + Mark TKEY mode 2 as deprecated. + Mark delegation-only and root-delegation-only as deprecated. + Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time. - Bug Fixes: + Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed. + Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure. + Fix the ability to read HMAC-MD5 key files (LP: #2015176). + Fix stability issues with the catalog zone implementation. + Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration. + Do not return delegation from cache after stale-answer-client-timeout. + Fix failure to auto-tune clients-per-query limit in some situations. + Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements. + Bring rndc read timeout back to 60 seconds from 30. + Treat libuv returning ISC_R_INVALIDPROTO as a network error. + Clean up empty-non-terminal NSEC3 records. + Fix log file rotation cleanup for absolute file path destinations. + Fix various catalog zone processing crashes. + Fix transfer hang when downloading large zones over TLS. + Fix named crash when adding a new zone into the configuration file for a name which was already configured as member zone for a catalog zone. 
+ Delay DNSSEC key queries until all zones have finished loading. - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional information. * d/p/CVE-2023-2828.patch, CVE-2023-2911.patch: Remove - fixed upstream in 9.18.16. * d/p/CVE-2023-3341.patch: Refresh, matching upstream, to apply in 9.18.18. * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650) -- Lena Voytek <email address hidden> Wed, 20 Sep 2023 15:15:41 -0700
bind9 (1:9.18.18-0ubuntu0.23.04.1) lunar; urgency=medium * New upstream release 9.18.18 (LP: #2028413) - Updates: + Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection. + Mark dialup and heartbeat-interval options as deprecated. + Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally. + Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named. + Mark TKEY mode 2 as deprecated. + Mark delegation-only and root-delegation-only as deprecated. + Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time. - Bug Fixes: + Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed. + Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure. + Fix the ability to read HMAC-MD5 key files (LP: #2015176). + Fix stability issues with the catalog zone implementation. + Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration. + Do not return delegation from cache after stale-answer-client-timeout. + Fix failure to auto-tune clients-per-query limit in some situations. + Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements. + Bring rndc read timeout back to 60 seconds from 30. + Treat libuv returning ISC_R_INVALIDPROTO as a network error. + Clean up empty-non-terminal NSEC3 records. + Fix log file rotation cleanup for absolute file path destinations. + Fix various catalog zone processing crashes. + Fix transfer hang when downloading large zones over TLS. + Fix named crash when adding a new zone into the configuration file for a name which was already configured as member zone for a catalog zone. 
+ Delay DNSSEC key queries until all zones have finished loading. - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional information. * d/p/CVE-2023-2828.patch, CVE-2023-2911.patch: Remove - fixed upstream in 9.18.16. * d/p/CVE-2023-3341.patch: Refresh, matching upstream, to apply in 9.18.18. * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650) -- Lena Voytek <email address hidden> Wed, 20 Sep 2023 14:52:27 -0700
Superseded in noble-release
Published in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
bind9 (1:9.18.18-0ubuntu2) mantic; urgency=medium * SECURITY UPDATE: DoS via recursive packet parsing - debian/patches/CVE-2023-3341.patch: add a max depth check to lib/isc/include/isc/result.h, lib/isc/result.c, lib/isccc/cc.c. - CVE-2023-3341 * SECURITY UPDATE: DoS via DNS-over-TLS queries - debian/patches/CVE-2023-4236.patch: check return code in lib/isc/netmgr/tlsdns.c. - CVE-2023-4236 -- Marc Deslauriers <email address hidden> Wed, 20 Sep 2023 12:45:21 -0400
bind9 (1:9.18.12-0ubuntu0.22.04.3) jammy-security; urgency=medium * SECURITY UPDATE: DoS via recursive packet parsing - debian/patches/CVE-2023-3341.patch: add a max depth check to lib/isc/include/isc/result.h, lib/isc/result.c, lib/isccc/cc.c. - CVE-2023-3341 * SECURITY UPDATE: DoS via DNS-over-TLS queries - debian/patches/CVE-2023-4236.patch: check return code in lib/isc/netmgr/tlsdns.c. - CVE-2023-4236 -- Marc Deslauriers <email address hidden> Tue, 19 Sep 2023 07:21:46 -0400
bind9 (1:9.16.1-0ubuntu2.16) focal-security; urgency=medium * SECURITY UPDATE: DoS via recursive packet parsing - debian/patches/CVE-2023-3341.patch: add a max depth check to lib/isccc/include/isccc/result.h, lib/isccc/result.c, lib/isccc/cc.c. - CVE-2023-3341 -- Marc Deslauriers <email address hidden> Tue, 19 Sep 2023 07:22:19 -0400
bind9 (1:9.18.12-1ubuntu1.2) lunar-security; urgency=medium * SECURITY UPDATE: DoS via recursive packet parsing - debian/patches/CVE-2023-3341.patch: add a max depth check to lib/isc/include/isc/result.h, lib/isc/result.c, lib/isccc/cc.c. - CVE-2023-3341 * SECURITY UPDATE: DoS via DNS-over-TLS queries - debian/patches/CVE-2023-4236.patch: check return code in lib/isc/netmgr/tlsdns.c. - CVE-2023-4236 -- Marc Deslauriers <email address hidden> Tue, 19 Sep 2023 07:18:28 -0400
bind9 (1:9.18.18-0ubuntu1) mantic; urgency=medium * New upstream release 9.18.18 (LP: #2034367) - Updates: + Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection. + Mark dialup and heartbeat-interval options as deprecated. + Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally. + Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named. - Bug Fixes: + Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed. + Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure. + Fix the ability to read HMAC-MD5 key files (LP: #2015176). + Fix stability issues with the catalog zone implementation. - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional information. -- Lena Voytek <email address hidden> Tue, 05 Sep 2023 13:20:06 -0700
bind9 (1:9.18.16-1ubuntu4) mantic; urgency=medium * d/t/dyndb-ldap: allow writing to the dns tree (LP: #2034250) -- Andreas Hasenack <email address hidden> Tue, 05 Sep 2023 10:20:27 -0300
bind9 (1:9.18.16-1ubuntu3) mantic; urgency=medium * d/t/control: exclude the i386 architecture for the dyndb-ldap test, since bind9-dyndb-ldap is not available there on Ubuntu * d/t/dyndb-ldap: fix for the ldap bind9 dn entry
Superseded in mantic-proposed
bind9 (1:9.18.16-1ubuntu2) mantic; urgency=medium * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650) -- Andreas Hasenack <email address hidden> Tue, 22 Aug 2023 09:24:02 -0300
bind9 (1:9.18.16-1ubuntu1) mantic; urgency=medium * Merge with Debian unstable (LP: #2018050). Remaining changes: - Don't build dnstap as it depends on universe packages: + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and protobuf-c-compiler (universe packages) + d/dnsutils.install: don't install dnstap + d/rules: don't build dnstap nor install dnstap.proto - Add back apport: + d/bind9.apport: add back old bind9 apport hook, but without calling attach_conffiles() since that is already done by apport itself, with confirmation from the user. + d/control, d/rules: build-depends on dh-apport and use it - d/control: remove optional libjemalloc-dev Build-Depends as it is not in main. - d/NEWS: mention relevant packaging changes - Improve dep-8 test suite (LP #2003584): + d/t/zonetest: Add dep8 test for checking the domain zone creation process + d/t/control: Add new test outline * Added Changes: - d/po/de.po: Fix German UTF-8 encoding - d/copyright: Fix lintian warnings + Remove the entry for lib/isc/hp.c lib/isc/include/isc/hp.h as they were deleted in 9.18.2 + Remove the entry for lib/isc/include/pkcs11/pkcs11.h as it is no longer bundled as of 9.17.19 + Update the location of random_test.c and add info about its public domain section + Add wildcards to folders as needed + Note that m4/ uses the FSFAP license - d/control: Remove lsb-base dependency as it is no longer needed + See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019851 -- Lena Voytek <email address hidden> Mon, 26 Jun 2023 14:25:50 -0700
Superseded in mantic-proposed
bind9 (1:9.18.12-1ubuntu2) mantic; urgency=medium * SECURITY UPDATE: Configured cache size limit can be significantly exceeded - debian/patches/CVE-2023-2828.patch: fix cache expiry in lib/dns/rbtdb.c. - CVE-2023-2828 * SECURITY UPDATE: Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0 - debian/patches/CVE-2023-2911.patch: fix refreshing queries in lib/ns/query.c. - CVE-2023-2911 -- Marc Deslauriers <email address hidden> Tue, 20 Jun 2023 08:24:50 -0400
bind9 (1:9.18.12-0ubuntu0.22.10.2) kinetic-security; urgency=medium * SECURITY UPDATE: Configured cache size limit can be significantly exceeded - debian/patches/CVE-2023-2828.patch: fix cache expiry in lib/dns/rbtdb.c. - CVE-2023-2828 * SECURITY UPDATE: Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0 - debian/patches/CVE-2023-2911.patch: fix refreshing queries in lib/ns/query.c. - CVE-2023-2911 -- Marc Deslauriers <email address hidden> Tue, 20 Jun 2023 08:28:59 -0400
bind9 (1:9.18.12-0ubuntu0.22.04.2) jammy-security; urgency=medium * SECURITY UPDATE: Configured cache size limit can be significantly exceeded - debian/patches/CVE-2023-2828.patch: fix cache expiry in lib/dns/rbtdb.c. - CVE-2023-2828 * SECURITY UPDATE: Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0 - debian/patches/CVE-2023-2911.patch: fix refreshing queries in lib/ns/query.c. - CVE-2023-2911 -- Marc Deslauriers <email address hidden> Tue, 20 Jun 2023 08:29:34 -0400
bind9 (1:9.18.12-1ubuntu1.1) lunar-security; urgency=medium * SECURITY UPDATE: Configured cache size limit can be significantly exceeded - debian/patches/CVE-2023-2828.patch: fix cache expiry in lib/dns/rbtdb.c. - CVE-2023-2828 * SECURITY UPDATE: Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0 - debian/patches/CVE-2023-2911.patch: fix refreshing queries in lib/ns/query.c. - CVE-2023-2911 -- Marc Deslauriers <email address hidden> Tue, 20 Jun 2023 08:24:50 -0400
bind9 (1:9.16.1-0ubuntu2.15) focal-security; urgency=medium * SECURITY UPDATE: Configured cache size limit can be significantly exceeded - debian/patches/CVE-2023-2828.patch: fix cache expiry in lib/dns/rbtdb.c. - CVE-2023-2828 -- Marc Deslauriers <email address hidden> Tue, 20 Jun 2023 08:38:29 -0400
bind9 (1:9.18.12-0ubuntu0.22.04.1) jammy; urgency=medium * New upstream releases 9.18.2 - 9.18.12 (LP: #2003586) - Updates: + update-quota option + named -V shows supported cryptographic algorithms + Catalog Zones schema version 2 support in named + DNS error support Stale Answer and Stale NXDOMAIN Answer + Remote TLS certificate verification support + reusereport option - Bug Fixes Include: + Fix crash when using dig with +nssearch and +tcp (LP: #1258003) + Fix incomplete results using dig with +nssearch (LP: #1970252) + Fix loading of preinstalled plugins (LP: #2006972) + CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38178, CVE-2022-3094, CVE-2022-3736, CVE-2022-3924, CVE-2022-1183 + Fix thread safety in dns_dispatch + Fix ADB quota management in resolver + Fix Prohibited DNS error on allow-recursion + Fix crash when restarting server with active statschannel connection + Fix use after free for catalog zone processing + Fix leak of dns_keyfileio_t objects + Fix nslookup failure to use port option when record type ANY is used + Fix crash on dnssec-policy zone with NSEC3 and inline-signing turned on + Fix inheritance when setting remote server port + Fix assertion error when accessing statistics channel + Fix rndc dumpdb -expired for stuck cache + Fix check for other name servers after receiving FORMERR + Fix deletion of CDS after zone sign + Fix dighost query context management + Fix dig hanging due to IPv4 mapped IPv6 address + See https://bind9.readthedocs.io/en/v9_18_12/notes.html#notes-for-bind-9-18-12 for additional bug fixes and information * Improve dep-8 test suite (LP: #2003584): - d/t/zonetest: Add dep8 test for checking the domain zone creation process - d/t/control: Add new test outline * d/bind9-doc.docs: Stop installing removed file doc/misc/options.active * Remove patches for bugs LP #1964400 and LP #1964686 fixed upstream: - lp1964400-lp1964686-Fix-an-issue-in-dig-when-retrying-with-the-next-serv - 
lp1964400-lp1964686-When-resending-a-UDP-request-insert-the-query-to-the - lp1964400-lp1964686-Add-digdelv-system-test-to-check-timed-out-result-fo - lp1964400-lp1964686-After-dig-request-errors-try-to-use-other-servers-wh - lp1964400-lp1964686-Add-digdelv-system-test-to-check-that-dig-tries-othe - lp1964400-lp1964686-Fix-dig-error-when-trying-the-next-server-after-a-TC - lp1964400-lp1964686-Add-various-dig-host-tests-for-TCP-UDP-socket-error- * Remove CVE patches fixed upstream: - debian/patches/CVE-2022-1183.patch [Included in upstream release 9.18.3] - debian/patches/CVE-2022-2795.patch - debian/patches/CVE-2022-2881.patch - debian/patches/CVE-2022-2906.patch - debian/patches/CVE-2022-3080.patch - debian/patches/CVE-2022-38178.patch [Included in upstream release 9.18.7] - debian/patches/CVE-2022-3094.patch - debian/patches/CVE-2022-3736.patch - debian/patches/CVE-2022-3924.patch [Included in upstream release 9.18.11] -- Lena Voytek <email address hidden> Wed, 08 Mar 2023 12:08:55 -0700
bind9 (1:9.18.12-0ubuntu0.22.10.1) kinetic; urgency=medium * New upstream releases 9.18.5 - 9.18.12 (LP: #2003586) - Updates: + update-quota option + named -V shows supported cryptographic algorithms - Bug Fixes Include: + Fix crash when using dig with +nssearch and +tcp (LP: #1258003) + Fix incomplete results using dig with +nssearch (LP: #1970252) + CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38178, CVE-2022-3094, CVE-2022-3736, CVE-2022-3924 + Fix thread safety in dns_dispatch + Fix ADB quota management in resolver + Fix Prohibited DNS error on allow-recursion + Fix crash when restarting server with active statschannel connection + Fix use after free for catalog zone processing + Fix leak of dns_keyfileio_t objects + Fix nslookup failure to use port option when record type ANY is used + Fix crash on dnssec-policy zone with NSEC3 and inline-signing turned on + Fix inheritance when setting remote server port + Fix assertion error when accessing statistics channel + Fix rndc dumpdb -expired for stuck cache + Fix check for other name servers after receiving FORMERR + See https://bind9.readthedocs.io/en/v9_18_12/notes.html#notes-for-bind-9-18-12 for additional bug fixes and information * Improve dep-8 test suite (LP: #2003584): - d/t/zonetest: Add dep8 test for checking the domain zone creation process - d/t/control: Add new test outline * d/bind9-doc.docs: Stop installing removed file doc/misc/options.active * d/p/0001-Disable-treat-warnings-as-errors-in-sphinx-build.patch: refresh to apply with version 9.18.8 * Remove CVE patches fixed upstream: - debian/patches/CVE-2022-2795.patch - debian/patches/CVE-2022-2881.patch - debian/patches/CVE-2022-2906.patch - debian/patches/CVE-2022-3080.patch - debian/patches/CVE-2022-38178.patch [Included in upstream release 9.18.7] - debian/patches/CVE-2022-3094.patch - debian/patches/CVE-2022-3736.patch - debian/patches/CVE-2022-3924.patch [Included in upstream release 9.18.11] -- Lena Voytek <email 
address hidden> Wed, 08 Mar 2023 08:49:53 -0700
bind9 (1:9.16.1-0ubuntu2.14) focal; urgency=medium * d/bind9.named.service: restart the named service on failure. (LP: #2006054)
Published in bionic-proposed
bind9 (1:9.11.3+dfsg-1ubuntu1.19) bionic; urgency=medium * d/bind9.service: restart the bind9 service on failure. (LP: #2006054) -- Athos Ribeiro <email address hidden> Fri, 03 Mar 2023 12:42:18 -0300
Superseded in mantic-release
Published in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
bind9 (1:9.18.12-1ubuntu1) lunar; urgency=medium * Merge with Debian unstable. Remaining changes: - Don't build dnstap as it depends on universe packages: + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and protobuf-c-compiler (universe packages) + d/dnsutils.install: don't install dnstap + d/rules: don't build dnstap nor install dnstap.proto - Add back apport: + d/bind9.apport: add back old bind9 apport hook, but without calling attach_conffiles() since that is already done by apport itself, with confirmation from the user. + d/control, d/rules: build-depends on dh-apport and use it - d/control: remove optional libjemalloc-dev Build-Depends as it is not in main. - d/NEWS: mention relevant packaging changes - Improve dep-8 test suite (LP #2003584): + d/t/zonetest: Add dep8 test for checking the domain zone creation process + d/t/control: Add new test outline -- Lena Voytek <email address hidden> Wed, 22 Feb 2023 10:10:14 -0700
Superseded in lunar-proposed
bind9 (1:9.18.11-2ubuntu1) lunar; urgency=medium * Merge with Debian unstable (LP: #2004172). Remaining changes: - Don't build dnstap as it depends on universe packages: + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and protobuf-c-compiler (universe packages) + d/dnsutils.install: don't install dnstap + d/rules: don't build dnstap nor install dnstap.proto - Add back apport: + d/bind9.apport: add back old bind9 apport hook, but without calling attach_conffiles() since that is already done by apport itself, with confirmation from the user. + d/control, d/rules: build-depends on dh-apport and use it - d/control: remove optional libjemalloc-dev Build-Depends as it is not in main. - d/NEWS: mention relevant packaging changes - Improve dep-8 test suite (LP #2003584): + d/t/zonetest: Add dep8 test for checking the domain zone creation process + d/t/control: Add new test outline * Dropped Changes: - d/extras/apparmor.d/usr.sbin.named: Allow systemd notify access in apparmor for named [Fixed in Debian 1:9.18.11-2] -- Lena Voytek <email address hidden> Mon, 30 Jan 2023 08:37:28 -0700
Superseded in focal-proposed
bind9 (1:9.16.1-0ubuntu2.13) focal; urgency=medium * d/p/lp1997375-segfault-isc-nm-tcp-send.patch: Fix segfault on isc__nm_tcpdns_send by moving the tcpdns processing to another thread. (LP: #1997375) -- Sergio Durigan Junior <email address hidden> Thu, 02 Feb 2023 13:38:24 -0500
bind9 (1:9.18.10-2ubuntu2) lunar; urgency=medium * Improve dep-8 test suite (LP: #2003584): - d/t/zonetest: Add dep8 test for checking the domain zone creation process - d/t/control: Add new test outline -- Lena Voytek <email address hidden> Fri, 27 Jan 2023 09:16:29 -0700
bind9 (1:9.18.1-1ubuntu1.3) jammy-security; urgency=medium * SECURITY UPDATE: An UPDATE message flood may cause named to exhaust all available memory - debian/patches/CVE-2022-3094.patch: add counter in bin/named/bind9.xsl, bin/named/statschannel.c, doc/arm/reference.rst, lib/ns/include/ns/server.h, lib/ns/include/ns/stats.h, lib/ns/server.c, lib/ns/update.c. - CVE-2022-3094 * SECURITY UPDATE: named configured to answer from stale cache may terminate unexpectedly while processing RRSIG queries - debian/patches/CVE-2022-3736.patch: fix logic in lib/ns/query.c. - CVE-2022-3736 * SECURITY UPDATE: named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota - debian/patches/CVE-2022-3924.patch: improve logic in lib/dns/resolver.c, lib/ns/query.c. - CVE-2022-3924 -- Marc Deslauriers <email address hidden> Tue, 24 Jan 2023 08:18:53 -0500
bind9 (1:9.16.1-0ubuntu2.12) focal-security; urgency=medium * SECURITY UPDATE: An UPDATE message flood may cause named to exhaust all available memory - debian/patches/CVE-2022-3094.patch: add counter in bin/named/bind9.xsl, bin/named/statschannel.c, lib/ns/include/ns/server.h, lib/ns/include/ns/stats.h, lib/ns/server.c, lib/ns/update.c. - CVE-2022-3094 -- Marc Deslauriers <email address hidden> Tue, 24 Jan 2023 08:30:54 -0500
bind9 (1:9.18.4-2ubuntu2.1) kinetic-security; urgency=medium * SECURITY UPDATE: An UPDATE message flood may cause named to exhaust all available memory - debian/patches/CVE-2022-3094.patch: add counter in bin/named/bind9.xsl, bin/named/statschannel.c, doc/arm/reference.rst, lib/ns/include/ns/server.h, lib/ns/include/ns/stats.h, lib/ns/server.c, lib/ns/update.c. - CVE-2022-3094 * SECURITY UPDATE: named configured to answer from stale cache may terminate unexpectedly while processing RRSIG queries - debian/patches/CVE-2022-3736.patch: fix logic in lib/ns/query.c. - CVE-2022-3736 * SECURITY UPDATE: named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota - debian/patches/CVE-2022-3924.patch: improve logic in lib/dns/resolver.c, lib/ns/query.c. - CVE-2022-3924 -- Marc Deslauriers <email address hidden> Tue, 24 Jan 2023 08:06:02 -0500
bind9 (1:9.18.10-2ubuntu1) lunar; urgency=medium * Merge with Debian unstable (LP: #1993375). Remaining changes: - Don't build dnstap as it depends on universe packages: + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and protobuf-c-compiler (universe packages) + d/dnsutils.install: don't install dnstap + d/rules: don't build dnstap nor install dnstap.proto - Add back apport: + d/bind9.apport: add back old bind9 apport hook, but without calling attach_conffiles() since that is already done by apport itself, with confirmation from the user. + d/control, d/rules: build-depends on dh-apport and use it - d/NEWS: mention relevant packaging changes - d/control: remove optional libjemalloc-dev Build-Depends as it is not in main. * Added Changes: - d/extras/apparmor.d/usr.sbin.named: Allow systemd notify access in apparmor for named * Dropped Changes: - fixed upstream: + debian/patches/CVE-2022-2795.patch + debian/patches/CVE-2022-2881.patch + debian/patches/CVE-2022-2906.patch + debian/patches/CVE-2022-3080.patch + debian/patches/CVE-2022-38178.patch - d/bind9.named.service: use systemd Type=forking to signal daemon init. + Changed to Type=notify with sd_notify patch in debian -- Lena Voytek <email address hidden> Tue, 10 Jan 2023 15:24:45 -0700
Superseded in lunar-release |
Obsolete in kinetic-release |
Deleted in kinetic-proposed (Reason: Moved to kinetic) |
bind9 (1:9.18.4-2ubuntu2) kinetic; urgency=medium * SECURITY UPDATE: Processing large delegations may severely degrade resolver performance - debian/patches/CVE-2022-2795.patch: add limit to lib/dns/resolver.c. - CVE-2022-2795 * SECURITY UPDATE: Buffer overread in statistics channel code - debian/patches/CVE-2022-2881.patch: clear buffer in lib/isc/httpd.c. - CVE-2022-2881 * SECURITY UPDATE: Memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs - debian/patches/CVE-2022-2906.patch: adjust return code handling in lib/dns/openssldh_link.c. - CVE-2022-2906 * SECURITY UPDATE: resolvers configured to answer from cache with zero stale-answer-timeout may terminate unexpectedly - debian/patches/CVE-2022-3080.patch: refactor stale RRset handling in lib/ns/include/ns/query.h, lib/ns/query.c. - CVE-2022-3080 * SECURITY UPDATE: memory leaks in EdDSA DNSSEC verification code - debian/patches/CVE-2022-38178.patch: fix return handling in lib/dns/openssleddsa_link.c. - CVE-2022-38178 -- Marc Deslauriers <email address hidden> Wed, 21 Sep 2022 09:18:42 -0400
bind9 (1:9.18.1-1ubuntu1.2) jammy-security; urgency=medium * SECURITY UPDATE: Processing large delegations may severely degrade resolver performance - debian/patches/CVE-2022-2795.patch: add limit to lib/dns/resolver.c. - CVE-2022-2795 * SECURITY UPDATE: Buffer overread in statistics channel code - debian/patches/CVE-2022-2881.patch: clear buffer in lib/isc/httpd.c. - CVE-2022-2881 * SECURITY UPDATE: Memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs - debian/patches/CVE-2022-2906.patch: adjust return code handling in lib/dns/openssldh_link.c. - CVE-2022-2906 * SECURITY UPDATE: resolvers configured to answer from cache with zero stale-answer-timeout may terminate unexpectedly - debian/patches/CVE-2022-3080.patch: refactor stale RRset handling in lib/ns/include/ns/query.h, lib/ns/query.c. - CVE-2022-3080 * SECURITY UPDATE: memory leaks in EdDSA DNSSEC verification code - debian/patches/CVE-2022-38178.patch: fix return handling in lib/dns/openssleddsa_link.c. - CVE-2022-38178 -- Marc Deslauriers <email address hidden> Tue, 20 Sep 2022 07:51:26 -0400
bind9 (1:9.11.3+dfsg-1ubuntu1.18) bionic-security; urgency=medium * SECURITY UPDATE: Processing large delegations may severely degrade resolver performance - debian/patches/CVE-2022-2795.patch: add limit to lib/dns/resolver.c. - CVE-2022-2795 * SECURITY UPDATE: memory leak in ECDSA DNSSEC verification code - debian/patches/CVE-2022-38177.patch: fix return handling in lib/dns/opensslecdsa_link.c. - CVE-2022-38177 * SECURITY UPDATE: memory leaks in EdDSA DNSSEC verification code - debian/patches/CVE-2022-38178.patch: fix return handling in lib/dns/openssleddsa_link.c. - CVE-2022-38178 -- Marc Deslauriers <email address hidden> Tue, 20 Sep 2022 08:11:06 -0400
bind9 (1:9.16.1-0ubuntu2.11) focal-security; urgency=medium * SECURITY UPDATE: Processing large delegations may severely degrade resolver performance - debian/patches/CVE-2022-2795.patch: add limit to lib/dns/resolver.c. - CVE-2022-2795 * SECURITY UPDATE: memory leak in ECDSA DNSSEC verification code - debian/patches/CVE-2022-38177.patch: fix return handling in lib/dns/opensslecdsa_link.c. - CVE-2022-38177 * SECURITY UPDATE: memory leaks in EdDSA DNSSEC verification code - debian/patches/CVE-2022-38178.patch: fix return handling in lib/dns/openssleddsa_link.c. - CVE-2022-38178 -- Marc Deslauriers <email address hidden> Tue, 20 Sep 2022 08:05:01 -0400
bind9 (1:9.18.4-2ubuntu1) kinetic; urgency=medium * Merge with Debian unstable (LP: #1971250) Remaining changes: - Don't build dnstap as it depends on universe packages: + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and protobuf-c-compiler (universe packages) + d/dnsutils.install: don't install dnstap + d/libdns1104.symbols: don't include dnstap symbols + d/rules: don't build dnstap nor install dnstap.proto - Add back apport: + d/bind9.apport: add back old bind9 apport hook, but without calling attach_conffiles() since that is already done by apport itself, with confirmation from the user. + d/control, d/rules: build-depends on dh-apport and use it - d/NEWS: mention some of the bigger changes in 9.16.0 packaging - d/bind9.named.service: use systemd Type=forking to signal daemon init. This fixes a regression of #900788 where services whose startup depend on name resolutions may fail due to bind9 not being ready (LP #1899902). - d/control: remove optional libjemalloc-dev Build-Depends as it is not in main. - d/NEWS: mention some of the relevant changes in 9.18.0 packaging or functionality that may affect usability. * Dropped changes: - d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-that-dig-tries-othe.patch, d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-timed-out-result-fo.patch, d/p/lp1964400-lp1964686-Add-various-dig-host-tests-for-TCP-UDP-socket-error-.patch, d/p/lp1964400-lp1964686-After-dig-request-errors-try-to-use-other-servers-wh.patch, d/p/lp1964400-lp1964686-Fix-an-issue-in-dig-when-retrying-with-the-next-serv.patch, d/p/lp1964400-lp1964686-Fix-dig-error-when-trying-the-next-server-after-a-TC.patch, d/p/lp1964400-lp1964686-When-resending-a-UDP-request-insert-the-query-to-the.patch: Fix dig error when trying the next server after a TCP connection failure. 
This upstream patchset also fixes a crash when using the "host" command for numeric lookups (LP #1964400) and an infinite hang when passing a non-existent hostname to "host" (LP #1964686). [ Incorporated by upstream. ] - SECURITY UPDATE: Destroying a TLS session early causes assertion failure + debian/patches/CVE-2022-1183.patch: fix destroying logic in lib/isc/netmgr/netmgr-int.h, lib/isc/netmgr/tlsstream.c. [ Incorporated by upstream. ] -- Sergio Durigan Junior <email address hidden> Wed, 20 Jul 2022 05:28:13 -0400
bind9 (1:9.18.1-1ubuntu2) kinetic; urgency=medium * SECURITY UPDATE: Destroying a TLS session early causes assertion failure - debian/patches/CVE-2022-1183.patch: fix destroying logic in lib/isc/netmgr/netmgr-int.h, lib/isc/netmgr/tlsstream.c. - CVE-2022-1183 -- Marc Deslauriers <email address hidden> Tue, 17 May 2022 07:38:24 -0400
bind9 (1:9.18.1-1ubuntu1.1) jammy-security; urgency=medium * SECURITY UPDATE: Destroying a TLS session early causes assertion failure - debian/patches/CVE-2022-1183.patch: fix destroying logic in lib/isc/netmgr/netmgr-int.h, lib/isc/netmgr/tlsstream.c. - CVE-2022-1183 -- Marc Deslauriers <email address hidden> Tue, 17 May 2022 07:38:24 -0400
Superseded in kinetic-release |
Published in jammy-release |
Deleted in jammy-proposed (Reason: Moved to jammy) |
bind9 (1:9.18.1-1ubuntu1) jammy; urgency=medium * Merge with Debian unstable (LP: #1965981). Remaining changes: - Don't build dnstap as it depends on universe packages: + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and protobuf-c-compiler (universe packages) + d/dnsutils.install: don't install dnstap + d/libdns1104.symbols: don't include dnstap symbols + d/rules: don't build dnstap nor install dnstap.proto - Add back apport: + d/bind9.apport: add back old bind9 apport hook, but without calling attach_conffiles() since that is already done by apport itself, with confirmation from the user. + d/control, d/rules: build-depends on dh-apport and use it - d/NEWS: mention some of the bigger changes in 9.16.0 packaging - d/bind9.named.service: use systemd Type=forking to signal daemon init. This fixes a regression of #900788 where services whose startup depend on name resolutions may fail due to bind9 not being ready (LP #1899902). - d/control: remove optional libjemalloc-dev Build-Depends as it is not in main. - d/NEWS: mention some of the relevant changes in 9.18.0 packaging or functionality that may affect usability. * Dropped changes: - d/p/0003-Remove-spurious-debugging-true.patch: remove development leftover debugging flag from nslookup code (LP: #1961556). [ Incorporated in 9.18.1. ] - SECURITY UPDATE: cache poisoning via bogus NS records + debian/patches/CVE-2021-25220.patch: tighten rules for acceptance of records into the cache in lib/dns/resolver.c. + CVE-2021-25220 [ Incorporated in 9.18.1. ] - SECURITY UPDATE: DoS via specially crafted TCP stream + debian/patches/CVE-2022-0396.patch: ensure correct ordering in lib/isc/netmgr/netmgr.c. + CVE-2022-0396 [ Incorporated in 9.18.1. ] - SECURITY UPDATE: DNAME insist with synth-from-dnssec enabled + debian/patches/CVE-2022-0635.patch: fix logic in lib/dns/rbtdb.c. + CVE-2022-0635 [ Incorporated in 9.18.1. ] - SECURITY UPDATE: Assertion failure on delayed DS lookup + debian/patches/CVE-2022-0667.patch: fix logic in lib/dns/resolver.c. + CVE-2022-0667 [ Incorporated in 9.18.1. ] * Added changes: - d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-that-dig-tries-othe.patch, d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-timed-out-result-fo.patch, d/p/lp1964400-lp1964686-Add-various-dig-host-tests-for-TCP-UDP-socket-error-.patch, d/p/lp1964400-lp1964686-After-dig-request-errors-try-to-use-other-servers-wh.patch, d/p/lp1964400-lp1964686-Fix-an-issue-in-dig-when-retrying-with-the-next-serv.patch, d/p/lp1964400-lp1964686-Fix-dig-error-when-trying-the-next-server-after-a-TC.patch, d/p/lp1964400-lp1964686-When-resending-a-UDP-request-insert-the-query-to-the.patch: Fix dig error when trying the next server after a TCP connection failure. This upstream patchset also fixes a crash when using the "host" command for numeric lookups (LP: #1964400) and an infinite hang when passing a non-existent hostname to "host" (LP: #1964686). -- Sergio Durigan Junior <email address hidden> Wed, 23 Mar 2022 13:48:30 -0400
bind9 (1:9.18.0-2ubuntu3) jammy; urgency=medium * SECURITY UPDATE: cache poisoning via bogus NS records - debian/patches/CVE-2021-25220.patch: tighten rules for acceptance of records into the cache in lib/dns/resolver.c. - CVE-2021-25220 * SECURITY UPDATE: DoS via specially crafted TCP stream - debian/patches/CVE-2022-0396.patch: ensure correct ordering in lib/isc/netmgr/netmgr.c. - CVE-2022-0396 * SECURITY UPDATE: DNAME insist with synth-from-dnssec enabled - debian/patches/CVE-2022-0635.patch: fix logic in lib/dns/rbtdb.c. - CVE-2022-0635 * SECURITY UPDATE: Assertion failure on delayed DS lookup - debian/patches/CVE-2022-0667.patch: fix logic in lib/dns/resolver.c. - CVE-2022-0667 -- Marc Deslauriers <email address hidden> Thu, 17 Mar 2022 09:33:36 -0400
bind9 (1:9.11.3+dfsg-1ubuntu1.17) bionic-security; urgency=medium * SECURITY UPDATE: cache poisoning via bogus NS records - debian/patches/CVE-2021-25220.patch: tighten rules for acceptance of records into the cache in lib/dns/resolver.c. - CVE-2021-25220 -- Marc Deslauriers <email address hidden> Tue, 15 Mar 2022 10:14:01 -0400
bind9 (1:9.16.1-0ubuntu2.10) focal-security; urgency=medium * SECURITY UPDATE: cache poisoning via bogus NS records - debian/patches/CVE-2021-25220.patch: tighten rules for acceptance of records into the cache in lib/dns/resolver.c. - CVE-2021-25220 -- Marc Deslauriers <email address hidden> Tue, 15 Mar 2022 10:11:35 -0400
bind9 (1:9.16.15-1ubuntu1.2) impish-security; urgency=medium * SECURITY UPDATE: cache poisoning via bogus NS records - debian/patches/CVE-2021-25220.patch: tighten rules for acceptance of records into the cache in lib/dns/resolver.c. - CVE-2021-25220 * SECURITY UPDATE: DoS via specially crafted TCP stream - debian/patches/CVE-2022-0396.patch: ensure correct ordering in lib/isc/netmgr/netmgr.c. - CVE-2022-0396 -- Marc Deslauriers <email address hidden> Tue, 15 Mar 2022 10:02:18 -0400
bind9 (1:9.18.0-2ubuntu2) jammy; urgency=medium * d/p/0003-Remove-spurious-debugging-true.patch: remove development leftover debugging flag from nslookup code (LP: #1961556). -- Athos Ribeiro <email address hidden> Tue, 22 Feb 2022 17:04:03 -0300
bind9 (1:9.18.0-2ubuntu1) jammy; urgency=medium * Merge with Debian unstable (LP: #1946833). Remaining changes: - Don't build dnstap as it depends on universe packages: + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and protobuf-c-compiler (universe packages) + d/dnsutils.install: don't install dnstap + d/libdns1104.symbols: don't include dnstap symbols + d/rules: don't build dnstap nor install dnstap.proto - Add back apport: + d/bind9.apport: add back old bind9 apport hook, but without calling attach_conffiles() since that is already done by apport itself, with confirmation from the user. + d/control, d/rules: build-depends on dh-apport and use it - d/NEWS: mention some of the bigger changes in 9.16.0 packaging - d/bind9.named.service: use systemd Type=forking to signal daemon init. This fixes a regression of #900788 where services whose startup depend on name resolutions may fail due to bind9 not being ready (LP #1899902). * Dropped Changes: - SECURITY UPDATE: resolver performance degradation via lame cache abuse + debian/patches/CVE-2021-25219.patch: disable lame cache in bin/named/config.c, bin/named/server.c, lib/dns/resolver.c. + CVE-2021-25219 [ Fixed in 9.17.19 ] * New Changes: - d/control: remove optional libjemalloc-dev Build-Depends as it is not in main. - d/NEWS: mention some of the relevant changes in 9.18.0 packaging or functionality that may affect usability. -- Athos Ribeiro <email address hidden> Mon, 14 Feb 2022 17:40:31 -0300
bind9 (1:9.16.15-1ubuntu3) jammy; urgency=medium * No-change rebuild against openssl3 -- Simon Chopin <email address hidden> Wed, 01 Dec 2021 16:06:43 +0000
bind9 (1:9.16.15-1ubuntu2) jammy; urgency=medium * SECURITY UPDATE: resolver performance degradation via lame cache abuse - debian/patches/CVE-2021-25219.patch: disable lame cache in bin/named/config.c, bin/named/server.c, lib/dns/resolver.c. - CVE-2021-25219 -- Marc Deslauriers <email address hidden> Mon, 01 Nov 2021 18:56:43 -0400
bind9 (1:9.16.8-1ubuntu3.3) hirsute-security; urgency=medium * SECURITY UPDATE: resolver performance degradation via lame cache abuse - debian/patches/CVE-2021-25219.patch: disable lame cache in bin/named/config.c, bin/named/server.c, lib/dns/resolver.c. - CVE-2021-25219 -- Marc Deslauriers <email address hidden> Wed, 27 Oct 2021 06:57:43 -0400
bind9 (1:9.11.3+dfsg-1ubuntu1.16) bionic-security; urgency=medium * SECURITY UPDATE: resolver performance degradation via lame cache abuse - debian/patches/CVE-2021-25219.patch: disable lame cache in bin/named/config.c, bin/named/server.c, lib/dns/resolver.c. - CVE-2021-25219 -- Marc Deslauriers <email address hidden> Wed, 27 Oct 2021 07:02:44 -0400
bind9 (1:9.16.1-0ubuntu2.9) focal-security; urgency=medium * SECURITY UPDATE: resolver performance degradation via lame cache abuse - debian/patches/CVE-2021-25219.patch: disable lame cache in bin/named/config.c, bin/named/server.c, lib/dns/resolver.c. - CVE-2021-25219 -- Marc Deslauriers <email address hidden> Wed, 27 Oct 2021 07:00:32 -0400
bind9 (1:9.16.15-1ubuntu1.1) impish-security; urgency=medium * SECURITY UPDATE: resolver performance degradation via lame cache abuse - debian/patches/CVE-2021-25219.patch: disable lame cache in bin/named/config.c, bin/named/server.c, lib/dns/resolver.c. - CVE-2021-25219 -- Marc Deslauriers <email address hidden> Wed, 27 Oct 2021 06:54:36 -0400
Superseded in jammy-release |
Obsolete in impish-release |
Deleted in impish-proposed (Reason: Moved to impish) |
bind9 (1:9.16.15-1ubuntu1) impish; urgency=medium * Merge with Debian unstable. Remaining changes: - Don't build dnstap as it depends on universe packages: + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and protobuf-c-compiler (universe packages) + d/dnsutils.install: don't install dnstap + d/libdns1104.symbols: don't include dnstap symbols + d/rules: don't build dnstap nor install dnstap.proto - Add back apport: + d/bind9.apport: add back old bind9 apport hook, but without calling attach_conffiles() since that is already done by apport itself, with confirmation from the user. + d/control, d/rules: build-depends on dh-apport and use it - d/NEWS: mention some of the bigger changes in 9.16.0 packaging - d/bind9.named.service: use systemd Type=forking to signal daemon init. This fixes a regression of #900788 where services whose startup depend on name resolutions may fail due to bind9 not being ready (LP #1899902). * Drop changes: - d/t/simpletest: drop the internetsociety.org test as it requires network egress access that is not available in the Ubuntu autopkgtest farm. [Fixed in 1:9.16.11-3] - SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation + debian/patches/CVE-2020-8625.patch: properly calculate length in lib/dns/spnego.c. + CVE-2020-8625 [Fixed in 1:9.16.12-1] - SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR) + debian/patches/CVE-2021-25214.patch: immediately reject the entire transfer for certain RR in lib/dns/xfrin.c. + CVE-2021-25214 [Fixed in 1:9.16.15-1] - SECURITY UPDATE: assert via answering certain queries for DNAME records + debian/patches/CVE-2021-25215.patch: fix assert checks in lib/ns/query.c. + CVE-2021-25215 [Fixed in 1:9.16.15-1] - SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation + debian/rules: build with --disable-isc-spnego to disable internal SPNEGO and use the one from the kerberos libraries. + CVE-2021-25216 [Fixed in 1:9.16.15-1]
bind9 (1:9.16.8-1ubuntu3.2) impish; urgency=medium * d/bind9.named.service: use systemd Type=forking to signal daemon init. This fixes a regression of #900788 where services whose startup depend on name resolutions may fail due to bind9 not being ready (LP: #1899902). -- Athos Ribeiro <email address hidden> Fri, 18 Jun 2021 09:24:39 -0300
bind9 (1:9.11.3+dfsg-1ubuntu1.15) bionic-security; urgency=medium * SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR) - debian/patches/CVE-2021-25214.patch: immediately reject the entire transfer for certain RR in lib/dns/xfrin.c. - CVE-2021-25214 * SECURITY UPDATE: assert via answering certain queries for DNAME records - debian/patches/CVE-2021-25215.patch: fix assert checks in lib/ns/query.c. - CVE-2021-25215 * SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation - debian/rules: build with --disable-isc-spnego to disable internal SPNEGO and use the one from the kerberos libraries. - debian/libdns1100.symbols: removed internal SPNEGO symbols. - CVE-2021-25216 -- Marc Deslauriers <email address hidden> Tue, 27 Apr 2021 07:16:20 -0400
bind9 (1:9.10.3.dfsg.P4-8ubuntu1.19) xenial-security; urgency=medium * SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR) - debian/patches/CVE-2021-25214.patch: immediately reject the entire transfer for certain RR in lib/dns/xfrin.c. - CVE-2021-25214 * SECURITY UPDATE: assert via answering certain queries for DNAME records - debian/patches/CVE-2021-25215.patch: fix assert checks in lib/ns/query.c. - CVE-2021-25215 * SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation - debian/rules: build with --disable-isc-spnego to disable internal SPNEGO and use the one from the kerberos libraries. - CVE-2021-25216 -- Marc Deslauriers <email address hidden> Tue, 27 Apr 2021 07:18:12 -0400
bind9 (1:9.16.6-3ubuntu1.2) groovy-security; urgency=medium * SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR) - debian/patches/CVE-2021-25214.patch: immediately reject the entire transfer for certain RR in lib/dns/xfrin.c. - CVE-2021-25214 * SECURITY UPDATE: assert via answering certain queries for DNAME records - debian/patches/CVE-2021-25215.patch: fix assert checks in lib/ns/query.c. - CVE-2021-25215 * SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation - debian/rules: build with --disable-isc-spnego to disable internal SPNEGO and use the one from the kerberos libraries. - CVE-2021-25216 -- Marc Deslauriers <email address hidden> Tue, 27 Apr 2021 07:14:19 -0400
Superseded in impish-release |
Deleted in impish-proposed (Reason: Moved to impish) |
Superseded in hirsute-updates |
Superseded in hirsute-security |
bind9 (1:9.16.8-1ubuntu3.1) hirsute-security; urgency=medium * SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR) - debian/patches/CVE-2021-25214.patch: immediately reject the entire transfer for certain RR in lib/dns/xfrin.c. - CVE-2021-25214 * SECURITY UPDATE: assert via answering certain queries for DNAME records - debian/patches/CVE-2021-25215.patch: fix assert checks in lib/ns/query.c. - CVE-2021-25215 * SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation - debian/rules: build with --disable-isc-spnego to disable internal SPNEGO and use the one from the kerberos libraries. - CVE-2021-25216 -- Marc Deslauriers <email address hidden> Tue, 27 Apr 2021 07:07:30 -0400
bind9 (1:9.16.1-0ubuntu2.8) focal-security; urgency=medium * SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR) - debian/patches/CVE-2021-25214.patch: immediately reject the entire transfer for certain RR in lib/dns/xfrin.c. - CVE-2021-25214 * SECURITY UPDATE: assert via answering certain queries for DNAME records - debian/patches/CVE-2021-25215.patch: fix assert checks in lib/ns/query.c. - CVE-2021-25215 * SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation - debian/rules: build with --disable-isc-spnego to disable internal SPNEGO and use the one from the kerberos libraries. - CVE-2021-25216 -- Marc Deslauriers <email address hidden> Tue, 27 Apr 2021 07:15:23 -0400
bind9 (1:9.8.1.dfsg.P1-4ubuntu0.32) precise-security; urgency=medium [ Marc Deslauriers ] * SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation - properly calculate length in lib/dns/spnego.c. - CVE-2020-8625 -- Avital Ostromich <email address hidden> Tue, 23 Feb 2021 18:56:07 -0500
Superseded in impish-release |
Obsolete in hirsute-release |
Deleted in hirsute-proposed (Reason: moved to Release) |
bind9 (1:9.16.8-1ubuntu3) hirsute; urgency=medium * SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation - debian/patches/CVE-2020-8625.patch: properly calculate length in lib/dns/spnego.c. - CVE-2020-8625 -- Marc Deslauriers <email address hidden> Thu, 25 Feb 2021 07:29:46 -0500
Superseded in hirsute-proposed |
bind9 (1:9.16.8-1ubuntu2) hirsute; urgency=medium * No-change rebuild to drop the udeb package. -- Matthias Klose <email address hidden> Mon, 22 Feb 2021 10:44:18 +0100
bind9 (1:9.16.1-0ubuntu2.7) focal; urgency=medium * Fix a race between deactivating socket handle and processing async callbacks, which can lead to sockets not being closed properly, exhausting TCP connection limits. (LP: #1909950) - d/p/lp-1909950-fix-race-between-deactivating-handle-async-callback.patch -- Matthew Ruffell <email address hidden> Thu, 18 Feb 2021 16:28:44 +1300
bind9 (1:9.16.1-0ubuntu2.6) focal-security; urgency=medium * SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation - debian/patches/CVE-2020-8625.patch: properly calculate length in lib/dns/spnego.c. - CVE-2020-8625 * This update does _not_ contain the changes from 1:9.16.1-0ubuntu2.5 in focal-proposed. -- Marc Deslauriers <email address hidden> Tue, 16 Feb 2021 15:08:33 -0500
bind9 (1:9.10.3.dfsg.P4-8ubuntu1.18) xenial-security; urgency=medium * SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation - debian/patches/CVE-2020-8625.patch: properly calculate length in lib/dns/spnego.c. - CVE-2020-8625 -- Marc Deslauriers <email address hidden> Mon, 15 Feb 2021 08:09:41 -0500
bind9 (1:9.11.3+dfsg-1ubuntu1.14) bionic-security; urgency=medium * SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation - debian/patches/CVE-2020-8625.patch: properly calculate length in lib/dns/spnego.c. - CVE-2020-8625 -- Marc Deslauriers <email address hidden> Mon, 15 Feb 2021 08:08:25 -0500
bind9 (1:9.16.6-3ubuntu1.1) groovy-security; urgency=medium * SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation - debian/patches/CVE-2020-8625.patch: properly calculate length in lib/dns/spnego.c. - CVE-2020-8625 -- Marc Deslauriers <email address hidden> Mon, 15 Feb 2021 08:04:07 -0500
Deleted in focal-proposed (Reason: moved to -updates) |
bind9 (1:9.16.1-0ubuntu2.5) focal; urgency=medium * Fix a race between deactivating socket handle and processing async callbacks, which can lead to sockets not being closed properly, exhausting TCP connection limits. (LP: #1909950) - d/p/lp-1909950-fix-race-between-deactivating-handle-async-callback.patch -- Matthew Ruffell <email address hidden> Mon, 01 Feb 2021 16:28:44 +1300