Change log for bind9 package in Ubuntu

Published in jammy-proposed
bind9 (1:9.18.24-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream version 9.18.24 (LP: #2040459)
    - Updates:
      + Mark use of AES as the DNS COOKIE algorithm as deprecated.
      + Mark resolver-nonbackoff-tries and resolver-retry-interval statements
        as deprecated.
      + Update IP addresses for B.ROOT-SERVERS.NET to 170.247.170.2 and
        2801:1b8:10::b.
      + Mark dnssec-must-be-secure option as deprecated.
      + Honor nsupdate -v option for SOA queries by sending both the UPDATE
        request and the initial query over TCP.
      + Reduce memory consumption through dedicated jemalloc memory arenas.
    - Bug fixes:
      + Fix accidental truncation to 32 bit of statistics channel counters.
      + Do not schedule unsigned versions of inline-signed zones containing
        DNSSEC records for resigning.
      + Take local authoritative data into account when looking up stale data
        from the cache.
      + Fix assertion failure when lock-file used at the same time as named -X.
      + Fix lockfile removal issue when starting named 3+ times.
      + Fix validation of If-Modified-Since header in statistics channel for
        its length.
      + Add Content-Length header bounds check to avoid integer overflow.
      + Fix memory leaks from OpenSSL error stack.
      + Fix SERVFAIL responses after introduction of krb5-subdomain-self-rhs
        and ms-subdomain-self-rhs UPDATE policies.
      + Fix accidental disable of stale-refresh-time feature on rndc flush.
      + Fix possible DNS message corruption from partial writes in TLS DNS.
    - See https://bind9.readthedocs.io/en/v9.18.24/notes.html for additional
      information.
  * Remove CVE patches fixed upstream:
    - CVE-2023-3341.patch
    - CVE-2023-4236.patch
    [ Fixed in 9.18.19 ]
    - 0001-CVE-2023-4408.patch
    - 0002-CVE-2023-5517.patch
    - 0003-CVE-2023-5679.patch
    - 0004-CVE-2023-50387-CVE-2023-50868.patch
    [ Fixed in 9.18.24 ]
  * d/p/always-use-standard-library-stdatomic.patch: Maintain use of the
    standard library stdatomic.h.

 -- Lena Voytek <email address hidden>  Thu, 11 Apr 2024 14:11:18 -0700
Published in mantic-proposed
bind9 (1:9.18.24-0ubuntu0.23.10.1) mantic; urgency=medium

  * New upstream version 9.18.24 (LP: #2040459)
    - Updates:
      + Mark use of AES as the DNS COOKIE algorithm as deprecated.
      + Mark resolver-nonbackoff-tries and resolver-retry-interval statements
        as deprecated.
      + Update IP addresses for B.ROOT-SERVERS.NET to 170.247.170.2 and
        2801:1b8:10::b.
      + Mark dnssec-must-be-secure option as deprecated.
      + Honor nsupdate -v option for SOA queries by sending both the UPDATE
        request and the initial query over TCP.
      + Reduce memory consumption through dedicated jemalloc memory arenas.
    - Bug fixes:
      + Fix accidental truncation to 32 bit of statistics channel counters.
      + Do not schedule unsigned versions of inline-signed zones containing
        DNSSEC records for resigning.
      + Take local authoritative data into account when looking up stale data
        from the cache.
      + Fix assertion failure when lock-file used at the same time as named -X.
      + Fix lockfile removal issue when starting named 3+ times.
      + Fix validation of If-Modified-Since header in statistics channel for
        its length.
      + Add Content-Length header bounds check to avoid integer overflow.
      + Fix memory leaks from OpenSSL error stack.
      + Fix SERVFAIL responses after introduction of krb5-subdomain-self-rhs
        and ms-subdomain-self-rhs UPDATE policies.
      + Fix accidental disable of stale-refresh-time feature on rndc flush.
      + Fix possible DNS message corruption from partial writes in TLS DNS.
    - See https://bind9.readthedocs.io/en/v9.18.24/notes.html for additional
      information.
  * Remove CVE patches fixed upstream:
    - CVE-2023-3341.patch
    - CVE-2023-4236.patch
    [ Fixed in 9.18.19 ]
    - 0001-CVE-2023-4408.patch
    - 0002-CVE-2023-5517.patch
    - 0003-CVE-2023-5679.patch
    - 0004-CVE-2023-50387-CVE-2023-50868.patch
    [ Fixed in 9.18.24 ]
  * d/p/always-use-standard-library-stdatomic.patch: Maintain use of the
    standard library stdatomic.h.

 -- Lena Voytek <email address hidden>  Tue, 09 Apr 2024 14:28:37 -0700
Published in oracular-release
Published in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
bind9 (1:9.18.24-0ubuntu5) noble; urgency=high

  * No change rebuild against libssl3t64, libuv1t64.

 -- Julian Andres Klode <email address hidden>  Mon, 08 Apr 2024 16:37:41 +0200
Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
bind9 (1:9.18.24-0ubuntu4) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- Steve Langasek <email address hidden>  Sun, 31 Mar 2024 00:04:23 +0000
Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
bind9 (1:9.18.24-0ubuntu3) noble; urgency=medium

  * bind9-libs: Hard-code libuv1t64 instead of libuv1.

 -- Matthias Klose <email address hidden>  Wed, 06 Mar 2024 12:35:21 +0100
Superseded in noble-proposed
bind9 (1:9.18.24-0ubuntu2) noble; urgency=medium

  * No-change rebuild against libssl3t64

 -- Steve Langasek <email address hidden>  Mon, 04 Mar 2024 17:27:42 +0000
Deleted in noble-updates (Reason: superseded by release)
Superseded in noble-proposed
bind9 (1:9.18.24-0ubuntu1) noble; urgency=medium

  * Updated to 9.18.21 to fix security issues.
    - Security Fixes:
      + Validating DNS messages containing a lot of DNSSEC signatures could
        cause excessive CPU load, leading to a denial-of-service condition.
        This has been fixed. (CVE-2023-50387)
      + Preparing an NSEC3 closest encloser proof could cause excessive CPU
        load, leading to a denial-of-service condition. This has been
        fixed. (CVE-2023-50868)
      + Parsing DNS messages with many different names could cause
        excessive CPU load. This has been fixed. (CVE-2023-4408)
      + Specific queries could cause named to crash with an assertion
        failure when nxdomain-redirect was enabled. This has been fixed.
        (CVE-2023-5517)
      + A bad interaction between DNS64 and serve-stale could cause named
        to crash with an assertion failure, when both of these features
        were enabled. This has been fixed. (CVE-2023-5679)
      + Under certain circumstances, the DNS-over-TLS client code
        incorrectly attempted to process more than one DNS message at a
        time, which could cause named to crash with an assertion failure.
        This has been fixed.
    - Bug Fixes:
      + The counters exported via the statistics channel were changed back
        to 64-bit signed values; they were being inadvertently truncated to
        unsigned 32-bit values since BIND 9.15.0.
    - See https://bind9.readthedocs.io/en/v9.18.24/notes.html for
      additional information

 -- Marc Deslauriers <email address hidden>  Wed, 14 Feb 2024 14:31:05 -0500
Published in focal-updates
Published in focal-security
bind9 (1:9.16.48-0ubuntu0.20.04.1) focal-security; urgency=medium

  * Updated to 9.16.48 to fix multiple security issues.
    - Please see the following for a list of changes, including possibly
      incompatible ones:
      https://downloads.isc.org/isc/bind9/9.16.48/doc/arm/html/notes.html
    - CVE-2023-4408
    - CVE-2023-5517
    - CVE-2023-6516
    - CVE-2023-50387
    - CVE-2023-50868
  * Packaging changes required for 9.16.48:
    - Dropped patches no longer required with 9.16.48:
      + CVE-*.patch
      + fix-rebinding-protection.patch,
      + 0003-Print-diagnostics-on-dns_name_issubdomain-failure-in.patch
      + lp-1909950-fix-race-between-deactivating-handle-async-callback.patch
      + lp1997375-segfault-isc-nm-tcp-send.patch
    - Synced other patches with Debian's 1:9.16.48-1 package
    - debian/*.install, debian/*.links: updated with new files in 9.16.48.
    - debian/rules, debian/not-installed: don't delete old -dev files, just
      don't install them.
    - debian/control, debian/rules: switch packages required to build
      documentation.

 -- Marc Deslauriers <email address hidden>  Wed, 14 Feb 2024 07:49:14 -0500
Published in jammy-updates
Published in jammy-security
bind9 (1:9.18.18-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Multiple security issues
    - debian/patches/0001-CVE-2023-4408.patch: Parsing large DNS messages
      may cause excessive CPU load.
    - debian/patches/0002-CVE-2023-5517.patch: Querying RFC 1918 reverse
      zones may cause an assertion failure when nxdomain-redirect is
      enabled.
    - debian/patches/0003-CVE-2023-5679.patch: Enabling both DNS64 and
      serve-stale may cause an assertion failure during recursive
      resolution.
    - debian/patches/0004-CVE-2023-50387-CVE-2023-50868.patch: Extreme CPU
      consumption in DNSSEC validator and Preparing an NSEC3 closest
      encloser proof can exhaust CPU resources.
    - CVE-2023-4408
    - CVE-2023-5517
    - CVE-2023-5679
    - CVE-2023-50387
    - CVE-2023-50868

 -- Marc Deslauriers <email address hidden>  Mon, 12 Feb 2024 14:29:56 -0500
Published in mantic-updates
Published in mantic-security
bind9 (1:9.18.18-0ubuntu2.1) mantic-security; urgency=medium

  * SECURITY UPDATE: Multiple security issues
    - debian/patches/0001-CVE-2023-4408.patch: Parsing large DNS messages
      may cause excessive CPU load.
    - debian/patches/0002-CVE-2023-5517.patch: Querying RFC 1918 reverse
      zones may cause an assertion failure when nxdomain-redirect is
      enabled.
    - debian/patches/0003-CVE-2023-5679.patch: Enabling both DNS64 and
      serve-stale may cause an assertion failure during recursive
      resolution.
    - debian/patches/0004-CVE-2023-50387-CVE-2023-50868.patch: Extreme CPU
      consumption in DNSSEC validator and Preparing an NSEC3 closest
      encloser proof can exhaust CPU resources.
    - CVE-2023-4408
    - CVE-2023-5517
    - CVE-2023-5679
    - CVE-2023-50387
    - CVE-2023-50868

 -- Marc Deslauriers <email address hidden>  Mon, 12 Feb 2024 14:29:56 -0500
Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
bind9 (1:9.18.21-0ubuntu1) noble; urgency=medium

  * New upstream release 9.18.21 (LP: #2040359)
    - Updates:
      + Update IP addresses for B.ROOT-SERVERS.NET to 170.247.170.2 and
        2801:1b8:10::b.
      + Honor nsupdate -v option when server command specified by sending both
        the UPDATE request and the initial query over TCP.
      + Mark cookie-algorithm aes as deprecated, use SipHash-2-4, instead.
      + Mark resolver-nonbackoff-tries and resolver-retry-interval as
        deprecated.
      + Mark dnssec-must-be-secure as deprecated.
    - Bug Fixes:
      + Do not schedule unsigned versions of inline-signed zones containing
        DNSSEC records for resigning.
      + Take local authoritative data into account when looking up stale cache
        data.
      + Fix use of named -X and lock-file at the same time.
      + Fix improper lock-file removal.
      + Fix bound checking in Content-Length header in the statistics channel.
      + Fix memory leaks from not clearing the OpenSSL error stack.
      + Fix SERVFAIL responses from introduction of krb5-subdomain-self-rhs and
        ms-subdomain-self-rhs update policies.
      + Fix stale-refresh-time feature being disabled by cache flush.
      + Fix DNS message corruption from partial writes.
    - See https://bind9.readthedocs.io/en/v9.18.21/notes.html for additional
      information
  * d/p/CVE-2023-3341.patch, d/p/CVE-2023-4236.patch: Remove - fixed by
    upstream in version 9.18.19
  * d/p/always-use-standard-library-stdatomic.patch: Maintain use of the
    standard library stdatomic.h

 -- Lena Voytek <email address hidden>  Thu, 25 Jan 2024 08:37:15 -0700
Superseded in jammy-updates
Deleted in jammy-proposed (Reason: moved to -updates)
bind9 (1:9.18.18-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream release 9.18.18 (LP: #2028413)
    - Updates:
      + Mark a primary server as temporarily unreachable when a TCP connection
        response to an SOA query times out, matching behavior of a refused TCP
        connection.
      + Mark dialup and heartbeat-interval options as deprecated.
      + Retry DNS queries without an EDNS COOKIE when the first response is
        FORMERR with the EDNS COOKIE that was sent originally.
      + Use NS records for the relaxed QNAME minimization mode to reduce the
        number of queries from named.
      + Mark TKEY mode 2 as deprecated.
      + Mark delegation-only and root-delegation-only as deprecated.
      + Run RPZ and catalog zone updates on specialized offload threads to
        reduce blocked query processing time.
    - Bug Fixes:
      + Fix assertion failure from processing already-queued queries while
        server is being reconfigured or cache is being flushed.
      + Fix failure to load zones containing resource records with a TTL value
        larger than 86400 seconds when dnssec-policy is set to insecure.
      + Fix the ability to read HMAC-MD5 key files (LP: #2015176).
      + Fix stability issues with the catalog zone implementation.
      + Fix bind9 getting stuck when listen-on statement for HTTP is removed
        from configuration.
      + Do not return delegation from cache after stale-answer-client-timeout.
      + Fix failure to auto-tune clients-per-query limit in some situations.
      + Fix proper timeouts when using max-transfer-time-in and
        max-transfer-idle-in statements.
      + Bring rndc read timeout back to 60 seconds from 30.
      + Treat libuv returning ISC_R_INVALIDPROTO as a network error.
      + Clean up empty-non-terminal NSEC3 records.
      + Fix log file rotation cleanup for absolute file path destinations.
      + Fix various catalog zone processing crashes.
      + Fix transfer hang when downloading large zones over TLS.
      + Fix named crash when adding a new zone into the configuration file for
        a name which was already configured as member zone for a catalog zone.
      + Delay DNSSEC key queries until all zones have finished loading.
    - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional
      information.
  * d/p/CVE-2023-2828.patch, CVE-2023-2911.patch: Remove - fixed upstream in
    9.18.16.
  * d/p/CVE-2023-3341.patch: Refresh, matching upstream, to apply in 9.18.18.
  * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650)

 -- Lena Voytek <email address hidden>  Wed, 20 Sep 2023 15:15:41 -0700
Published in lunar-updates
Deleted in lunar-proposed (Reason: moved to -updates)
bind9 (1:9.18.18-0ubuntu0.23.04.1) lunar; urgency=medium

  * New upstream release 9.18.18 (LP: #2028413)
    - Updates:
      + Mark a primary server as temporarily unreachable when a TCP connection
        response to an SOA query times out, matching behavior of a refused TCP
        connection.
      + Mark dialup and heartbeat-interval options as deprecated.
      + Retry DNS queries without an EDNS COOKIE when the first response is
        FORMERR with the EDNS COOKIE that was sent originally.
      + Use NS records for the relaxed QNAME minimization mode to reduce the
        number of queries from named.
      + Mark TKEY mode 2 as deprecated.
      + Mark delegation-only and root-delegation-only as deprecated.
      + Run RPZ and catalog zone updates on specialized offload threads to
        reduce blocked query processing time.
    - Bug Fixes:
      + Fix assertion failure from processing already-queued queries while
        server is being reconfigured or cache is being flushed.
      + Fix failure to load zones containing resource records with a TTL value
        larger than 86400 seconds when dnssec-policy is set to insecure.
      + Fix the ability to read HMAC-MD5 key files (LP: #2015176).
      + Fix stability issues with the catalog zone implementation.
      + Fix bind9 getting stuck when listen-on statement for HTTP is removed
        from configuration.
      + Do not return delegation from cache after stale-answer-client-timeout.
      + Fix failure to auto-tune clients-per-query limit in some situations.
      + Fix proper timeouts when using max-transfer-time-in and
        max-transfer-idle-in statements.
      + Bring rndc read timeout back to 60 seconds from 30.
      + Treat libuv returning ISC_R_INVALIDPROTO as a network error.
      + Clean up empty-non-terminal NSEC3 records.
      + Fix log file rotation cleanup for absolute file path destinations.
      + Fix various catalog zone processing crashes.
      + Fix transfer hang when downloading large zones over TLS.
      + Fix named crash when adding a new zone into the configuration file for
        a name which was already configured as member zone for a catalog zone.
      + Delay DNSSEC key queries until all zones have finished loading.
    - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional
      information.
  * d/p/CVE-2023-2828.patch, CVE-2023-2911.patch: Remove - fixed upstream in
    9.18.16.
  * d/p/CVE-2023-3341.patch: Refresh, matching upstream, to apply in 9.18.18.
  * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650)

 -- Lena Voytek <email address hidden>  Wed, 20 Sep 2023 14:52:27 -0700
Superseded in noble-release
Published in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
bind9 (1:9.18.18-0ubuntu2) mantic; urgency=medium

  * SECURITY UPDATE: DoS via recursive packet parsing
    - debian/patches/CVE-2023-3341.patch: add a max depth check to
      lib/isc/include/isc/result.h, lib/isc/result.c, lib/isccc/cc.c.
    - CVE-2023-3341
  * SECURITY UPDATE: DoS via DNS-over-TLS queries
    - debian/patches/CVE-2023-4236.patch: check return code in
      lib/isc/netmgr/tlsdns.c.
    - CVE-2023-4236

 -- Marc Deslauriers <email address hidden>  Wed, 20 Sep 2023 12:45:21 -0400
Superseded in jammy-updates
Superseded in jammy-security
bind9 (1:9.18.12-0ubuntu0.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS via recursive packet parsing
    - debian/patches/CVE-2023-3341.patch: add a max depth check to
      lib/isc/include/isc/result.h, lib/isc/result.c, lib/isccc/cc.c.
    - CVE-2023-3341
  * SECURITY UPDATE: DoS via DNS-over-TLS queries
    - debian/patches/CVE-2023-4236.patch: check return code in
      lib/isc/netmgr/tlsdns.c.
    - CVE-2023-4236

 -- Marc Deslauriers <email address hidden>  Tue, 19 Sep 2023 07:21:46 -0400
Superseded in focal-updates
Superseded in focal-security
bind9 (1:9.16.1-0ubuntu2.16) focal-security; urgency=medium

  * SECURITY UPDATE: DoS via recursive packet parsing
    - debian/patches/CVE-2023-3341.patch: add a max depth check to
      lib/isccc/include/isccc/result.h, lib/isccc/result.c, lib/isccc/cc.c.
    - CVE-2023-3341

 -- Marc Deslauriers <email address hidden>  Tue, 19 Sep 2023 07:22:19 -0400
Superseded in lunar-updates
Published in lunar-security
bind9 (1:9.18.12-1ubuntu1.2) lunar-security; urgency=medium

  * SECURITY UPDATE: DoS via recursive packet parsing
    - debian/patches/CVE-2023-3341.patch: add a max depth check to
      lib/isc/include/isc/result.h, lib/isc/result.c, lib/isccc/cc.c.
    - CVE-2023-3341
  * SECURITY UPDATE: DoS via DNS-over-TLS queries
    - debian/patches/CVE-2023-4236.patch: check return code in
      lib/isc/netmgr/tlsdns.c.
    - CVE-2023-4236

 -- Marc Deslauriers <email address hidden>  Tue, 19 Sep 2023 07:18:28 -0400
Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
bind9 (1:9.18.18-0ubuntu1) mantic; urgency=medium

  * New upstream release 9.18.18 (LP: #2034367)
    - Updates:
      + Mark a primary server as temporarily unreachable when a TCP connection
        response to an SOA query times out, matching behavior of a refused TCP
        connection.
      + Mark dialup and heartbeat-interval options as deprecated.
      + Retry DNS queries without an EDNS COOKIE when the first response is
        FORMERR with the EDNS COOKIE that was sent originally.
      + Use NS records for the relaxed QNAME minimization mode to reduce the
        number of queries from named.
    - Bug Fixes:
      + Fix assertion failure from processing already-queued queries while
        server is being reconfigured or cache is being flushed.
      + Fix failure to load zones containing resource records with a TTL value
        larger than 86400 seconds when dnssec-policy is set to insecure.
      + Fix the ability to read HMAC-MD5 key files (LP: #2015176).
      + Fix stability issues with the catalog zone implementation.
    - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional
      information.

 -- Lena Voytek <email address hidden>  Tue, 05 Sep 2023 13:20:06 -0700
Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
bind9 (1:9.18.16-1ubuntu4) mantic; urgency=medium

  * d/t/dyndb-ldap: allow writing to the dns tree (LP: #2034250)

 -- Andreas Hasenack <email address hidden>  Tue, 05 Sep 2023 10:20:27 -0300
Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
bind9 (1:9.18.16-1ubuntu3) mantic; urgency=medium

  * d/t/control: exclude the i386 architecture for the dyndb-ldap test,
    since bind9-dyndb-ldap is not available there on Ubuntu
  * d/t/dyndb-ldap: fix for the ldap bind9 dn entry

Superseded in mantic-proposed
bind9 (1:9.18.16-1ubuntu2) mantic; urgency=medium

  * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650)

 -- Andreas Hasenack <email address hidden>  Tue, 22 Aug 2023 09:24:02 -0300
Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
bind9 (1:9.18.16-1ubuntu1) mantic; urgency=medium

  * Merge with Debian unstable (LP: #2018050). Remaining changes:
    - Don't build dnstap as it depends on universe packages:
      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
        protobuf-c-compiler (universe packages)
      + d/dnsutils.install: don't install dnstap
      + d/rules: don't build dnstap nor install dnstap.proto
    - Add back apport:
      + d/bind9.apport: add back old bind9 apport hook, but without calling
        attach_conffiles() since that is already done by apport itself, with
        confirmation from the user.
      + d/control, d/rules: build-depends on dh-apport and use it
    - d/control: remove optional libjemalloc-dev Build-Depends as it is not in
      main.
    - d/NEWS: mention relevant packaging changes
    - Improve dep-8 test suite (LP #2003584):
      + d/t/zonetest: Add dep8 test for checking the domain zone creation
        process
      + d/t/control: Add new test outline
  * Added Changes:
    - d/po/de.po: Fix German UTF-8 encoding
    - d/copyright: Fix lintian warnings
      + Remove the entry for lib/isc/hp.c lib/isc/include/isc/hp.h as they were
        deleted in 9.18.2
      + Remove the entry for lib/isc/include/pkcs11/pkcs11.h as it is no longer
        bundled as of 9.17.19
      + Update the location of random_test.c and add info about its public
        domain section
      + Add wildcards to folders as needed
      + Note that m4/ uses the FSFAP license
    - d/control: Remove lsb-base dependency as it is no longer needed
      + See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019851

 -- Lena Voytek <email address hidden>  Mon, 26 Jun 2023 14:25:50 -0700
Superseded in mantic-proposed
bind9 (1:9.18.12-1ubuntu2) mantic; urgency=medium

  * SECURITY UPDATE: Configured cache size limit can be significantly
    exceeded
    - debian/patches/CVE-2023-2828.patch: fix cache expiry in
      lib/dns/rbtdb.c.
    - CVE-2023-2828
  * SECURITY UPDATE: Exceeding the recursive-clients quota may cause named
    to terminate unexpectedly when stale-answer-client-timeout is set to 0
    - debian/patches/CVE-2023-2911.patch: fix refreshing queries in
      lib/ns/query.c.
    - CVE-2023-2911

 -- Marc Deslauriers <email address hidden>  Tue, 20 Jun 2023 08:24:50 -0400
Obsolete in kinetic-updates
Obsolete in kinetic-security
bind9 (1:9.18.12-0ubuntu0.22.10.2) kinetic-security; urgency=medium

  * SECURITY UPDATE: Configured cache size limit can be significantly
    exceeded
    - debian/patches/CVE-2023-2828.patch: fix cache expiry in
      lib/dns/rbtdb.c.
    - CVE-2023-2828
  * SECURITY UPDATE: Exceeding the recursive-clients quota may cause named
    to terminate unexpectedly when stale-answer-client-timeout is set to 0
    - debian/patches/CVE-2023-2911.patch: fix refreshing queries in
      lib/ns/query.c.
    - CVE-2023-2911

 -- Marc Deslauriers <email address hidden>  Tue, 20 Jun 2023 08:28:59 -0400
Superseded in jammy-updates
Superseded in jammy-security
bind9 (1:9.18.12-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Configured cache size limit can be significantly
    exceeded
    - debian/patches/CVE-2023-2828.patch: fix cache expiry in
      lib/dns/rbtdb.c.
    - CVE-2023-2828
  * SECURITY UPDATE: Exceeding the recursive-clients quota may cause named
    to terminate unexpectedly when stale-answer-client-timeout is set to 0
    - debian/patches/CVE-2023-2911.patch: fix refreshing queries in
      lib/ns/query.c.
    - CVE-2023-2911

 -- Marc Deslauriers <email address hidden>  Tue, 20 Jun 2023 08:29:34 -0400
Superseded in lunar-updates
Superseded in lunar-security
bind9 (1:9.18.12-1ubuntu1.1) lunar-security; urgency=medium

  * SECURITY UPDATE: Configured cache size limit can be significantly
    exceeded
    - debian/patches/CVE-2023-2828.patch: fix cache expiry in
      lib/dns/rbtdb.c.
    - CVE-2023-2828
  * SECURITY UPDATE: Exceeding the recursive-clients quota may cause named
    to terminate unexpectedly when stale-answer-client-timeout is set to 0
    - debian/patches/CVE-2023-2911.patch: fix refreshing queries in
      lib/ns/query.c.
    - CVE-2023-2911

 -- Marc Deslauriers <email address hidden>  Tue, 20 Jun 2023 08:24:50 -0400
Superseded in focal-updates
Superseded in focal-security
bind9 (1:9.16.1-0ubuntu2.15) focal-security; urgency=medium

  * SECURITY UPDATE: Configured cache size limit can be significantly
    exceeded
    - debian/patches/CVE-2023-2828.patch: fix cache expiry in
      lib/dns/rbtdb.c.
    - CVE-2023-2828

 -- Marc Deslauriers <email address hidden>  Tue, 20 Jun 2023 08:38:29 -0400
Superseded in jammy-updates
Deleted in jammy-proposed (Reason: moved to -updates)
bind9 (1:9.18.12-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream releases 9.18.2 - 9.18.12 (LP: #2003586)
    - Updates:
      + update-quota option
      + named -V shows supported cryptographic algorithms
      + Catalog Zones schema version 2 support in named
      + DNS error support Stale Answer and Stale NXDOMAIN Answer
      + Remote TLS certificate verification support
      + reusereport option
    - Bug Fixes Include:
      + Fix crash when using dig with +nssearch and +tcp (LP: #1258003)
      + Fix incomplete results using dig with +nssearch (LP: #1970252)
      + Fix loading of preinstalled plugins (LP: #2006972)
      + CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080,
        CVE-2022-38178, CVE-2022-3094, CVE-2022-3736, CVE-2022-3924,
        CVE-2022-1183
      + Fix thread safety in dns_dispatch
      + Fix ADB quota management in resolver
      + Fix Prohibited DNS error on allow-recursion
      + Fix crash when restarting server with active statschannel connection
      + Fix use after free for catalog zone processing
      + Fix leak of dns_keyfileio_t objects
      + Fix nslookup failure to use port option when record type ANY is used
      + Fix crash on dnssec-policy zone with NSEC3 and inline-signing turned on
      + Fix inheritance when setting remote server port
      + Fix assertion error when accessing statistics channel
      + Fix rndc dumpdb -expired for stuck cache
      + Fix check for other name servers after receiving FORMERR
      + Fix deletion of CDS after zone sign
      + Fix dighost query context management
      + Fix dig hanging due to IPv4 mapped IPv6 address
      + See https://bind9.readthedocs.io/en/v9_18_12/notes.html#notes-for-bind-9-18-12
        for additional bug fixes and information
  * Improve dep-8 test suite (LP: #2003584):
    - d/t/zonetest: Add dep8 test for checking the domain zone creation process
    - d/t/control: Add new test outline
  * d/bind9-doc.docs: Stop installing removed file doc/misc/options.active
  * Remove patches for bugs LP #1964400 and LP #1964686 fixed upstream:
    - lp1964400-lp1964686-Fix-an-issue-in-dig-when-retrying-with-the-next-serv
    - lp1964400-lp1964686-When-resending-a-UDP-request-insert-the-query-to-the
    - lp1964400-lp1964686-Add-digdelv-system-test-to-check-timed-out-result-fo
    - lp1964400-lp1964686-After-dig-request-errors-try-to-use-other-servers-wh
    - lp1964400-lp1964686-Add-digdelv-system-test-to-check-that-dig-tries-othe
    - lp1964400-lp1964686-Fix-dig-error-when-trying-the-next-server-after-a-TC
    - lp1964400-lp1964686-Add-various-dig-host-tests-for-TCP-UDP-socket-error-
  * Remove CVE patches fixed upstream:
    - debian/patches/CVE-2022-1183.patch
      [Included in upstream release 9.18.3]
    - debian/patches/CVE-2022-2795.patch
    - debian/patches/CVE-2022-2881.patch
    - debian/patches/CVE-2022-2906.patch
    - debian/patches/CVE-2022-3080.patch
    - debian/patches/CVE-2022-38178.patch
      [Included in upstream release 9.18.7]
    - debian/patches/CVE-2022-3094.patch
    - debian/patches/CVE-2022-3736.patch
    - debian/patches/CVE-2022-3924.patch
      [Included in upstream release 9.18.11]

 -- Lena Voytek <email address hidden>  Wed, 08 Mar 2023 12:08:55 -0700
Superseded in kinetic-updates
Deleted in kinetic-proposed (Reason: moved to -updates)
bind9 (1:9.18.12-0ubuntu0.22.10.1) kinetic; urgency=medium

  * New upstream releases 9.18.5 - 9.18.12 (LP: #2003586)
    - Updates:
      + update-quota option
      + named -V shows supported cryptographic algorithms
    - Bug Fixes Include:
      + Fix crash when using dig with +nssearch and +tcp (LP: #1258003)
      + Fix incomplete results using dig with +nssearch (LP: #1970252)
      + CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080,
        CVE-2022-38178, CVE-2022-3094, CVE-2022-3736, CVE-2022-3924
      + Fix thread safety in dns_dispatch
      + Fix ADB quota management in resolver
      + Fix Prohibited DNS error on allow-recursion
      + Fix crash when restarting server with active statschannel connection
      + Fix use after free for catalog zone processing
      + Fix leak of dns_keyfileio_t objects
      + Fix nslookup failure to use port option when record type ANY is used
      + Fix crash on dnssec-policy zone with NSEC3 and inline-signing turned on
      + Fix inheritance when setting remote server port
      + Fix assertion error when accessing statistics channel
      + Fix rndc dumpdb -expired for stuck cache
      + Fix check for other name servers after receiving FORMERR
      + See https://bind9.readthedocs.io/en/v9_18_12/notes.html#notes-for-bind-9-18-12
        for additional bug fixes and information
  * Improve dep-8 test suite (LP: #2003584):
    - d/t/zonetest: Add dep8 test for checking the domain zone creation process
    - d/t/control: Add new test outline
  * d/bind9-doc.docs: Stop installing removed file doc/misc/options.active
  * d/p/0001-Disable-treat-warnings-as-errors-in-sphinx-build.patch: refresh to
    apply with version 9.18.8
  * Remove CVE patches fixed upstream:
    - debian/patches/CVE-2022-2795.patch
    - debian/patches/CVE-2022-2881.patch
    - debian/patches/CVE-2022-2906.patch
    - debian/patches/CVE-2022-3080.patch
    - debian/patches/CVE-2022-38178.patch
      [Included in upstream release 9.18.7]
    - debian/patches/CVE-2022-3094.patch
    - debian/patches/CVE-2022-3736.patch
    - debian/patches/CVE-2022-3924.patch
      [Included in upstream release 9.18.11]

 -- Lena Voytek <email address hidden>  Wed, 08 Mar 2023 08:49:53 -0700
Superseded in focal-updates
Deleted in focal-proposed (Reason: moved to -updates)
bind9 (1:9.16.1-0ubuntu2.14) focal; urgency=medium

  * d/bind9.named.service: restart the named service on failure.
    (LP: #2006054)

Published in bionic-proposed
bind9 (1:9.11.3+dfsg-1ubuntu1.19) bionic; urgency=medium

  * d/bind9.service: restart the bind9 service on failure.
    (LP: #2006054)

 -- Athos Ribeiro <email address hidden>  Fri, 03 Mar 2023 12:42:18 -0300
Superseded in mantic-release
Published in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
bind9 (1:9.18.12-1ubuntu1) lunar; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - Don't build dnstap as it depends on universe packages:
      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
        protobuf-c-compiler (universe packages)
      + d/dnsutils.install: don't install dnstap
      + d/rules: don't build dnstap nor install dnstap.proto
    - Add back apport:
      + d/bind9.apport: add back old bind9 apport hook, but without calling
        attach_conffiles() since that is already done by apport itself, with
        confirmation from the user.
      + d/control, d/rules: build-depends on dh-apport and use it
    - d/control: remove optional libjemalloc-dev Build-Depends as it is not in
      main.
    - d/NEWS: mention relevant packaging changes
    - Improve dep-8 test suite (LP #2003584):
      + d/t/zonetest: Add dep8 test for checking the domain zone creation process
      + d/t/control: Add new test outline

 -- Lena Voytek <email address hidden>  Wed, 22 Feb 2023 10:10:14 -0700
Superseded in lunar-proposed
bind9 (1:9.18.11-2ubuntu1) lunar; urgency=medium

  * Merge with Debian unstable (LP: #2004172). Remaining changes:
    - Don't build dnstap as it depends on universe packages:
      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
        protobuf-c-compiler (universe packages)
      + d/dnsutils.install: don't install dnstap
      + d/rules: don't build dnstap nor install dnstap.proto
    - Add back apport:
      + d/bind9.apport: add back old bind9 apport hook, but without calling
        attach_conffiles() since that is already done by apport itself, with
        confirmation from the user.
      + d/control, d/rules: build-depends on dh-apport and use it
    - d/control: remove optional libjemalloc-dev Build-Depends as it is not in
      main.
    - d/NEWS: mention relevant packaging changes
    - Improve dep-8 test suite (LP #2003584):
      + d/t/zonetest: Add dep8 test for checking the domain zone creation process
      + d/t/control: Add new test outline
  * Dropped Changes:
    - d/extras/apparmor.d/usr.sbin.named: Allow systemd notify access in
      apparmor for named
      [Fixed in Debian 1:9.18.11-2]

 -- Lena Voytek <email address hidden>  Mon, 30 Jan 2023 08:37:28 -0700
Superseded in focal-proposed
bind9 (1:9.16.1-0ubuntu2.13) focal; urgency=medium

  * d/p/lp1997375-segfault-isc-nm-tcp-send.patch: Fix segfault on
    isc__nm_tcpdns_send by moving the tcpdns processing to another
    thread. (LP: #1997375)

 -- Sergio Durigan Junior <email address hidden>  Thu, 02 Feb 2023 13:38:24 -0500
Superseded in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
bind9 (1:9.18.10-2ubuntu2) lunar; urgency=medium

  * Improve dep-8 test suite (LP: #2003584):
    - d/t/zonetest: Add dep8 test for checking the domain zone creation process
    - d/t/control: Add new test outline

 -- Lena Voytek <email address hidden>  Fri, 27 Jan 2023 09:16:29 -0700
Superseded in jammy-updates
Superseded in jammy-security
bind9 (1:9.18.1-1ubuntu1.3) jammy-security; urgency=medium

  * SECURITY UPDATE: An UPDATE message flood may cause named to exhaust all
    available memory
    - debian/patches/CVE-2022-3094.patch: add counter in
      bin/named/bind9.xsl, bin/named/statschannel.c, doc/arm/reference.rst,
      lib/ns/include/ns/server.h, lib/ns/include/ns/stats.h,
      lib/ns/server.c, lib/ns/update.c.
    - CVE-2022-3094
  * SECURITY UPDATE: named configured to answer from stale cache may
    terminate unexpectedly while processing RRSIG queries
    - debian/patches/CVE-2022-3736.patch: fix logic in lib/ns/query.c.
    - CVE-2022-3736
  * SECURITY UPDATE: named configured to answer from stale cache may
    terminate unexpectedly at recursive-clients soft quota
    - debian/patches/CVE-2022-3924.patch: improve logic in
      lib/dns/resolver.c, lib/ns/query.c.
    - CVE-2022-3924

 -- Marc Deslauriers <email address hidden>  Tue, 24 Jan 2023 08:18:53 -0500
Superseded in focal-updates
Superseded in focal-security
bind9 (1:9.16.1-0ubuntu2.12) focal-security; urgency=medium

  * SECURITY UPDATE: An UPDATE message flood may cause named to exhaust all
    available memory
    - debian/patches/CVE-2022-3094.patch: add counter in
      bin/named/bind9.xsl, bin/named/statschannel.c,
      lib/ns/include/ns/server.h, lib/ns/include/ns/stats.h,
      lib/ns/server.c, lib/ns/update.c.
    - CVE-2022-3094

 -- Marc Deslauriers <email address hidden>  Tue, 24 Jan 2023 08:30:54 -0500
Superseded in kinetic-updates
Superseded in kinetic-security
bind9 (1:9.18.4-2ubuntu2.1) kinetic-security; urgency=medium

  * SECURITY UPDATE: An UPDATE message flood may cause named to exhaust all
    available memory
    - debian/patches/CVE-2022-3094.patch: add counter in
      bin/named/bind9.xsl, bin/named/statschannel.c, doc/arm/reference.rst,
      lib/ns/include/ns/server.h, lib/ns/include/ns/stats.h,
      lib/ns/server.c, lib/ns/update.c.
    - CVE-2022-3094
  * SECURITY UPDATE: named configured to answer from stale cache may
    terminate unexpectedly while processing RRSIG queries
    - debian/patches/CVE-2022-3736.patch: fix logic in lib/ns/query.c.
    - CVE-2022-3736
  * SECURITY UPDATE: named configured to answer from stale cache may
    terminate unexpectedly at recursive-clients soft quota
    - debian/patches/CVE-2022-3924.patch: improve logic in
      lib/dns/resolver.c, lib/ns/query.c.
    - CVE-2022-3924

 -- Marc Deslauriers <email address hidden>  Tue, 24 Jan 2023 08:06:02 -0500
Superseded in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
bind9 (1:9.18.10-2ubuntu1) lunar; urgency=medium

  * Merge with Debian unstable (LP: #1993375). Remaining changes:
    - Don't build dnstap as it depends on universe packages:
      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
        protobuf-c-compiler (universe packages)
      + d/dnsutils.install: don't install dnstap
      + d/rules: don't build dnstap nor install dnstap.proto
    - Add back apport:
      + d/bind9.apport: add back old bind9 apport hook, but without calling
        attach_conffiles() since that is already done by apport itself, with
        confirmation from the user.
      + d/control, d/rules: build-depends on dh-apport and use it
    - d/NEWS: mention relevant packaging changes
    - d/control: remove optional libjemalloc-dev Build-Depends as it is not in
      main.
  * Added Changes:
    - d/extras/apparmor.d/usr.sbin.named: Allow systemd notify access in
      apparmor for named
  * Dropped Changes:
    - fixed upstream:
      + debian/patches/CVE-2022-2795.patch
      + debian/patches/CVE-2022-2881.patch
      + debian/patches/CVE-2022-2906.patch
      + debian/patches/CVE-2022-3080.patch
      + debian/patches/CVE-2022-38178.patch
    - d/bind9.named.service: use systemd Type=forking to signal daemon init.
      + Changed to Type=notify with sd_notify patch in debian

 -- Lena Voytek <email address hidden>  Tue, 10 Jan 2023 15:24:45 -0700
Superseded in lunar-release
Obsolete in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
bind9 (1:9.18.4-2ubuntu2) kinetic; urgency=medium

  * SECURITY UPDATE: Processing large delegations may severely degrade
    resolver performance
    - debian/patches/CVE-2022-2795.patch: add limit to lib/dns/resolver.c.
    - CVE-2022-2795
  * SECURITY UPDATE: Buffer overread in statistics channel code
    - debian/patches/CVE-2022-2881.patch: clear buffer in lib/isc/httpd.c.
    - CVE-2022-2881
  * SECURITY UPDATE: Memory leaks in code handling Diffie-Hellman key
    exchange via TKEY RRs
    - debian/patches/CVE-2022-2906.patch: adjust return code handling in
      lib/dns/openssldh_link.c.
    - CVE-2022-2906
  * SECURITY UPDATE: resolvers configured to answer from cache with zero
    stale-answer-timeout may terminate unexpectedly
    - debian/patches/CVE-2022-3080.patch: refactor stale RRset handling in
      lib/ns/include/ns/query.h, lib/ns/query.c.
    - CVE-2022-3080
  * SECURITY UPDATE: memory leaks in EdDSA DNSSEC verification code
    - debian/patches/CVE-2022-38178.patch: fix return handling in
      lib/dns/openssleddsa_link.c.
    - CVE-2022-38178

 -- Marc Deslauriers <email address hidden>  Wed, 21 Sep 2022 09:18:42 -0400
Superseded in jammy-updates
Superseded in jammy-security
bind9 (1:9.18.1-1ubuntu1.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Processing large delegations may severely degrade
    resolver performance
    - debian/patches/CVE-2022-2795.patch: add limit to lib/dns/resolver.c.
    - CVE-2022-2795
  * SECURITY UPDATE: Buffer overread in statistics channel code
    - debian/patches/CVE-2022-2881.patch: clear buffer in lib/isc/httpd.c.
    - CVE-2022-2881
  * SECURITY UPDATE: Memory leaks in code handling Diffie-Hellman key
    exchange via TKEY RRs
    - debian/patches/CVE-2022-2906.patch: adjust return code handling in
      lib/dns/openssldh_link.c.
    - CVE-2022-2906
  * SECURITY UPDATE: resolvers configured to answer from cache with zero
    stale-answer-timeout may terminate unexpectedly
    - debian/patches/CVE-2022-3080.patch: refactor stale RRset handling in
      lib/ns/include/ns/query.h, lib/ns/query.c.
    - CVE-2022-3080
  * SECURITY UPDATE: memory leaks in EdDSA DNSSEC verification code
    - debian/patches/CVE-2022-38178.patch: fix return handling in
      lib/dns/openssleddsa_link.c.
    - CVE-2022-38178

 -- Marc Deslauriers <email address hidden>  Tue, 20 Sep 2022 07:51:26 -0400
Published in bionic-updates
Published in bionic-security
bind9 (1:9.11.3+dfsg-1ubuntu1.18) bionic-security; urgency=medium

  * SECURITY UPDATE: Processing large delegations may severely degrade
    resolver performance
    - debian/patches/CVE-2022-2795.patch: add limit to lib/dns/resolver.c.
    - CVE-2022-2795
  * SECURITY UPDATE: memory leak in ECDSA DNSSEC verification code
    - debian/patches/CVE-2022-38177.patch: fix return handling in
      lib/dns/opensslecdsa_link.c.
    - CVE-2022-38177
  * SECURITY UPDATE: memory leaks in EdDSA DNSSEC verification code
    - debian/patches/CVE-2022-38178.patch: fix return handling in
      lib/dns/openssleddsa_link.c.
    - CVE-2022-38178

 -- Marc Deslauriers <email address hidden>  Tue, 20 Sep 2022 08:11:06 -0400
Superseded in focal-updates
Superseded in focal-security
bind9 (1:9.16.1-0ubuntu2.11) focal-security; urgency=medium

  * SECURITY UPDATE: Processing large delegations may severely degrade
    resolver performance
    - debian/patches/CVE-2022-2795.patch: add limit to lib/dns/resolver.c.
    - CVE-2022-2795
  * SECURITY UPDATE: memory leak in ECDSA DNSSEC verification code
    - debian/patches/CVE-2022-38177.patch: fix return handling in
      lib/dns/opensslecdsa_link.c.
    - CVE-2022-38177
  * SECURITY UPDATE: memory leaks in EdDSA DNSSEC verification code
    - debian/patches/CVE-2022-38178.patch: fix return handling in
      lib/dns/openssleddsa_link.c.
    - CVE-2022-38178

 -- Marc Deslauriers <email address hidden>  Tue, 20 Sep 2022 08:05:01 -0400
Superseded in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
bind9 (1:9.18.4-2ubuntu1) kinetic; urgency=medium

  * Merge with Debian unstable (LP: #1971250)
    Remaining changes:
    - Don't build dnstap as it depends on universe packages:
      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
        protobuf-c-compiler (universe packages)
      + d/dnsutils.install: don't install dnstap
      + d/libdns1104.symbols: don't include dnstap symbols
      + d/rules: don't build dnstap nor install dnstap.proto
    - Add back apport:
      + d/bind9.apport: add back old bind9 apport hook, but without calling
        attach_conffiles() since that is already done by apport itself, with
        confirmation from the user.
      + d/control, d/rules: build-depends on dh-apport and use it
    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
    - d/bind9.named.service: use systemd Type=forking to signal daemon init.
      This fixes a regression of #900788 where services whose startup depends
      on name resolutions may fail due to bind9 not being ready (LP #1899902).
    - d/control: remove optional libjemalloc-dev Build-Depends as it is not in
      main.
    - d/NEWS: mention some of the relevant changes in 9.18.0 packaging
      or functionality that may affect usability.
  * Dropped changes:
    - d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-that-dig-tries-othe.patch,
      d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-timed-out-result-fo.patch,
      d/p/lp1964400-lp1964686-Add-various-dig-host-tests-for-TCP-UDP-socket-error-.patch,
      d/p/lp1964400-lp1964686-After-dig-request-errors-try-to-use-other-servers-wh.patch,
      d/p/lp1964400-lp1964686-Fix-an-issue-in-dig-when-retrying-with-the-next-serv.patch,
      d/p/lp1964400-lp1964686-Fix-dig-error-when-trying-the-next-server-after-a-TC.patch,
      d/p/lp1964400-lp1964686-When-resending-a-UDP-request-insert-the-query-to-the.patch:
      Fix dig error when trying the next server after a TCP connection
      failure.  This upstream patchset also fixes a crash when using
      the "host" command for numeric lookups (LP #1964400) and an
      infinite hang when passing a non-existent hostname to "host" (LP
      #1964686).
      [ Incorporated by upstream. ]
    - SECURITY UPDATE: Destroying a TLS session early causes assertion
      failure
      + debian/patches/CVE-2022-1183.patch: fix destroying logic in
        lib/isc/netmgr/netmgr-int.h, lib/isc/netmgr/tlsstream.c.
      [ Incorporated by upstream. ]

 -- Sergio Durigan Junior <email address hidden>  Wed, 20 Jul 2022 05:28:13 -0400
Superseded in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
bind9 (1:9.18.1-1ubuntu2) kinetic; urgency=medium

  * SECURITY UPDATE: Destroying a TLS session early causes assertion
    failure
    - debian/patches/CVE-2022-1183.patch: fix destroying logic in
      lib/isc/netmgr/netmgr-int.h, lib/isc/netmgr/tlsstream.c.
    - CVE-2022-1183

 -- Marc Deslauriers <email address hidden>  Tue, 17 May 2022 07:38:24 -0400
Superseded in jammy-updates
Superseded in jammy-security
bind9 (1:9.18.1-1ubuntu1.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Destroying a TLS session early causes assertion
    failure
    - debian/patches/CVE-2022-1183.patch: fix destroying logic in
      lib/isc/netmgr/netmgr-int.h, lib/isc/netmgr/tlsstream.c.
    - CVE-2022-1183

 -- Marc Deslauriers <email address hidden>  Tue, 17 May 2022 07:38:24 -0400
Superseded in kinetic-release
Published in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
bind9 (1:9.18.1-1ubuntu1) jammy; urgency=medium

  * Merge with Debian unstable (LP: #1965981). Remaining changes:
    - Don't build dnstap as it depends on universe packages:
      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
        protobuf-c-compiler (universe packages)
      + d/dnsutils.install: don't install dnstap
      + d/libdns1104.symbols: don't include dnstap symbols
      + d/rules: don't build dnstap nor install dnstap.proto
    - Add back apport:
      + d/bind9.apport: add back old bind9 apport hook, but without calling
        attach_conffiles() since that is already done by apport itself, with
        confirmation from the user.
      + d/control, d/rules: build-depends on dh-apport and use it
    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
    - d/bind9.named.service: use systemd Type=forking to signal daemon init.
      This fixes a regression of #900788 where services whose startup depends
      on name resolutions may fail due to bind9 not being ready (LP #1899902).
    - d/control: remove optional libjemalloc-dev Build-Depends as it is not in
      main.
    - d/NEWS: mention some of the relevant changes in 9.18.0 packaging
      or functionality that may affect usability.
  * Dropped changes:
    - d/p/0003-Remove-spurious-debugging-true.patch: remove development leftover
      debugging flag from nslookup code (LP: #1961556).
      [ Incorporated in 9.18.1. ]
    - SECURITY UPDATE: cache poisoning via bogus NS records
      + debian/patches/CVE-2021-25220.patch: tighten rules for acceptance of
        records into the cache in lib/dns/resolver.c.
      + CVE-2021-25220
      [ Incorporated in 9.18.1. ]
    - SECURITY UPDATE: DoS via specially crafted TCP stream
      + debian/patches/CVE-2022-0396.patch: ensure correct ordering in
        lib/isc/netmgr/netmgr.c.
      + CVE-2022-0396
      [ Incorporated in 9.18.1. ]
    - SECURITY UPDATE: DNAME insist with synth-from-dnssec enabled
      + debian/patches/CVE-2022-0635.patch: fix logic in lib/dns/rbtdb.c.
      + CVE-2022-0635
      [ Incorporated in 9.18.1. ]
    - SECURITY UPDATE: Assertion failure on delayed DS lookup
      + debian/patches/CVE-2022-0667.patch: fix logic in lib/dns/resolver.c.
      + CVE-2022-0667
      [ Incorporated in 9.18.1. ]
  * Added changes:
    - d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-that-dig-tries-othe.patch,
      d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-timed-out-result-fo.patch,
      d/p/lp1964400-lp1964686-Add-various-dig-host-tests-for-TCP-UDP-socket-error-.patch,
      d/p/lp1964400-lp1964686-After-dig-request-errors-try-to-use-other-servers-wh.patch,
      d/p/lp1964400-lp1964686-Fix-an-issue-in-dig-when-retrying-with-the-next-serv.patch,
      d/p/lp1964400-lp1964686-Fix-dig-error-when-trying-the-next-server-after-a-TC.patch,
      d/p/lp1964400-lp1964686-When-resending-a-UDP-request-insert-the-query-to-the.patch:
      Fix dig error when trying the next server after a TCP connection
      failure.  This upstream patchset also fixes a crash when using
      the "host" command for numeric lookups (LP: #1964400) and an
      infinite hang when passing a non-existent hostname to "host" (LP:
      #1964686).

 -- Sergio Durigan Junior <email address hidden>  Wed, 23 Mar 2022 13:48:30 -0400
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
bind9 (1:9.18.0-2ubuntu3) jammy; urgency=medium

  * SECURITY UPDATE: cache poisoning via bogus NS records
    - debian/patches/CVE-2021-25220.patch: tighten rules for acceptance of
      records into the cache in lib/dns/resolver.c.
    - CVE-2021-25220
  * SECURITY UPDATE: DoS via specially crafted TCP stream
    - debian/patches/CVE-2022-0396.patch: ensure correct ordering in
      lib/isc/netmgr/netmgr.c.
    - CVE-2022-0396
  * SECURITY UPDATE: DNAME insist with synth-from-dnssec enabled
    - debian/patches/CVE-2022-0635.patch: fix logic in lib/dns/rbtdb.c.
    - CVE-2022-0635
  * SECURITY UPDATE: Assertion failure on delayed DS lookup
    - debian/patches/CVE-2022-0667.patch: fix logic in lib/dns/resolver.c.
    - CVE-2022-0667

 -- Marc Deslauriers <email address hidden>  Thu, 17 Mar 2022 09:33:36 -0400
Superseded in bionic-updates
Superseded in bionic-security
bind9 (1:9.11.3+dfsg-1ubuntu1.17) bionic-security; urgency=medium

  * SECURITY UPDATE: cache poisoning via bogus NS records
    - debian/patches/CVE-2021-25220.patch: tighten rules for acceptance of
      records into the cache in lib/dns/resolver.c.
    - CVE-2021-25220

 -- Marc Deslauriers <email address hidden>  Tue, 15 Mar 2022 10:14:01 -0400
Superseded in focal-updates
Superseded in focal-security
bind9 (1:9.16.1-0ubuntu2.10) focal-security; urgency=medium

  * SECURITY UPDATE: cache poisoning via bogus NS records
    - debian/patches/CVE-2021-25220.patch: tighten rules for acceptance of
      records into the cache in lib/dns/resolver.c.
    - CVE-2021-25220

 -- Marc Deslauriers <email address hidden>  Tue, 15 Mar 2022 10:11:35 -0400
Obsolete in impish-updates
Obsolete in impish-security
bind9 (1:9.16.15-1ubuntu1.2) impish-security; urgency=medium

  * SECURITY UPDATE: cache poisoning via bogus NS records
    - debian/patches/CVE-2021-25220.patch: tighten rules for acceptance of
      records into the cache in lib/dns/resolver.c.
    - CVE-2021-25220
  * SECURITY UPDATE: DoS via specially crafted TCP stream
    - debian/patches/CVE-2022-0396.patch: ensure correct ordering in
      lib/isc/netmgr/netmgr.c.
    - CVE-2022-0396

 -- Marc Deslauriers <email address hidden>  Tue, 15 Mar 2022 10:02:18 -0400
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
bind9 (1:9.18.0-2ubuntu2) jammy; urgency=medium

  * d/p/0003-Remove-spurious-debugging-true.patch: remove development leftover
    debugging flag from nslookup code (LP: #1961556).

 -- Athos Ribeiro <email address hidden>  Tue, 22 Feb 2022 17:04:03 -0300
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
bind9 (1:9.18.0-2ubuntu1) jammy; urgency=medium

  * Merge with Debian unstable (LP: #1946833). Remaining changes:
    - Don't build dnstap as it depends on universe packages:
      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
        protobuf-c-compiler (universe packages)
      + d/dnsutils.install: don't install dnstap
      + d/libdns1104.symbols: don't include dnstap symbols
      + d/rules: don't build dnstap nor install dnstap.proto
    - Add back apport:
      + d/bind9.apport: add back old bind9 apport hook, but without calling
        attach_conffiles() since that is already done by apport itself, with
        confirmation from the user.
      + d/control, d/rules: build-depends on dh-apport and use it
    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
    - d/bind9.named.service: use systemd Type=forking to signal daemon init.
      This fixes a regression of #900788 where services whose startup depends
      on name resolutions may fail due to bind9 not being ready (LP #1899902).
  * Dropped Changes:
    - SECURITY UPDATE: resolver performance degradation via lame cache abuse
      + debian/patches/CVE-2021-25219.patch: disable lame cache in
        bin/named/config.c, bin/named/server.c, lib/dns/resolver.c.
      + CVE-2021-25219
      [ Fixed in 9.17.19 ]
  * New Changes:
    - d/control: remove optional libjemalloc-dev Build-Depends as it is not in
      main.
    - d/NEWS: mention some of the relevant changes in 9.18.0 packaging
      or functionality that may affect usability.

 -- Athos Ribeiro <email address hidden>  Mon, 14 Feb 2022 17:40:31 -0300
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
bind9 (1:9.16.15-1ubuntu3) jammy; urgency=medium

  * No-change rebuild against openssl3

 -- Simon Chopin <email address hidden>  Wed, 01 Dec 2021 16:06:43 +0000
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
bind9 (1:9.16.15-1ubuntu2) jammy; urgency=medium

  * SECURITY UPDATE: resolver performance degradation via lame cache abuse
    - debian/patches/CVE-2021-25219.patch: disable lame cache in
      bin/named/config.c, bin/named/server.c, lib/dns/resolver.c.
    - CVE-2021-25219

 -- Marc Deslauriers <email address hidden>  Mon, 01 Nov 2021 18:56:43 -0400
Obsolete in hirsute-updates
Obsolete in hirsute-security
bind9 (1:9.16.8-1ubuntu3.3) hirsute-security; urgency=medium

  * SECURITY UPDATE: resolver performance degradation via lame cache abuse
    - debian/patches/CVE-2021-25219.patch: disable lame cache in
      bin/named/config.c, bin/named/server.c, lib/dns/resolver.c.
    - CVE-2021-25219

 -- Marc Deslauriers <email address hidden>  Wed, 27 Oct 2021 06:57:43 -0400
Superseded in bionic-updates
Superseded in bionic-security
bind9 (1:9.11.3+dfsg-1ubuntu1.16) bionic-security; urgency=medium

  * SECURITY UPDATE: resolver performance degradation via lame cache abuse
    - debian/patches/CVE-2021-25219.patch: disable lame cache in
      bin/named/config.c, bin/named/server.c, lib/dns/resolver.c.
    - CVE-2021-25219

 -- Marc Deslauriers <email address hidden>  Wed, 27 Oct 2021 07:02:44 -0400
Superseded in focal-updates
Superseded in focal-security
bind9 (1:9.16.1-0ubuntu2.9) focal-security; urgency=medium

  * SECURITY UPDATE: resolver performance degradation via lame cache abuse
    - debian/patches/CVE-2021-25219.patch: disable lame cache in
      bin/named/config.c, bin/named/server.c, lib/dns/resolver.c.
    - CVE-2021-25219

 -- Marc Deslauriers <email address hidden>  Wed, 27 Oct 2021 07:00:32 -0400
Superseded in impish-updates
Superseded in impish-security
bind9 (1:9.16.15-1ubuntu1.1) impish-security; urgency=medium

  * SECURITY UPDATE: resolver performance degradation via lame cache abuse
    - debian/patches/CVE-2021-25219.patch: disable lame cache in
      bin/named/config.c, bin/named/server.c, lib/dns/resolver.c.
    - CVE-2021-25219

 -- Marc Deslauriers <email address hidden>  Wed, 27 Oct 2021 06:54:36 -0400
Superseded in jammy-release
Obsolete in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
bind9 (1:9.16.15-1ubuntu1) impish; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - Don't build dnstap as it depends on universe packages:
      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
        protobuf-c-compiler (universe packages)
      + d/dnsutils.install: don't install dnstap
      + d/libdns1104.symbols: don't include dnstap symbols
      + d/rules: don't build dnstap nor install dnstap.proto
    - Add back apport:
      + d/bind9.apport: add back old bind9 apport hook, but without calling
        attach_conffiles() since that is already done by apport itself, with
        confirmation from the user.
      + d/control, d/rules: build-depends on dh-apport and use it
    - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
    - d/bind9.named.service: use systemd Type=forking to signal daemon init.
      This fixes a regression of #900788 where services whose startup depends
      on name resolutions may fail due to bind9 not being ready (LP #1899902).
  * Drop changes:
    - d/t/simpletest: drop the internetsociety.org test as it requires
      network egress access that is not available in the Ubuntu autopkgtest
      farm.
      [Fixed in 1:9.16.11-3]
    - SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
      + debian/patches/CVE-2020-8625.patch: properly calculate length in
        lib/dns/spnego.c.
      + CVE-2020-8625
      [Fixed in 1:9.16.12-1]
    - SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
      + debian/patches/CVE-2021-25214.patch: immediately reject the entire
        transfer for certain RR in lib/dns/xfrin.c.
      + CVE-2021-25214
      [Fixed in 1:9.16.15-1]
    - SECURITY UPDATE: assert via answering certain queries for DNAME records
      + debian/patches/CVE-2021-25215.patch: fix assert checks in
        lib/ns/query.c.
      + CVE-2021-25215
      [Fixed in 1:9.16.15-1]
    - SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
      + debian/rules: build with --disable-isc-spnego to disable internal
        SPNEGO and use the one from the kerberos libraries.
      + CVE-2021-25216
      [Fixed in 1:9.16.15-1]

Superseded in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
bind9 (1:9.16.8-1ubuntu3.2) impish; urgency=medium

  * d/bind9.named.service: use systemd Type=forking to signal daemon init. This
    fixes a regression of #900788 where services whose startup depends on name
    resolutions may fail due to bind9 not being ready (LP: #1899902).

 -- Athos Ribeiro <email address hidden>  Fri, 18 Jun 2021 09:24:39 -0300
Superseded in bionic-updates
Superseded in bionic-security
bind9 (1:9.11.3+dfsg-1ubuntu1.15) bionic-security; urgency=medium

  * SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
    - debian/patches/CVE-2021-25214.patch: immediately reject the entire
      transfer for certain RR in lib/dns/xfrin.c.
    - CVE-2021-25214
  * SECURITY UPDATE: assert via answering certain queries for DNAME records
    - debian/patches/CVE-2021-25215.patch: fix assert checks in
      lib/ns/query.c.
    - CVE-2021-25215
  * SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
    - debian/rules: build with --disable-isc-spnego to disable internal
      SPNEGO and use the one from the kerberos libraries.
    - debian/libdns1100.symbols: removed internal SPNEGO symbols.
    - CVE-2021-25216

 -- Marc Deslauriers <email address hidden>  Tue, 27 Apr 2021 07:16:20 -0400
Published in xenial-updates
Published in xenial-security
bind9 (1:9.10.3.dfsg.P4-8ubuntu1.19) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
    - debian/patches/CVE-2021-25214.patch: immediately reject the entire
      transfer for certain RR in lib/dns/xfrin.c.
    - CVE-2021-25214
  * SECURITY UPDATE: assert via answering certain queries for DNAME records
    - debian/patches/CVE-2021-25215.patch: fix assert checks in
      lib/ns/query.c.
    - CVE-2021-25215
  * SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
    - debian/rules: build with --disable-isc-spnego to disable internal
      SPNEGO and use the one from the kerberos libraries.
    - CVE-2021-25216

 -- Marc Deslauriers <email address hidden>  Tue, 27 Apr 2021 07:18:12 -0400
Obsolete in groovy-updates
Obsolete in groovy-security
bind9 (1:9.16.6-3ubuntu1.2) groovy-security; urgency=medium

  * SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
    - debian/patches/CVE-2021-25214.patch: immediately reject the entire
      transfer for certain RR in lib/dns/xfrin.c.
    - CVE-2021-25214
  * SECURITY UPDATE: assert via answering certain queries for DNAME records
    - debian/patches/CVE-2021-25215.patch: fix assert checks in
      lib/ns/query.c.
    - CVE-2021-25215
  * SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
    - debian/rules: build with --disable-isc-spnego to disable internal
      SPNEGO and use the one from the kerberos libraries.
    - CVE-2021-25216

 -- Marc Deslauriers <email address hidden>  Tue, 27 Apr 2021 07:14:19 -0400
Superseded in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
Superseded in hirsute-updates
Superseded in hirsute-security
bind9 (1:9.16.8-1ubuntu3.1) hirsute-security; urgency=medium

  * SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
    - debian/patches/CVE-2021-25214.patch: immediately reject the entire
      transfer for certain RR in lib/dns/xfrin.c.
    - CVE-2021-25214
  * SECURITY UPDATE: assert via answering certain queries for DNAME records
    - debian/patches/CVE-2021-25215.patch: fix assert checks in
      lib/ns/query.c.
    - CVE-2021-25215
  * SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
    - debian/rules: build with --disable-isc-spnego to disable internal
      SPNEGO and use the one from the kerberos libraries.
    - CVE-2021-25216

 -- Marc Deslauriers <email address hidden>  Tue, 27 Apr 2021 07:07:30 -0400
Superseded in focal-updates
Superseded in focal-security
bind9 (1:9.16.1-0ubuntu2.8) focal-security; urgency=medium

  * SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
    - debian/patches/CVE-2021-25214.patch: immediately reject the entire
      transfer for certain RR in lib/dns/xfrin.c.
    - CVE-2021-25214
  * SECURITY UPDATE: assert via answering certain queries for DNAME records
    - debian/patches/CVE-2021-25215.patch: fix assert checks in
      lib/ns/query.c.
    - CVE-2021-25215
  * SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
    - debian/rules: build with --disable-isc-spnego to disable internal
      SPNEGO and use the one from the kerberos libraries.
    - CVE-2021-25216

 -- Marc Deslauriers <email address hidden>  Tue, 27 Apr 2021 07:15:23 -0400
Published in precise-updates
Published in precise-security
bind9 (1:9.8.1.dfsg.P1-4ubuntu0.32) precise-security; urgency=medium

  [ Marc Deslauriers ]
  * SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
    - properly calculate length in lib/dns/spnego.c.
    - CVE-2020-8625

 -- Avital Ostromich <email address hidden>  Tue, 23 Feb 2021 18:56:07 -0500
Superseded in impish-release
Obsolete in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
bind9 (1:9.16.8-1ubuntu3) hirsute; urgency=medium

  * SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
    - debian/patches/CVE-2020-8625.patch: properly calculate length in
      lib/dns/spnego.c.
    - CVE-2020-8625

 -- Marc Deslauriers <email address hidden>  Thu, 25 Feb 2021 07:29:46 -0500
Superseded in hirsute-proposed
bind9 (1:9.16.8-1ubuntu2) hirsute; urgency=medium

  * No-change rebuild to drop the udeb package.

 -- Matthias Klose <email address hidden>  Mon, 22 Feb 2021 10:44:18 +0100
Superseded in focal-updates
Deleted in focal-proposed (Reason: moved to -updates)
bind9 (1:9.16.1-0ubuntu2.7) focal; urgency=medium

  * Fix a race between deactivating socket handle and processing
    async callbacks, which can lead to sockets not being closed
    properly, exhausting TCP connection limits. (LP: #1909950)
    - d/p/lp-1909950-fix-race-between-deactivating-handle-async-callback.patch

 -- Matthew Ruffell <email address hidden>  Thu, 18 Feb 2021 16:28:44 +1300
Superseded in focal-updates
Superseded in focal-security
bind9 (1:9.16.1-0ubuntu2.6) focal-security; urgency=medium

  * SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
    - debian/patches/CVE-2020-8625.patch: properly calculate length in
      lib/dns/spnego.c.
    - CVE-2020-8625
  * This update does _not_ contain the changes from 1:9.16.1-0ubuntu2.5 in
    focal-proposed.

 -- Marc Deslauriers <email address hidden>  Tue, 16 Feb 2021 15:08:33 -0500
Superseded in xenial-updates
Superseded in xenial-security
bind9 (1:9.10.3.dfsg.P4-8ubuntu1.18) xenial-security; urgency=medium

  * SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
    - debian/patches/CVE-2020-8625.patch: properly calculate length in
      lib/dns/spnego.c.
    - CVE-2020-8625

 -- Marc Deslauriers <email address hidden>  Mon, 15 Feb 2021 08:09:41 -0500
Superseded in bionic-updates
Superseded in bionic-security
bind9 (1:9.11.3+dfsg-1ubuntu1.14) bionic-security; urgency=medium

  * SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
    - debian/patches/CVE-2020-8625.patch: properly calculate length in
      lib/dns/spnego.c.
    - CVE-2020-8625

 -- Marc Deslauriers <email address hidden>  Mon, 15 Feb 2021 08:08:25 -0500
Superseded in groovy-updates
Superseded in groovy-security
bind9 (1:9.16.6-3ubuntu1.1) groovy-security; urgency=medium

  * SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
    - debian/patches/CVE-2020-8625.patch: properly calculate length in
      lib/dns/spnego.c.
    - CVE-2020-8625

 -- Marc Deslauriers <email address hidden>  Mon, 15 Feb 2021 08:04:07 -0500
Deleted in focal-proposed (Reason: moved to -updates)
bind9 (1:9.16.1-0ubuntu2.5) focal; urgency=medium

  * Fix a race between deactivating socket handle and processing
    async callbacks, which can lead to sockets not being closed
    properly, exhausting TCP connection limits. (LP: #1909950)
    - d/p/lp-1909950-fix-race-between-deactivating-handle-async-callback.patch

 -- Matthew Ruffell <email address hidden>  Mon, 01 Feb 2021 16:28:44 +1300