Change logs for bind9 source package in Jammy

  • bind9 (1:9.18.24-0ubuntu0.22.04.1) jammy; urgency=medium
    
      * New upstream version 9.18.24 (LP: #2040459)
        - Updates:
          + Mark use of AES as the DNS COOKIE algorithm as deprecated.
          + Mark resolver-nonbackoff-tries and resolver-retry-interval statements
            as deprecated.
          + Update IP addresses for B.ROOT-SERVERS.NET to 170.247.170.2 and
            2801:1b8:10::b.
          + Mark dnssec-must-be-secure option as deprecated.
          + Honor nsupdate -v option for SOA queries by sending both the UPDATE
            request and the initial query over TCP.
          + Reduce memory consumption through dedicated jemalloc memory arenas.
        - Bug fixes:
          + Fix accidental truncation to 32 bit of statistics channel counters.
          + Do not schedule unsigned versions of inline-signed zones containing
            DNSSEC records for resigning.
          + Take local authoritative data into account when looking up stale data
            from the cache.
          + Fix assertion failure when lock-file used at the same time as named -X.
          + Fix lockfile removal issue when starting named 3+ times.
          + Fix validation of If-Modified-Since header in statistics channel for
            its length.
          + Add Content-Length header bounds check to avoid integer overflow.
          + Fix memory leaks from OpenSSL error stack.
          + Fix SERVFAIL responses after introduction of krb5-subdomain-self-rhs
            and ms-subdomain-self-rhs UPDATE policies.
          + Fix accidental disable of stale-refresh-time feature on rndc flush.
          + Fix possible DNS message corruption from partial writes in TLS DNS.
        - See https://bind9.readthedocs.io/en/v9.18.24/notes.html for additional
          information.
      * Remove CVE patches fixed upstream:
        - CVE-2023-3341.patch
        - CVE-2023-4236.patch
        [ Fixed in 9.18.19 ]
        - 0001-CVE-2023-4408.patch
        - 0002-CVE-2023-5517.patch
        - 0003-CVE-2023-5679.patch
        - 0004-CVE-2023-50387-CVE-2023-50868.patch
        [ Fixed in 9.18.24 ]
      * d/p/always-use-standard-library-stdatomic.patch: Maintain use of the
        standard library stdatomic.h.
    
     -- Lena Voytek <email address hidden>  Thu, 11 Apr 2024 14:11:18 -0700
  • bind9 (1:9.18.18-0ubuntu0.22.04.2) jammy-security; urgency=medium
    
      * SECURITY UPDATE: Multiple security issues
        - debian/patches/0001-CVE-2023-4408.patch: Parsing large DNS messages
          may cause excessive CPU load.
        - debian/patches/0002-CVE-2023-5517.patch: Querying RFC 1918 reverse
          zones may cause an assertion failure when nxdomain-redirect is
          enabled.
        - debian/patches/0003-CVE-2023-5679.patch: Enabling both DNS64 and
          serve-stale may cause an assertion failure during recursive
          resolution.
        - debian/patches/0004-CVE-2023-50387-CVE-2023-50868.patch: Extreme CPU
          consumption in DNSSEC validator and Preparing an NSEC3 closest
          encloser proof can exhaust CPU resources.
        - CVE-2023-4408
        - CVE-2023-5517
        - CVE-2023-5679
        - CVE-2023-50387
        - CVE-2023-50868
    
     -- Marc Deslauriers <email address hidden>  Mon, 12 Feb 2024 14:29:56 -0500
  • bind9 (1:9.18.18-0ubuntu0.22.04.1) jammy; urgency=medium
    
      * New upstream release 9.18.18 (LP: #2028413)
        - Updates:
          + Mark a primary server as temporarily unreachable when a TCP connection
            response to an SOA query times out, matching behavior of a refused TCP
            connection.
          + Mark dialup and heartbeat-interval options as deprecated.
          + Retry DNS queries without an EDNS COOKIE when the first response is
            FORMERR with the EDNS COOKIE that was sent originally.
          + Use NS records for the relaxed QNAME minimization mode to reduce the
            number of queries from named.
          + Mark TKEY mode 2 as deprecated.
          + Mark delegation-only and root-delegation-only as deprecated.
          + Run RPZ and catalog zone updates on specialized offload threads to
            reduce blocked query processing time.
        - Bug Fixes:
          + Fix assertion failure from processing already-queued queries while
            server is being reconfigured or cache is being flushed.
          + Fix failure to load zones containing resource records with a TTL value
            larger than 86400 seconds when dnssec-policy is set to insecure.
          + Fix the ability to read HMAC-MD5 key files (LP: #2015176).
          + Fix stability issues with the catalog zone implementation.
          + Fix bind9 getting stuck when listen-on statement for HTTP is removed
            from configuration.
          + Do not return delegation from cache after stale-answer-client-timeout.
          + Fix failure to auto-tune clients-per-query limit in some situations.
          + Fix proper timeouts when using max-transfer-time-in and
            max-transfer-idle-in statements.
          + Bring rndc read timeout back to 60 seconds from 30.
          + Treat libuv returning ISC_R_INVALIDPROTO as a network error.
          + Clean up empty-non-terminal NSEC3 records.
          + Fix log file rotation cleanup for absolute file path destinations.
          + Fix various catalog zone processing crashes.
          + Fix transfer hang when downloading large zones over TLS.
          + Fix named crash when adding a new zone into the configuration file for
            a name which was already configured as member zone for a catalog zone.
          + Delay DNSSEC key queries until all zones have finished loading.
        - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional
          information.
      * d/p/CVE-2023-2828.patch, CVE-2023-2911.patch: Remove - fixed upstream in
        9.18.16.
      * d/p/CVE-2023-3341.patch: Refresh, matching upstream, to apply in 9.18.18.
      * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650)
    
     -- Lena Voytek <email address hidden>  Wed, 20 Sep 2023 15:15:41 -0700
  • bind9 (1:9.18.12-0ubuntu0.22.04.3) jammy-security; urgency=medium
    
      * SECURITY UPDATE: DoS via recursive packet parsing
        - debian/patches/CVE-2023-3341.patch: add a max depth check to
          lib/isc/include/isc/result.h, lib/isc/result.c, lib/isccc/cc.c.
        - CVE-2023-3341
      * SECURITY UPDATE: DoS via DNS-over-TLS queries
        - debian/patches/CVE-2023-4236.patch: check return code in
          lib/isc/netmgr/tlsdns.c.
        - CVE-2023-4236
    
     -- Marc Deslauriers <email address hidden>  Tue, 19 Sep 2023 07:21:46 -0400
  • bind9 (1:9.18.12-0ubuntu0.22.04.2) jammy-security; urgency=medium
    
      * SECURITY UPDATE: Configured cache size limit can be significantly
        exceeded
        - debian/patches/CVE-2023-2828.patch: fix cache expiry in
          lib/dns/rbtdb.c.
        - CVE-2023-2828
      * SECURITY UPDATE: Exceeding the recursive-clients quota may cause named
        to terminate unexpectedly when stale-answer-client-timeout is set to 0
        - debian/patches/CVE-2023-2911.patch: fix refreshing queries in
          lib/ns/query.c.
        - CVE-2023-2911
    
     -- Marc Deslauriers <email address hidden>  Tue, 20 Jun 2023 08:29:34 -0400
  • bind9 (1:9.18.12-0ubuntu0.22.04.1) jammy; urgency=medium
    
      * New upstream releases 9.18.2 - 9.18.12 (LP: #2003586)
        - Updates:
          + update-quota option
          + named -V shows supported cryptographic algorithms
          + Catalog Zones schema version 2 support in named
          + DNS error support Stale Answer and Stale NXDOMAIN Answer
          + Remote TLS certificate verification support
          + reusereport option
        - Bug Fixes Include:
          + Fix crash when using dig with +nssearch and +tcp (LP: #1258003)
          + Fix incomplete results using dig with +nssearch (LP: #1970252)
          + Fix loading of preinstalled plugins (LP: #2006972)
          + CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080,
            CVE-2022-38178, CVE-2022-3094, CVE-2022-3736, CVE-2022-3924,
            CVE-2022-1183
          + Fix thread safety in dns_dispatch
          + Fix ADB quota management in resolver
          + Fix Prohibited DNS error on allow-recursion
          + Fix crash when restarting server with active statschannel connection
          + Fix use after free for catalog zone processing
          + Fix leak of dns_keyfileio_t objects
          + Fix nslookup failure to use port option when record type ANY is used
          + Fix crash on dnssec-policy zone with NSEC3 and inline-signing turned on
          + Fix inheritance when setting remote server port
          + Fix assertion error when accessing statistics channel
          + Fix rndc dumpdb -expired for stuck cache
          + Fix check for other name servers after receiving FORMERR
          + Fix deletion of CDS after zone sign
          + Fix dighost query context management
          + Fix dig hanging due to IPv4 mapped IPv6 address
          + See https://bind9.readthedocs.io/en/v9_18_12/notes.html#notes-for-bind-9-18-12
            for additional bug fixes and information
      * Improve dep-8 test suite (LP: #2003584):
        - d/t/zonetest: Add dep8 test for checking the domain zone creation process
        - d/t/control: Add new test outline
      * d/bind9-doc.docs: Stop installing removed file doc/misc/options.active
      * Remove patches for bugs LP #1964400 and LP #1964686 fixed upstream:
        - lp1964400-lp1964686-Fix-an-issue-in-dig-when-retrying-with-the-next-serv
        - lp1964400-lp1964686-When-resending-a-UDP-request-insert-the-query-to-the
        - lp1964400-lp1964686-Add-digdelv-system-test-to-check-timed-out-result-fo
        - lp1964400-lp1964686-After-dig-request-errors-try-to-use-other-servers-wh
        - lp1964400-lp1964686-Add-digdelv-system-test-to-check-that-dig-tries-othe
        - lp1964400-lp1964686-Fix-dig-error-when-trying-the-next-server-after-a-TC
        - lp1964400-lp1964686-Add-various-dig-host-tests-for-TCP-UDP-socket-error-
      * Remove CVE patches fixed upstream:
        - debian/patches/CVE-2022-1183.patch
          [Included in upstream release 9.18.3]
        - debian/patches/CVE-2022-2795.patch
        - debian/patches/CVE-2022-2881.patch
        - debian/patches/CVE-2022-2906.patch
        - debian/patches/CVE-2022-3080.patch
        - debian/patches/CVE-2022-38178.patch
          [Included in upstream release 9.18.7]
        - debian/patches/CVE-2022-3094.patch
        - debian/patches/CVE-2022-3736.patch
        - debian/patches/CVE-2022-3924.patch
          [Included in upstream release 9.18.11]
    
     -- Lena Voytek <email address hidden>  Wed, 08 Mar 2023 12:08:55 -0700
  • bind9 (1:9.18.1-1ubuntu1.3) jammy-security; urgency=medium
    
      * SECURITY UPDATE: An UPDATE message flood may cause named to exhaust all
        available memory
        - debian/patches/CVE-2022-3094.patch: add counter in
          bin/named/bind9.xsl, bin/named/statschannel.c, doc/arm/reference.rst,
          lib/ns/include/ns/server.h, lib/ns/include/ns/stats.h,
          lib/ns/server.c, lib/ns/update.c.
        - CVE-2022-3094
      * SECURITY UPDATE: named configured to answer from stale cache may
        terminate unexpectedly while processing RRSIG queries
        - debian/patches/CVE-2022-3736.patch: fix logic in lib/ns/query.c.
        - CVE-2022-3736
      * SECURITY UPDATE: named configured to answer from stale cache may
        terminate unexpectedly at recursive-clients soft quota
        - debian/patches/CVE-2022-3924.patch: improve logic in
          lib/dns/resolver.c, lib/ns/query.c.
        - CVE-2022-3924
    
     -- Marc Deslauriers <email address hidden>  Tue, 24 Jan 2023 08:18:53 -0500
  • bind9 (1:9.18.1-1ubuntu1.2) jammy-security; urgency=medium
    
      * SECURITY UPDATE: Processing large delegations may severely degrade
        resolver performance
        - debian/patches/CVE-2022-2795.patch: add limit to lib/dns/resolver.c.
        - CVE-2022-2795
      * SECURITY UPDATE: Buffer overread in statistics channel code
        - debian/patches/CVE-2022-2881.patch: clear buffer in lib/isc/httpd.c.
        - CVE-2022-2881
      * SECURITY UPDATE: Memory leaks in code handling Diffie-Hellman key
        exchange via TKEY RRs
        - debian/patches/CVE-2022-2906.patch: adjust return code handling in
          lib/dns/openssldh_link.c.
        - CVE-2022-2906
      * SECURITY UPDATE: resolvers configured to answer from cache with zero
        stale-answer-timeout may terminate unexpectedly
        - debian/patches/CVE-2022-3080.patch: refactor stale RRset handling in
          lib/ns/include/ns/query.h, lib/ns/query.c.
        - CVE-2022-3080
      * SECURITY UPDATE: memory leaks in EdDSA DNSSEC verification code
        - debian/patches/CVE-2022-38178.patch: fix return handling in
          lib/dns/openssleddsa_link.c.
        - CVE-2022-38178
    
     -- Marc Deslauriers <email address hidden>  Tue, 20 Sep 2022 07:51:26 -0400
  • bind9 (1:9.18.1-1ubuntu1.1) jammy-security; urgency=medium
    
      * SECURITY UPDATE: Destroying a TLS session early causes assertion
        failure
        - debian/patches/CVE-2022-1183.patch: fix destroying logic in
          lib/isc/netmgr/netmgr-int.h, lib/isc/netmgr/tlsstream.c.
        - CVE-2022-1183
    
     -- Marc Deslauriers <email address hidden>  Tue, 17 May 2022 07:38:24 -0400
  • bind9 (1:9.18.1-1ubuntu1) jammy; urgency=medium
    
      * Merge with Debian unstable (LP: #1965981). Remaining changes:
        - Don't build dnstap as it depends on universe packages:
          + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
            protobuf-c-compiler (universe packages)
          + d/dnsutils.install: don't install dnstap
          + d/libdns1104.symbols: don't include dnstap symbols
          + d/rules: don't build dnstap nor install dnstap.proto
        - Add back apport:
          + d/bind9.apport: add back old bind9 apport hook, but without calling
            attach_conffiles() since that is already done by apport itself, with
            confirmation from the user.
          + d/control, d/rules: build-depends on dh-apport and use it
        - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
        - d/bind9.named.service: use systemd Type=forking to signal daemon init.
          This fixes a regression of #900788 where services whose startup depend
          on name resolutions may fail due to bind9 not being ready (LP #1899902).
        - d/control: remove optional libjemalloc-dev Build-Depends as it is not in
          main.
        - d/NEWS: mention some of the relevant changes in 9.18.0 packaging
          or functionality that may affect usability.
      * Dropped changes:
        - d/p/0003-Remove-spurious-debugging-true.patch: remove development leftover
          debugging flag from nslookup code (LP: #1961556).
          [ Incorporated in 9.18.1. ]
        - SECURITY UPDATE: cache poisoning via bogus NS records
          + debian/patches/CVE-2021-25220.patch: tighten rules for acceptance of
            records into the cache in lib/dns/resolver.c.
          + CVE-2021-25220
          [ Incorporated in 9.18.1. ]
        - SECURITY UPDATE: DoS via specially crafted TCP stream
          + debian/patches/CVE-2022-0396.patch: ensure correct ordering in
            lib/isc/netmgr/netmgr.c.
          + CVE-2022-0396
          [ Incorporated in 9.18.1. ]
        - SECURITY UPDATE: DNAME insist with synth-from-dnssec enabled
          + debian/patches/CVE-2022-0635.patch: fix logic in lib/dns/rbtdb.c.
          + CVE-2022-0635
          [ Incorporated in 9.18.1. ]
        - SECURITY UPDATE: Assertion failure on delayed DS lookup
          + debian/patches/CVE-2022-0667.patch: fix logic in lib/dns/resolver.c.
          + CVE-2022-0667
          [ Incorporated in 9.18.1. ]
      * Added changes:
        - d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-that-dig-tries-othe.patch,
          d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-timed-out-result-fo.patch,
          d/p/lp1964400-lp1964686-Add-various-dig-host-tests-for-TCP-UDP-socket-error-.patch,
          d/p/lp1964400-lp1964686-After-dig-request-errors-try-to-use-other-servers-wh.patch,
          d/p/lp1964400-lp1964686-Fix-an-issue-in-dig-when-retrying-with-the-next-serv.patch,
          d/p/lp1964400-lp1964686-Fix-dig-error-when-trying-the-next-server-after-a-TC.patch,
          d/p/lp1964400-lp1964686-When-resending-a-UDP-request-insert-the-query-to-the.patch:
          Fix dig error when trying the next server after a TCP connection
          failure.  This upstream patchset also fixes a crash when using
          the "host" command for numeric lookups (LP: #1964400) and an
          infinite hang when passing a non-existent hostname to "host" (LP:
          #1964686).
    
     -- Sergio Durigan Junior <email address hidden>  Wed, 23 Mar 2022 13:48:30 -0400
  • bind9 (1:9.18.0-2ubuntu3) jammy; urgency=medium
    
      * SECURITY UPDATE: cache poisoning via bogus NS records
        - debian/patches/CVE-2021-25220.patch: tighten rules for acceptance of
          records into the cache in lib/dns/resolver.c.
        - CVE-2021-25220
      * SECURITY UPDATE: DoS via specially crafted TCP stream
        - debian/patches/CVE-2022-0396.patch: ensure correct ordering in
          lib/isc/netmgr/netmgr.c.
        - CVE-2022-0396
      * SECURITY UPDATE: DNAME insist with synth-from-dnssec enabled
        - debian/patches/CVE-2022-0635.patch: fix logic in lib/dns/rbtdb.c.
        - CVE-2022-0635
      * SECURITY UPDATE: Assertion failure on delayed DS lookup
        - debian/patches/CVE-2022-0667.patch: fix logic in lib/dns/resolver.c.
        - CVE-2022-0667
    
     -- Marc Deslauriers <email address hidden>  Thu, 17 Mar 2022 09:33:36 -0400
  • bind9 (1:9.18.0-2ubuntu2) jammy; urgency=medium
    
      * d/p/0003-Remove-spurious-debugging-true.patch: remove development leftover
        debugging flag from nslookup code (LP: #1961556).
    
     -- Athos Ribeiro <email address hidden>  Tue, 22 Feb 2022 17:04:03 -0300
  • bind9 (1:9.18.0-2ubuntu1) jammy; urgency=medium
    
      * Merge with Debian unstable (LP: #1946833). Remaining changes:
        - Don't build dnstap as it depends on universe packages:
          + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
            protobuf-c-compiler (universe packages)
          + d/dnsutils.install: don't install dnstap
          + d/libdns1104.symbols: don't include dnstap symbols
          + d/rules: don't build dnstap nor install dnstap.proto
        - Add back apport:
          + d/bind9.apport: add back old bind9 apport hook, but without calling
            attach_conffiles() since that is already done by apport itself, with
            confirmation from the user.
          + d/control, d/rules: build-depends on dh-apport and use it
        - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
        - d/bind9.named.service: use systemd Type=forking to signal daemon init.
          This fixes a regression of #900788 where services whose startup depend
          on name resolutions may fail due to bind9 not being ready (LP #1899902).
      * Dropped Changes:
        - SECURITY UPDATE: resolver performance degradation via lame cache abuse
          + debian/patches/CVE-2021-25219.patch: disable lame cache in
            bin/named/config.c, bin/named/server.c, lib/dns/resolver.c.
          + CVE-2021-25219
          [ Fixed in 9.17.19 ]
      * New Changes:
        - d/control: remove optional libjemalloc-dev Build-Depends as it is not in
          main.
        - d/NEWS: mention some of the relevant changes in 9.18.0 packaging
          or functionality that may affect usability.
    
     -- Athos Ribeiro <email address hidden>  Mon, 14 Feb 2022 17:40:31 -0300
  • bind9 (1:9.16.15-1ubuntu3) jammy; urgency=medium
    
      * No-change rebuild against openssl3
    
     -- Simon Chopin <email address hidden>  Wed, 01 Dec 2021 16:06:43 +0000
  • bind9 (1:9.16.15-1ubuntu2) jammy; urgency=medium
    
      * SECURITY UPDATE: resolver performance degradation via lame cache abuse
        - debian/patches/CVE-2021-25219.patch: disable lame cache in
          bin/named/config.c, bin/named/server.c, lib/dns/resolver.c.
        - CVE-2021-25219
    
     -- Marc Deslauriers <email address hidden>  Mon, 01 Nov 2021 18:56:43 -0400
  • bind9 (1:9.16.15-1ubuntu1) impish; urgency=medium
    
      * Merge with Debian unstable. Remaining changes:
        - Don't build dnstap as it depends on universe packages:
          + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
            protobuf-c-compiler (universe packages)
          + d/dnsutils.install: don't install dnstap
          + d/libdns1104.symbols: don't include dnstap symbols
          + d/rules: don't build dnstap nor install dnstap.proto
        - Add back apport:
          + d/bind9.apport: add back old bind9 apport hook, but without calling
            attach_conffiles() since that is already done by apport itself, with
            confirmation from the user.
          + d/control, d/rules: build-depends on dh-apport and use it
        - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
        - d/bind9.named.service: use systemd Type=forking to signal daemon init.
          This fixes a regression of #900788 where services whose startup depend
          on name resolutions may fail due to bind9 not being ready (LP #1899902).
      * Drop changes:
        - d/t/simpletest: drop the internetsociety.org test as it requires
          network egress access that is not available in the Ubuntu autopkgtest
          farm.
          [Fixed in 1:9.16.11-3]
        - SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
          + debian/patches/CVE-2020-8625.patch: properly calculate length in
            lib/dns/spnego.c.
          + CVE-2020-8625
          [Fixed in 1:9.16.12-1]
        - SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
          + debian/patches/CVE-2021-25214.patch: immediately reject the entire
            transfer for certain RR in lib/dns/xfrin.c.
          + CVE-2021-25214
          [Fixed in 1:9.16.15-1]
        - SECURITY UPDATE: assert via answering certain queries for DNAME records
          + debian/patches/CVE-2021-25215.patch: fix assert checks in
            lib/ns/query.c.
          + CVE-2021-25215
          [Fixed in 1:9.16.15-1]
        - SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
          + debian/rules: build with --disable-isc-spnego to disable internal
            SPNEGO and use the one from the kerberos libraries.
          + CVE-2021-25216
          [Fixed in 1:9.16.15-1]
    
    bind9 (1:9.16.15-1) unstable; urgency=high
    
      * New upstream version 9.16.15 (Closes: #987741, #987742, #987743)
       + CVE-2021-25214: A malformed incoming IXFR transfer could trigger an
         assertion failure in ``named``, causing it to quit abnormally.
       + CVE-2021-25215: ``named`` crashed when a DNAME record placed in the
         ANSWER section during DNAME chasing turned out to be the final
         answer to a client query.
       + CVE-2021-25216: When a server's configuration set the
        ``tkey-gssapi-keytab`` or ``tkey-gssapi-credential`` option, a
        specially crafted GSS-TSIG query could cause a buffer overflow in
        the ISC implementation of SPNEGO (a protocol enabling negotiation of
        the security mechanism used for GSSAPI authentication).
      * Add patches to implement I-D draft-hardaker-dnsop-nsec3-guidance
    
    bind9 (1:9.16.13-1) unstable; urgency=medium
    
      * New upstream version 9.16.13
      * Add upstream patches to fix TCP timeouts firing too early
    
    bind9 (1:9.16.12-3) unstable; urgency=medium
    
      * Add most important patches from upcoming 9.16.13 release
    
    bind9 (1:9.16.12-2) unstable; urgency=medium
    
      * Add patch to fix sphinx-build failure on Ubuntu Xenial
    
    bind9 (1:9.16.12-1) unstable; urgency=high
    
      * New upstream version 9.16.12
       + [CVE-2020-8625]: Fix off-by-one bug in ISC SPNEGO implementation.
         (Closes: #983004)
      * Adjust the bind9-libs and bind9-dev packages for new upstream library
        names
    
    bind9 (1:9.16.11-3) unstable; urgency=medium
    
      * Split the simple validation test to separate file and mark it as flaky
        (Closes: #976045)
    
    bind9 (1:9.16.11-2) unstable; urgency=medium
    
      * Cherry-pick upstream commit to fix segfault with named ACLs used in
        allow-update (Closes: #980786)
    
    bind9 (1:9.16.11-1) unstable; urgency=medium
    
      * Add the ISC code-signing key for 2021-2022
      * New upstream version 9.16.11
    
    bind9 (1:9.16.10-1) unstable; urgency=medium
    
      * New upstream version 9.16.10
    
    bind9 (1:9.16.9-1) unstable; urgency=medium
    
      * New upstream version 9.16.9
    
     -- Athos Ribeiro <email address hidden>  Mon, 12 Jul 2021 20:26:40 -0300