Change logs for bind9 source package in Kinetic

  • bind9 (1:9.18.12-0ubuntu0.22.10.2) kinetic-security; urgency=medium
    
      * SECURITY UPDATE: Configured cache size limit can be significantly
        exceeded
        - debian/patches/CVE-2023-2828.patch: fix cache expiry in
          lib/dns/rbtdb.c.
        - CVE-2023-2828
      * SECURITY UPDATE: Exceeding the recursive-clients quota may cause named
        to terminate unexpectedly when stale-answer-client-timeout is set to 0
        - debian/patches/CVE-2023-2911.patch: fix refreshing queries in
          lib/ns/query.c.
        - CVE-2023-2911
    
     -- Marc Deslauriers <email address hidden>  Tue, 20 Jun 2023 08:28:59 -0400
  • bind9 (1:9.18.12-0ubuntu0.22.10.1) kinetic; urgency=medium
    
      * New upstream releases 9.18.5 - 9.18.12 (LP: #2003586)
        - Updates:
          + update-quota option
          + named -V shows supported cryptographic algorithms
        - Bug Fixes Include:
          + Fix crash when using dig with +nssearch and +tcp (LP: #1258003)
          + Fix incomplete results using dig with +nssearch (LP: #1970252)
          + CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080,
            CVE-2022-38178, CVE-2022-3094, CVE-2022-3736, CVE-2022-3924
          + Fix thread safety in dns_dispatch
          + Fix ADB quota management in resolver
          + Fix Prohibited DNS error on allow-recursion
          + Fix crash when restarting server with active statschannel connection
          + Fix use after free for catalog zone processing
          + Fix leak of dns_keyfileio_t objects
          + Fix nslookup failure to use port option when record type ANY is used
          + Fix crash on dnssec-policy zone with NSEC3 and inline-signing turned on
          + Fix inheritance when setting remote server port
          + Fix assertion error when accessing statistics channel
          + Fix rndc dumpdb -expired for stuck cache
          + Fix check for other name servers after receiving FORMERR
          + See https://bind9.readthedocs.io/en/v9_18_12/notes.html#notes-for-bind-9-18-12
            for additional bug fixes and information
      * Improve dep-8 test suite (LP: #2003584):
        - d/t/zonetest: Add dep8 test for checking the domain zone creation process
        - d/t/control: Add new test outline
      * d/bind9-doc.docs: Stop installing removed file doc/misc/options.active
      * d/p/0001-Disable-treat-warnings-as-errors-in-sphinx-build.patch: refresh to
        apply with version 9.18.8
      * Remove CVE patches fixed upstream:
        - debian/patches/CVE-2022-2795.patch
        - debian/patches/CVE-2022-2881.patch
        - debian/patches/CVE-2022-2906.patch
        - debian/patches/CVE-2022-3080.patch
        - debian/patches/CVE-2022-38178.patch
          [Included in upstream release 9.18.7]
        - debian/patches/CVE-2022-3094.patch
        - debian/patches/CVE-2022-3736.patch
        - debian/patches/CVE-2022-3924.patch
          [Included in upstream release 9.18.11]
    
     -- Lena Voytek <email address hidden>  Wed, 08 Mar 2023 08:49:53 -0700
  • bind9 (1:9.18.4-2ubuntu2.1) kinetic-security; urgency=medium
    
      * SECURITY UPDATE: An UPDATE message flood may cause named to exhaust all
        available memory
        - debian/patches/CVE-2022-3094.patch: add counter in
          bin/named/bind9.xsl, bin/named/statschannel.c, doc/arm/reference.rst,
          lib/ns/include/ns/server.h, lib/ns/include/ns/stats.h,
          lib/ns/server.c, lib/ns/update.c.
        - CVE-2022-3094
      * SECURITY UPDATE: named configured to answer from stale cache may
        terminate unexpectedly while processing RRSIG queries
        - debian/patches/CVE-2022-3736.patch: fix logic in lib/ns/query.c.
        - CVE-2022-3736
      * SECURITY UPDATE: named configured to answer from stale cache may
        terminate unexpectedly at recursive-clients soft quota
        - debian/patches/CVE-2022-3924.patch: improve logic in
          lib/dns/resolver.c, lib/ns/query.c.
        - CVE-2022-3924
    
     -- Marc Deslauriers <email address hidden>  Tue, 24 Jan 2023 08:06:02 -0500
  • bind9 (1:9.18.4-2ubuntu2) kinetic; urgency=medium
    
      * SECURITY UPDATE: Processing large delegations may severely degrade
        resolver performance
        - debian/patches/CVE-2022-2795.patch: add limit to lib/dns/resolver.c.
        - CVE-2022-2795
      * SECURITY UPDATE: Buffer overread in statistics channel code
        - debian/patches/CVE-2022-2881.patch: clear buffer in lib/isc/httpd.c.
        - CVE-2022-2881
      * SECURITY UPDATE: Memory leaks in code handling Diffie-Hellman key
        exchange via TKEY RRs
        - debian/patches/CVE-2022-2906.patch: adjust return code handling in
          lib/dns/openssldh_link.c.
        - CVE-2022-2906
      * SECURITY UPDATE: resolvers configured to answer from cache with zero
        stale-answer-timeout may terminate unexpectedly
        - debian/patches/CVE-2022-3080.patch: refactor stale RRset handling in
          lib/ns/include/ns/query.h, lib/ns/query.c.
        - CVE-2022-3080
      * SECURITY UPDATE: memory leaks in EdDSA DNSSEC verification code
        - debian/patches/CVE-2022-38178.patch: fix return handling in
          lib/dns/openssleddsa_link.c.
        - CVE-2022-38178
    
     -- Marc Deslauriers <email address hidden>  Wed, 21 Sep 2022 09:18:42 -0400
  • bind9 (1:9.18.4-2ubuntu1) kinetic; urgency=medium
    
      * Merge with Debian unstable (LP: #1971250)
        Remaining changes:
        - Don't build dnstap as it depends on universe packages:
          + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
            protobuf-c-compiler (universe packages)
          + d/dnsutils.install: don't install dnstap
          + d/libdns1104.symbols: don't include dnstap symbols
          + d/rules: don't build dnstap nor install dnstap.proto
        - Add back apport:
          + d/bind9.apport: add back old bind9 apport hook, but without calling
            attach_conffiles() since that is already done by apport itself, with
            confirmation from the user.
          + d/control, d/rules: build-depends on dh-apport and use it
        - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
    - d/bind9.named.service: use systemd Type=forking to signal daemon init.
      This fixes a regression of #900788 where services whose startup depends
      on name resolution may fail due to bind9 not being ready (LP: #1899902).
        - d/control: remove optional libjemalloc-dev Build-Depends as it is not in
          main.
        - d/NEWS: mention some of the relevant changes in 9.18.0 packaging
          or functionality that may affect usability.
      * Dropped changes:
        - d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-that-dig-tries-othe.patch,
          d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-timed-out-result-fo.patch,
          d/p/lp1964400-lp1964686-Add-various-dig-host-tests-for-TCP-UDP-socket-error-.patch,
          d/p/lp1964400-lp1964686-After-dig-request-errors-try-to-use-other-servers-wh.patch,
          d/p/lp1964400-lp1964686-Fix-an-issue-in-dig-when-retrying-with-the-next-serv.patch,
          d/p/lp1964400-lp1964686-Fix-dig-error-when-trying-the-next-server-after-a-TC.patch,
          d/p/lp1964400-lp1964686-When-resending-a-UDP-request-insert-the-query-to-the.patch:
      Fix dig error when trying the next server after a TCP connection
      failure.  This upstream patchset also fixes a crash when using
      the "host" command for numeric lookups (LP: #1964400) and an
      infinite hang when passing a non-existent hostname to "host" (LP:
      #1964686).
          [ Incorporated by upstream. ]
        - SECURITY UPDATE: Destroying a TLS session early causes assertion
          failure
          + debian/patches/CVE-2022-1183.patch: fix destroying logic in
            lib/isc/netmgr/netmgr-int.h, lib/isc/netmgr/tlsstream.c.
          [ Incorporated by upstream. ]
    
     -- Sergio Durigan Junior <email address hidden>  Wed, 20 Jul 2022 05:28:13 -0400
  • bind9 (1:9.18.1-1ubuntu2) kinetic; urgency=medium
    
      * SECURITY UPDATE: Destroying a TLS session early causes assertion
        failure
        - debian/patches/CVE-2022-1183.patch: fix destroying logic in
          lib/isc/netmgr/netmgr-int.h, lib/isc/netmgr/tlsstream.c.
        - CVE-2022-1183
    
     -- Marc Deslauriers <email address hidden>  Tue, 17 May 2022 07:38:24 -0400
  • bind9 (1:9.18.1-1ubuntu1) jammy; urgency=medium
    
      * Merge with Debian unstable (LP: #1965981). Remaining changes:
        - Don't build dnstap as it depends on universe packages:
          + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
            protobuf-c-compiler (universe packages)
          + d/dnsutils.install: don't install dnstap
          + d/libdns1104.symbols: don't include dnstap symbols
          + d/rules: don't build dnstap nor install dnstap.proto
        - Add back apport:
          + d/bind9.apport: add back old bind9 apport hook, but without calling
            attach_conffiles() since that is already done by apport itself, with
            confirmation from the user.
          + d/control, d/rules: build-depends on dh-apport and use it
        - d/NEWS: mention some of the bigger changes in 9.16.0 packaging
    - d/bind9.named.service: use systemd Type=forking to signal daemon init.
      This fixes a regression of #900788 where services whose startup depends
      on name resolution may fail due to bind9 not being ready (LP: #1899902).
        - d/control: remove optional libjemalloc-dev Build-Depends as it is not in
          main.
        - d/NEWS: mention some of the relevant changes in 9.18.0 packaging
          or functionality that may affect usability.
      * Dropped changes:
        - d/p/0003-Remove-spurious-debugging-true.patch: remove development leftover
          debugging flag from nslookup code (LP: #1961556).
          [ Incorporated in 9.18.1. ]
        - SECURITY UPDATE: cache poisoning via bogus NS records
          + debian/patches/CVE-2021-25220.patch: tighten rules for acceptance of
            records into the cache in lib/dns/resolver.c.
          + CVE-2021-25220
          [ Incorporated in 9.18.1. ]
        - SECURITY UPDATE: DoS via specially crafted TCP stream
          + debian/patches/CVE-2022-0396.patch: ensure correct ordering in
            lib/isc/netmgr/netmgr.c.
          + CVE-2022-0396
          [ Incorporated in 9.18.1. ]
        - SECURITY UPDATE: DNAME insist with synth-from-dnssec enabled
          + debian/patches/CVE-2022-0635.patch: fix logic in lib/dns/rbtdb.c.
          + CVE-2022-0635
          [ Incorporated in 9.18.1. ]
        - SECURITY UPDATE: Assertion failure on delayed DS lookup
          + debian/patches/CVE-2022-0667.patch: fix logic in lib/dns/resolver.c.
          + CVE-2022-0667
          [ Incorporated in 9.18.1. ]
      * Added changes:
        - d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-that-dig-tries-othe.patch,
          d/p/lp1964400-lp1964686-Add-digdelv-system-test-to-check-timed-out-result-fo.patch,
          d/p/lp1964400-lp1964686-Add-various-dig-host-tests-for-TCP-UDP-socket-error-.patch,
          d/p/lp1964400-lp1964686-After-dig-request-errors-try-to-use-other-servers-wh.patch,
          d/p/lp1964400-lp1964686-Fix-an-issue-in-dig-when-retrying-with-the-next-serv.patch,
          d/p/lp1964400-lp1964686-Fix-dig-error-when-trying-the-next-server-after-a-TC.patch,
          d/p/lp1964400-lp1964686-When-resending-a-UDP-request-insert-the-query-to-the.patch:
          Fix dig error when trying the next server after a TCP connection
          failure.  This upstream patchset also fixes a crash when using
          the "host" command for numeric lookups (LP: #1964400) and an
          infinite hang when passing a non-existent hostname to "host" (LP:
          #1964686).
    
     -- Sergio Durigan Junior <email address hidden>  Wed, 23 Mar 2022 13:48:30 -0400