Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 [ Reason ] New upstream version update, the upstream CHANGES are: --- 9.16.28 released --- 5856. [bug] The "starting maxtime timer" message related to outgoing zone transfers was incorrectly logged at the ERROR level instead of DEBUG(1). [GL #3208] 5852. [func] Add new "reuseport" option to enable/disable load balancing of sockets. [GL #3249] 5843. [bug] When an UPDATE targets a zone that is not configured, the requested zone name is now logged in the "not authoritative" error message, so that it is easier to track down problematic update clients. [GL #3209] 5836. [bug] Quote the dns64 prefix in error messages that complain about problems with it, to avoid confusion with the following dns64 ACLs. [GL #3210] 5834. [cleanup] C99 variable-length arrays are difficult to use safely, so avoid them except in test code. [GL #3201] 5828. [bug] Replace single TCP write timer with per-TCP write timers. [GL #3200] 5824. [bug] Invalid dnssec-policy definitions were being accepted where the defined keys did not cover both KSK and ZSK roles for a given algorithm. This is now checked for and the dnssec-policy is rejected if both roles are not present for all algorithms in use. [GL #3142] And the user-friendly release notes: Notes for BIND 9.16.28 - ---------------------- New Features ~~~~~~~~~~~ - - Add a new configuration option ``reuseport`` to disable load balancing on sockets in situations where processing of Response Policy Zones (RPZ), Catalog Zones, or large zone transfers can cause service disruptions. See the BIND 9 ARM for more detail. :gl:`#3249` Bug Fixes ~~~~~~~~ - - Invalid ``dnssec-policy`` definitions, where the defined keys did not cover both KSK and ZSK roles for a given algorithm, were being accepted. These are now checked, and the ``dnssec-policy`` is rejected if both roles are not present for all algorithms in use. :gl:`#3142` - - Handling of TCP write timeouts has been improved to track the timeout for each TCP write separately, leading to a faster connection teardown in case the other party is not reading the data. :gl:`#3200` [ Impact ] The package will be updated when there's a new BIND 9 release containing security vulnerabilities. [ Tests ] Upstream runs automated test suite covering many different platforms and also runs a manually-triggered more extensive checks in their CI platform. [ Risks ] [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] There are two extra related changes: * Drop the libldap2-dev Build-Depends (it's not used at all) * Add more string dependency on libuv1 There are new flags (as enum members) that are being used because the BIND 9 is compiled with libuv1 >= 1.40.0, but this is something not caught by dpkg-gensymbols mechanism because that can look only at the exported symbols. When the flags that were available at the compile time are used with older libuv1 at runtime, it causes assertion failure with "invalid argument": udp.c:229: fatal error: uv_udp_init_ex failed: invalid argument [ Other info ] FTR I am BIND 9 packager and upstream at the same time. There were no reports of regressions from the users using BIND 9.16.28 from ISC provided packages or compiled from source. -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEEw2Gx4wKVQ+vGJel9g3Kkd++uWcIFAmJntMRfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEMz NjFCMUUzMDI5NTQzRUJDNjI1RTk3RDgzNzJBNDc3RUZBRTU5QzIACgkQg3Kkd++u WcKkVg//QNOtb5iqRRuTAAz/Lqd3Sd6Vdvex3KxpeBt+a1PhEjM1RHntYAhifWMa mmyIR0oCuxHLe8WbbJIuFKvktsV9aaRTKVF1HzLedSl0k3TY6lTyNemwZ7U159mF wJavJ6CsFpYz5+K0HNoVI5/Rlaw/K890oyLtio4KLmfYai/eewsS5a9j0NDakw8S GgBxJDWyCynf6PA1yuiUKEsb2QBLme2v/9pSTW3V72vZzgXZmDS8UryPX/FhMbX2 Aqn8h/llnsSfKv4zymygjdazoWNgqm+WGV+oB1dhmTnYqA0Uft9WQ/S4rdKdJLFp +Atlo6eZv4CieMIMaFYT2u0D4YodWxb8jjoUVGlZbA44YLEh3VY56kiY64RpAWlV UkXxGbBvsqjb7rvydX71uAX7ZjVNOb/VXRh73H6o8UTg8LnSSb1AawJHeEZURchM aRkCQJR1pjxbgpSuk/ph5g3ErPNXdtH8cQ0Uw51blb5/lRSBZCjdBlqNWiVUhYgb ImACk8koo/RxEqk1QVyiEpDX1fZ67LUXC5xTE2l0Nc3i/NKa5UYgc8+Tgs9JONjN ywnGuG18TvrAWu0nhnprfwXyQhGBBbrvXzZQBiIm1UjxFj0m7BviQPvrY640C0dl 4rLkTgrmOAt/6HktZuDEY1JxXMUFmqLOyTWjevSAQMEF1LXFa+g= =hs25 -----END PGP SIGNATURE-----
bind9_9.16.28-1~deb11u1.debdiff.xz
Description: application/xz
bind9_9.16.28-1~deb11u1_source.debdiff.xz
Description: application/xz
bind9_9.16.28-1~deb11u1_amd64.debdiff.xz
Description: application/xz