[Freeipa] [Bug 2028413] Re: MRE updates of bind9 for focal, jammy and lunar
This bug was fixed in the package bind-dyndb-ldap - 11.10-4ubuntu0.3 --- bind-dyndb-ldap (11.10-4ubuntu0.3) lunar; urgency=medium * d/p/remove-rpz_attach.patch: Remove rpz_attach to fix build failure against bind9 9.18.13+ (LP: #2028413) -- Lena Voytek Thu, 21 Sep 2023 07:24:11 -0700 ** Changed in: bind9 (Ubuntu Jammy) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of FreeIPA, which is subscribed to bind-dyndb-ldap in Ubuntu. https://bugs.launchpad.net/bugs/2028413 Title: MRE updates of bind9 for focal, jammy and lunar Status in bind-dyndb-ldap package in Ubuntu: Fix Released Status in bind9 package in Ubuntu: Fix Released Status in bind-dyndb-ldap source package in Focal: Triaged Status in bind9 source package in Focal: Triaged Status in bind-dyndb-ldap source package in Jammy: Fix Released Status in bind9 source package in Jammy: Fix Released Status in bind-dyndb-ldap source package in Lunar: Fix Released Status in bind9 source package in Lunar: Fix Released Bug description: This bug tracks an update for the bind9 package, moving to versions: * lunar (23.04): bind9 9.18.18 * jammy (22.04): bind9 9.18.18 * focal (20.04): bind9 9.16.43 These updates include bug fixes following the SRU policy exception defined at https://wiki.ubuntu.com/Bind9Updates. [Upstream changes] 9.18.13-9.18.18 for lunar and jammy: Updates: Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection. Mark dialup and heartbeat-interval options as deprecated. Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally. Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named. Mark TKEY mode 2 as deprecated. Mark delegation-only and root-delegation-only as deprecated. Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time. Bug Fixes: Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed. Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure. Fix the ability to read HMAC-MD5 key files (LP: #2015176). Fix stability issues with the catalog zone implementation. Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration. Do not return delegation from cache after stale-answer-client-timeout. Fix failure to auto-tune clients-per-query limit in some situations. Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements. Bring rndc read timeout back to 60 seconds from 30. Treat libuv returning ISC_R_INVALIDPROTO as a network error. Clean up empty-non-terminal NSEC3 records. Fix log file rotation cleanup for absolute file path destinations. Fix various catalog zone processing crashes. Fix transfer hang when downloading large zones over TLS. Fix named crash when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone. Delay DNSSEC key queries until all zones have finished loading. CVE Fixes - already available as patches: CVE-2023-2828 CVE-2023-2911 For full release notes, see: https://bind9.readthedocs.io/en/v9.18.18/notes.html#notes-for- bind-9-18-18 While there are behavioral changes in this release, I was unable to find any backwards-incompatible changes. Some features were marked as deprecated, but are still usable as they were before. Other changes are related to performance and timeout management, neither of which should change how bind9 works, but are worth keeping an eye on in case any regressions arise. [Test Plan] DEP-8 test results: simpletest PASS validation FLAKY non-zero exit status 1 zonetest PASS dyndb-ldap PASS validation is known to be broken in its current state, both due to a need for internet access and incorrect output checking, so the failure is expected. [Other Information] Note to SRU team: this update must happen together with src:bind-dyndb-ldap, and in a particular order: - first src:bind9 must be accepted - once src:bind9 is fully built in all architectures, *then* src:bind-dyndb-ldap can be accepted. In other words, src:bind-dyndb-ldap must build with the new src:bind9 version. - it is expected that until both packages are in proposed and built in the correct order, DEP8 tests will fail. That's our safeguard against mistakenly releasing them out of sync [Regression Potential] Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. To
[Freeipa] [Bug 2028413] Re: MRE updates of bind9 for focal, jammy and lunar
This bug was fixed in the package bind9 - 1:9.18.18-0ubuntu0.22.04.1 --- bind9 (1:9.18.18-0ubuntu0.22.04.1) jammy; urgency=medium * New upstream release 9.18.18 (LP: #2028413) - Updates: + Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection. + Mark dialup and heartbeat-interval options as deprecated. + Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally. + Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named. + Mark TKEY mode 2 as deprecated. + Mark delegation-only and root-delegation-only as deprecated. + Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time. - Bug Fixes: + Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed. + Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure. + Fix the ability to read HMAC-MD5 key files (LP: #2015176). + Fix stability issues with the catalog zone implementation. + Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration. + Do not return delegation from cache after stale-answer-client-timeout. + Fix failure to auto-tune clients-per-query limit in some situations. + Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements. + Bring rndc read timeout back to 60 seconds from 30. + Treat libuv returning ISC_R_INVALIDPROTO as a network error. + Clean up empty-non-terminal NSEC3 records. + Fix log file rotation cleanup for absolute file path destinations. + Fix various catalog zone processing crashes. + Fix transfer hang when downloading large zones over TLS. + Fix named crash when adding a new zone into the configuration file for a name which was already configured as member zone for a catalog zone. + Delay DNSSEC key queries until all zones have finished loading. - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional information. * d/p/CVE-2023-2828.patch, CVE-2023-2911.patch: Remove - fixed upstream in 9.18.16. * d/p/CVE-2023-3341.patch: Refresh, matching upstream, to apply in 9.18.18. * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650) -- Lena Voytek Wed, 20 Sep 2023 15:15:41 -0700 -- You received this bug notification because you are a member of FreeIPA, which is subscribed to bind-dyndb-ldap in Ubuntu. https://bugs.launchpad.net/bugs/2028413 Title: MRE updates of bind9 for focal, jammy and lunar Status in bind-dyndb-ldap package in Ubuntu: Fix Released Status in bind9 package in Ubuntu: Fix Released Status in bind-dyndb-ldap source package in Focal: Triaged Status in bind9 source package in Focal: Triaged Status in bind-dyndb-ldap source package in Jammy: Fix Released Status in bind9 source package in Jammy: Fix Released Status in bind-dyndb-ldap source package in Lunar: Fix Released Status in bind9 source package in Lunar: Fix Released Bug description: This bug tracks an update for the bind9 package, moving to versions: * lunar (23.04): bind9 9.18.18 * jammy (22.04): bind9 9.18.18 * focal (20.04): bind9 9.16.43 These updates include bug fixes following the SRU policy exception defined at https://wiki.ubuntu.com/Bind9Updates. [Upstream changes] 9.18.13-9.18.18 for lunar and jammy: Updates: Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection. Mark dialup and heartbeat-interval options as deprecated. Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally. Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named. Mark TKEY mode 2 as deprecated. Mark delegation-only and root-delegation-only as deprecated. Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time. Bug Fixes: Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed. Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure. Fix the ability to read HMAC-MD5 key files (LP: #2015176). Fix stability issues with the catalog zone implementation. Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration. Do not return delegation from cache after
[Freeipa] [Bug 2028413] Re: MRE updates of bind9 for focal, jammy and lunar
This bug was fixed in the package bind-dyndb-ldap - 11.9-5ubuntu0.22.04.4 --- bind-dyndb-ldap (11.9-5ubuntu0.22.04.4) jammy; urgency=medium * d/p/remove-rpz_attach.patch: Remove rpz_attach to fix build failure against bind9 9.18.13+ (LP: #2028413) -- Lena Voytek Thu, 21 Sep 2023 07:26:59 -0700 ** Changed in: bind-dyndb-ldap (Ubuntu Jammy) Status: Fix Committed => Fix Released ** Changed in: bind-dyndb-ldap (Ubuntu Lunar) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of FreeIPA, which is subscribed to bind-dyndb-ldap in Ubuntu. https://bugs.launchpad.net/bugs/2028413 Title: MRE updates of bind9 for focal, jammy and lunar Status in bind-dyndb-ldap package in Ubuntu: Fix Released Status in bind9 package in Ubuntu: Fix Released Status in bind-dyndb-ldap source package in Focal: Triaged Status in bind9 source package in Focal: Triaged Status in bind-dyndb-ldap source package in Jammy: Fix Released Status in bind9 source package in Jammy: Fix Released Status in bind-dyndb-ldap source package in Lunar: Fix Released Status in bind9 source package in Lunar: Fix Released Bug description: This bug tracks an update for the bind9 package, moving to versions: * lunar (23.04): bind9 9.18.18 * jammy (22.04): bind9 9.18.18 * focal (20.04): bind9 9.16.43 These updates include bug fixes following the SRU policy exception defined at https://wiki.ubuntu.com/Bind9Updates. [Upstream changes] 9.18.13-9.18.18 for lunar and jammy: Updates: Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection. Mark dialup and heartbeat-interval options as deprecated. Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally. Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named. Mark TKEY mode 2 as deprecated. Mark delegation-only and root-delegation-only as deprecated. Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time. Bug Fixes: Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed. Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure. Fix the ability to read HMAC-MD5 key files (LP: #2015176). Fix stability issues with the catalog zone implementation. Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration. Do not return delegation from cache after stale-answer-client-timeout. Fix failure to auto-tune clients-per-query limit in some situations. Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements. Bring rndc read timeout back to 60 seconds from 30. Treat libuv returning ISC_R_INVALIDPROTO as a network error. Clean up empty-non-terminal NSEC3 records. Fix log file rotation cleanup for absolute file path destinations. Fix various catalog zone processing crashes. Fix transfer hang when downloading large zones over TLS. Fix named crash when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone. Delay DNSSEC key queries until all zones have finished loading. CVE Fixes - already available as patches: CVE-2023-2828 CVE-2023-2911 For full release notes, see: https://bind9.readthedocs.io/en/v9.18.18/notes.html#notes-for- bind-9-18-18 While there are behavioral changes in this release, I was unable to find any backwards-incompatible changes. Some features were marked as deprecated, but are still usable as they were before. Other changes are related to performance and timeout management, neither of which should change how bind9 works, but are worth keeping an eye on in case any regressions arise. [Test Plan] DEP-8 test results: simpletest PASS validation FLAKY non-zero exit status 1 zonetest PASS dyndb-ldap PASS validation is known to be broken in its current state, both due to a need for internet access and incorrect output checking, so the failure is expected. [Other Information] Note to SRU team: this update must happen together with src:bind-dyndb-ldap, and in a particular order: - first src:bind9 must be accepted - once src:bind9 is fully built in all architectures, *then* src:bind-dyndb-ldap can be accepted. In other words, src:bind-dyndb-ldap must build with the new src:bind9 version. - it is expected that until both packages are in proposed and built in the correct order, DEP8 tests will fail. That's our safeguard against mistakenly releasing them out of sync [Regression Potential] Upstream has an extensive build and integration test suite.
[Freeipa] [Bug 2028413] Update Released
The verification of the Stable Release Update for bind9 has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions. -- You received this bug notification because you are a member of FreeIPA, which is subscribed to bind-dyndb-ldap in Ubuntu. https://bugs.launchpad.net/bugs/2028413 Title: MRE updates of bind9 for focal, jammy and lunar Status in bind-dyndb-ldap package in Ubuntu: Fix Released Status in bind9 package in Ubuntu: Fix Released Status in bind-dyndb-ldap source package in Focal: Triaged Status in bind9 source package in Focal: Triaged Status in bind-dyndb-ldap source package in Jammy: Fix Released Status in bind9 source package in Jammy: Fix Released Status in bind-dyndb-ldap source package in Lunar: Fix Released Status in bind9 source package in Lunar: Fix Released Bug description: This bug tracks an update for the bind9 package, moving to versions: * lunar (23.04): bind9 9.18.18 * jammy (22.04): bind9 9.18.18 * focal (20.04): bind9 9.16.43 These updates include bug fixes following the SRU policy exception defined at https://wiki.ubuntu.com/Bind9Updates. [Upstream changes] 9.18.13-9.18.18 for lunar and jammy: Updates: Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection. Mark dialup and heartbeat-interval options as deprecated. Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally. Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named. Mark TKEY mode 2 as deprecated. Mark delegation-only and root-delegation-only as deprecated. Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time. Bug Fixes: Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed. Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure. Fix the ability to read HMAC-MD5 key files (LP: #2015176). Fix stability issues with the catalog zone implementation. Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration. Do not return delegation from cache after stale-answer-client-timeout. Fix failure to auto-tune clients-per-query limit in some situations. Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements. Bring rndc read timeout back to 60 seconds from 30. Treat libuv returning ISC_R_INVALIDPROTO as a network error. Clean up empty-non-terminal NSEC3 records. Fix log file rotation cleanup for absolute file path destinations. Fix various catalog zone processing crashes. Fix transfer hang when downloading large zones over TLS. Fix named crash when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone. Delay DNSSEC key queries until all zones have finished loading. CVE Fixes - already available as patches: CVE-2023-2828 CVE-2023-2911 For full release notes, see: https://bind9.readthedocs.io/en/v9.18.18/notes.html#notes-for- bind-9-18-18 While there are behavioral changes in this release, I was unable to find any backwards-incompatible changes. Some features were marked as deprecated, but are still usable as they were before. Other changes are related to performance and timeout management, neither of which should change how bind9 works, but are worth keeping an eye on in case any regressions arise. [Test Plan] DEP-8 test results: simpletest PASS validation FLAKY non-zero exit status 1 zonetest PASS dyndb-ldap PASS validation is known to be broken in its current state, both due to a need for internet access and incorrect output checking, so the failure is expected. [Other Information] Note to SRU team: this update must happen together with src:bind-dyndb-ldap, and in a particular order: - first src:bind9 must be accepted - once src:bind9 is fully built in all architectures, *then* src:bind-dyndb-ldap can be accepted. In other words, src:bind-dyndb-ldap must build with the new src:bind9 version. - it is expected that until both packages are in proposed and built in the correct order, DEP8 tests will fail. That's our safeguard against mistakenly releasing them out of sync [Regression Potential] Upstream has an extensive build and integration test suite. So regressions would likely arise from
[Freeipa] [Bug 2032650] Re: Add DEP8 tests for bind-dyndb-ldap integration
This bug was fixed in the package bind9 - 1:9.18.18-0ubuntu0.22.04.1 --- bind9 (1:9.18.18-0ubuntu0.22.04.1) jammy; urgency=medium * New upstream release 9.18.18 (LP: #2028413) - Updates: + Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection. + Mark dialup and heartbeat-interval options as deprecated. + Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally. + Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named. + Mark TKEY mode 2 as deprecated. + Mark delegation-only and root-delegation-only as deprecated. + Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time. - Bug Fixes: + Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed. + Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure. + Fix the ability to read HMAC-MD5 key files (LP: #2015176). + Fix stability issues with the catalog zone implementation. + Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration. + Do not return delegation from cache after stale-answer-client-timeout. + Fix failure to auto-tune clients-per-query limit in some situations. + Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements. + Bring rndc read timeout back to 60 seconds from 30. + Treat libuv returning ISC_R_INVALIDPROTO as a network error. + Clean up empty-non-terminal NSEC3 records. + Fix log file rotation cleanup for absolute file path destinations. + Fix various catalog zone processing crashes. + Fix transfer hang when downloading large zones over TLS. + Fix named crash when adding a new zone into the configuration file for a name which was already configured as member zone for a catalog zone. + Delay DNSSEC key queries until all zones have finished loading. - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional information. * d/p/CVE-2023-2828.patch, CVE-2023-2911.patch: Remove - fixed upstream in 9.18.16. * d/p/CVE-2023-3341.patch: Refresh, matching upstream, to apply in 9.18.18. * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650) -- Lena Voytek Wed, 20 Sep 2023 15:15:41 -0700 ** Changed in: bind9 (Ubuntu Jammy) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of FreeIPA, which is subscribed to bind-dyndb-ldap in Ubuntu. https://bugs.launchpad.net/bugs/2032650 Title: Add DEP8 tests for bind-dyndb-ldap integration Status in bind-dyndb-ldap package in Ubuntu: Fix Released Status in bind9 package in Ubuntu: Fix Released Status in bind-dyndb-ldap source package in Jammy: Fix Released Status in bind9 source package in Jammy: Fix Released Status in bind-dyndb-ldap source package in Lunar: Fix Committed Status in bind9 source package in Lunar: Fix Released Status in bind-dyndb-ldap source package in Mantic: Fix Released Status in bind9 source package in Mantic: Fix Released Bug description: [ Impact ] bind-dyndb-ldap breaks very frequently with bind9 updates. Both must have DEP8 tests so these breakages can be caught before a release. [ Test Plan ] For both packages, the test plan consists in having the new dyndb-ldap DEP8 test run and succeed. [ Where problems could occur ] With this new DEP8 change, a bind9 update can be blocked by a bind-dyndb-ldap failure to build or run with it. While this is exactly the intent (not leave a broken bind-dyndb-ldap package in the release), there is a history indicating that bind- dyndb-ldap can be late in catching up to bind9 changes. We may reach a situation where an important bind9 security update, for example, will be blocked by a failing dyndb-ldap test, and it may be difficult to fix bind-dyndb-ldap in time, specially if the security update is under embargo and the bind-dyndb-ldap developers do not yet have details of the changes. [ Other Info ] The same test is to be applied to the bind9 package, and is already in mantic. But SRUs for DEP8 changes only are frowned upon, so the plan is to upload it to proposed and block it there, but AFTER bind-dyndb-ldap has been released. The tight coupling between bind9 and bind-dyndb-ldap is problematic (see [1], [2] and [3]). The moment a new bind9 hits proposed with this test, it fill fail until a new bind-dyndb-ldap is rebuilt with that proposed version. One option would perhaps to accept
[Freeipa] [Bug 2028413] Re: MRE updates of bind9 for focal, jammy and lunar
This bug was fixed in the package bind9 - 1:9.18.18-0ubuntu0.23.04.1 --- bind9 (1:9.18.18-0ubuntu0.23.04.1) lunar; urgency=medium * New upstream release 9.18.18 (LP: #2028413) - Updates: + Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection. + Mark dialup and heartbeat-interval options as deprecated. + Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally. + Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named. + Mark TKEY mode 2 as deprecated. + Mark delegation-only and root-delegation-only as deprecated. + Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time. - Bug Fixes: + Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed. + Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure. + Fix the ability to read HMAC-MD5 key files (LP: #2015176). + Fix stability issues with the catalog zone implementation. + Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration. + Do not return delegation from cache after stale-answer-client-timeout. + Fix failure to auto-tune clients-per-query limit in some situations. + Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements. + Bring rndc read timeout back to 60 seconds from 30. + Treat libuv returning ISC_R_INVALIDPROTO as a network error. + Clean up empty-non-terminal NSEC3 records. + Fix log file rotation cleanup for absolute file path destinations. + Fix various catalog zone processing crashes. + Fix transfer hang when downloading large zones over TLS. + Fix named crash when adding a new zone into the configuration file for a name which was already configured as member zone for a catalog zone. + Delay DNSSEC key queries until all zones have finished loading. - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional information. * d/p/CVE-2023-2828.patch, CVE-2023-2911.patch: Remove - fixed upstream in 9.18.16. * d/p/CVE-2023-3341.patch: Refresh, matching upstream, to apply in 9.18.18. * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650) -- Lena Voytek Wed, 20 Sep 2023 14:52:27 -0700 ** Changed in: bind9 (Ubuntu Lunar) Status: Fix Committed => Fix Released ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-2828 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-2911 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-3341 -- You received this bug notification because you are a member of FreeIPA, which is subscribed to bind-dyndb-ldap in Ubuntu. https://bugs.launchpad.net/bugs/2028413 Title: MRE updates of bind9 for focal, jammy and lunar Status in bind-dyndb-ldap package in Ubuntu: Fix Released Status in bind9 package in Ubuntu: Fix Released Status in bind-dyndb-ldap source package in Focal: Triaged Status in bind9 source package in Focal: Triaged Status in bind-dyndb-ldap source package in Jammy: Fix Released Status in bind9 source package in Jammy: Fix Released Status in bind-dyndb-ldap source package in Lunar: Fix Released Status in bind9 source package in Lunar: Fix Released Bug description: This bug tracks an update for the bind9 package, moving to versions: * lunar (23.04): bind9 9.18.18 * jammy (22.04): bind9 9.18.18 * focal (20.04): bind9 9.16.43 These updates include bug fixes following the SRU policy exception defined at https://wiki.ubuntu.com/Bind9Updates. [Upstream changes] 9.18.13-9.18.18 for lunar and jammy: Updates: Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection. Mark dialup and heartbeat-interval options as deprecated. Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally. Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named. Mark TKEY mode 2 as deprecated. Mark delegation-only and root-delegation-only as deprecated. Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time. Bug Fixes: Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed. Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when
[Freeipa] [Bug 2032650] Update Released
The verification of the Stable Release Update for bind9 has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions. -- You received this bug notification because you are a member of FreeIPA, which is subscribed to bind-dyndb-ldap in Ubuntu. https://bugs.launchpad.net/bugs/2032650 Title: Add DEP8 tests for bind-dyndb-ldap integration Status in bind-dyndb-ldap package in Ubuntu: Fix Released Status in bind9 package in Ubuntu: Fix Released Status in bind-dyndb-ldap source package in Jammy: Fix Released Status in bind9 source package in Jammy: Fix Released Status in bind-dyndb-ldap source package in Lunar: Fix Committed Status in bind9 source package in Lunar: Fix Released Status in bind-dyndb-ldap source package in Mantic: Fix Released Status in bind9 source package in Mantic: Fix Released Bug description: [ Impact ] bind-dyndb-ldap breaks very frequently with bind9 updates. Both must have DEP8 tests so these breakages can be caught before a release. [ Test Plan ] For both packages, the test plan consists in having the new dyndb-ldap DEP8 test run and succeed. [ Where problems could occur ] With this new DEP8 change, a bind9 update can be blocked by a bind-dyndb-ldap failure to build or run with it. While this is exactly the intent (not leave a broken bind-dyndb-ldap package in the release), there is a history indicating that bind- dyndb-ldap can be late in catching up to bind9 changes. We may reach a situation where an important bind9 security update, for example, will be blocked by a failing dyndb-ldap test, and it may be difficult to fix bind-dyndb-ldap in time, specially if the security update is under embargo and the bind-dyndb-ldap developers do not yet have details of the changes. [ Other Info ] The same test is to be applied to the bind9 package, and is already in mantic. But SRUs for DEP8 changes only are frowned upon, so the plan is to upload it to proposed and block it there, but AFTER bind-dyndb-ldap has been released. The tight coupling between bind9 and bind-dyndb-ldap is problematic (see [1], [2] and [3]). The moment a new bind9 hits proposed with this test, it fill fail until a new bind-dyndb-ldap is rebuilt with that proposed version. One option would perhaps to accept a one-time DEP8-only change for bind9, so that we can upload both packages together, instead of leaving this in proposed with a blocking tag, to be picked up by the next bind9 "real" update? 1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014503 2. https://pagure.io/bind-dyndb-ldap/issue/225 3. https://salsa.debian.org/dns-team/bind9/-/merge_requests/21 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2032650/+subscriptions ___ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 2032650] Re: Add DEP8 tests for bind-dyndb-ldap integration
This bug was fixed in the package bind9 - 1:9.18.18-0ubuntu0.23.04.1 --- bind9 (1:9.18.18-0ubuntu0.23.04.1) lunar; urgency=medium * New upstream release 9.18.18 (LP: #2028413) - Updates: + Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection. + Mark dialup and heartbeat-interval options as deprecated. + Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally. + Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named. + Mark TKEY mode 2 as deprecated. + Mark delegation-only and root-delegation-only as deprecated. + Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time. - Bug Fixes: + Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed. + Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure. + Fix the ability to read HMAC-MD5 key files (LP: #2015176). + Fix stability issues with the catalog zone implementation. + Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration. + Do not return delegation from cache after stale-answer-client-timeout. + Fix failure to auto-tune clients-per-query limit in some situations. + Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements. + Bring rndc read timeout back to 60 seconds from 30. + Treat libuv returning ISC_R_INVALIDPROTO as a network error. + Clean up empty-non-terminal NSEC3 records. + Fix log file rotation cleanup for absolute file path destinations. + Fix various catalog zone processing crashes. + Fix transfer hang when downloading large zones over TLS. + Fix named crash when adding a new zone into the configuration file for a name which was already configured as member zone for a catalog zone. + Delay DNSSEC key queries until all zones have finished loading. - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional information. * d/p/CVE-2023-2828.patch, CVE-2023-2911.patch: Remove - fixed upstream in 9.18.16. * d/p/CVE-2023-3341.patch: Refresh, matching upstream, to apply in 9.18.18. * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650) -- Lena Voytek Wed, 20 Sep 2023 14:52:27 -0700 ** Changed in: bind9 (Ubuntu Lunar) Status: Fix Committed => Fix Released ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-2828 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-2911 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-3341 -- You received this bug notification because you are a member of FreeIPA, which is subscribed to bind-dyndb-ldap in Ubuntu. https://bugs.launchpad.net/bugs/2032650 Title: Add DEP8 tests for bind-dyndb-ldap integration Status in bind-dyndb-ldap package in Ubuntu: Fix Released Status in bind9 package in Ubuntu: Fix Released Status in bind-dyndb-ldap source package in Jammy: Fix Released Status in bind9 source package in Jammy: Fix Released Status in bind-dyndb-ldap source package in Lunar: Fix Committed Status in bind9 source package in Lunar: Fix Released Status in bind-dyndb-ldap source package in Mantic: Fix Released Status in bind9 source package in Mantic: Fix Released Bug description: [ Impact ] bind-dyndb-ldap breaks very frequently with bind9 updates. Both must have DEP8 tests so these breakages can be caught before a release. [ Test Plan ] For both packages, the test plan consists in having the new dyndb-ldap DEP8 test run and succeed. [ Where problems could occur ] With this new DEP8 change, a bind9 update can be blocked by a bind-dyndb-ldap failure to build or run with it. While this is exactly the intent (not leave a broken bind-dyndb-ldap package in the release), there is a history indicating that bind- dyndb-ldap can be late in catching up to bind9 changes. We may reach a situation where an important bind9 security update, for example, will be blocked by a failing dyndb-ldap test, and it may be difficult to fix bind-dyndb-ldap in time, specially if the security update is under embargo and the bind-dyndb-ldap developers do not yet have details of the changes. [ Other Info ] The same test is to be applied to the bind9 package, and is already in mantic. But SRUs for DEP8 changes only are frowned upon, so the plan is to upload it to proposed and block it there, but AFTER bind-dyndb-ldap has been released. The tight coupling between bind9 and bind-dyndb-ldap
