[Freeipa] [Bug 2040359] Re: Merge bind9 from Debian unstable for noble
This bug was fixed in the package bind9 - 1:9.18.21-0ubuntu1

---
bind9 (1:9.18.21-0ubuntu1) noble; urgency=medium

  * New upstream release 9.18.21 (LP: #2040359)
    - Updates:
      + Update IP addresses for B.ROOT-SERVERS.NET to 170.247.170.2 and
        2801:1b8:10::b.
      + Honor nsupdate -v option when server command specified by sending
        both the UPDATE request and the initial query over TCP.
      + Mark cookie-algorithm aes as deprecated, use SipHash-2-4, instead.
      + Mark resolver-nonbackoff-tries and resolver-retry-interval as
        deprecated.
      + Mark dnssec-must-be-secure as deprecated.
    - Bug Fixes:
      + Do not schedule unsigned versions of inline-signed zones containing
        DNSSEC records for resigning.
      + Take local authoritative data into account when looking up stale
        cache data.
      + Fix use of named -X and lock-file at the same time.
      + Fix improper lock-file removal.
      + Fix bound checking in Content-Length header in the statistics
        channel.
      + Fix memory leaks from not clearing the OpenSSL error stack.
      + Fix SERVFAIL responses from introduction of krb5-subdomain-self-rhs
        and ms-subdomain-self-rhs update policies.
      + Fix stale-refresh-time feature being disabled by cache flush.
      + Fix DNS message corruption from partial writes.
    - See https://bind9.readthedocs.io/en/v9.18.21/notes.html for additional
      information
  * d/p/CVE-2023-3341.patch, d/p/CVE-2023-4236.patch: Remove - fixed by
    upstream in version 9.18.19
  * d/p/always-use-standard-library-stdatomic.patch: Maintain use of the
    standard library stdatomic.h

 -- Lena Voytek  Thu, 25 Jan 2024 08:37:15 -0700

** Changed in: bind9 (Ubuntu)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-3341

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4236

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2040359

Title:
  Merge bind9 from Debian unstable for noble

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released

Bug description:
  Upstream: 9.18.19
  Debian:   1:9.19.17-1
  Ubuntu:   1:9.18.18-0ubuntu2

  Debian does new releases regularly, so it's likely there will be
  newer versions available before FF that we can pick up if this merge
  is done later in the cycle.

  If it turns out this needs a sync rather than a merge, please change
  the tag 'needs-merge' to 'needs-sync', and (optionally) update the
  title as desired.

  ### New Debian Changes ###

  bind9 (1:9.19.17-1) unstable; urgency=medium

    * New upstream version 9.19.17
      - CVE-2023-3341: A stack exhaustion flaw in control channel code
        may cause named to terminate unexpectedly (Closes: #1052416)
      - CVE-2023-4236: named may terminate unexpectedly under high
        DNS-over-TLS query load (Closes: #1052417)

   -- Ondřej Surý  Wed, 20 Sep 2023 18:13:07 +0200

  bind9 (1:9.19.16-1) experimental; urgency=medium

    * New upstream version 9.19.16

   -- Ondřej Surý  Wed, 16 Aug 2023 17:54:24 +0200

  bind9 (1:9.19.15-1) experimental; urgency=medium

    * New upstream version 9.19.15

   -- Ondřej Surý  Wed, 19 Jul 2023 14:16:46 +0200

  bind9 (1:9.19.14-1) experimental; urgency=medium

    * New upstream version 9.19.14

   -- Ondřej Surý  Wed, 21 Jun 2023 21:00:01 +0200

  bind9 (1:9.19.13-1) experimental; urgency=medium

    * New upstream version 9.19.13

   -- Ondřej Surý  Wed, 17 May 2023 17:50:48 +0200

  bind9 (1:9.19.12-2) experimental; urgency=medium

    * Add liburcu-dev to Build-Depends

   -- Ondřej Surý  Thu, 20 Apr 2023 14:24:06 +0200

  bind9 (1:9.19.12-1) experimental; urgency=medium

    * New upstream version 9.19.12

   -- Ondřej Surý  Wed, 19 Apr 2023 15:01:59 +0200

  bind9 (1:9.19.11-1) experimental; urgency=medium

    * New upstream version 9.19.11
    * Update the d/bind9-dev.install, d/bind9.install and d/not-installed
      after library squash

   -- Ondřej Surý  Wed, 15 Mar 2023 18:27:20 +0100

  bind9 (1:9.19.10-1) experimental; urgency=medium

    * New upstream version 9.19.10
    * Drop libtool-bin from B-D (Closes: #1022968)

   -- Ondřej Surý  Fri, 10 Feb 2023 15:16:29 +0100

  bind9 (1:9.19.9-2) experimental; urgency=medium

    * Allow the named to use systemd notify service

   -- Ondřej Surý  Thu, 26 Jan 2023 21:18:35 +0100

  bind9 (1:9.19.9-1) experimental; urgency=medium

    * New upstream version 9.19.9

   -- Ondřej Surý  Wed, 25 Jan 2023 16:04:03 +0100

  bind9 (1:9.19.8-1) experimental; urgency=medium

    * New upstream version 9.19.8

   -- Ondřej Surý  Wed, 21 Dec 2022 18:02:17 +0100

  bind9 (1:9.19.7-1) experimental; urgency=medium

    * New upstream version 9.19.7

   -- Ondřej Surý  Wed, 16 Nov 2022 14:05:15 +0100

  bind9
[Freeipa] [Bug 2040359] Re: Merge bind9 from Debian unstable for noble
This bug was fixed in the package bind-dyndb-ldap - 11.10-6ubuntu4

---
bind-dyndb-ldap (11.10-6ubuntu4) noble; urgency=medium

  * No-change rebuild with bind9-libs 1:9.18.21-0ubuntu1 (LP: #2040359)

 -- Lena Voytek  Thu, 25 Jan 2024 15:10:49 -0700

** Changed in: bind-dyndb-ldap (Ubuntu)
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2040359

Title:
  Merge bind9 from Debian unstable for noble

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  In Progress

Bug description:
  Upstream: 9.18.19
  Debian:   1:9.19.17-1
  Ubuntu:   1:9.18.18-0ubuntu2

  Debian does new releases regularly, so it's likely there will be
  newer versions available before FF that we can pick up if this merge
  is done later in the cycle.

  If it turns out this needs a sync rather than a merge, please change
  the tag 'needs-merge' to 'needs-sync', and (optionally) update the
  title as desired.
  ### New Debian Changes ###

  bind9 (1:9.19.17-1) unstable; urgency=medium

    * New upstream version 9.19.17
      - CVE-2023-3341: A stack exhaustion flaw in control channel code
        may cause named to terminate unexpectedly (Closes: #1052416)
      - CVE-2023-4236: named may terminate unexpectedly under high
        DNS-over-TLS query load (Closes: #1052417)

   -- Ondřej Surý  Wed, 20 Sep 2023 18:13:07 +0200

  bind9 (1:9.19.16-1) experimental; urgency=medium

    * New upstream version 9.19.16

   -- Ondřej Surý  Wed, 16 Aug 2023 17:54:24 +0200

  bind9 (1:9.19.15-1) experimental; urgency=medium

    * New upstream version 9.19.15

   -- Ondřej Surý  Wed, 19 Jul 2023 14:16:46 +0200

  bind9 (1:9.19.14-1) experimental; urgency=medium

    * New upstream version 9.19.14

   -- Ondřej Surý  Wed, 21 Jun 2023 21:00:01 +0200

  bind9 (1:9.19.13-1) experimental; urgency=medium

    * New upstream version 9.19.13

   -- Ondřej Surý  Wed, 17 May 2023 17:50:48 +0200

  bind9 (1:9.19.12-2) experimental; urgency=medium

    * Add liburcu-dev to Build-Depends

   -- Ondřej Surý  Thu, 20 Apr 2023 14:24:06 +0200

  bind9 (1:9.19.12-1) experimental; urgency=medium

    * New upstream version 9.19.12

   -- Ondřej Surý  Wed, 19 Apr 2023 15:01:59 +0200

  bind9 (1:9.19.11-1) experimental; urgency=medium

    * New upstream version 9.19.11
    * Update the d/bind9-dev.install, d/bind9.install and d/not-installed
      after library squash

   -- Ondřej Surý  Wed, 15 Mar 2023 18:27:20 +0100

  bind9 (1:9.19.10-1) experimental; urgency=medium

    * New upstream version 9.19.10
    * Drop libtool-bin from B-D (Closes: #1022968)

   -- Ondřej Surý  Fri, 10 Feb 2023 15:16:29 +0100

  bind9 (1:9.19.9-2) experimental; urgency=medium

    * Allow the named to use systemd notify service

   -- Ondřej Surý  Thu, 26 Jan 2023 21:18:35 +0100

  bind9 (1:9.19.9-1) experimental; urgency=medium

    * New upstream version 9.19.9

   -- Ondřej Surý  Wed, 25 Jan 2023 16:04:03 +0100

  bind9 (1:9.19.8-1) experimental; urgency=medium

    * New upstream version 9.19.8

   -- Ondřej Surý  Wed, 21 Dec 2022 18:02:17 +0100

  bind9 (1:9.19.7-1) experimental; urgency=medium

    * New upstream version 9.19.7

   -- Ondřej Surý  Wed, 16 Nov 2022 14:05:15 +0100

  bind9 (1:9.19.6-2) experimental; urgency=medium

    * Use systemd notify for service readiness check (Closes: #994696)

   -- Bernhard Schmidt  Sun, 30 Oct 2022 00:14:05 +0200

  bind9 (1:9.19.6-1) experimental; urgency=medium

    * New upstream version 9.19.6

   -- Ondřej Surý  Wed, 19 Oct 2022 15:06:31 +0200

  bind9 (1:9.19.5-1) experimental; urgency=medium

    * New upstream version 9.19.5

  ### Old Ubuntu Delta ###

  bind9 (1:9.18.18-0ubuntu2) mantic; urgency=medium

    * SECURITY UPDATE: DoS via recursive packet parsing
      - debian/patches/CVE-2023-3341.patch: add a max depth check to
        lib/isc/include/isc/result.h, lib/isc/result.c, lib/isccc/cc.c.
      - CVE-2023-3341
    * SECURITY UPDATE: DoS via DNS-over-TLS queries
      - debian/patches/CVE-2023-4236.patch: check return code in
        lib/isc/netmgr/tlsdns.c.
      - CVE-2023-4236

   -- Marc Deslauriers  Wed, 20 Sep 2023 12:45:21 -0400

  bind9 (1:9.18.18-0ubuntu1) mantic; urgency=medium

    * New upstream release 9.18.18 (LP: #2034367)
      - Updates:
        + Mark a primary server as temporarily unreachable when a TCP
          connection response to an SOA query times out, matching behavior
          of a refused TCP connection.
        + Mark dialup and heartbeat-interval options as deprecated.
        + Retry DNS queries without an EDNS COOKIE when the first response
          is FORMERR with the EDNS COOKIE that was sent originally.
        + Use NS records for the relaxed QNAME minimization mode to reduce
          the number of queries from named.
      - Bug Fixes:
        + Fix