Public bug reported: Upstream: 9.18.26 Debian: 1:9.19.21-1 Ubuntu: 1:9.18.24-0ubuntu5
Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired. If this merge pulls in a new upstream version, also consider adding an entry to the Oracular Release Notes: https://discourse.ubuntu.com/c/release/38 ### New Debian Changes ### bind9 (1:9.19.21-1) unstable; urgency=high [ Helmut Grohne ] * Drop unused Build-Depends: python3. (Closes: #1063448) [ Ondřej Surý ] * New upstream version 9.19.21 - CVE-2023-4408: Parsing large DNS messages may cause excessive CPU load - CVE-2023-5517: Querying RFC 1918 reverse zones may cause an assertion failure when 'nxdomain-redirect' is enabled - CVE-2023-5679: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution - CVE-2023-6516: Specific recursive query patterns may lead to an out-of-memory condition - CVE-2023-50387: KeyTrap - Extreme CPU consumption in DNSSEC validator - CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust CPU resources -- Ondřej Surý <[email protected]> Mon, 12 Feb 2024 17:04:19 +0100 bind9 (1:9.19.19-1) unstable; urgency=medium [ Ondřej Surý ] * New upstream version 9.19.19 [ Bernhard Schmidt ] * Sync 9.18 to 9.19 (Closes: #1056984) -- Ondřej Surý <[email protected]> Wed, 20 Dec 2023 17:01:32 +0100 bind9 (1:9.19.18-1) unstable; urgency=medium * New upstream version 9.19.18 -- Ondřej Surý <[email protected]> Wed, 15 Nov 2023 17:51:18 +0100 bind9 (1:9.19.17-1) unstable; urgency=medium * New upstream version 9.19.17 - CVE-2023-3341: A stack exhaustion flaw in control channel code may cause named to terminate unexpectedly (Closes: #1052416) - CVE-2023-4236: named may terminate unexpectedly under high DNS-over-TLS query load (Closes: #1052417) -- Ondřej Surý <[email protected]> Wed, 20 Sep 2023 18:13:07 +0200 bind9 (1:9.19.16-1) experimental; urgency=medium * New upstream version 9.19.16 -- Ondřej Surý <[email protected]> Wed, 16 Aug 2023 17:54:24 +0200 bind9 (1:9.19.15-1) experimental; urgency=medium * New upstream version 9.19.15 -- Ondřej Surý <[email protected]> Wed, 19 Jul 2023 14:16:46 +0200 bind9 (1:9.19.14-1) experimental; urgency=medium * New upstream version 9.19.14 -- Ondřej Surý <[email protected]> Wed, 21 Jun 2023 21:00:01 +0200 bind9 (1:9.19.13-1) experimental; urgency=medium * New upstream version 9.19.13 -- Ondřej Surý <[email protected]> Wed, 17 May 2023 17:50:48 +0200 bind9 (1:9.19.12-2) experimental; urgency=medium * Add liburcu-dev to Build-Depends -- Ondřej Surý <[email protected]> Thu, 20 Apr 2023 14:24:06 +0200 bind9 (1:9.19.12-1) experimental; urgency=medium * New upstream version 9.19.12 -- Ondřej Surý <[email protected]> Wed, 19 Apr 2023 15:01:59 +0200 bind9 (1:9.19.11-1) experimental; urgency=medium * New upstream version 9.19.11 * Update the d/bind9-dev.install, d/bind9.install and d/not-installed after library squash -- Ondřej Surý <[email protected]> Wed, 15 Mar 2023 18:27:20 +0100 bind9 (1:9.19.10-1) experimental; urgency=medium * New upstream version 9.19.10 * Drop libtool-bin from B-D (Closes: #1022968) -- Ondřej Surý <[email protected]> Fri, 10 Feb 2023 15:16:29 +0100 bind9 (1:9.19.9-2) experimental; urgency=medium ### Old Ubuntu Delta ### bind9 (1:9.18.24-0ubuntu5) noble; urgency=high * No change rebuild against libssl3t64, libuv1t64. -- Julian Andres Klode <[email protected]> Mon, 08 Apr 2024 16:37:41 +0200 bind9 (1:9.18.24-0ubuntu4) noble; urgency=medium * No-change rebuild for CVE-2024-3094 -- Steve Langasek <[email protected]> Sun, 31 Mar 2024 00:04:23 +0000 bind9 (1:9.18.24-0ubuntu3) noble; urgency=medium * bind9-libs: Hard-code libuv1t64 instead of libuv1. -- Matthias Klose <[email protected]> Wed, 06 Mar 2024 12:35:21 +0100 bind9 (1:9.18.24-0ubuntu2) noble; urgency=medium * No-change rebuild against libssl3t64 -- Steve Langasek <[email protected]> Mon, 04 Mar 2024 17:27:42 +0000 bind9 (1:9.18.24-0ubuntu1) noble; urgency=medium * Updated to 9.18.21 to fix security issues. - Security Fixes: + Validating DNS messages containing a lot of DNSSEC signatures could cause excessive CPU load, leading to a denial-of-service condition. This has been fixed. (CVE-2023-50387) + Preparing an NSEC3 closest encloser proof could cause excessive CPU load, leading to a denial-of-service condition. This has been fixed. (CVE-2023-50868) + Parsing DNS messages with many different names could cause excessive CPU load. This has been fixed. (CVE-2023-4408) + Specific queries could cause named to crash with an assertion failure when nxdomain-redirect was enabled. This has been fixed. (CVE-2023-5517) + A bad interaction between DNS64 and serve-stale could cause named to crash with an assertion failure, when both of these features were enabled. This has been fixed. (CVE-2023-5679) + Under certain circumstances, the DNS-over-TLS client code incorrectly attempted to process more than one DNS message at a time, which could cause named to crash with an assertion failure. This has been fixed. - Bug Fixes: + The counters exported via the statistics channel were changed back to 64-bit signed values; they were being inadvertently truncated to unsigned 32-bit values since BIND 9.15.0. - See https://bind9.readthedocs.io/en/v9.18.24/notes.html for additional information -- Marc Deslauriers <[email protected]> Wed, 14 Feb 2024 14:31:05 -0500 bind9 (1:9.18.21-0ubuntu1) noble; urgency=medium * New upstream release 9.18.21 (LP: #2040359) - Updates: + Update IP addresses for B.ROOT-SERVERS.NET to 170.247.170.2 and 2801:1b8:10::b. + Honor nsupdate -v option when server command specified by sending both the UPDATE request and the initial query over TCP. + Mark cookie-algorithm aes as deprecated, use SipHash-2-4, instead. + Mark resolver-nonbackoff-tries and resolver-retry-interval as deprecated. + Mark dnssec-must-be-secure as deprecated. - Bug Fixes: + Do not schedule unsigned versions of inline-signed zones containing DNSSEC records for resigning. + Take local authoritative data into account when looking up stale cache data. + Fix use of named -X and lock-file at the same time. + Fix improper lock-file removal. + Fix bound checking in Content-Length header in the statistics channel. + Fix memory leaks from not clearing the OpenSSL error stack. + Fix SERVFAIL responses from introduction of krb5-subdomain-self-rhs and ms-subdomain-self-rhs update policies. + Fix stale-refresh-time feature being disabled by cache flush. + Fix DNS message corruption from partial writes. - See https://bind9.readthedocs.io/en/v9.18.21/notes.html for additional information * d/p/CVE-2023-3341.patch, d/p/CVE-2023-4236.patch: Remove - fixed by upstream in version 9.18.19 * d/p/always-use-standard-library-stdatomic.patch: Maintain use of the standard library stdatomic.h -- Lena Voytek <[email protected]> Thu, 25 Jan 2024 08:37:15 -0700 bind9 (1:9.18.18-0ubuntu2) mantic; urgency=medium * SECURITY UPDATE: DoS via recusive packet parsing - debian/patches/CVE-2023-3341.patch: add a max depth check to lib/isc/include/isc/result.h, lib/isc/result.c, lib/isccc/cc.c. - CVE-2023-3341 * SECURITY UPDATE: Dos via DNS-over-TLS queries - debian/patches/CVE-2023-4236.patch: check return code in lib/isc/netmgr/tlsdns.c. - CVE-2023-4236 -- Marc Deslauriers <[email protected]> Wed, 20 Sep 2023 12:45:21 -0400 bind9 (1:9.18.18-0ubuntu1) mantic; urgency=medium * New upstream release 9.18.18 (LP: #2034367) - Updates: + Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection. + Mark dialup and heartbeat-interval options as deprecated. + Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally. + Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named. - Bug Fixes: + Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed. + Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure. + Fix the ability to read HMAC-MD5 key files (LP: #2015176). + Fix stability issues with the catalog zone implementation. - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional information. -- Lena Voytek <[email protected]> Tue, 05 Sep 2023 13:20:06 -0700 bind9 (1:9.18.16-1ubuntu4) mantic; urgency=medium * d/t/dyndb-ldap: allow writing to the dns tree (LP: #2034250) -- Andreas Hasenack <[email protected]> Tue, 05 Sep 2023 10:20:27 -0300 bind9 (1:9.18.16-1ubuntu3) mantic; urgency=medium * d/t/control: exclude the i386 architecture for the dyndb-ldap test, since bind9-dyndb-ldap is not available there on Ubuntu * d/t/dyndb-ldap: fix for the ldap bind9 dn entry -- Andreas Hasenack <[email protected]> Wed, 30 Aug 2023 10:14:04 -0300 bind9 (1:9.18.16-1ubuntu2) mantic; urgency=medium * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650) -- Andreas Hasenack <[email protected]> Tue, 22 Aug 2023 09:24:02 -0300 bind9 (1:9.18.16-1ubuntu1) mantic; urgency=medium * Merge with Debian unstable (LP: #2018050). Remaining changes: - Don't build dnstap as it depends on universe packages: + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and protobuf-c-compiler (universe packages) + d/dnsutils.install: don't install dnstap + d/rules: don't build dnstap nor install dnstap.proto - Add back apport: + d/bind9.apport: add back old bind9 apport hook, but without calling attach_conffiles() since that is already done by apport itself, with confirmation from the user. + d/control, d/rules: build-depends on dh-apport and use it - d/control: remove optional libjemalloc-dev Build-Depends as it is not in main. - d/NEWS: mention relevant packaging changes - Improve dep-8 test suite (LP #2003584): + d/t/zonetest: Add dep8 test for checking the domain zone creation process + d/t/control: Add new test outline * Added Changes: - d/po/de.po: Fix German UTF-8 encoding - d/copyright: Fix lintian warnings + Remove the entry for lib/isc/hp.c lib/isc/include/isc/hp.h as they were deleted in 9.18.2 + Remove the entry for lib/isc/include/pkcs11/pkcs11.h as it is no longer bundled as of 9.17.19 + Update the location of random_test.c and add info about its public domain section + Add wildcards to folders as needed + Note that m4/ uses the FSFAP license - d/control: Remove lsb-base dependency as it is no longer needed + See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019851 -- Lena Voytek <[email protected]> Mon, 26 Jun 2023 14:25:50 -0700 ** Affects: bind9 (Ubuntu) Importance: Undecided Status: New ** Tags: needs-merge upgrade-software-version ** Changed in: bind9 (Ubuntu) Milestone: None => ubuntu-24.07 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2064379 Title: Merge bind9 from Debian unstable for oracular To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/2064379/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
