** Description changed: This bug tracks an update for the bind9 package, moving to versions: * Questing (25.10): Bind9 9.20.18 - * Noble (24.04): Bind9 9.18.46 - * Jammy (22.04): Bind9 9.18.46 + * Noble (24.04): Bind9 9.18.47 + * Jammy (22.04): Bind9 9.18.47 These updates include bug fixes following the SRU policy exception defined at https://documentation.ubuntu.com/sru/en/latest/reference/exception- Bind9-Updates [Upstream changes] 9.20.12-9.20.18 Updates: Bug Fixes: CVE Fixes - already available as patch: - - 9.18.40-9.18.46 + 9.18.40-9.18.47 Updates: + https://gitlab.isc.org/isc-projects/bind9/-/issues/5444 - Add support for parsing HHIT and BRID records. + https://gitlab.isc.org/isc-projects/bind9/-/issues/4204 - Deprecate the "tkey-domain" statement. + https://gitlab.isc.org/isc-projects/bind9/-/issues/4204 - Deprecate the "tkey-gssapi-credential" statement. + + Bug Fixes: + + https://gitlab.isc.org/isc-projects/bind9/-/issues/5749 - Fix out-of-bound read of isdelegation() stack. + https://gitlab.isc.org/isc-projects/bind9/-/issues/5751 - Clear serve-stale flags when following the CNAME chains. + https://gitlab.isc.org/isc-projects/bind9/-/issues/5710 - Fix brid and hhit implementation. + https://gitlab.isc.org/isc-projects/bind9/-/issues/5711 - Fix DSYNC record creation from structure. + https://gitlab.isc.org/isc-projects/bind9/-/issues/5659 - Allow glue in delegations with QTYPE=ANY. + https://gitlab.isc.org/isc-projects/bind9/-/issues/5679 - Fix invalid zone from NSEC3 reconfiguration. + https://gitlab.isc.org/isc-projects/bind9/-/issues/5671 - Fix invalid NSEC3 opt-out records left in zone. + https://gitlab.isc.org/isc-projects/bind9/-/issues/5622 - Skip unsupported algorithms when looking for signing key. + https://gitlab.isc.org/isc-projects/bind9/-/issues/5294 - Prevent spurious SERVFAILs for certain 0-TTL resource records. + https://gitlab.isc.org/isc-projects/bind9/-/issues/5491 - Fix RPZ canonical warning displaying zone entry incorrectly. 
+ https://gitlab.isc.org/isc-projects/bind9/-/issues/5502 - Add missing DNSSEC information when CD bit is set in query. + * https://gitlab.isc.org/isc-projects/bind9/-/issues/5639 - Fix AMTRELAY type 0 presentation format handling. + CVE Fixes - already available as patch: + CVE-2026-1519 - Fix unbounded NSEC3 iterations when validating referrals to unsigned delegations. + CVE-2025-13878 - Fix incorrect length checks for BRID and HHIT records. + CVE-2025-8677 - Fix DNSSEC validation failing if matching but invalid DNSKEY is found. + CVE-2025-40778 - Address various spoofing attacks. + CVE-2025-40780 - Avoid cache-poisoning due to weak pseudo-random number generator. [Test Plan] DEP-8 Tests: simpletest - Confirms bind9 daemon starts successfully and dig can find 127.0.0.1 through the default setup of bind9 zonetest - Added in this update, currently in lunar. Confirms the functionality of named and bind9 by creating a local DNS zone and domain, and having dig look it up dyndb-ldap (noble and earlier) - Verifies functionality of bind-dyndb- ldap against the updated bind9 package with a basic setup. This also fails intentionally prior to bind-dyndb-ldap being rebuilt against the package, as this is a necessary step for bind9 updates. validation - This test is provided by Debian and consistently fails both before and after the update due to several issues. It is marked as flaky, and does not block autopkgtest passing overall [Regression Potential] Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu- specific integrations. Backwards-incompatible changes: [Other Info] Previous backports: (LP: #2003586) (LP: #2028413) (LP: #2040459) (LP: #2073310) (LP: #2112520)
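Review bot: the added 9.18.40-9.18.47 list deprecates the "tkey-domain" and "tkey-gssapi-credential" statements, yet the "Backwards-incompatible changes:" heading under [Regression Potential] is still empty. Say there how configurations on Noble and Jammy that still carry those statements are expected to behave after the update, or state explicitly that there are none. Both deprecation entries link to issue 4204, and the entry for issue 5639 is the only one written with a leading "*", so the links and list markers are worth a second look.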
https://bugs.launchpad.net/bugs/2126464
Title: Backport of bind9 for questing, noble, and jammy
