bind9 (1:9.18.18-0ubuntu0.23.04.1) lunar; urgency=medium
* New upstream release 9.18.18 (LP: #2028413)
- Updates:
+ Mark a primary server as temporarily unreachable when a TCP connection
response to an SOA query times out, matching behavior of a refused TCP
connection.
+ Mark dialup and heartbeat-interval options as deprecated.
+ Retry DNS queries without an EDNS COOKIE when the first response is
FORMERR with the EDNS COOKIE that was sent originally.
+ Use NS records for the relaxed QNAME minimization mode to reduce the
number of queries from named.
+ Mark TKEY mode 2 as deprecated.
+ Mark delegation-only and root-delegation-only as deprecated.
+ Run RPZ and catalog zone updates on specialized offload threads to
reduce blocked query processing time.
- Bug Fixes:
+ Fix assertion failure from processing already-queued queries while
server is being reconfigured or cache is being flushed.
+ Fix failure to load zones containing resource records with a TTL value
larger than 86400 seconds when dnssec-policy is set to insecure.
+ Fix the ability to read HMAC-MD5 key files (LP: #2015176).
+ Fix stability issues with the catalog zone implementation.
+ Fix bind9 getting stuck when listen-on statement for HTTP is removed
from configuration.
+ Do not return delegation from cache after stale-answer-client-timeout.
+ Fix failure to auto-tune clients-per-query limit in some situations.
+ Fix proper timeouts when using max-transfer-time-in and
max-transfer-idle-in statements.
+ Bring rndc read timeout back to 60 seconds from 30.
+ Treat libuv returning ISC_R_INVALIDPROTO as a network error.
+ Clean up empty-non-terminal NSEC3 records.
+ Fix log file rotation cleanup for absolute file path destinations.
+ Fix various catalog zone processing crashes.
+ Fix transfer hang when downloading large zones over TLS.
+ Fix named crash when adding a new zone into the configuration file for
a name which was already configured as member zone for a catalog zone.
+ Delay DNSSEC key queries until all zones have finished loading.
- See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional
information.
* d/p/CVE-2023-2828.patch, CVE-2023-2911.patch: Remove - fixed upstream in
9.18.16.
* d/p/CVE-2023-3341.patch: Refresh, matching upstream, to apply in 9.18.18.
* d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650)
-- Lena Voytek <email address hidden> Wed, 20 Sep 2023 14:52:27 -0700
-
bind9 (1:9.18.12-1ubuntu1.2) lunar-security; urgency=medium
* SECURITY UPDATE: DoS via recursive packet parsing
- debian/patches/CVE-2023-3341.patch: add a max depth check to
lib/isc/include/isc/result.h, lib/isc/result.c, lib/isccc/cc.c.
- CVE-2023-3341
* SECURITY UPDATE: DoS via DNS-over-TLS queries
- debian/patches/CVE-2023-4236.patch: check return code in
lib/isc/netmgr/tlsdns.c.
- CVE-2023-4236
-- Marc Deslauriers <email address hidden> Tue, 19 Sep 2023 07:18:28 -0400
-
bind9 (1:9.18.12-1ubuntu1.1) lunar-security; urgency=medium
* SECURITY UPDATE: Configured cache size limit can be significantly
exceeded
- debian/patches/CVE-2023-2828.patch: fix cache expiry in
lib/dns/rbtdb.c.
- CVE-2023-2828
* SECURITY UPDATE: Exceeding the recursive-clients quota may cause named
to terminate unexpectedly when stale-answer-client-timeout is set to 0
- debian/patches/CVE-2023-2911.patch: fix refreshing queries in
lib/ns/query.c.
- CVE-2023-2911
-- Marc Deslauriers <email address hidden> Tue, 20 Jun 2023 08:24:50 -0400
-
bind9 (1:9.18.12-1ubuntu1) lunar; urgency=medium
* Merge with Debian unstable. Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: build-depends on dh-apport and use it
- d/control: remove optional libjemalloc-dev Build-Depends as it is not in
main.
- d/NEWS: mention relevant packaging changes
- Improve dep-8 test suite (LP #2003584):
+ d/t/zonetest: Add dep8 test for checking the domain zone creation process
+ d/t/control: Add new test outline
-- Lena Voytek <email address hidden> Wed, 22 Feb 2023 10:10:14 -0700
-
bind9 (1:9.18.11-2ubuntu1) lunar; urgency=medium
* Merge with Debian unstable (LP: #2004172). Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: build-depends on dh-apport and use it
- d/control: remove optional libjemalloc-dev Build-Depends as it is not in
main.
- d/NEWS: mention relevant packaging changes
- Improve dep-8 test suite (LP #2003584):
+ d/t/zonetest: Add dep8 test for checking the domain zone creation process
+ d/t/control: Add new test outline
* Dropped Changes:
- d/extras/apparmor.d/usr.sbin.named: Allow systemd notify access in
apparmor for named
[Fixed in Debian 1:9.18.11-2]
-- Lena Voytek <email address hidden> Mon, 30 Jan 2023 08:37:28 -0700
-
bind9 (1:9.18.10-2ubuntu2) lunar; urgency=medium
* Improve dep-8 test suite (LP: #2003584):
- d/t/zonetest: Add dep8 test for checking the domain zone creation process
- d/t/control: Add new test outline
-- Lena Voytek <email address hidden> Fri, 27 Jan 2023 09:16:29 -0700
-
bind9 (1:9.18.10-2ubuntu1) lunar; urgency=medium
* Merge with Debian unstable (LP: #1993375). Remaining changes:
- Don't build dnstap as it depends on universe packages:
+ d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
protobuf-c-compiler (universe packages)
+ d/dnsutils.install: don't install dnstap
+ d/rules: don't build dnstap nor install dnstap.proto
- Add back apport:
+ d/bind9.apport: add back old bind9 apport hook, but without calling
attach_conffiles() since that is already done by apport itself, with
confirmation from the user.
+ d/control, d/rules: build-depends on dh-apport and use it
- d/NEWS: mention relevant packaging changes
- d/control: remove optional libjemalloc-dev Build-Depends as it is not in
main.
* Added Changes:
- d/extras/apparmor.d/usr.sbin.named: Allow systemd notify access in
apparmor for named
* Dropped Changes:
- fixed upstream:
+ debian/patches/CVE-2022-2795.patch
+ debian/patches/CVE-2022-2881.patch
+ debian/patches/CVE-2022-2906.patch
+ debian/patches/CVE-2022-3080.patch
+ debian/patches/CVE-2022-38178.patch
- d/bind9.named.service: use systemd Type=forking to signal daemon init.
+ Changed to Type=notify with sd_notify patch in debian
-- Lena Voytek <email address hidden> Tue, 10 Jan 2023 15:24:45 -0700
-
bind9 (1:9.18.4-2ubuntu2) kinetic; urgency=medium
* SECURITY UPDATE: Processing large delegations may severely degrade
resolver performance
- debian/patches/CVE-2022-2795.patch: add limit to lib/dns/resolver.c.
- CVE-2022-2795
* SECURITY UPDATE: Buffer overread in statistics channel code
- debian/patches/CVE-2022-2881.patch: clear buffer in lib/isc/httpd.c.
- CVE-2022-2881
* SECURITY UPDATE: Memory leaks in code handling Diffie-Hellman key
exchange via TKEY RRs
- debian/patches/CVE-2022-2906.patch: adjust return code handling in
lib/dns/openssldh_link.c.
- CVE-2022-2906
* SECURITY UPDATE: resolvers configured to answer from cache with zero
stale-answer-timeout may terminate unexpectedly
- debian/patches/CVE-2022-3080.patch: refactor stale RRset handling in
lib/ns/include/ns/query.h, lib/ns/query.c.
- CVE-2022-3080
* SECURITY UPDATE: memory leaks in EdDSA DNSSEC verification code
- debian/patches/CVE-2022-38178.patch: fix return handling in
lib/dns/openssleddsa_link.c.
- CVE-2022-38178
-- Marc Deslauriers <email address hidden> Wed, 21 Sep 2022 09:18:42 -0400