UbuntuUpdates.org

Package "bind9"

Name: bind9

Description:

Internet Domain Name Server

Latest version: 1:9.18.18-0ubuntu0.22.04.2
Release: jammy (22.04)
Level: updates
Repository: main
Homepage: https://www.isc.org/downloads/bind/

Links


Download "bind9"


Other versions of "bind9" in Jammy

Repository Area Version
base main 1:9.18.1-1ubuntu1
base universe 1:9.18.1-1ubuntu1
security main 1:9.18.18-0ubuntu0.22.04.2
security universe 1:9.18.18-0ubuntu0.22.04.2
updates universe 1:9.18.18-0ubuntu0.22.04.2

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 1:9.18.18-0ubuntu0.22.04.2 2024-02-13 18:06:55 UTC

  bind9 (1:9.18.18-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Multiple security issues
    - debian/patches/0001-CVE-2023-4408.patch: Parsing large DNS messages
      may cause excessive CPU load.
    - debian/patches/0002-CVE-2023-5517.patch: Querying RFC 1918 reverse
      zones may cause an assertion failure when nxdomain-redirect is
      enabled.
    - debian/patches/0003-CVE-2023-5679.patch: Enabling both DNS64 and
      serve-stale may cause an assertion failure during recursive
      resolution.
    - debian/patches/0004-CVE-2023-50387-CVE-2023-50868.patch: Extreme CPU
      consumption in DNSSEC validator and Preparing an NSEC3 closest
      encloser proof can exhaust CPU resources.
    - CVE-2023-4408
    - CVE-2023-5517
    - CVE-2023-5679
    - CVE-2023-50387
    - CVE-2023-50868

 -- Marc Deslauriers <email address hidden> Mon, 12 Feb 2024 14:29:56 -0500

Source diff to previous version

Version: 1:9.18.18-0ubuntu0.22.04.1 2023-10-26 21:07:12 UTC

  bind9 (1:9.18.18-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream release 9.18.18 (LP: #2028413)
    - Updates:
      + Mark a primary server as temporarily unreachable when a TCP connection
        response to an SOA query times out, matching behavior of a refused TCP
        connection.
      + Mark dialup and heartbeat-interval options as deprecated.
      + Retry DNS queries without an EDNS COOKIE when the first response is
        FORMERR with the EDNS COOKIE that was sent originally.
      + Use NS records for the relaxed QNAME minimization mode to reduce the
        number of queries from named.
      + Mark TKEY mode 2 as deprecated.
      + Mark delegation-only and root-delegation-only as deprecated.
      + Run RPZ and catalog zone updates on specialized offload threads to
        reduce blocked query processing time.
    - Bug Fixes:
      + Fix assertion failure from processing already-queued queries while
        server is being reconfigured or cache is being flushed.
      + Fix failure to load zones containing resource records with a TTL value
        larger than 86400 seconds when dnssec-policy is set to insecure.
      + Fix the ability to read HMAC-MD5 key files (LP: #2015176).
      + Fix stability issues with the catalog zone implementation.
      + Fix bind9 getting stuck when listen-on statement for HTTP is removed
        from configuration.
      + Do not return delegation from cache after stale-answer-client-timeout.
      + Fix failure to auto-tune clients-per-query limit in some situations.
      + Fix proper timeouts when using max-transfer-time-in and
        max-transfer-idle-in statements.
      + Bring rndc read timeout back to 60 seconds from 30.
      + Treat libuv returning ISC_R_INVALIDPROTO as a network error.
      + Clean up empty-non-terminal NSEC3 records.
      + Fix log file rotation cleanup for absolute file path destinations.
      + Fix various catalog zone processing crashes.
      + Fix transfer hang when downloading large zones over TLS.
      + Fix named crash when adding a new zone into the configuration file for
        a name which was already configured as member zone for a catalog zone.
      + Delay DNSSEC key queries until all zones have finished loading.
    - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional
      information.
  * d/p/CVE-2023-2828.patch, CVE-2023-2911.patch: Remove - fixed upstream in
    9.18.16.
  * d/p/CVE-2023-3341.patch: Refresh, matching upstream, to apply in 9.18.18.
  * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650)

 -- Lena Voytek <email address hidden> Wed, 20 Sep 2023 15:15:41 -0700

Source diff to previous version
2028413 MRE updates of bind9 for focal, jammy and lunar
2015176 Ubuntu 22.04.2, nsupdate stopped recognizing HMAC-MD5 key after update from 1:9.18.1-1ubuntu1.3 to 1:9.18.12-0ubuntu0.22.04.1
2032650 Add DEP8 tests for bind-dyndb-ldap integration
CVE-2023-2828 named's configured cache size limit can be significantly exceeded
CVE-2023-2911 Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0
CVE-2023-3341 A stack exhaustion flaw in control channel code may cause named to terminate unexpectedly

Version: 1:9.18.12-0ubuntu0.22.04.3 2023-09-20 16:08:38 UTC

  bind9 (1:9.18.12-0ubuntu0.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS via recusive packet parsing
    - debian/patches/CVE-2023-3341.patch: add a max depth check to
      lib/isc/include/isc/result.h, lib/isc/result.c, lib/isccc/cc.c.
    - CVE-2023-3341
  * SECURITY UPDATE: Dos via DNS-over-TLS queries
    - debian/patches/CVE-2023-4236.patch: check return code in
      lib/isc/netmgr/tlsdns.c.
    - CVE-2023-4236

 -- Marc Deslauriers <email address hidden> Tue, 19 Sep 2023 07:21:46 -0400

Source diff to previous version
CVE-2023-3341 A stack exhaustion flaw in control channel code may cause named to terminate unexpectedly
CVE-2023-4236 named may terminate unexpectedly under high DNS-over-TLS query load

Version: 1:9.18.12-0ubuntu0.22.04.2 2023-06-21 20:07:04 UTC

  bind9 (1:9.18.12-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Configured cache size limit can be significantly
    exceeded
    - debian/patches/CVE-2023-2828.patch: fix cache expiry in
      lib/dns/rbtdb.c.
    - CVE-2023-2828
  * SECURITY UPDATE: Exceeding the recursive-clients quota may cause named
    to terminate unexpectedly when stale-answer-client-timeout is set to 0
    - debian/patches/CVE-2023-2911.patch: fix refreshing queries in
      lib/ns/query.c.
    - CVE-2023-2911

 -- Marc Deslauriers <email address hidden> Tue, 20 Jun 2023 08:29:34 -0400

Source diff to previous version
CVE-2023-2828 named's configured cache size limit can be significantly exceeded
CVE-2023-2911 Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0

Version: 1:9.18.12-0ubuntu0.22.04.1 2023-03-29 05:06:50 UTC

  bind9 (1:9.18.12-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream releases 9.18.2 - 9.18.12 (LP: #2003586)
    - Updates:
      + update-quota option
      + named -V shows supported cryptographic algorithms
      + Catalog Zones schema version 2 support in named
      + DNS error support Stale Answer and Stale NXDOMAIN Answer
      + Remote TLS certificate verification support
      + reusereport option
    - Bug Fixes Include:
      + Fix crash when using dig with +nssearch and +tcp (LP: #1258003)
      + Fix incomplete results using dig with +nssearch (LP: #1970252)
      + Fix loading of preinstalled plugins (LP: #2006972)
      + CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080,
        CVE-2022-38178, CVE-2022-3094, CVE-2022-3736, CVE-2022-3924,
        CVE-2022-1183
      + Fix thread safety in dns_dispatch
      + Fix ADB quota management in resolver
      + Fix Prohibited DNS error on allow-recursion
      + Fix crash when restarting server with active statschannel connection
      + Fix use after free for catalog zone processing
      + Fix leak of dns_keyfileio_t objects
      + Fix nslookup failure to use port option when record type ANY is used
      + Fix crash on dnssec-policy zone with NSEC3 and inline-signing turned on
      + Fix inheritance when setting remote server port
      + Fix assertion error when accessing statistics channel
      + Fix rndc dumpdb -expired for stuck cache
      + Fix check for other name servers after receiving FORMERR
      + Fix deletion of CDS after zone sign
      + Fix dighost query context management
      + Fix dig hanging due to IPv4 mapped IPv6 address
      + See https://bind9.readthedocs.io/en/v9_18_12/notes.html#notes-for-bind-9-18-12
        for additional bug fixes and information
  * Improve dep-8 test suite (LP: #2003584):
    - d/t/zonetest: Add dep8 test for checking the domain zone creation process
    - d/t/control: Add new test outline
  * d/bind9-doc.docs: Stop installing removed file doc/misc/options.active
  * Remove patches for bugs LP #1964400 and LP #1964686 fixed upstream:
    - lp1964400-lp1964686-Fix-an-issue-in-dig-when-retrying-with-the-next-serv
    - lp1964400-lp1964686-When-resending-a-UDP-request-insert-the-query-to-the
    - lp1964400-lp1964686-Add-digdelv-system-test-to-check-timed-out-result-fo
    - lp1964400-lp1964686-After-dig-request-errors-try-to-use-other-servers-wh
    - lp1964400-lp1964686-Add-digdelv-system-test-to-check-that-dig-tries-othe
    - lp1964400-lp1964686-Fix-dig-error-when-trying-the-next-server-after-a-TC
    - lp1964400-lp1964686-Add-various-dig-host-tests-for-TCP-UDP-socket-error-
  * Remove CVE patches fixed upstream:
    - debian/patches/CVE-2022-1183.patch
      [Included in upstream release 9.18.3]
    - debian/patches/CVE-2022-2795.patch
    - debian/patches/CVE-2022-2881.patch
    - debian/patches/CVE-2022-2906.patch
    - debian/patches/CVE-2022-3080.patch
    - debian/patches/CVE-2022-38178.patch
      [Included in upstream release 9.18.7]
    - debian/patches/CVE-2022-3094.patch
    - debian/patches/CVE-2022-3736.patch
    - debian/patches/CVE-2022-3924.patch
      [Included in upstream release 9.18.11]

 -- Lena Voytek <email address hidden> Wed, 08 Mar 2023 12:08:55 -0700

2003586 MRE Updates 9.18.12 / 9.16.36
1258003 DiG crashes on +nssearch with +tcp in bind9 9.18
1970252 The `dig` and `host` commands core dump or give incomplete results in Ubuntu 22.04
2006972 bind9 can't load preinstalled plugins
2003584 Add better DEP-8 tests
1964400 host crashes with SIGABRT in isc_assertion_failed()
1964686 Command \
CVE-2022-2795 Processing large delegations may severely degrade resolver performance
CVE-2022-2881 Buffer overread in statistics channel code
CVE-2022-2906 Memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs
CVE-2022-3080 BIND 9 resolvers configured to answer from stale cache with zero stale-answer-client-timeout may terminate unexpectedly
CVE-2022-38178 Memory leaks in EdDSA DNSSEC verification code
CVE-2022-3094 Sending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory. This, in turn, may cause `named` to exit due to a lack
CVE-2022-3736 BIND 9 resolver can crash when stale cache and stale answers are enabled, option `stale-answer-client-timeout` is set to a positive integer, and the
CVE-2022-3924 This issue can affect BIND 9 resolvers with `stale-answer-enable yes;` that also make use of the option `stale-answer-client-timeout`, configured wit
CVE-2022-1183 RESERVED



About   -   Send Feedback to @ubuntu_updates