UbuntuUpdates.org

Package "bind9-dnsutils"

Name: bind9-dnsutils

Description:

Clients provided with BIND 9

Latest version: 1:9.18.39-0ubuntu0.22.04.4
Release: jammy (22.04)
Level: updates
Repository: main
Head package: bind9
Homepage: https://www.isc.org/downloads/bind/

Other versions of "bind9-dnsutils" in Jammy

Repository Area Version
base main 1:9.18.1-1ubuntu1
security main 1:9.18.39-0ubuntu0.22.04.4

Changelog

Version: 1:9.18.39-0ubuntu0.22.04.4 2026-05-21 21:07:26 UTC

  bind9 (1:9.18.39-0ubuntu0.22.04.4) jammy-security; urgency=medium

  * SECURITY UPDATE: BIND 9 server memory exhaustion during GSS-API TKEY
    negotiation
    - debian/patches/CVE-2026-3039-pre1.patch: Release gnamebuf also on the
      error path in lib/dns/gssapictx.c.
    - debian/patches/CVE-2026-3039-1.patch: Fix GSS-API context leak in TKEY
      negotiation in lib/dns/gssapictx.c, lib/dns/include/dst/gssapi.h,
      lib/dns/tkey.c.
    - debian/patches/CVE-2026-3039-3.patch: Fix output token and GSS context
      leaks in TKEY/GSS-API error paths in lib/dns/gssapictx.c,
      lib/dns/tkey.c.
    - CVE-2026-3039
  * SECURITY UPDATE: Amplification vulnerabilities via self-pointed glue
    records
    - debian/patches/CVE-2026-3592-1.patch: Limit the number of addresses
      returned per ADB find in bin/named/main.c, lib/dns/adb.c.
    - debian/patches/CVE-2026-3592-2.patch: Remove duplicate addresses from
      the resolver SLIST in lib/dns/resolver.c.
    - debian/patches/CVE-2026-3592-3.patch: Add system test for self-pointed
      glue deduplication in bin/tests/system/selfpointedglue/ns1/named.conf.j2,
      bin/tests/system/selfpointedglue/ns1/root.db,
      bin/tests/system/selfpointedglue/ns2/named.conf.j2,
      bin/tests/system/selfpointedglue/ns2/tld.db,
      bin/tests/system/selfpointedglue/ns3/example.tld.db,
      bin/tests/system/selfpointedglue/ns3/example2.tld.db,
      bin/tests/system/selfpointedglue/ns3/named.conf.j2,
      bin/tests/system/selfpointedglue/ns4/named.args.j2,
      bin/tests/system/selfpointedglue/ns4/named.conf.j2,
      bin/tests/system/selfpointedglue/ns4/root.hint,
      bin/tests/system/selfpointedglue/prereq.sh,
      bin/tests/system/selfpointedglue/tests_selfpointedglue.py.
    - debian/patches/CVE-2026-3592-5.patch: Add SRTT-based server selection
      system test in bin/tests/system/srtt/README,
      bin/tests/system/srtt/ans2/ans.py, bin/tests/system/srtt/ans3/ans.py,
      bin/tests/system/srtt/ans4/ans.py, bin/tests/system/srtt/ans5/ans.py,
      bin/tests/system/srtt/ns1/named.conf.j2,
      bin/tests/system/srtt/ns1/root.db, bin/tests/system/srtt/ns6/named.args,
      bin/tests/system/srtt/ns6/named.conf.j2, bin/tests/system/srtt/prereq.sh,
      bin/tests/system/srtt/srtt_ans.py, bin/tests/system/srtt/tests_srtt.py.
    - CVE-2026-3592
  * SECURITY UPDATE: Invalid handling of CLASS != IN
    - debian/patches/CVE-2026-5946-1.patch: Disable recursion for non-IN
      classes in bin/named/server.c, bin/tests/system/checkconf/tests.sh,
      bin/tests/system/resolver/tests.sh, lib/bind9/check.c.
    - debian/patches/CVE-2026-5946-2.patch: Disable UPDATE and NOTIFY for
      non-IN classes in bin/named/server.c, lib/dns/adb.c,
      lib/ns/client.c, lib/ns/update.c.
    - debian/patches/CVE-2026-5946-3.patch: Validate DNS message CLASS early
      in request processing in bin/tests/system/unknown/tests.sh,
      lib/ns/client.c.
    - debian/patches/CVE-2026-5946-4.patch: Reject meta-classes in UPDATE and
      NOTIFY messages in lib/dns/message.c.
    - debian/patches/CVE-2026-5946-5.patch: Skip "deny-answer-address" for
      non-IN addresses in lib/dns/resolver.c.
    - debian/patches/CVE-2026-5946-6.patch: Test CHAOS view recursion behavior
      in bin/tests/system/checkconf/tests.sh,
      bin/tests/system/checkconf/warn-chaos-recursion.conf,
      bin/tests/system/class/ns1/chaos.db.in,
      bin/tests/system/class/ns1/named.conf.j2,
      bin/tests/system/class/ns2/example.db.in,
      bin/tests/system/class/ns2/localhost.db.in,
      bin/tests/system/class/ns2/named.conf.j2,
      bin/tests/system/class/ns3/named.conf.j2, bin/tests/system/class/setup.sh,
      bin/tests/system/class/tests_class_chaos.py,
      bin/tests/system/isctest/check.py.
    - debian/patches/CVE-2026-5946-7.patch: Test UPDATE behavior in CHAOS and
      other non-IN classes in bin/named/server.c,
      bin/tests/system/class/ns2/localhost.db.in,
      bin/tests/system/class/tests_class_update.py.
    - debian/patches/CVE-2026-5946-8.patch: Test server behavior when sending
      various UPDATE requests in bin/tests/system/class/tests_class_update.py,
      bin/tests/system/nsupdate/setup.sh, bin/tests/system/nsupdate/tests.sh,
      bin/tests/system/packet.pl.
    - debian/patches/CVE-2026-5946-9.patch: Make the RD flag optional in
      isctest.query() in bin/tests/system/isctest/query.py.
    - CVE-2026-5946
  * SECURITY UPDATE: Unbounded resend loop in BIND 9 resolver
    - debian/patches/CVE-2026-5950-1.patch: Add reproducer for BADCOOKIE
      resend loop in bin/tests/system/resend_loop/ans3/ans.py,
      bin/tests/system/resend_loop/ns4/named.conf.j2,
      bin/tests/system/resend_loop/ns4/root.hint,
      bin/tests/system/resend_loop/tests_resend_loop.py.
    - debian/patches/CVE-2026-5950-2.patch: Refactor incrementing query
      counters in lib/dns/resolver.c.
    - debian/patches/CVE-2026-5950-3.patch: rctx_resend() increment query
      counters in lib/dns/resolver.c.
    - CVE-2026-5950

 -- Marc Deslauriers <email address hidden> Thu, 21 May 2026 10:42:08 -0400

CVE-2026-3039 BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving an
CVE-2026-3592 BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone
CVE-2026-5946 Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `
CVE-2026-5950 An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated atta

Version: 1:9.18.39-0ubuntu0.22.04.3 2026-03-26 00:08:33 UTC

  bind9 (1:9.18.39-0ubuntu0.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: Excessive NSEC3 iterations cause high CPU load during
    insecure delegation validation
    - debian/patches/CVE-2026-1519-1.patch: add reproducers to bin/tests/*.
    - debian/patches/CVE-2026-1519-2.patch: check iterations in
      isdelegation() in lib/dns/validator.c.
    - debian/patches/CVE-2026-1519-3.patch: don't verify already trusted
      rdatasets in lib/dns/include/dns/types.h, lib/dns/validator.c.
    - debian/patches/CVE-2026-1519-4.patch: check RRset trust in
      validate_neg_rrset() in lib/dns/validator.c.
    - CVE-2026-1519

 -- Marc Deslauriers <email address hidden> Tue, 24 Mar 2026 11:31:16 -0400

CVE-2026-1519 Excessive NSEC3 iterations cause high CPU load during insecure delegation validation

Version: 1:9.18.39-0ubuntu0.22.04.2 2025-10-23 03:07:19 UTC

  bind9 (1:9.18.39-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Resource exhaustion via malformed DNSKEY handling
    - debian/patches/CVE-2025-8677.patch: count invalid keys as validation
      failures in lib/dns/validator.c.
    - CVE-2025-8677
  * SECURITY UPDATE: Cache poisoning attacks with unsolicited RRs
    - debian/patches/CVE-2025-40778.patch: no longer accept DNAME records
      or extraneous NS records in the AUTHORITY section unless these are
      received via spoofing-resistant transport in
      lib/dns/include/dns/message.h, lib/dns/message.c, lib/dns/resolver.c.
    - CVE-2025-40778
  * SECURITY UPDATE: Cache poisoning due to weak PRNG
    - debian/patches/CVE-2025-40780.patch: change internal random generator
      to a cryptographically secure pseudo-random generator in
      lib/isc/include/isc/random.h, lib/isc/random.c,
      tests/isc/random_test.c.
    - CVE-2025-40780

 -- Marc Deslauriers <email address hidden> Tue, 21 Oct 2025 09:15:59 -0400

CVE-2025-8677 Resource exhaustion via malformed DNSKEY handling
CVE-2025-40778 Cache poisoning attacks with unsolicited RRs
CVE-2025-40780 Cache poisoning due to weak PRNG

Version: 1:9.18.39-0ubuntu0.22.04.1 2025-09-11 00:07:09 UTC

  bind9 (1:9.18.39-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream release 9.18.39 (LP: #2112520)
    - Features:
      + Add support for parsing the DSYNC record.
      + Add support for the CO flag to dig.
      + Add a new option to configure the maximum number of outgoing queries
        per client request.
      + Add WALLET type.
    - Updates:
      + Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1 and DS digest type 1.
      + Make TLS data processing more reliable in various network conditions.
      + Print the expiration time of the stale records.
      + Remove --with-tuning=small/large configuration option.
      + Update built-in bind.keys file with the new 2025 IANA root key.
      + Move contributed DLZ modules into a separate repository.
      + Emit more helpful log messages for exceeding max-records-per-type.
      + Harden key management when key files have become unavailable.
      + Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS.
    - Bug Fixes:
      + Fix a possible crash when adding a zone while recursing.
      + Clean enough memory when adding new ADB names/entries under memory pressure.
      + Prevent spurious validation failures.
      + Rescan the interfaces again when reconfiguring the server.
      + Fix the default interface-interval from 60s to 60m.
      + Fix purge-keys bug when using views.
      + Set name for all the isc_mem contexts.
      + Stop caching lack of EDNS support.
      + Fix resolver statistics counters for timed-out responses.
      + Don’t enforce NOAUTH/NOCONF flags in DNSKEYs.
      + Fix inconsistency in CNAME/DNAME handling during resolution.
      + Fix deferred validation of unsigned DS and DNSKEY records.
      + Fix RPZ race condition during a reconfiguration.
      + Fix “CNAME and other data check” not being applied to all types.
      + Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
      + Fix rndc flushname for longer name server names.
      + Fix recently expired records sending timestamps in the future.
      + Fix YAML string not terminated in negative response in delv.
      + Apply the memory limit only to ADB database items.
      + Avoid unnecessary locking in the zone/cache database.
      + Improve the resolver performance under attack.
      + Fix nsupdate hang when processing a large update.
      + Fix possible assertion failure when reloading server while processing
        update policy rules.
      + Fix dnssec-signzone signing non-DNSKEY RRsets with revoked keys.
      + Fix improper handling of unknown directives in resolv.conf.
      + Fix dig parsing of {&dns}.
      + Fix NSEC3 closest encloser lookup for names with empty non-terminals.
      + Fix display of dig options with format form [+-]option=<value>.
      + Provide more visibility into TLS configuration errors by logging
      + Fix a statistics channel counter bug when “forward only” zones are
        used.
      + Fix wrong address queries in the static-stub implementation.
      + Limit the outgoing UDP send queue size.
      + Do not set SO_INCOMING_CPU.
    - See https://bind9.readthedocs.io/en/v9.18.39/notes.html for additional
      information.
  * d/p/CVE-2024-11187.patch, d/p/CVE-2024-12705.patch - Remove - fixed
    upstream in 9.18.33.
  * d/bind9.postinst: Perform postinst config check. (LP: #1492212)
  * Clean up terminal after SIGINT call in interactive tools. (LP: #2112278)
    - d/p/add-sigint-on-interactive-cleanup.patch: Run rl_reset_terminal before
      SIGINT exit.
    - d/rules: Link with libedit to use readline command in base library.

 -- Lena Voytek <email address hidden> Thu, 21 Aug 2025 10:58:41 -0400

2112520 Backport upstream microreleases for questing cycle
1492212 postinst should validate config before restarting bind
2112278 shell error typing after nslookup
CVE-2024-11187 Many records in the additional section cause CPU exhaustion
CVE-2024-12705 DNS-over-HTTPS implementation suffers from multiple issues under heavy query load

Version: 1:9.18.30-0ubuntu0.22.04.2 2025-01-29 23:06:56 UTC

  bind9 (1:9.18.30-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Many records in the additional section cause CPU
    exhaustion
    - debian/patches/CVE-2024-11187.patch: limit the additional processing
      for large RDATA sets in bin/tests/*, lib/dns/include/dns/rdataset.h,
      lib/dns/rbtdb.c, lib/dns/rdataset.c, lib/dns/resolver.c,
      lib/ns/query.c.
    - CVE-2024-11187
  * SECURITY UPDATE: DNS-over-HTTPS implementation suffers from multiple
    issues under heavy query load
    - debian/patches/CVE-2024-12705.patch: fix flooding issues in
      lib/isc/netmgr/http.c, lib/isc/netmgr/netmgr-int.h,
      lib/isc/netmgr/netmgr.c, lib/isc/netmgr/tcp.c,
      lib/isc/netmgr/tlsstream.c.
    - CVE-2024-12705

 -- Marc Deslauriers <email address hidden> Tue, 28 Jan 2025 09:30:35 -0500

CVE-2024-11187 Many records in the additional section cause CPU exhaustion
CVE-2024-12705 DNS-over-HTTPS implementation suffers from multiple issues under heavy query load