Package "bind9-dnsutils"
Name: |
bind9-dnsutils
|
Description: |
Clients provided with BIND 9
|
Latest version: |
1:9.18.30-0ubuntu0.22.04.2 |
Release: |
jammy (22.04) |
Level: |
updates |
Repository: |
main |
Head package: |
bind9 |
Homepage: |
https://www.isc.org/downloads/bind/ |
Links
Download "bind9-dnsutils"
Other versions of "bind9-dnsutils" in Jammy
Changelog
bind9 (1:9.18.30-0ubuntu0.22.04.2) jammy-security; urgency=medium
* SECURITY UPDATE: Many records in the additional section cause CPU
exhaustion
- debian/patches/CVE-2024-11187.patch: limit the additional processing
for large RDATA sets in bin/tests/*, lib/dns/include/dns/rdataset.h,
lib/dns/rbtdb.c, lib/dns/rdataset.c, lib/dns/resolver.c,
lib/ns/query.c.
- CVE-2024-11187
* SECURITY UPDATE: DNS-over-HTTPS implementation suffers from multiple
issues under heavy query load
- debian/patches/CVE-2024-12705.patch: fix flooding issues in
lib/isc/netmgr/http.c, lib/isc/netmgr/netmgr-int.h,
lib/isc/netmgr/netmgr.c, lib/isc/netmgr/tcp.c,
lib/isc/netmgr/tlsstream.c.
- CVE-2024-12705
-- Marc Deslauriers <email address hidden> Tue, 28 Jan 2025 09:30:35 -0500
|
Source diff to previous version |
CVE-2024-11187 |
Many records in the additional section cause CPU exhaustion |
CVE-2024-12705 |
DNS-over-HTTPS implementation suffers from multiple issues under heavy query load |
|
bind9 (1:9.18.30-0ubuntu0.22.04.1) jammy; urgency=medium
* New upstream release 9.18.30 (LP: #2073310)
- Features:
+ Print initial working directory during named startup, and changed
working directory when loading or reloading the configuration file
+ Add max-query-restarts configuration statement
- Updates:
+ Restrain named to specified number of cores when running via taskset,
cpuset, or numactl
+ Reduce default max-recursion-queries value from 100 to 32
+ Raise the log level of priming failures
- Bug Fixes:
+ Fix privacy verification of EDDSA keys
+ Fix algorithm rollover bug when there are two keys with the same keytag
+ Return SERVFAIL for a too long CNAME chain
+ Reconfigure catz member zones during named reconfiguration
+ Update key lifetime and metadata after dnssec-policy reconfiguration
+ Fix generation of 6to4-self name expansion from IPv4 address
+ Fix invalid dig +yaml output
+ Reject zero-length ALPN during SVBC ALPN text parsing
+ Fix false QNAME minimisation error being reported
+ Fix dig +timeout argument when using +http
- See https://bind9.readthedocs.io/en/v9.18.30/notes.html for additional
information.
-- Lena Voytek <email address hidden> Mon, 23 Sep 2024 17:16:16 -0400
|
Source diff to previous version |
2073310 |
Backport of bind9 for focal, jammy and noble |
|
bind9 (1:9.18.28-0ubuntu0.22.04.1) jammy-security; urgency=medium
* Updated to 9.18.28 to fix multiple security issues.
- CVE-2024-0760: A flood of DNS messages over TCP may make the server
unstable
- CVE-2024-1737: BIND's database will be slow if a very large number of
RRs exist at the same name
- CVE-2024-1975: SIG(0) can be used to exhaust CPU resources
- CVE-2024-4076: Assertion failure when serving both stale cache data
and authoritative zone content
-- Marc Deslauriers <email address hidden> Tue, 16 Jul 2024 14:16:20 -0400
|
Source diff to previous version |
bind9 (1:9.18.24-0ubuntu0.22.04.1) jammy; urgency=medium
* New upstream version 9.18.24 (LP: #2040459)
- Updates:
+ Mark use of AES as the DNS COOKIE algorithm as depricated.
+ Mark resolver-nonbackoff-tries and resolver-retry-interval statements
as depricated.
+ Update IP addresses for B.ROOT-SERVERS.NET to 170.247.170.2 and
2801:1b8:10::b.
+ Mark dnssec-must-be-secure option as deprecated.
+ Honor nsupdate -v option for SOA queries by sending both the UPDATE
request and the initial query over TCP.
+ Reduce memory consumption through dedicated jemalloc memory arenas.
- Bug fixes:
+ Fix accidental truncation to 32 bit of statistics channel counters.
+ Do not schedule unsigned versions of inline-signed zones containing
DNSSEC records for resigning.
+ Take local authoritive data into account when looking up stale data
from the cache.
+ Fix assertion failure when lock-file used at the same time as named -X.
+ Fix lockfile removal issue when starting named 3+ times.
+ Fix validation of If-Modified-Since header in statistics channel for
its length.
+ Add Content-Length header bounds check to avoid integer overflow.
+ Fix memory leaks from OpenSSL error stack.
+ Fix SERVFAIL responses after introduction of krb5-subdomain-self-rhs
and ms-subdomain-self-rhs UPDATE policies.
+ Fix accidental disable of stale-refresh-time feature on rndc flush.
+ Fix possible DNS message corruption from partial writes in TLS DNS.
- See https://bind9.readthedocs.io/en/v9.18.24/notes.html for additional
information.
* Remove CVE patches fixed upstream:
- CVE-2023-3341.patch
- CVE-2023-4236.patch
[ Fixed in 9.18.19 ]
- 0001-CVE-2023-4408.patch
- 0002-CVE-2023-5517.patch
- 0003-CVE-2023-5679.patch
- 0004-CVE-2023-50387-CVE-2023-50868.patch
[ Fixed in 9.18.24 ]
* d/p/always-use-standard-library-stdatomic.patch: Maintain use of the
standard library stdatomic.h.
-- Lena Voytek <email address hidden> Thu, 11 Apr 2024 14:11:18 -0700
|
Source diff to previous version |
2040459 |
MRE updates of bind9 for noble |
CVE-2023-3341 |
A stack exhaustion flaw in control channel code may cause named to terminate unexpectedly |
CVE-2023-4236 |
named may terminate unexpectedly under high DNS-over-TLS query load |
CVE-2023-4408 |
The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS |
CVE-2023-5517 |
A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: - `nxdomain-redirect <domain>;` is configured, |
CVE-2023-5679 |
A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these |
CVE-2023-50387 |
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU |
CVE-2023-50868 |
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of se |
|
bind9 (1:9.18.18-0ubuntu0.22.04.2) jammy-security; urgency=medium
* SECURITY UPDATE: Multiple security issues
- debian/patches/0001-CVE-2023-4408.patch: Parsing large DNS messages
may cause excessive CPU load.
- debian/patches/0002-CVE-2023-5517.patch: Querying RFC 1918 reverse
zones may cause an assertion failure when nxdomain-redirect is
enabled.
- debian/patches/0003-CVE-2023-5679.patch: Enabling both DNS64 and
serve-stale may cause an assertion failure during recursive
resolution.
- debian/patches/0004-CVE-2023-50387-CVE-2023-50868.patch: Extreme CPU
consumption in DNSSEC validator and Preparing an NSEC3 closest
encloser proof can exhaust CPU resources.
- CVE-2023-4408
- CVE-2023-5517
- CVE-2023-5679
- CVE-2023-50387
- CVE-2023-50868
-- Marc Deslauriers <email address hidden> Mon, 12 Feb 2024 14:29:56 -0500
|
About
-
Send Feedback to @ubuntu_updates