Package "bind9-libs"
Name: bind9-libs
Description: Shared Libraries used by BIND 9
Latest version: 1:9.18.39-0ubuntu0.22.04.2
Release: jammy (22.04)
Level: updates
Repository: main
Head package: bind9
Homepage: https://www.isc.org/downloads/bind/
Changelog
bind9 (1:9.18.39-0ubuntu0.22.04.2) jammy-security; urgency=medium
* SECURITY UPDATE: Resource exhaustion via malformed DNSKEY handling
- debian/patches/CVE-2025-8677.patch: count invalid keys as validation
failures in lib/dns/validator.c.
- CVE-2025-8677
* SECURITY UPDATE: Cache poisoning attacks with unsolicited RRs
- debian/patches/CVE-2025-40778.patch: no longer accept DNAME records
or extraneous NS records in the AUTHORITY section unless these are
received via spoofing-resistant transport in
lib/dns/include/dns/message.h, lib/dns/message.c, lib/dns/resolver.c.
- CVE-2025-40778
* SECURITY UPDATE: Cache poisoning due to weak PRNG
- debian/patches/CVE-2025-40780.patch: change internal random generator
to a cryptographically secure pseudo-random generator in
lib/isc/include/isc/random.h, lib/isc/random.c,
tests/isc/random_test.c.
- CVE-2025-40780
-- Marc Deslauriers <email address hidden> Tue, 21 Oct 2025 09:15:59 -0400
bind9 (1:9.18.39-0ubuntu0.22.04.1) jammy; urgency=medium
* New upstream release 9.18.39 (LP: #2112520)
- Features:
+ Add support for parsing the DSYNC record.
+ Add support for the CO flag to dig.
+ Add a new option to configure the maximum number of outgoing queries
per client request.
+ Add WALLET type.
- Updates:
+ Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1 and DS digest type 1.
+ Make TLS data processing more reliable in various network conditions.
+ Print the expiration time of the stale records.
+ Remove --with-tuning=small/large configuration option.
+ Update built-in bind.keys file with the new 2025 IANA root key.
+ Move contributed DLZ modules into a separate repository.
+ Emit more helpful log messages for exceeding max-records-per-type.
+ Harden key management when key files have become unavailable.
+ Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS.
- Bug Fixes:
+ Fix a possible crash when adding a zone while recursing.
+ Clean enough memory when adding new ADB names/entries under memory pressure.
+ Prevent spurious validation failures.
+ Rescan the interfaces again when reconfiguring the server.
+ Fix the default interface-interval from 60s to 60m.
+ Fix purge-keys bug when using views.
+ Set name for all the isc_mem contexts.
+ Stop caching lack of EDNS support.
+ Fix resolver statistics counters for timed-out responses.
+ Don't enforce NOAUTH/NOCONF flags in DNSKEYs.
+ Fix inconsistency in CNAME/DNAME handling during resolution.
+ Fix deferred validation of unsigned DS and DNSKEY records.
+ Fix RPZ race condition during a reconfiguration.
+ Fix "CNAME and other data check" not being applied to all types.
+ Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
+ Fix rndc flushname for longer name server names.
+ Fix recently expired records sending timestamps in the future.
+ Fix YAML string not terminated in negative response in delv.
+ Apply the memory limit only to ADB database items.
+ Avoid unnecessary locking in the zone/cache database.
+ Improve the resolver performance under attack.
+ Fix nsupdate hang when processing a large update.
+ Fix possible assertion failure when reloading server while processing
update policy rules.
+ Fix dnssec-signzone signing non-DNSKEY RRsets with revoked keys.
+ Fix improper handling of unknown directives in resolv.conf.
+ Fix dig parsing of {&dns}.
+ Fix NSEC3 closest encloser lookup for names with empty non-terminals.
+ Fix display of dig options with format form [+-]option=<value>.
+ Provide more visibility into TLS configuration errors by logging
+ Fix a statistics channel counter bug when "forward only" zones are
used.
+ Fix wrong address queries in the static-stub implementation.
+ Limit the outgoing UDP send queue size.
+ Do not set SO_INCOMING_CPU.
- See https://bind9.readthedocs.io/en/v9.18.39/notes.html for additional
information.
* d/p/CVE-2024-11187.patch, d/p/CVE-2024-12705.patch - Remove - fixed
upstream in 9.18.33.
* d/bind9.postinst: Perform postinst config check. (LP: #1492212)
* Clean up terminal after SIGINT call in interactive tools. (LP: #2112278)
- d/p/add-sigint-on-interactive-cleanup.patch: Run rl_reset_terminal before
SIGINT exit.
- d/rules: Link with libedit to use readline command in base library.
-- Lena Voytek <email address hidden> Thu, 21 Aug 2025 10:58:41 -0400
2112520 | Backport upstream microreleases for questing cycle
1492212 | postinst should validate config before restarting bind
2112278 | shell error typing after nslookup
CVE-2024-11187 | Many records in the additional section cause CPU exhaustion
CVE-2024-12705 | DNS-over-HTTPS implementation suffers from multiple issues under heavy query load
bind9 (1:9.18.30-0ubuntu0.22.04.2) jammy-security; urgency=medium
* SECURITY UPDATE: Many records in the additional section cause CPU
exhaustion
- debian/patches/CVE-2024-11187.patch: limit the additional processing
for large RDATA sets in bin/tests/*, lib/dns/include/dns/rdataset.h,
lib/dns/rbtdb.c, lib/dns/rdataset.c, lib/dns/resolver.c,
lib/ns/query.c.
- CVE-2024-11187
* SECURITY UPDATE: DNS-over-HTTPS implementation suffers from multiple
issues under heavy query load
- debian/patches/CVE-2024-12705.patch: fix flooding issues in
lib/isc/netmgr/http.c, lib/isc/netmgr/netmgr-int.h,
lib/isc/netmgr/netmgr.c, lib/isc/netmgr/tcp.c,
lib/isc/netmgr/tlsstream.c.
- CVE-2024-12705
-- Marc Deslauriers <email address hidden> Tue, 28 Jan 2025 09:30:35 -0500
CVE-2024-11187 | Many records in the additional section cause CPU exhaustion
CVE-2024-12705 | DNS-over-HTTPS implementation suffers from multiple issues under heavy query load
bind9 (1:9.18.30-0ubuntu0.22.04.1) jammy; urgency=medium
* New upstream release 9.18.30 (LP: #2073310)
- Features:
+ Print initial working directory during named startup, and changed
working directory when loading or reloading the configuration file
+ Add max-query-restarts configuration statement
- Updates:
+ Restrain named to specified number of cores when running via taskset,
cpuset, or numactl
+ Reduce default max-recursion-queries value from 100 to 32
+ Raise the log level of priming failures
- Bug Fixes:
+ Fix privacy verification of EDDSA keys
+ Fix algorithm rollover bug when there are two keys with the same keytag
+ Return SERVFAIL for a too long CNAME chain
+ Reconfigure catz member zones during named reconfiguration
+ Update key lifetime and metadata after dnssec-policy reconfiguration
+ Fix generation of 6to4-self name expansion from IPv4 address
+ Fix invalid dig +yaml output
+ Reject zero-length ALPN during SVCB ALPN text parsing
+ Fix false QNAME minimisation error being reported
+ Fix dig +timeout argument when using +http
- See https://bind9.readthedocs.io/en/v9.18.30/notes.html for additional
information.
-- Lena Voytek <email address hidden> Mon, 23 Sep 2024 17:16:16 -0400
2073310 | Backport of bind9 for focal, jammy and noble
bind9 (1:9.18.28-0ubuntu0.22.04.1) jammy-security; urgency=medium
* Updated to 9.18.28 to fix multiple security issues.
- CVE-2024-0760: A flood of DNS messages over TCP may make the server
unstable
- CVE-2024-1737: BIND's database will be slow if a very large number of
RRs exist at the same name
- CVE-2024-1975: SIG(0) can be used to exhaust CPU resources
- CVE-2024-4076: Assertion failure when serving both stale cache data
and authoritative zone content
-- Marc Deslauriers <email address hidden> Tue, 16 Jul 2024 14:16:20 -0400