Package "bind9"

  bind9 (1:9.18.39-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Resource exhaustion via malformed DNSKEY handling
    - debian/patches/CVE-2025-8677.patch: count invalid keys as validation
      failures in lib/dns/validator.c.
    - CVE-2025-8677
  * SECURITY UPDATE: Cache poisoning attacks with unsolicited RRs
    - debian/patches/CVE-2025-40778.patch: no longer accept DNAME records
      or extraneous NS records in the AUTHORITY section unless these are
      received via spoofing-resistant transport in
      lib/dns/include/dns/message.h, lib/dns/message.c, lib/dns/resolver.c.
    - CVE-2025-40778
  * SECURITY UPDATE: Cache poisoning due to weak PRNG
    - debian/patches/CVE-2025-40780.patch: change internal random generator
      to a cryptographically secure pseudo-random generator in
      lib/isc/include/isc/random.h, lib/isc/random.c,
      tests/isc/random_test.c.
    - CVE-2025-40780

 -- Marc Deslauriers <email address hidden> Tue, 21 Oct 2025 09:15:59 -0400

  bind9 (1:9.18.30-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Many records in the additional section cause CPU
    exhaustion
    - debian/patches/CVE-2024-11187.patch: limit the additional processing
      for large RDATA sets in bin/tests/*, lib/dns/include/dns/rdataset.h,
      lib/dns/rbtdb.c, lib/dns/rdataset.c, lib/dns/resolver.c,
      lib/ns/query.c.
    - CVE-2024-11187
  * SECURITY UPDATE: DNS-over-HTTPS implementation suffers from multiple
    issues under heavy query load
    - debian/patches/CVE-2024-12705.patch: fix flooding issues in
      lib/isc/netmgr/http.c, lib/isc/netmgr/netmgr-int.h,
      lib/isc/netmgr/netmgr.c, lib/isc/netmgr/tcp.c,
      lib/isc/netmgr/tlsstream.c.
    - CVE-2024-12705

 -- Marc Deslauriers <email address hidden> Tue, 28 Jan 2025 09:30:35 -0500

  bind9 (1:9.18.28-0ubuntu0.22.04.1) jammy-security; urgency=medium

  * Updated to 9.18.28 to fix multiple security issues.
    - CVE-2024-0760: A flood of DNS messages over TCP may make the server
      unstable
    - CVE-2024-1737: BIND's database will be slow if a very large number of
      RRs exist at the same name
    - CVE-2024-1975: SIG(0) can be used to exhaust CPU resources
    - CVE-2024-4076: Assertion failure when serving both stale cache data
      and authoritative zone content

 -- Marc Deslauriers <email address hidden> Tue, 16 Jul 2024 14:16:20 -0400

  bind9 (1:9.18.18-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Multiple security issues
    - debian/patches/0001-CVE-2023-4408.patch: Parsing large DNS messages
      may cause excessive CPU load.
    - debian/patches/0002-CVE-2023-5517.patch: Querying RFC 1918 reverse
      zones may cause an assertion failure when nxdomain-redirect is
      enabled.
    - debian/patches/0003-CVE-2023-5679.patch: Enabling both DNS64 and
      serve-stale may cause an assertion failure during recursive
      resolution.
    - debian/patches/0004-CVE-2023-50387-CVE-2023-50868.patch: Extreme CPU
      consumption in DNSSEC validator and Preparing an NSEC3 closest
      encloser proof can exhaust CPU resources.
    - CVE-2023-4408
    - CVE-2023-5517
    - CVE-2023-5679
    - CVE-2023-50387
    - CVE-2023-50868

 -- Marc Deslauriers <email address hidden> Mon, 12 Feb 2024 14:29:56 -0500

  bind9 (1:9.18.12-0ubuntu0.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS via recusive packet parsing
    - debian/patches/CVE-2023-3341.patch: add a max depth check to
      lib/isc/include/isc/result.h, lib/isc/result.c, lib/isccc/cc.c.
    - CVE-2023-3341
  * SECURITY UPDATE: Dos via DNS-over-TLS queries
    - debian/patches/CVE-2023-4236.patch: check return code in
      lib/isc/netmgr/tlsdns.c.
    - CVE-2023-4236

 -- Marc Deslauriers <email address hidden> Tue, 19 Sep 2023 07:21:46 -0400