UbuntuUpdates.org

Package "bind9-dev"

Name: bind9-dev

Description:

Static Libraries and Headers used by BIND 9
Latest version: 1:9.20.11-1ubuntu2.4
Release: questing (25.10)
Level: security
Repository: main
Head package: bind9
Homepage: https://www.isc.org/downloads/bind/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "bind9-dev"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "bind9-dev" in Questing

Repository Area Version
base main 1:9.20.11-1ubuntu2
updates main 1:9.20.11-1ubuntu2.4
proposed main 1:9.20.11-1ubuntu2.3

Changelog

Version: 1:9.20.11-1ubuntu2.4 2026-05-21 20:07:43 UTC

  bind9 (1:9.20.11-1ubuntu2.4) questing-security; urgency=medium

  * SECURITY UPDATE: BIND 9 server memory exhaustion during GSS-API TKEY
    negotiation
    - debian/patches/CVE-2026-3039-pre1.patch: Release gnamebuf also on the
      error path in lib/dns/gssapictx.c.
    - debian/patches/CVE-2026-3039-1.patch: Fix GSS-API context leak in TKEY
      negotiation in lib/dns/gssapictx.c, lib/dns/include/dst/gssapi.h,
      lib/dns/tkey.c.
    - debian/patches/CVE-2026-3039-3.patch: Fix output token and GSS context
      leaks in TKEY/GSS-API error paths in lib/dns/gssapictx.c,
      lib/dns/tkey.c.
    - CVE-2026-3039
  * SECURITY UPDATE: Amplification vulnerabilities via self-pointed glue
    records
    - debian/patches/CVE-2026-3592-1.patch: Limit the number of addresses
      returned per ADB find in bin/named/main.c, lib/dns/adb.c.
    - debian/patches/CVE-2026-3592-2.patch: Remove duplicate addresses from
      the resolver SLIST in lib/dns/resolver.c.
    - debian/patches/CVE-2026-3592-3.patch: Add system test for self-pointed
      glue deduplication in bin/tests/system/selfpointedglue/ns1/named.conf.j2,
      bin/tests/system/selfpointedglue/ns1/root.db,
      bin/tests/system/selfpointedglue/ns2/named.conf.j2,
      bin/tests/system/selfpointedglue/ns2/tld.db,
      bin/tests/system/selfpointedglue/ns3/example.tld.db,
      bin/tests/system/selfpointedglue/ns3/example2.tld.db,
      bin/tests/system/selfpointedglue/ns3/named.conf.j2,
      bin/tests/system/selfpointedglue/ns4/named.args.j2,
      bin/tests/system/selfpointedglue/ns4/named.conf.j2,
      bin/tests/system/selfpointedglue/ns4/root.hint,
      bin/tests/system/selfpointedglue/tests_selfpointedglue.py.
    - debian/patches/CVE-2026-3592-4.patch: Add SRTT-based server selection
      system test in bin/tests/system/srtt/README,
      bin/tests/system/srtt/ans2/ans.py, bin/tests/system/srtt/ans3/ans.py,
      bin/tests/system/srtt/ans4/ans.py, bin/tests/system/srtt/ans5/ans.py,
      bin/tests/system/srtt/ns1/named.conf.j2,
      bin/tests/system/srtt/ns1/root.db, bin/tests/system/srtt/ns6/named.args,
      bin/tests/system/srtt/ns6/named.conf.j2,
      bin/tests/system/srtt/srtt_ans.py, bin/tests/system/srtt/tests_srtt.py.
    - CVE-2026-3592
  * SECURITY UPDATE: Heap use-after-free vulnerability in BIND 9
    DNS-over-HTTPS implementation
    - debian/patches/CVE-2026-3593-1.patch: Add system test for HTTP/2
      SETTINGS frame flood in bin/tests/system/doth/tests_malicious.py.
    - debian/patches/CVE-2026-3593-2.patch: Fix use-after-free in DoH write
      buffer after HTTP/2 send in lib/isc/netmgr/http.c.
    - CVE-2026-3593
  * SECURITY UPDATE: Invalid handling of CLASS != IN
    - debian/patches/CVE-2026-5946-1.patch: Disable recursion for non-IN
      classes in bin/named/server.c, lib/isccfg/check.c.
    - debian/patches/CVE-2026-5946-2.patch: Disable UPDATE and NOTIFY for
      non-IN classes in bin/named/server.c, lib/dns/adb.c,
      lib/ns/client.c, lib/ns/update.c.
    - debian/patches/CVE-2026-5946-3.patch: Validate DNS message CLASS early
      in request processing in bin/tests/system/unknown/tests.sh,
      lib/ns/client.c.
    - debian/patches/CVE-2026-5946-4.patch: Reject meta-classes in UPDATE and
      NOTIFY messages in lib/dns/message.c.
    - debian/patches/CVE-2026-5946-5.patch: Skip "deny-answer-address" for
      non-IN addresses in lib/dns/resolver.c.
    - debian/patches/CVE-2026-5946-6.patch: Test CHAOS view recursion behavior
      in bin/tests/system/checkconf/tests.sh,
      bin/tests/system/checkconf/warn-chaos-recursion.conf,
      bin/tests/system/class/ns1/chaos.db.in,
      bin/tests/system/class/ns1/named.conf.j2,
      bin/tests/system/class/ns2/example.db.in,
      bin/tests/system/class/ns2/localhost.db.in,
      bin/tests/system/class/ns2/named.conf.j2,
      bin/tests/system/class/ns3/named.conf.j2, bin/tests/system/class/setup.sh,
      bin/tests/system/class/tests_class_chaos.py,
      bin/tests/system/isctest/check.py.
    - debian/patches/CVE-2026-5946-7.patch: Test UPDATE behavior in CHAOS and
      other non-IN classes in bin/named/server.c,
      bin/tests/system/class/ns2/localhost.db.in,
      bin/tests/system/class/tests_class_update.py.
    - debian/patches/CVE-2026-5946-8.patch: Test server behavior when sending
      various UPDATE requests in bin/tests/system/class/tests_class_update.py,
      bin/tests/system/nsupdate/setup.sh, bin/tests/system/nsupdate/tests.sh,
      bin/tests/system/packet.pl.
    - CVE-2026-5946
  * SECURITY UPDATE: SIG(0) validation during query flood may lead to
    undefined behavior
    - debian/patches/CVE-2026-5947.patch: Fix use-after-free in resolver SIG(0)
      async verification path in lib/dns/resolver.c.
    - CVE-2026-5947
  * SECURITY UPDATE: Unbounded resend loop in BIND 9 resolver
    - debian/patches/CVE-2026-5950-1.patch: Add reproducer for BADCOOKIE
      resend loop in bin/tests/system/resend_loop/ans3/ans.py,
      bin/tests/system/resend_loop/ns4/named.conf.j2,
      bin/tests/system/resend_loop/ns4/root.hint,
      bin/tests/system/resend_loop/tests_resend_loop.py.
    - debian/patches/CVE-2026-5950-2.patch: Refactor incrementing query
      counters in lib/dns/resolver.c.
    - debian/patches/CVE-2026-5950-3.patch: rctx_resend() increment query
      counters in lib/dns/resolver.c.
    - CVE-2026-5950
  * This package does _not_ contain the changes from 1:9.20.11-1ubuntu2.3
    in questing-proposed.

 -- Marc Deslauriers <email address hidden> Thu, 21 May 2026 08:49:03 -0400
Source diff to previous version
CVE-2026-3039 BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving an
CVE-2026-3592 BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone
CVE-2026-3593 A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 thr
CVE-2026-5946 Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `
CVE-2026-5947 Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SI
CVE-2026-5950 An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated atta

Version: 1:9.20.11-1ubuntu2.2 2026-03-25 20:08:22 UTC

  bind9 (1:9.20.11-1ubuntu2.2) questing-security; urgency=medium

  * SECURITY UPDATE: Excessive NSEC3 iterations cause high CPU load during
    insecure delegation validation
    - debian/patches/CVE-2026-1519-1.patch: add reproducers to bin/tests/*.
    - debian/patches/CVE-2026-1519-2.patch: check iterations in
      isdelegation() in lib/dns/validator.c.
    - debian/patches/CVE-2026-1519-3.patch: don't verify already trusted
      rdatasets in lib/dns/include/dns/types.h, lib/dns/validator.c.
    - debian/patches/CVE-2026-1519-4.patch: combine validator_log and
      marksecure in lib/dns/validator.c.
    - debian/patches/CVE-2026-1519-5.patch: check RRset trust in
      validate_neg_rrset() in lib/dns/validator.c.
    - CVE-2026-1519
  * SECURITY UPDATE: Memory leak in code preparing DNSSEC proofs of
    non-existence
    - debian/patches/CVE-2026-3104-1.patch: add tests to bin/tests/*.
    - debian/patches/CVE-2026-3104-2.patch: fix memory leak in QPcache
      addnoqname/addclosest mechanism in lib/dns/qpcache.c,
      lib/dns/rbtdb.c.
    - CVE-2026-3104
  * SECURITY UPDATE: Authenticated query containing a TKEY record may cause
    named to terminate unexpectedly
    - debian/patches/CVE-2026-3119-1.patch: add tests to bin/tests/*.
    - debian/patches/CVE-2026-3119-2.patch: fix a bug in
      dns_tkey_processquery() in lib/dns/tkey.c.
    - CVE-2026-3119
  * SECURITY UPDATE: A stack use-after-return flaw in SIG(0) handling code
    may enable ACL bypass
    - debian/patches/CVE-2026-3591-1.patch: add tests to bin/tests/*.
    - debian/patches/CVE-2026-3591-2.patch: fix stack Use-After-Return in
      SIG(0) handling in bin/named/server.c.
    - CVE-2026-3591

 -- Marc Deslauriers <email address hidden> Tue, 24 Mar 2026 11:17:07 -0400
Source diff to previous version
CVE-2026-1519 Excessive NSEC3 iterations cause high CPU load during insecure delegation validation
CVE-2026-3104 Memory leak in code preparing DNSSEC proofs of non-existence
CVE-2026-3119 Authenticated query containing a TKEY record may cause named to terminate unexpectedly
CVE-2026-3591 A stack use-after-return flaw in SIG(0) handling code may enable ACL bypass

Version: 1:9.20.11-1ubuntu2.1 2025-10-22 20:08:11 UTC

  bind9 (1:9.20.11-1ubuntu2.1) questing-security; urgency=medium

  * SECURITY UPDATE: Resource exhaustion via malformed DNSKEY handling
    - debian/patches/CVE-2025-8677.patch: count invalid keys as validation
      failures in lib/dns/validator.c.
    - CVE-2025-8677
  * SECURITY UPDATE: Cache poisoning attacks with unsolicited RRs
    - debian/patches/CVE-2025-40778.patch: no longer accept DNAME records
      or extraneous NS records in the AUTHORITY section unless these are
      received via spoofing-resistant transport in doc/arm/reference.rst,
      lib/dns/include/dns/message.h, lib/dns/message.c, lib/dns/resolver.c.
    - CVE-2025-40778
  * SECURITY UPDATE: Cache poisoning due to weak PRNG
    - debian/patches/CVE-2025-40780.patch: change internal random generator
      to a cryptographically secure pseudo-random generator in
      configure.ac, lib/isc/Makefile.am, lib/isc/hash.c, lib/isc/hashmap.c,
      lib/isc/include/isc/nonce.h, lib/isc/include/isc/random.h,
      lib/isc/random.c, tests/isc/random_test.c.
    - CVE-2025-40780

 -- Marc Deslauriers <email address hidden> Tue, 21 Oct 2025 07:57:20 -0400
CVE-2025-8677 Resource exhaustion via malformed DNSKEY handling
CVE-2025-40778 Cache poisoning attacks with unsolicited RRs
CVE-2025-40780 Cache poisoning due to weak PRNG


About   -   Send Feedback to @ubuntu_updates