Package "bind9"

  bind9 (1:9.16.1-0ubuntu2.7) focal; urgency=medium

  * Fix a race between deactivating socket handle and processing
    async callbacks, which can lead to sockets not being closed
    properly, exhausting TCP connection limits. (LP: #1909950)
    - d/p/lp-1909950-fix-race-between-deactivating-handle-async-callback.patch

 -- Matthew Ruffell <email address hidden> Thu, 18 Feb 2021 16:28:44 +1300

  bind9 (1:9.16.1-0ubuntu2.6) focal-security; urgency=medium

  * SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
    - debian/patches/CVE-2020-8625.patch: properly calculate length in
      lib/dns/spnego.c.
    - CVE-2020-8625
  * This update does _not_ contain the changes from 1:9.16.1-0ubuntu2.5 in
    focal-proposed.

 -- Marc Deslauriers <email address hidden> Tue, 16 Feb 2021 15:08:33 -0500

  bind9 (1:9.16.1-0ubuntu2.4) focal; urgency=medium

  * Fix rare condition that can break bind9 with a crash (LP: #1896740)
    - 0003-Print-diagnostics-on-dns_name_issubdomain-failure-in.patch

 -- Christian Ehrhardt <email address hidden> Mon, 28 Sep 2020 12:30:22 +0200

  bind9 (1:9.16.1-0ubuntu2.3) focal-security; urgency=medium

  * SECURITY UPDATE: A specially crafted large TCP payload can trigger an
    assertion failure
    - debian/patches/CVE-2020-8620.patch: add extra checks to
      lib/isc/netmgr/netmgr-int.h, lib/isc/netmgr/netmgr.c,
      lib/isc/netmgr/tcp.c, lib/isc/netmgr/udp.c.
    - CVE-2020-8620
  * SECURITY UPDATE: Attempting QNAME minimization after forwarding can
    lead to an assertion failure
    - debian/patches/CVE-2020-8621.patch: disable QNAME minimization in
      lib/dns/resolver.c.
    - CVE-2020-8621
  * SECURITY UPDATE: A truncated TSIG response can lead to an assertion
    failure
    - debian/patches/CVE-2020-8622.patch: move code in lib/dns/message.c.
    - CVE-2020-8622
  * SECURITY UPDATE: A flaw in native PKCS#11 code can lead to a remotely
    triggerable assertion failure
    - debian/patches/CVE-2020-8623.patch: add extra checks in
      lib/dns/pkcs11rsa_link.c, lib/isc/include/pk11/internal.h,
      lib/isc/pk11.c.
    - CVE-2020-8623
  * SECURITY UPDATE: update-policy rules of type subdomain were enforced
    incorrectly
    - debian/patches/CVE-2020-8624.patch: add extra check in
      bin/named/zoneconf.c.
    - CVE-2020-8624

 -- Marc Deslauriers <email address hidden> Tue, 18 Aug 2020 07:38:53 -0400

  bind9 (1:9.16.1-0ubuntu2.2) focal-security; urgency=medium

  * SECURITY UPDATE: assertion when attempting to fill oversized TCP buffer
    - debian/patches/CVE-2020-8618.patch: add fix to lib/ns/client.c,
      lib/ns/include/ns/client.h, lib/ns/xfrout.c.
    - CVE-2020-8618
  * SECURITY UPDATE: INSIST failure when a zone with an interior wildcard
    label was queried in a certain pattern
    - debian/patches/CVE-2020-8619.patch: add fix to lib/dns/rbtdb.c.
    - CVE-2020-8619

 -- Marc Deslauriers <email address hidden> Tue, 16 Jun 2020 09:29:41 -0400