Package "bind9"
  
    
    
| Name: | bind9 |
| Description: | This package is just an umbrella for a group of other packages; it has no description. Description samples from packages in group: "Transitional package for bind9-utils"; "Transitional package for bind9-dnsutils" |
| Latest version: | 1:9.18.30-0ubuntu0.20.04.2 |
| Release: | focal (20.04) |
| Level: | updates |
| Repository: | universe |
    
   
  
  
 
Changelog
    
    
    
        
        
    
    
bind9 (1:9.18.30-0ubuntu0.20.04.2) focal-security; urgency=medium

  * SECURITY UPDATE: Many records in the additional section cause CPU
    exhaustion
    - debian/patches/CVE-2024-11187.patch: limit the additional processing
      for large RDATA sets in bin/tests/*, lib/dns/include/dns/rdataset.h,
      lib/dns/rbtdb.c, lib/dns/rdataset.c, lib/dns/resolver.c,
      lib/ns/query.c.
    - CVE-2024-11187
  * SECURITY UPDATE: DNS-over-HTTPS implementation suffers from multiple
    issues under heavy query load
    - debian/patches/CVE-2024-12705.patch: fix flooding issues in
      lib/isc/netmgr/http.c, lib/isc/netmgr/netmgr-int.h,
      lib/isc/netmgr/netmgr.c, lib/isc/netmgr/tcp.c,
      lib/isc/netmgr/tlsstream.c.
    - CVE-2024-12705

 -- Marc Deslauriers <email address hidden>  Tue, 28 Jan 2025 09:31:22 -0500

| CVE-2024-11187 | Many records in the additional section cause CPU exhaustion |
| CVE-2024-12705 | DNS-over-HTTPS implementation suffers from multiple issues under heavy query load |
    
    
    
    
    
        
        
    
    
bind9 (1:9.18.30-0ubuntu0.20.04.1) focal; urgency=medium

  * New upstream release 9.18.30 (LP: #2073310)
    - Features:
      + Print initial working directory during named startup, and changed
        working directory when loading or reloading the configuration file
      + Add max-query-restarts configuration statement
    - Updates:
      + Restrain named to specified number of cores when running via taskset,
        cpuset, or numactl
      + Reduce default max-recursion-queries value from 100 to 32
      + Raise the log level of priming failures
    - Bug Fixes:
      + Fix privacy verification of EDDSA keys
      + Fix algorithm rollover bug when there are two keys with the same keytag
      + Return SERVFAIL for a too long CNAME chain
      + Reconfigure catz member zones during named reconfiguration
      + Update key lifetime and metadata after dnssec-policy reconfiguration
      + Fix generation of 6to4-self name expansion from IPv4 address
      + Fix invalid dig +yaml output
      + Reject zero-length ALPN during SVCB ALPN text parsing
      + Fix false QNAME minimisation error being reported
      + Fix dig +timeout argument when using +http
    - See https://bind9.readthedocs.io/en/v9.18.30/notes.html for additional
      information.

 -- Lena Voytek <email address hidden>  Mon, 23 Sep 2024 17:21:48 -0400

| 2073310 | Backport of bind9 for focal, jammy and noble |
    
    
    
    
    
        
        
    
    
bind9 (1:9.18.28-0ubuntu0.20.04.1) focal-security; urgency=medium

  * Updated to 9.18.28 to fix multiple security issues.
    - Please see the following for a list of changes, including possibly
      incompatible ones:
      https://kb.isc.org/docs/changes-to-be-aware-of-when-moving-from-bind-916-to-918
    - CVE-2024-0760: A flood of DNS messages over TCP may make the server
      unstable
    - CVE-2024-1737: BIND's database will be slow if a very large number of
      RRs exist at the same name
    - CVE-2024-1975: SIG(0) can be used to exhaust CPU resources
    - CVE-2024-4076: Assertion failure when serving both stale cache data
      and authoritative zone content
  * Packaging changes required for 9.18.28:
    - Dropped patches no longer required with 9.18.28:
      + 0001-Add_--install-layout=deb_to_setup.py_call.patch
      + 0002-python-fix-for-dist-packages.patch
      + 0003-Remove-the-reference-to-OPTIONS.md-it-breaks-build-o.patch
    - Synced patch with jammy's 1:9.18.28-0ubuntu0.22.04.1 package:
      + always-use-standard-library-stdatomic.patch
    - debian/NEWS: list changes in 9.18, taken from jammy.
    - debian/*: sync most of the packaging with jammy's package, including
      autopkgtests except for dyndb-ldap as the bind-dyndb-ldap package is
      broken in focal.
    - debian/tests/simpletest: wait a couple of seconds for the service to
      actually start.

 -- Marc Deslauriers <email address hidden>  Tue, 16 Jul 2024 14:48:12 -0400
    
    
    
    
    
        
        
    
    
bind9 (1:9.16.48-0ubuntu0.20.04.1) focal-security; urgency=medium

  * Updated to 9.16.48 to fix multiple security issues.
    - Please see the following for a list of changes, including possibly
      incompatible ones:
      https://downloads.isc.org/isc/bind9/9.16.48/doc/arm/html/notes.html
    - CVE-2023-4408
    - CVE-2023-5517
    - CVE-2023-6516
    - CVE-2023-50387
    - CVE-2023-50868
  * Packaging changes required for 9.16.48:
    - Dropped patches no longer required with 9.16.48:
      + CVE-*.patch
      + fix-rebinding-protection.patch,
      + 0003-Print-diagnostics-on-dns_name_issubdomain-failure-in.patch
      + lp-1909950-fix-race-between-deactivating-handle-async-callback.patch
      + lp1997375-segfault-isc-nm-tcp-send.patch
    - Synced other patches with Debian's 1:9.16.48-1 package
    - debian/*.install, debian/*.links: updated with new files in 9.16.48.
    - debian/rules, debian/not-installed: don't delete old -dev files, just
      don't install them.
    - debian/control, debian/rules: switch packages required to build
      documentation.

 -- Marc Deslauriers <email address hidden>  Wed, 14 Feb 2024 07:49:14 -0500

| CVE-2023-4408 | The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS |
| CVE-2023-5517 | A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when:    - `nxdomain-redirect <domain>;` is configured, |
| CVE-2023-6516 | To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods |
| CVE-2023-50387 | Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU |
| CVE-2023-50868 | The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of se |
    
    
    
    
    
        
        
    
    
bind9 (1:9.16.1-0ubuntu2.16) focal-security; urgency=medium

  * SECURITY UPDATE: DoS via recursive packet parsing
    - debian/patches/CVE-2023-3341.patch: add a max depth check to
      lib/isccc/include/isccc/result.h, lib/isccc/result.c, lib/isccc/cc.c.
    - CVE-2023-3341

 -- Marc Deslauriers <email address hidden>  Tue, 19 Sep 2023 07:22:19 -0400

| CVE-2023-3341 | A stack exhaustion flaw in control channel code may cause named to terminate unexpectedly |
    
    
        
        
        